From: www.itworld.com

My Love/Hate Relationship with Our Electronic Entry System

by Brian Hatch

April 8, 2002

My current client's office has two ways of getting into the building.
If the office manager is at her desk and knows you, she will buzz the
door for you. If she's elsewhere (i.e. running the company), then you
need to type your passcode on the numeric keypad by the door.

Each of the 150 employees has his or her own 5-digit passcode, which
means the chances that an intruder could guess correctly are pretty
darn small. Five digits isn't too hard to remember, but is more than
most folks would choose on their own.

The annoying part is that the numbers on the keypad seem to be
migratory. Each time you get to the door, the keypad is completely
blank. When you tell it to turn on, it lights up the digits 0-9 on the
keys randomly, so each time you want to get in, you need to figure out
where the keys are located this time. This is really annoying to those
of us who like to commit codes and passwords to motor memory, leaving
higher brain functions out of it entirely.

To make matters worse, the keypad does not have great contrast, and is
in a spot where the sun is usually quite brightly shining. The sun is
far too often shining brightly here in beastly California, but that's a
different pet peeve of mine.

To combat the sun, the keypad has a shield at the top to provide some
shade. However, since the pad is mounted about four feet off the
ground, you can't see the keys when you are standing normally.

The result of all these conditions is that you must bend down, put your
eyes about three inches from the keypad, squint, and try to find where
the digits of your PIN have gone to this time. The keypad manufacturer
was either sadistic, stupid, or extremely security conscious.

The physical stance we must adopt keeps anyone from looking over our
shoulder and the sunshade completely blocks any other viewing angles.
Since the keys are never in the same place twice, watching someone's
hand motions to figure out which numbers are being pressed is
impossible. The best an observer would be able to glean is whether any
numbers are used twice in a row (because you'd tap twice without moving
your hand) or, if they are really good, they might be able to tell if a
number is repeated elsewhere in your PIN.

We are not allowed to pick our own codes; the security office gives
them to us. The codes are generated pseudo-randomly by computer, but
are tweaked to minimize duplicate digits and eliminate consecutive
identical numbers, rendering the two PIN-based vulnerabilities just
mentioned unlikely. So in the end we have a system that, while being
slightly annoying, is both functional and secure.
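
The trade-off in that tweak can be put in numbers. The following is an
added example, not code from the article or from the keypad vendor: the
exact filtering policy (no identical neighbours, a cap on repeated
digits) and every function name are assumptions; the code length of 5
and the 150 employees come from the text above.

```python
import secrets
from itertools import product

DIGITS = "0123456789"
CODE_LEN = 5     # from the article
EMPLOYEES = 150  # from the article


def acceptable(code, max_repeats=0):
    """Assumed policy: no identical adjacent digits, and at most
    max_repeats digits that duplicate an earlier digit in the code."""
    if any(a == b for a, b in zip(code, code[1:])):
        return False
    return len(code) - len(set(code)) <= max_repeats


def issue_codes(n=EMPLOYEES, length=CODE_LEN, max_repeats=0):
    """Draw codes from the OS CSPRNG, rejecting any that break the
    policy; the set guarantees one distinct code per employee."""
    issued = set()
    while len(issued) < n:
        code = "".join(secrets.choice(DIGITS) for _ in range(length))
        if acceptable(code, max_repeats):
            issued.add(code)
    return issued


def keyspace(length=CODE_LEN, max_repeats=None):
    """Count the codes the policy allows (None = no filtering)."""
    if max_repeats is None:
        return 10 ** length
    return sum(acceptable("".join(p), max_repeats)
               for p in product(DIGITS, repeat=length))


def single_guess_odds(space, n=EMPLOYEES):
    """Chance that one blind guess matches any issued code."""
    return n / space


if __name__ == "__main__":
    for label, cap in (("unfiltered", None), ("no adjacent repeats", 4),
                       ("one repeat allowed", 1), ("all distinct", 0)):
        space = keyspace(max_repeats=cap)
        print(f"{label:20} {space:6} codes, "
              f"one guess hits {single_guess_odds(space):.3%}")
```

Filtering out repeats removes what an observer could learn from hand
motion, at the price of a smaller pool of valid codes per guess.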

Compare this to other places where I've worked, visited, or performed
security audits. I've scammed so many door codes (even though I really
try not to) that there has never been a place I couldn't access. My
favorites are push-button locks that have a common key for everyone.
Ignoring the fact that the code is usually changed only once every year
regardless of how many employees have left in the interim, when a door
has only one key, the keys themselves start to show uneven wear.

My favorite example is a place in a Chicago suburb where the gloss had
worn off of the 1, 2, and 3 keys. You could brute-force the six
combinations of this easily. (OK, eighteen combos if the PIN was four
digits long.) However, any familiarity with the location would suggest
that the key would be 312 -- the area code for Chicago.

The tricky part was when I came to a door with a different code. It had
the same wear pattern, but no three- or four-digit permutation worked. I
figured that this code was new, because the servers had recently been
moved there. Based on the use of 312 everywhere else, I tried the most
logical next guess, 773 -- one of the new Chicago area codes. Click,
click, in I walked.

So, though my chiropractor and I are annoyed at the keypad at our
building, I must admit it affords much better security than most
systems out there with a minimum of hassle. Now we just need to get one
on the door to the server room, instead of that old-fashioned lock.
Keys are so twentieth century....