[MUSIC] >> Okay, all right, now I think you can hear me, right? So welcome to the last talk of the day. So it will be a talk where the physical security research gets really physical, at parts at least. >> Yeah, yeah, yeah. >> So please welcome Matt Smith for the talk. >> [APPLAUSE] >> All right, let's try this again, shall we? Hopefully we're not gonna have terrible weather tonight, so we'll see. Okay, so this is about physical vulnerability research and some of the stuff that I've been up to. So I'm gonna go through the whole thing again, so it probably makes sense. So if you've heard it before, I'm sorry.

So anyway, a bit about me: I'm Matt Smith, otherwise known as Huxley Pig. I've done a lot of social engineering throughout my life. I used to call it blagging, getting stuff for free, getting in places for free. And then when I got older, this legitimate term came along: yes, I'm a social engineer, yeah, great. And it's making passes, that sort of thing. I don't work for Oxfam. Then I got a degree in computer science, software developer, SCADA engineer. And then I became a locksmith, at first a black hat, and then a white hat. And now I make tools; this is Marsella, where I make the tools, lock fall towers. And I look for things I like to call physical 0-days, so that's exactly what it sounds like: an undisclosed vulnerability in a physical system. And now I also help a lot of lock makers improve their designs, find problems with the locks. And I've also got a couple of patents for locks I've designed now.

So if you're like me, you've always loved breaking shit; that's why you're here, right? One of the first things I hacked was Virgin Media to get free... it was nothing great, it was just getting free internet, but that was a lot of fun. Locksmithing actually goes back seven generations in my family. My great, great, great grandad started it. And eventually I fell into the same profession.
I never wanted to be a locksmith when I was growing up, by the way. I didn't want to do what my parents did, like everyone. I wanted to be a software developer. And then when I actually did it and sat down at a computer for hours and hours and weeks on end, I thought, maybe not. >> [LAUGH] >> Maybe I don't want to do this. So yeah, originally I was a black hat and I was stealing the money from vending machines, primarily. Not the food, the money. This is before contactless, so it was all change. So you could find quite a lot of money in the busy ones. But it's okay, I've changed now, so no more black hat, white hat now. And I shouldn't have to say this, but don't break into vending machines or parking meters. I know a guy who got convicted for breaking into parking meters. He wasn't picking the locks, he was forcing the locks, but he was definitely stealing the money. And he got a five-year injunction banning him from going near any parking meter, unless it was at an airport, and he could do it for a maximum of ten minutes. And then he couldn't return to the parking meter for a minimum of six hours. And yeah, it could make life difficult, so don't do this.

Okay, so I'm gonna go through some stuff I've not released before, not publicly at least, and go through some vulnerabilities that I've found, and sort of how I managed to arrive at where I did. And look for sort of common patterns and errors. And this is applicable to digital security as well. You get vendors that'll use the same chipsets, which have got badly implemented stacks, or bad pseudo-random number generators, and for every vendor that uses that chipset, that device will be vulnerable. And yeah, we'll try and apply some sort of framework to see if we can expedite it in the future. I'm not going to be showing any sort of classified stuff, but if you want to chat to me in the bar later, buy me a beer, we can talk about the fun stuff then.
Okay, so like I say, if you're like me, you think security stuff exists to be broken, right? If it's meant to be secure, we want into it. And this goes for lots of people: red teams, pen testers, etc., criminals. And there's an old adage in locksmithing that says locks only keep honest people out, and this is pretty true. If someone wants through your lock badly enough, it's just a matter of resources and time. They'll do it eventually if they want to; it doesn't matter how good your lock is. And I used to think that if you found problems with things and then reported it back to the people who made it, that they'd fix it. And if this kept happening, security would generally get better in the world. And since I've been in the industry a while, I've learned that that is not the case at all. I don't think things are more secure now than they were when I first started locksmithing.

All right, so let's have a look at some physical attacks. So hammers can be used in many different ways. It might sound like a hammer, you just hit something, but it's like a wire shock or other tools. You can use them for multiple purposes. So this is an example of a lock that's been trounced with a hammer. This is the obvious thing that you do with a hammer. Other things you can do include freezing the shackle so it becomes shatterable. Or if the body of a padlock is made of aluminium or has any aluminium in it, you can actually put gallium on there and it'll react with the aluminium and make the aluminium all crumbly. And then you could hit it with a hammer again and get into the lock that way. Spanners are another interesting one. So I don't know if many people have seen this before, but on the cheap locks, you can use two spanners as demonstrated in the picture and just prise into the shackle, and this is an attack on the lock body; the lock body will break. But back to hammers. Many padlocks, for convenience, you can just shut them closed.
So the good ones have a ball bearing that locks the shackle in place, but the cheaper ones, or most padlocks, you just click and you shut the shackle like that. And so we can make use of that spring, and it's a conservation-of-momentum attack. So like when one pool ball hits another pool ball, if we can create enough energy into the outside of the lock, then the idea is you can compress that spring and the shackle should just pop open. And I can show you this in action. So here's a couple of Master padlocks. I'm just demonstrating here that they are locked. And that's hit it with a hammer once, hit it with a hammer twice, and it just pops open. And you can do this on lots and lots of locks. It's only a question really of how much energy you can get into the body of the padlock.

This is the story of the first vulnerability that I ever found in a lock. So a long time ago, about 1998, when I were a lad, me and my friends used to go over Cannock Chase in my mate's Jeep. He had one of these Jeeps and he was obsessed with taking it into the places you shouldn't go. Cannock Chase, if you don't know, is like here. It's just a wood with hills and forest. And we couldn't get to the cool bits. We couldn't get to the really cool bits because there's ditches and there's locked barriers. And the lock on the barrier was this. I actually found this in the street, and I was driving past and I was like, shit, I know that lock. I need to get that lock because that's the one that's on the barriers at Cannock Chase. So anyway, I got this lock and thought, well, these are the reasons they use it, right? It's weatherproof. It has to be if it's in the forest. And it's secure, because it says so on the front of the lock there. It must be. So I didn't know how to pick lever locks at the time. I sort of knew how they worked, but I didn't know how to pick them. So I thought, let's break open the lock, see what I can find inside. And at the time I didn't have a workshop or even a vice.
So I used a hammer again and a wood chisel. It's not even a metal chisel, it's a wood chisel. And I took it outside onto the pavement and just went at it until I broke it open. And this is what it looks like today. And when I got it open, I noticed that those little spiky bit circles are the bits that the key contacts. And those little lumps on the left are the bits that need to be lifted so that the shackle can open. Now this is an example of a good lever lock. And a good lever lock has a circle at the bottom there. There's a physical barrier to stop you lifting the levers too high. And that's not the case on this lock. So I use a two-part attack, one part to tension the bolt thrower, and basically just a blank that goes up and pushes all four levers at once. And you can see here at the side, the levers have been lifted clear of the blocking part. So the lock can open. And the good thing is with this as well, you can lock it back up again. And no one's ever known that you've been there. And that led to a lot of fun over Cannock Chase in the Jeep. We almost died several times. I'm surprised I'm still here to tell the tale.

This is another lock that I've spent a long time working on. Abloy Classic, it's been around for a very long time. 1896, I think, Abloy invented this lock. And it went unpicked for years. And then in the 70s, a guy called Seppi E. Turvinen, a Finnish sex pest, he used to pick this lock on women's doors, let himself in, and then he'd hide under the bed. And then at some point in the night, he'd come out and attack them like some sort of scary bogeyman. And the Finnish police didn't think that he could actually pick the lock, because this was the first example of this lock ever being picked in the field. Before this, Abloy offered, yeah, a million Finnish marks reward if anyone could pick the lock, but obviously they scrapped that after this. So what they did, Abloy changed the design of the lock.
The tool this guy was using, the Vempelay, it's a Finnish thingamajig, or what do you call it, it's got some Finnish name. And they changed the design, so this tool didn't work anymore. And then this was about 1978, I think. And since then, again, since the change to the design, allegedly, it went unpicked. And in a nutshell, here's the problem with trying to pick this lock. You need 90 degrees of movement on your lock picking tool. And you can see there's a gap there of 90 degrees, so you might think, okay, you've got 90 degrees, you need 90 degrees of movement. What's the problem? Well, the problem is, your lock picking tool has to exist within that 90 degrees as well, so if you go 90 degrees one way, you're going to upset the furthermost disk. And if you put the tool on the other side and go 90 degrees the other way, you're going to upset the other disk. So, again, I took it apart and studied it for a long time and found out that you can actually get away with dislodging the disks a little bit. And that's because, in the bottom picture, that little steel bit at the top, that's the sidebar; that's what prevents the lock from opening. And it has to sit in that little U shape at the top of the disk. And if you dislodge it, you can see it's not perfectly aligned, so if you dislodge it a little bit and you tension the lock, that sidebar will push down into that U shape and end up pulling the disk back around, like by itself. So you can get away with a little bit, so that led to me thinking, okay, so maybe I can do this. Maybe we can exploit this. And like I say, everyone in locksmithing said, this lock can't be picked. It's not possible, no one's done it. So it's like a red rag to a bull, like, okay, I'm going to do this. It doesn't matter how long it takes, I'm doing this.
So about six years of work, off and on, design after design, didn't work, didn't work, and then I realized the design that I wanted to use was difficult to make, so I had to save up to buy a milling machine and make this very fine, thin, delicate part. Anyway, long story short, it worked. I managed to make a tool that picked this lock. And then three, four weeks later, a friend rings me up and says, oh, your tool, that's really cool. It's for sale on that locksmithing website. I'm like, no, I don't know anything about this. So I went to the website and I see pretty much the same design of my tool there. So I contacted the website owner and he said, okay, so yeah, the government's been using this tool for like eight years. Only it's been restricted and it's not publicly available, so no one knows about it. And now you've done a design that's pretty much identical. We can de-restrict it and sell it publicly now. Oh, fuck. Okay. So I don't want to invent things that have already been done. If I'd have known this tool existed already, I wouldn't have spent so much time and effort and money doing it. So yeah, it was quite a kick in the balls. But I decided, I'll tell you what, then, I'm going to use what I've learned and make the tool better. And so this is the tool in action. You don't get to see it. The tool itself is restricted. But this is the improved version of the tool that I made. And it's a terrible video. It was a while ago. But anyway, the tool's in the lock now. And I'm not really picking it. It's a self-impressioning attack. So I'm just jiggling the tool, basically. And that's it. 13 seconds it took to open that lock with the improved tool. And that's a lock that's meant to be unpickable.

This is another one of my favorite locks, EVVA MCS. It's a magnetic lock. It was developed in Vienna, Austria. And again, this lock went unpicked for a very long time, because you can't physically access the internals of it, because it's all magnetic.
And I've spent more time on this lock, I think, than any other lock. So this is how it works. You can see each of these wheels has got a little pie slice cut out of it. And they all have to line up, like in the picture. And there's a blocking element that will go into the pie slices and allow the lock to open. And it's that times two, on both sides of the lock. And you can never know what position these little pie slices are in from outside the lock. So ostensibly, it's impossible to open. And then maybe 20 years ago, I got an email from a German friend. And he said, in the MCS, those rotors, they're quite noisy. I was thinking, you know what? Yeah, they are quite noisy. So I thought, well, maybe we can leverage the noise thing, see if we can open the lock. So using a guitar pickup (you don't have to use a guitar pickup, by the way; you can hear it, but this aids it to a massive degree), using a guitar pickup, you can tell which wheel is incorrect. So you can't tell which one's right, but you can tell when it's wrong. So if something's wrong, then you change it. And it's still wrong, and you change it. And all of a sudden, it's right. And another one's wrong. You repeat this process until everything's right. And then the lock opens. So you've got 2.2 millimeters of space to work with in this lock. So making something that simulated the key was very difficult. These are four failed designs. The one in the top left is just magnets superglued to a bit of metal. That didn't work. The other one's like fiddly little magnets you push into holes. I mean, it sort of worked, but it was fiddly. And yeah, anyway, none of these worked. But eventually, I managed to simulate how the original key worked. Now, you can't copy how EVVA have made their keys. They've magnetized the magnets in... they've patented the process they used to magnetize the magnets. But using two magnets on each side, you can simulate the key, which is exactly what I've done here. But this was only the start.
You then had to... I then had to work on the technique to narrow it down. But eventually, I got to the point where I can open the MCS lock as well.

I don't know if anyone knows this lock. Again, another unpickable lock. Bowley, they've not been around long. Bless them. They have tried their hardest to make a lock that's unpickable. And I guess it's a good idea on the face of it. This is the key for the Bowley. And you can see you've got this funny U shape in it. And that bit missing in the middle, that goes around like a metal shield. So that if you want to try and pick this lock, your lock picks have to go around that U shape and also manipulate the five pins. And because there's only maybe two millimeters of gap at the end, you physically don't have the space to pick the lock. So if traditional lock picks won't work, then that's a win, right? They've made an unpickable lock. Oh, no, not at all. I've got a video of me opening this lock. That one? Yeah. So we'll skip forward a little. So what I'm using here is, again, another conservation-of-momentum attack. So I don't know if you know how key bumping works. But basically, what you do, you hit all of the bottom pins simultaneously. And the top pins then absorb the energy and fly up away from the bottom pins, creating a big gap between the two. And if you time it right, you can open the lock while that gap exists. And that's what I'm doing here, only this is an EPG. It's an electric pick gun. So it does that, but just really fast. It's not a drill. People sometimes think it's a drill; it's not a drill. So that's vibrating the pins now. And that's it. The lock's open at this point. So this unpickable lock... I used to say I can open this lock with a paper clip. And people used to laugh at me. And well, actually, it's perfectly possible. That's the back spinning, just to prove it's open. And yeah, like you see, it's very effective and very fast.

This is another one of my pet locks, if you like.
I went through the chain of Abloy locks. And this is their current top-of-the-range lock, Abloy Protec2. It is now. It uses a disk blocking system. So the idea here is that if the disks are jammed in place, then if you try and manipulate them, you can't, because they're physically unmovable. What I did was I looked at the differences between Protec 1 and Protec2 and had a look at what they changed between the two versions, which gave me a lot of hints as to what the problems with the Protec 1 might have been, because otherwise they wouldn't have changed things, right? And actually, the Protec2, some of the new changes they made introduced new problems. And this happens again with digital security all the time. So I broke it down into stages, how I can open this lock. They're like chained vulnerabilities. So originally, I bypassed the DBS, that's the disk blocking system, with a piece of wire, which can be seen here. And since then, I've found quite a few ways to do it. But originally, I did it like this. So the two bars on either side of the lock have to meet and come together and sort of slip down one under the other. And that piece of wire allows them to meet, but it doesn't allow them to physically slip down into the grooves and block the disks. So that was the first stage, bypass the disk blocking system. Even then, you still have to manipulate the lock, which is very difficult in itself. But at least now, the blocking system is neutralized. At least it's possible. My current Protec2 tools are restricted, so I can't show those. But we can open the Protec2 as well. It's in a folder. It's in the folder full of NDAs. I've got loads of NDAs from different lock companies and tool makers and that sort of thing.

This one's kind of fun. Kensington laptop lock. This is used to secure digital IT infrastructure. And I thought, again, it's got a sprung shackle on the bottom so you can just push the wire in for convenience. And it's locked.
And I thought, so I'm going to try the same thing on this lock. I'm going to try and bounce those springs back. So I got a hammer again. And I was only tapping it... I swear to God, I was only tapping it gently. And it just fell off. And I was like, whoa, surely that isn't right. And what's happened with this is when you hit it, there's a part inside that deforms. And it allows the shutters to still work. So you can still come back and put the lock on. And you can still use the key. And the user would never know there was a problem with it. But yeah, it's very, very, very shit. And it was accidental, like I say. A lot of the best discoveries are the accidental ones, right? I wasn't even trying to do this to this lock.

Let's have a look at some digital stuff now. So I don't know if anyone's got Ring doorbells. I mean, I know I've got one. And they're pretty useless, right? I think they're sold as a security device. But I mean, they're not. They're not, right? So the problem with these is in order to see who's at your front door, it has to make essentially a VoIP call. There's no local recording on the device. So if comms drop, then you don't know there's anyone at your door. And worse, when the comms come back up, if someone has been at your door, again, you don't know. It doesn't give you any sort of indication that there's been someone there. I believe the Ring Alarm Pro actually has a little SD card that records locally on it. So that's better. That is better. So how could we attack this? Well, if you cut the power to the place, then comms are going to go down. I mean, that's pretty noisy. It doesn't have to be destructive if you've got access to the breaker. But again, the phone line, if you've got the phone line, comms are going to be down. And if you've got access to the signal box, again, it's not necessarily destructive. You can jam the wireless, which again, is a bit better, I guess. But you risk jamming other stuff.
But what you can do is, using Wireshark, sniff the MAC address and just de-auth it off the network. And if you just keep de-authing it off the network, then the owner of the Ring doorbell never knows, doesn't know anything's happening. And yeah, that's very targeted, very clean. That's probably the best way to do it, I think. And yeah, like I say, when it connects back to the network, it's as if nothing's happened. The user would never know you'd been there.

There's a trade-off between convenience and security, always. And this is one of those. So people are getting wireless alarms fitted a lot because it's more convenient than drilling holes and laying cables. And they've got exactly the same problems as the Ring doorbell. So again, any sort of connectivity loss, and it's a problem. So you can sniff the MAC address of a particular wireless sensor. And again, you can de-auth them off the network. You can jam them. One of the cool things you can do is if you know the protocol, you can talk to the base station and make out that the signal isn't an alarm, when really it is. The better alarm systems won't let you get away with this because they will poll regularly, either from the sensor to the base station or from the base station to whoever might be supervising the alarm. But how long do you actually need? If you've opened a door already, then maybe you only need three or four seconds, five seconds maybe, to open and shut that door again. And physical access is always king. If you can get to a system physically, then you own it. So I much prefer wired alarm systems. Often you have redundant comms. So you've got the phone line, and then there'll be a 5G connection as well. And again, if you were to jam the 5G and cut the phone line, the better systems will poll back to whoever's supervising the alarm and say, yeah, it's gone offline. Put it into alarm. And again, attack vectors for this. So you can target individual sensors for wired alarm systems.
If you can get physical access to something, you've got it, right? Another thing you could do is protocol reversal. Again, so if you've got physical access to some of the wires (I know someone who's done this, in fact), if you can get an access point into the network, then you can spoof whatever you want to the base station. And a lot of sensors have got blind spots as well. Badly installed alarm systems are everywhere. And you can socially engineer your way in. There's lots of ways.

These reed sensors are on the doors of alarm systems. I'm sure you've seen these everywhere. Now there's a few ways you can get to these. Normally it's a normally-closed switch with a magnet that keeps it from going into alarm. So let's say you're on the outside of a door and you don't know the position of an alarm sensor. You can sense for that magnet using a Hall sensor. And that'll tell you where the switch is, where the sensor is. And so if you then know where it is, you can then simulate that magnet on the outside of the door, so long as the magnet's sufficiently powerful, or even better, if there's a gap in the door (and I've done this), if there's a gap in the door, you can feed a little magnet through and simulate the magnet on the door. And then obviously, you keep the magnet there and open the door and the sensor doesn't know anything's happened. If you've got physical access, then you can permanently trick it using a little round magnet. You can tape a magnet to the sensor. And because you're doing that when the alarm isn't activated, when it is activated, that magnet's permanently there then. So again, you can open and close the door, and that magnet is tricking the sensor into thinking nothing's happened.

These are fun, too. Dual passive infrared and microwave. So in order to get these to go into alarm, both parts have to be tripped, both the microwave and the infrared. And there's three lights on there. There's a green, an amber, and a red. And green means not a problem.
Amber means one of the two has been tripped. And if it goes red, then both of the two have been tripped. And then it goes into alarm. I don't know if there's anyone else who's done this. This might be weird, but sometimes I go into shops and you'll see these sensors. And obviously, the alarms aren't activated, but the sensor's still active. And so you can walk around the room and see how sensitive the alarm is and where the blind spots are. So if you walk to the edge of the room, and all of a sudden it stops going orange or red, so there's the line; that's where the sensor can see to. And I do that quite a lot. The infrared part is the easiest part to trick on these, because it just sees heat. It sees changes in heat. So if you can get some sort of room-temperature shield, if you were to enter a room that has one of these and you have a shield in front of you that is the same temperature as everything else, then the alarm's not going to see. And it can be something as simple as just cardboard, something really simple. If you can get physical access to it while it's not alarmed, then again, physical access is king. They did this in the Antwerp diamond heist. There's a whole talk about the Antwerp diamond heist. It was absolutely brilliant. But they'd rented out safety deposit boxes in the vault. And so when they were in the vault, ostensibly going about their regular business, they sprayed hairspray or latex onto the sensor while it wasn't in alarm. And then later on when they came back, the sensor was blinded, because they'd already sprayed it and it couldn't see them there. Another trick I've heard people say you can do is turn the heating up to body temperature. So if you walk in, it doesn't see your body temperature. But I don't know how feasible that is. And if all else fails, you can trick them by walking really slowly. But if you're in a situation that sort of isn't conducive to that, it's probably a bad idea.
Bad installation of alarm systems, again, is really common. They'll miss places. The CCTV, the sensors will have blind spots. A lot of the old cameras, you can blind them with lasers or infrared. And if there's a wire exposed from the outside, like in this picture, then again, if you can get into the network, then you can inject protocols into it. There's a really cool talk (hold on, I've written it down): yeah, "Exploiting Network Surveillance Cameras Like a Hollywood Hacker". It's a DEF CON talk from a while ago. And they did exactly that. They reverse engineered the protocol. And in the end, they could inject whatever they wanted into the CCTV feed, like text, video, whatever. They totally owned the CCTV. Babak Javadi and Keith Hale have done some good stuff on this as well, if you want to look those guys up. Something else you can do is deliberately trip an alarm over and over again. So you can see what the response time is and what the response strength is. And often, if you keep doing it over and over again, whoever is in charge of the alarm system is just going to get annoyed and take the sensor out of the system. And that's the idea sometimes. Or you can do what I said with the reed sensor earlier, but deliberately get the magnet wrong and trip the alarm from the outside of the door and do the same sort of thing. Same with vibration sensors in floors or fences. And yeah, like I say, you can use it to sort of socially engineer the response.

Access control: a lot of these are vulnerable to a magnetic attack. So they've got relays in them. And often as well, these are on the outside of buildings, but they'll put really bad screws in them, like security screws. But if you have the right screwdriver, you can just get in there. And again, if you've got physical access to it, then you can use it to sniff creds. You can jump the contacts inside of the box to open it. And again, you can do protocol injection with this stuff too.
Smart locks are quite an interesting one. These are getting popular now. The problem with these is a lot of them were designed by electronics engineers, not people who are well versed in physical security. So even if the digital side of it is secure, then you can still manipulate or bypass the locks. A lot of these can be bypassed using a hammer drill. Not a hammer drill. Hammer drill, is it? Reciprocating drill. And you can bump the solenoid in the middle. And lots of manufacturers copy the design of each other. And so these vulnerabilities are present in all of them. So yeah, like I say, you can open them often from... there's a solenoid in the middle. So when you come along with your card or your phone or whatever and open it, and it authenticates, this little solenoid moves back. But it's often on a spring. And we can do the same thing I was talking about earlier with a spring, and we can hit the outside of the lock, compress that spring from the outside, and then open the lock. And the thing about this is there's normally an audit trail, telling you who's been and when they've been there. But this totally bypasses any sort of audit trail. And yeah, you put a 3D-printed head adapter on it and use a hammer drill. And that's just the physical side of it. I mean, there are a lot of really bad smart locks where there are keys in clear text going over the Wi-Fi, and predictable rolling codes, replay attacks. I mean, they've been littered with problems since their invention.

Routers, so I mean, routers are pretty bad anyway, right? For a long time, you've been able to get onto them using default admin. I mean, WEP, WEP was useless. There was brute-forcing the PIN. I mean, that's better now. But again, that was something that was pretty easy to do. There was an old Virgin box where, when you started it up, the Wi-Fi would come up open. And then it would go back down again and come back up as WPA2.
But if you could get onto it while it was open, then again, you could use the default creds and own the box. I spoke about this briefly earlier. Virgin, DOCSIS 1. I mean, we're going back a while. But yeah, you could sniff the MAC addresses and swap them with each other and end up getting free Virgin internet. And this is a common one: default wireless passwords derived from the MAC address. British Telecom made this mistake. And on loads and loads of their routers, you could derive the password.

All right, so briefly, let's have a look at some methodologies. So this guy, Daniel Heiss, he was convicted in Australia for murdering a guy. Him and his friends wanted his guns. And so he got sent to Berrimah Prison. And when he got there, he found a fellow inmate who'd got sort of privileged status. And he was a jeweller on the outside. So he'd been given access to jewellery-making equipment. And they got together and said, let's make a key. Let's make a key and we can get out. And they could have tried to view the key as the wardens were using it. But where they actually got the key from is much better than that. So when you first go to Berrimah Prison, they gave you a booklet saying, welcome to the prison. This is what you should do. This is what you shouldn't do. And on the front cover of the brochure were the master keys to the prison. And so he just copied those and they escaped. He left a cheesy message saying, "this bird has flown" on his cell. Baker, the jeweller, got recaptured after 24 hours, and Heiss after 12 days. And then he got out and started making terrible art. And now he's back in prison again for parole violation. But the point of this story is observation. If you look hard enough, you can see some pretty cool stuff. So, photos of keys. There's now a machine. This is an EasyEntrie machine. It'll copy the profile of a key, any key. Well, nearly any key.
But there are actually systems now that will take long-range photographs of a key, automatically decode the bitting, and then automatically cut the key. So observation can be really useful. Don't put photos online either. This mistake happens quite a lot, like here. So SSDeV, the guys who were doing the lockpicking village. The Dutch police had these new high-security handcuffs. And the lock on them was good. It wasn't like generic handcuffs where one key will open pretty much all of them. These were good handcuffs. It was a Chubb three-lever lock. Anyway, they put images of it online. And so the guys at SSDeV saw it and copied the key. And this 3D-printed key will now open these high-security Dutch handcuffs. This is something else I've done quite a lot: sports events. If you watch TV at sports events, you can get a lot of useful information. So these are all passes that I've managed to grab off TV and Twitter feeds and that sort of thing. And once you see them, they're really easy to copy. You can get in. This is one on a dog. I don't know if the dog actually had a legitimate pass, but this is a legitimate format of pass. So yeah, just copy this. And I did this at the World Cup in 2006, actually, in Germany. Premier League, cricket, music festivals. Copying passes is a really, really easy way to get into places. Another way we can try and find vulnerabilities in stuff is to look at what's been changed from the old version to the new version. So revision notes do this a lot. In software, they'll say, yeah, we fixed this and this. And so if you look at it, you know that, oh, that used to be a problem, and that used to be a problem. And so if you ever find an older version of that software, you know for a fact that it's got X, Y, and Z wrong with it. And like I say, this applies to physical and digital security. I did it with the ProTech. And if ever they change something, look at what they've changed.
So probably the best way to go about finding vulnerabilities in stuff is like what I did earlier: methodically break down the system, look at every part of it, see if you can find a hole, and exploit the hole. And like I say, you get common designs from one manufacturer to another. Decapping PSUs and electromagnetic microscope scanning so you can see exactly what's going on in stuff. And fuzzing is another one. So just throwing stuff at it. And if something sticks, you don't really need to know how it works. If it works, it works. And accidental discoveries. A lot of fun there. Some of my best discoveries have been accidental discoveries. And then try and look at ways in which a system can leak information. So like cryptographic wait times, or the sound I mentioned earlier. You can measure the rotation of a lock or the arm on a safe to know how close you are to opening it. There's lots of ways systems can leak information that whoever designed them didn't intend them to. And be inventive. Look for unconventional attack vectors. And I'm a big fan of this last one: as soon as you've found a way to do something, try and find another way to do it. And then try and find another way to do it. Find as many solutions to the same problem as you can, so you've got some sort of redundancy. And the concepts between digital security and physical security are the same. But once you've found a problem, you have to ask yourself, is it practical? Just because something's feasible doesn't mean it's practical. So physical keys: I could have, like, 10,000 keys to a lock. And I mean, it's feasible for me to try every key, and one of them will eventually open it. But it's not practical. And it's like brute-forcing passwords. If a password is sufficiently strong, then it might take 10,000 years. It's feasible, but it's not practical. So you have to ask yourself, just because you've found a problem, can I actually exploit it?
And don't forget that every security system ever invented was designed by people. People no smarter than you or me. And people always miss stuff. So remember, nothing's ever perfect. If you have a more complex system, that often leaves a larger attack surface. So you can find more problems if something's been made more complicated. And like I said, they're just people. People miss things. And they can't see the future. They can't see what's going to happen. So, like, safes in the past were very secure. They were very burglar-proof. And then X-rays came along. And they didn't know what X-rays were when they invented the safe. And all of a sudden, you could get into the safe. And the good safes nowadays actually have X-ray protection on them, so you can't do that. And yeah, another one: never give up until you've done it, until you've broken it. Keep going. So yeah, I've only scratched the surface of the subject. I could do this talk again and replace everything I've just said with other examples. There's so much to go into. Other people's stuff, historical biggies. And yeah, a lot of the stuff that I can't disclose as well. And I think the bottom line here is, if I can do it, anyone can do it. Just go and find some cool shit and break it. That's it. We're done. [APPLAUSE] >> So yeah, thanks a lot for the talk, Matt. We are going to have like three minutes for questions. So if you can line up here for questions, it would be great. I don't think that's working. Is this working? Maybe it is. Maybe it is. Perfect. Any questions? I can't see. Do we have a Q&A mic there? OK. So let's give a last big huge applause to Matt. Thanks. [APPLAUSE] [MUSIC PLAYING]