Pragmattica

March 19, 2009

What the Designers of Bank Vaults Should Learn from the Field of Computer Security

Filed under: Uncategorized — bnsmith @ 3:51 pm

I recently read this Wired article about a diamond heist that took place a few years ago. It’s a good read; I suggest you check it out.

Anyway, the article gives an excellent description of each of the security measures that the vault’s owners put in place, as well as the methods that the crooks used to circumvent each measure. While reading, I continually marvelled at the ingenuity with which the thieves circumvented each system, which is, I suppose, the point of the article, and why it makes such great reading for geeks like myself. At the same time, I couldn’t help but feel a little uneasy about the approach taken by the owners of the building to secure their vault. It seemed like a shotgun approach: take one of every kind of sensor and locking mechanism available and stick it in there somewhere, and then keep the final resulting system secret, to make it more difficult for thieves to figure out which circumvention methods would be necessary to breach the vault.

In the realm of computers, there is a name for this strategy: security through obscurity. That got me thinking, is there a better way to secure physical property? I think that at this point, most knowledgeable computer people have given up on security through obscurity, and now recognize the importance of proper security. But physical security is a very different beast than computer security, isn’t it? I mean, if the current state of the art in vault-making is just security through obscurity, then what would proper security look like?

One of the primary principles of computer security is that it is open. Nothing is hidden or secret about encryption algorithms. The only secret is the secret key that a particular person uses to encrypt their data. As long as an attacker doesn’t know that secret key, their knowledge about the rest of the encryption algorithm doesn’t help them a bit. Would it be possible to do the same thing with a vault? Could you make a vault whose blueprints were completely open and available to anyone, but that was still secure, as long as the combination was unknown?

I thought about this question for a while, and it seemed to me that it should be possible, but no answer was forthcoming. The central problem is this: you can keep the control system for opening and closing the vault inside the vault itself, to protect it from tampering, but you still need some way to communicate with the control system in order to cause it to open the vault’s door. For example, if the control system inside the vault will only open the door for a particular numeric code, then you would need some kind of keypad on the outside of the vault, so that the vault’s owner could enter the code when they wished to enter. Then you would need some kind of connection between the keypad and the control system. The most obvious communication channel would be a simple wire, but then you would need to drill a hole through the vault’s outer wall for the wire to pass through. This hole then becomes a vulnerability. The attackers could rip off the keypad, pull out the wire and then snake a little endoscope-like robot through the hole to monkey with the control system directly. There are little additions that could be made to this system, but none that fully remove the vulnerability. If you make the hole through the vault wavy rather than straight, for example, then the little robot would have more difficulty snaking through, but a more flexible version of the robot could be built. Measures could be adopted to prevent the keypad from being ripped off, but they could all be circumvented by opening and hacking the keypad itself, which the attackers would have relatively easy access to.

If the vault’s walls were constructed of metal thick enough to withstand many hours of drilling, then it probably wouldn’t be possible to use any kind of wireless radio signal to communicate with the control system either. This was the thought that finally led me to the answer that I was looking for. If the vault’s walls were made of metal, then perhaps the walls themselves could conduct electricity well enough to allow a signal to be transmitted through.

Imagine this: a vault cast as a single piece of hardened metal, with walls several feet thick, able to withstand three days of non-stop drilling. The vault’s single opening would be protected by a door of the same thickness as the rest of the vault. The hinges for the door would attach on the inside of the vault. From the outside, the vault might appear as though it is just a solid block of metal, with only the thinnest seam visible where the door joins the rest of the structure. Also inside the vault would be the computer control system, perhaps powered by a radioisotope battery. The computer would have paddles touching the outer wall that would be able to detect whether the wall was conducting an electrical charge. If the computer detected the right pattern of on-off charges (communicating the secret key in binary), then it would open the door. To open the vault, the owner would roll some device up to the side of the vault, pressing paddles up against the vault’s walls. They would then enter their code, by a keypad or some other means, and it would be transmitted through the vault’s walls to the control system.
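To make the control-system side of this concrete, here is an added Python simulation that is not part of the original post. It assumes a constructed encoding (each decimal digit of the combination sent as four bits, each bit held on the wall for a fixed number of samples), a constructed sample combination and salt, and a lockout after a fixed number of wrong entries; the names `encode_code`, `decode_charge_samples`, `bits_to_code`, `hash_code` and `VaultController` are all invented for the example. It goes slightly beyond the paragraph: the controller stores only a salted hash of the combination, compares in constant time, tolerates an occasional noisy wall reading by majority vote, and stops listening after repeated failures.

```python
import hashlib
import hmac

# Parameters of the constructed simulation (assumptions, not from the post).
BIT_PERIOD = 4            # wall-charge samples held per transmitted bit
MAX_FAILED_ATTEMPTS = 3   # wrong entries before the controller stops listening
PBKDF2_ROUNDS = 10_000    # kept low so the example runs quickly


def encode_code(code, bit_period=BIT_PERIOD):
    """Model of the owner's external device: each decimal digit becomes a
    4-bit nibble, and each bit is held on the wall for bit_period samples."""
    bits = "".join(format(int(d), "04b") for d in code)
    return [int(b) for b in bits for _ in range(bit_period)]


def decode_charge_samples(samples, bit_period=BIT_PERIOD):
    """Recover the bit string from raw on/off readings of the wall.
    A majority vote per bit period tolerates an occasional noisy sample."""
    if not samples or len(samples) % bit_period != 0:
        raise ValueError("sample stream not aligned to bit period")
    bits = []
    for i in range(0, len(samples), bit_period):
        chunk = samples[i:i + bit_period]
        bits.append("1" if 2 * sum(chunk) > len(chunk) else "0")
    return "".join(bits)


def bits_to_code(bits):
    """Reassemble decimal digits from nibbles; anything outside 0-9 is garbage."""
    if len(bits) % 4 != 0:
        raise ValueError("bit string not nibble-aligned")
    digits = []
    for i in range(0, len(bits), 4):
        value = int(bits[i:i + 4], 2)
        if value > 9:
            raise ValueError("non-decimal nibble")
        digits.append(str(value))
    return "".join(digits)


def hash_code(code, salt):
    """The controller stores only a salted hash, so even someone who got at
    the control system would not read the combination off it directly."""
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)


class VaultController:
    """The computer inside the vault: listens to the wall, opens the door
    only for the right code, and stops listening after repeated failures."""

    def __init__(self, code_hash, salt):
        self._code_hash = code_hash
        self._salt = salt
        self.failed_attempts = 0
        self.locked_out = False
        self.door_open = False

    def receive(self, samples):
        if self.locked_out:
            return "lockout"
        try:
            code = bits_to_code(decode_charge_samples(samples))
        except ValueError:
            return "garbled"
        # Constant-time comparison: response timing must not depend on how
        # much of the presented hash matched the stored one.
        if hmac.compare_digest(hash_code(code, self._salt), self._code_hash):
            self.failed_attempts = 0
            self.door_open = True
            return "open"
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked_out = True
            return "lockout"
        return "rejected"


def demo():
    """Constructed scenario: a correct entry, a noisy but still readable
    entry, then a run of wrong codes that triggers the lockout."""
    salt = b"constructed-salt-value"
    secret = "4711"                       # constructed sample combination
    ctrl = VaultController(hash_code(secret, salt), salt)
    results = [ctrl.receive(encode_code(secret))]
    noisy = encode_code(secret)
    noisy[0] ^= 1                         # one flipped sample in the first bit period
    results.append(ctrl.receive(noisy))
    for _ in range(MAX_FAILED_ATTEMPTS):
        results.append(ctrl.receive(encode_code("0000")))
    results.append(ctrl.receive(encode_code(secret)))   # too late: locked out
    return results


if __name__ == "__main__":
    print(demo())
```

Running the block prints the outcome of each simulated entry. The lockout is the part worth noticing in light of the comments below: once the controller stops listening, the only way in is the drilling the post already treats as the remaining brute-force path, so the lockout threshold is a trade-off between resisting guessing and the cost of a locked-out owner.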

All that would remain would be the “brute-force” attack: drilling through the wall. Of course, there could still be some subtle vulnerability, but if the plans were published for review by the security community, that would definitely decrease the likelihood of such a thing. If nobody in the security community publishes an exploit for the vault over the course of, say, 50 years, then I think it would be safe to say that the chances of discovering a vulnerability in the next 50 years would be vanishingly small.

There are some possible problems with this. For instance, I don’t know how much electricity would be needed to generate a signal that could reach into the vault. Perhaps the owner would be risking electrocution every time they tried to open the door. Perhaps the vault would need to sit on insulated pillars, because of the electrical charges involved. I am not a vault designer (IANAVD), but it seems to me that something like this could be built.

Perhaps what I’m describing has already been invented, though a quick Google search didn’t turn up anything. If there’s anyone out there who knows anything about bank vaults and physical security, I’d love to hear what you think.


8 Comments

  1. I have an Infosec background myself, and I’d be more wary of the communications channel you describe as a vulnerability, given the “traditional” dependence on off-the-shelf protocols for that sort of thing.

    Imagine a hacker who can’t break into the safe, but can jam the code up so well with an exploit that he can effectively hold the contents of the safe hostage.

    Comment by Salil — April 6, 2009 @ 2:35 pm

  2. Better hope the computer in the vault never fails!

    What struck me about the Antwerp Diamond District vault was the idiotic practice of turning off the lights at night, thereby blinding the video surveillance system.

    Comment by Jpdemers — April 22, 2009 @ 1:54 am

  3. I suppose that if a hacker managed to jam the computer or if the computer itself crashed, there would be no alternative but to drill through the wall of the vault. It would be a time consuming and expensive proposition, but still better than the computer security equivalent. If you lose the password for a Truecrypt volume, for example, it might take a billion years for the brute force attack to work!

    Comment by bnsmith — April 22, 2009 @ 9:10 pm

  4. Nothing is hidden or secret about the way a simple tumbler vault works…just like a computer algorithm….the only thing a thief is missing is the correct key/combination. Now you say that key locks can be ‘picked’ and tumbler locks can be ‘the equivalent of picking, like with the stethoscope in the movies’, but the same can be said for computer algorithms. Point in case – WEP encryption for wireless routers. Hackers learned how to intercept data traveling between host and client and decrypt the password (pick the lock)!

    Comment by Anonymous — April 23, 2009 @ 7:26 pm

  5. The biggest vulnerability with this safe is if thieves find the code. The safe in the diamond heist had a lock with 100^4 combinations, yet they got video footage of the code being entered. If the thieves got that on your idea there would be no other security. With a security by obscurity method there would at least be other safeguards in place.

    Comment by Anonymous — June 14, 2009 @ 6:47 am

  6. I have specialized in physical security, access control, and safe & vault security for a number of years. Are you still interested in discussing this further? I just stumbled onto your blog today! Are you still doing anything with this blog? It appears to have had no activity since about 1 year ago . . .

    Comment by Anon — July 12, 2010 @ 6:16 am

    • Unfortunately, a lot of things have been happening in my life lately, so I haven’t had much time for blogging. I do hope to do some more blogging and open-source software development someday, when things calm down.

      In the mean time, I’d love to discuss the open-source vault idea further. It would be very exciting to hear from a true expert on the subject!

      Comment by bnsmith — July 12, 2010 @ 7:23 am

  7. vault computer would be running windows vista.

    Comment by blah — July 24, 2010 @ 9:53 pm
