E-Mail Transcript: Medeco Objects to 'Tobias Attack' Test Conditions


In the course of researching the article about Marc Weber Tobias, Wired decided to test Tobias' claim that he could crack high-security locks manufactured by Medeco.

For years, Medeco had consistently denied that the so-called Tobias Attack was real or that it worked in real-world lock-picking conditions. Wired's test was designed to simulate, as closely as possible, those real-world conditions. The goal was to cut through the rhetoric and counterclaims and get straight to the engineering and the truth: Could Tobias and his hacking partner, a Venezuelan locksmith named Tobias Bluzmanis, open the lock or not?

Writer Charles Graeber went to great lengths to ensure that this test was realistic, fair, and as "real world" as possible. In drawing up the specifications — which locks to purchase, the setting for the test — Graeber consulted with independent locksmiths and security experts before asking Medeco's director of technical services, Clyde Roberson, to observe and participate in the test, in whatever capacity he thought appropriate.

But Roberson was reluctant to attend and cited numerous objections to the terms of the test — the same terms other independent experts had agreed to. Over a series of emails, Graeber attempted, in vain, to understand and meet Roberson's concerns and get Medeco to participate in a test of its product.

What follows is the entire correspondence between Roberson and Graeber, annotated by Graeber.

Charles Graeber adds: Apologies in advance to the English language for all E-grammar and typos.

from Clyde Roberson < >
to Charles Graeber < >
date Mon, Feb 9, 2009 at 8:10 PM
subject test response
mailed by medeco.com

Hi Charlie,

Attached is feedback about your "test" this week. Give me a call or email and let me know your thoughts. Thanks again for the opportunity to comment. 1

1 Roberson said that neither Tobias' story nor his technology was valid. In fact, several weeks earlier, Medeco's legal counsel had sent a letter suggesting that if Wired's story relied on Tobias for information, then that story could be inaccurate and, by implication, potentially actionable. Wired decided to put Tobias to the test: Could he and his lock-picking partner, Tobias Bluzmanis, open Medeco locks in an independent survey, on the record, and on camera?

First Response [PDF] 2

2 This was the full reply. The final page of the PDF has a summary of conditions, addressed point by point in the following email.

Regards,

Clyde

from Charles Graeber < >
to Clyde Roberson < >
date Tue, Feb 10, 2009 at 6:17 PM
subject the test
mailed by gmail.com

Clyde;

Thanks for your response last night. I'll dive right in, copying your conditions and putting my comments/questions in [[]]

So, to summarize, a fair and unbiased test should, at a minimum, comprise the following:

[[Sorry, a question before I even begin. I guess I'm a little over my head about the whole notion of 'conditions' so I wanted to clarify:

-are the conditions you are aware of which Medeco high security locks can be picked or bumped or otherwise compromised in less than the UL-rated time?

-if the conditions below aren't all met, would you assume that those same locks could then be picked or bumped or otherwise compromised in less than the UL-rated time?

-if the mounting issue is that important a condition, does that mean that a Medeco padlock could be picked or bumped or otherwise compromised in less than the UL-rated time? ]] 3

3 These questions, repeatedly asked, have yet to be answered by Medeco or Roberson.

1. […] at least 10 randomly produced, 6 pin, Medeco3 cylinders of current manufacture — Medeco would be willing to assist and you can feel free to examine all cylinders in a lab after your test.

[[Is the Medeco3 the same as the M3?

I've picked- […] had to have picked at random- 6 such locks of current manufacture. I believe they will be 6 pin but some may be 5 pin, it depends what's on the shelf. I don't consider this to detract from the randomness or real-worldness.

I've asked that they be bitted according to the big code book used, in my understanding, before additional codes were added in December 2007. Again, unless there has been some notification to customers and/or locksmiths that the pre-December 2007 codes are vulnerable to being picked or bumped or otherwise compromised in less than the UL-rated time, I consider this a fair re-creation of the status quo.

HOWEVER, I'd ask you to send another batch of locks for me to test- 10 or more if you 4 want. I will make every effort to have these locks included in the test. 5

4 Medeco never sent any of its products for Wired to test.

5 This issue sounds confusing but is very simple; we set out to test the locks Tobias wrote about.

Maybe Medeco changed its locks to address the attack — a natural evolution between hackers and hacked — but Medeco claimed otherwise, and anyway, Wired wasn't testing that evolution. The whole point of this exercise was to test whether Tobias and Bluzmanis could do what they said they could — and what Roberson said they could not. To that end, we wanted to minimize the variables and test only the locks and tech in question.

[…] to:

Wired Magazine
ATTN: Charles Graeber, Contributing Editor
C/O Mark Horowitz, NY Editor
4 Times Square 19th Floor
New York, NY 10036 ]]

2. Keys should not be […], examined, or have information disclosed about them before or during the test.

[[Granted.]]

3. Cylinders should not be viewed, disassembled, or examined before beginning the test.

[[Granted.]]

4. Keyways should not be revealed before or during the test.

[[Granted. They've been randomized- even I don't know them at this point.

Again though, a question- I know that some keyways are tougher than others. But does this mean that you believe that the keyways which aren't as difficult are in fact vulnerable to this attack? ]]

5. The cylinders should be installed in locks on closed doors to avoid tampering, manipulating, and to more closely approximate real-life conditions. Again, if you wish, we could assist you with this installation by referencing a locksmith to perform the work.

[[We will assure that there is no tampering or manipulating. As for the installation in closed doors, we'd love that, it's only a question of time, expense and logistics. I was going to put the locks in vices for that reason. Let me know about the installation though. What are you suggesting? Anyone that could come and do the work at the above address beforehand would be more than welcome. Please advise.]]

6. There should be a […] equivalent 10 minute time limit for the attempt to open any cylinder.

[[agreed. As a side note, what do you think about the other, longer standards, by the way? ]] 6

6 There are two standards that define high security, as mentioned […] The UL (Underwriters Laboratories) standard requires that a lock resist 10 minutes of covert entry technique, the ANSI/BHMA (American National Standards Institute/Builders Hardware Manufacturers Association) standard allows for 15. Roberson cites the shorter time allowance only, even though Medeco is rated by both labs.

What's interesting here is that the labs are allowed to strictly define the methods by which locks can be attacked, and limit their "tests" to include only those attacks. Meaning, if you invent a new hack, and UL or BHMA doesn't acknowledge it, that hack doesn't exist or affect the rating system. Believe it or not, bumping is still one of those unacknowledged lock hack technologies. Tobias' methods are others.

Essentially, this system dictates rules of engagement for criminals, then penalizes only the consumer if the criminals break those rules. Which is why Tobias is quick to point out that insisting that burglars or covert entry operatives "play by the rules" is not just oxymoronic, it's moronic, and that locks should be judged by their resistance to any and all attacks that a creative and skilled engineer might devise. After years of frustration, Tobias is finally being heard; Tobias has been added to the UL's Standards Technical Panel, in part to address exactly this problem.

7. […] demonstrate his claims that bumping, as well as picking, and under all the same conditions, can be used to open a Medeco3 cylinder.

[[yes, we'll be submitting the locks to both techniques and under the same conditions- although I believe Tobias has said and written that while he bumps many Medeco cylinders, bumping is not a technique which always works for any cylinder of any manufacture. But to disavow all bumping as being impossible based on this uncertainty seems to miss the danger which bumping can pose. Do you believe otherwise? Are some Medeco locks in fact vulnerable to bumping, and if so, which ones?]]

8. Mr. Tobias, or others, should independently perform all the tests, not just Mr. Bluzmanis, in order to demonstrate that the techniques are not solely dependent upon the talents of one uniquely skilled, veteran Medeco locksmith who may have acquired highly specialized knowledge of the products.

[[I believe this would put the onus upon one other highly specialized lock expert, wouldn't it? I'm not understanding this condition. Are you saying that Medeco cylinders are in fact vulnerable to this "Tobias Attack" when wielded by trained individuals? We'll be conducting a test on the technique. As far as I was aware, it wasn't specific to Tobias, who readily admits that he cannot now easily pick even relatively simple locks. Do you believe that Mr. Bluzmanis can, indeed, compromise Medeco products? And Bluzmanis alone?]]

9. A complete, uninterrupted, and unedited copy of the video recording should be provided to Medeco, or we should be allowed to have our own video personnel to record the entire demonstration.

[[Again, you and anyone from Medeco are encouraged to attend and to bring along with any recording device you chose. If you'd like to send a video team I'm sure we could arrange it, let me know. I'm not sure about sending the raw footage outside of the journalistic entity conducting a consumer test though, that's not my department. But it's possibly quite simple- I'll look into it of course.

Please let me know if you or anyone else is attending, whether you'll be sending locks, and what to do next regarding locksmithing. Among other things, I'll need names to put at the front desk to get everybody into the building.

Again, my thanks for your […] on this Clyde!

-C

from Clyde Roberson < >
to Charles Graeber < >
date Tue, Feb 10, 2009 at 6[…] PM
subject RE: the test
mailed by medeco.com

Thanks Charlie. I'll get back to you shortly.

Regards,

Clyde

from Charles Graeber < >
to Clyde Roberson < >
bcc Mark Robinson < >
date Wed, Feb 11, 2009 at 3:15 […]
subject also- you were recc'd locksmith for installing cylinders in doors for demo?
mailed by gmail.com

Hi Clyde

Another short one, with the bulk in the subject line. If the door or lock-type issues are of a serious concern, we'd obviously need to take care of them before the test tomorrow. Let me know? 7

7 Roberson expressed concern that if the locks were mounted in vices, rather than being set into real doors, they would be easier to pick. In the end, the only reason the locks were not door mounted were the mundane constraints of time and money. Door mounting is not explicitly required under ANSI/BHMA test standards (it is under UL guidelines).

from Clyde Roberson < >
to Charles Graeber < >
date Wed, Feb 11, 2009 at 6:23 PM
subject RE: also- you were recc'd locksmith for installing cylinders in doors for demo?
mailed by medeco.com

Dear Charlie,

I have received your response to our suggestions for what we consider to be the minimum requirements for conducting a fair and unbiased test. Frankly, although we appreciate your willingness to incorporate a few of our suggestions, your decision not to incorporate the others was disappointing and does, in our view, call into question the methodology and objectives of your event. Consequently, we cannot participate in it.

Our expectation is that your article will reference the fact that we proposed certain minimum test standards and that you elected not to adopt all of our suggestions.

Best regards,

Clyde

from Charles Graeber < >
to Clyde Roberson < >
bcc Mark Robinson < >
date Wed, Feb 11, 2009 at 8:07 PM
subject Re: also- you were recc'd locksmith for installing cylinders in doors for demo?
mailed by gmail.com

Clyde-

B[…]

Again, we're happy to take all your locks[…] requirements, time requirements- and Mr. Tobias has even expressed an eagerness to pick the locks himself, if that's what you believe to be the point of the exercise.

But adding those specific requirements will prevent us from testing the Medeco cylinders against Tobias's claims and technology under what several independent lock experts have considered to be fair and appropriate conditions. for journalistic and scientific purposes, it's only logical to test the locks in question, in the manner in question.

So I ask you- why not test it all? (that's a real question)

Anyway, I'm obviously disappointed that you're not going to participate in the test of your technology against Mr. Tobias' claims and attack method. Are you still willing to send us your latest-generation locks for testing?

If not, I need to ask, again: which conditions do you feel are unmet? What do you believe will be the result of not meeting those specific conditions? Are these the conditions under which Medeco locks are capable of being bumped, picked or otherwise compromised? Could your newest locks, under these conditions, be bumped or picked open by Tobias or Bluzmanis or anyone else trained in the method? (again, real questions)

I apologize for having to repeat these core […] in yet another email, but only a detailed response will help me understand the situation. Is there some specific danger on one of the conditions you feel is unmet? Which condition, and what is that danger? I'd welcome your answer and remedy.

So again, we have no conflict whatsoever, and I welcome you, your representatives, your locks, recommended locksmiths and any particular conditions you'd like to add to the test of your technology. And again, we hope for your cooperation. And if I can't have that, I hope for your answers.

Fingers crossed you'll reconsider,

-C

from Clyde Roberson < >
to Charles Graeber < >
date Thu, Feb 12, 2009 at 5:26 PM
subject RE: also- you were recc'd locksmith for installing cylinders in doors for demo?
mailed by medeco.com

Dear Charlie,

Your email from last night, […]ting your last-minute reversal of your earlier rejection of our recommendations, simply does not convince us that altering our earlier conclusion is warranted.

Regards,

Clyde

from Charles Graeber < >
to Clyde Roberson < >
date Thu, Feb 12, 2009 at […]12 PM
subject Re: also- you were recc'd locksmith for installing cylinders in doors for demo?
mailed by gmail.com

Clyde-

There you are. I thought you were out of the country. Have you already landed? Or is this a WiFi plane (I've not been on one yet). 8

8 Originally, Roberson had indicated that he would not be able to attend the test because he would be traveling.

[…] hours notification last night that you would not participate in a scientific examination of your locks. I got back to you within two hours. I feel sure that any outcome you wished for this communication was possible.

If you're still in the office, even the office of the ai[…], it's still my job to keep pestering you about the questions I keep sending. I understand that you are saying that your test conditions were 'rejected,' and thus the test was unfair in some way. Please elaborate with specificity. Again, the question is: Are Medeco cylinders vulnerable to being picked, bumped, or otherwise compromised in less than UL or BNHA High Security-rated times when those 'rejected' conditions are not met? And which conditions specifically do you say were 'rejected'? 9

9 As of this writing, Roberson has still neither acknowledged nor answered these questions.

[…]maged the se[…] of the science without tests or answers. I'm hoping to jump through the rhetoric, into engineering. I don't need your answer in two hours or anything, so please don't consider this a 'last-minute' request. I appreciate your time in clarifying.

Thanks again;

C

(oops, typo- "BNHA" was obviously supposed to be "BHMA" […]day)

-C