Marc Weber Tobias has dedicated his life to fortifying the age-old lock. From the time he was a child he’s been reverse engineering things to see how they work. Fast forward to today, and Tobias is a renowned investigative attorney and physical security expert with more than 30 patents. For the past 40 years he has worked on investigations, both criminal and civil, first for government agencies and then private corporate clients. Tobias also works for many of the major lock manufacturers globally and runs a team that figures out how to compromise these locks in seconds, then fix them.
Dubbed the "Keymaster" by Wired Magazine, he recently published Tobias on Locks and Insecurity Engineering: Understanding and Preventing Design Vulnerabilities in Locks, Safes, and Security Hardware, a nearly 700-page tome that provides an examination of and history of the lock – showing people where there are vulnerabilities in locks and safes and then how to overcome them.
“Locks are a very complicated business, so I decided to write a book about my experience and hopefully it will help not only design engineers, but also law enforcement, crime labs, risk managers – anyone involved in security from all areas – to identify and mitigate vulnerabilities,” says Tobias. “I’ve found that engineers are not familiar enough with all the tools and techniques that are available to bypass locks. And as a lawyer I have been dealing with locks for my whole career … I understand all the pieces.”
Tobias gives the famous example of “lock bumping,” which he says is still an issue today, even though the problem was brought to national attention nearly 20 years ago. “We introduced the concept of lock bumping to the U.S. in 2006 and 2007, and I was probably on 100 TV interviews showing people the vulnerability. I mean, it is just crazy because they didn't understand the problem then and it's still a problem today.”
Tobias says the book imparts much of the knowledge and wisdom he has gained working with all the major lock companies in the United States, Europe and the Middle East for the past 20 years.
“Our task is to look at product design and figure out how the locks can be opened,” Tobias explains. “I have seen a lock compromised by 11-year-old kids in seconds, after a company spent millions of dollars in R&D.”
Tobias and his team also run a security engineering lab at the University of Pittsburgh. “We have senior engineering students in our class this semester, which has given me a really good perspective alongside the engineers we work with worldwide,” says Tobias, noting that today’s curriculums are too heavy on theory and not enough on practical applications. “They have no concept of the balance between security and design, especially mechanical engineers.”
He is also seeing this with manufacturers, especially post-pandemic with budget cuts and increasing retirements of senior level engineers and R&D folks.
“They're losing all of their engineers that really know anything – there's no institutional memory,” he points out. “So, all these engineers, like I said, know how to make things work really well, and we're talking mainly about mechanical locks, but now with the integration of electronics, the problem is they don't know how to break things – and that's a 50-50 equation in engineering.”
What is Insecurity Engineering?
So where did the phrase insecurity engineering come from? Tobias recalls, “I've lectured at Cambridge University for more than 20 years, at their computing school in England, and it was there I met a genius, Professor Ross Anderson [who recently passed away], who wrote the book called Security Engineering, now in its third edition,” he explains. “It is the reference on what can go wrong in computer-based designs – everything from satellite receivers to door locks. I'm in his books, so one of the times I was lecturing I thought – what these companies are doing is insecurity engineering … so I coined the phrase.”
Essentially, engineers unwittingly design these flaws in the locks many times because they are lacking the knowledge of how it will be applied in real-life situations. Working on so many cases that ended tragically because a lock, for example, was engineering insecurely, as in the case with a safe holding a gun that is compromised by a child, Tobias is hopeful his book will help the industry learn from the numerous examples he gives.
“It's also a really good guide for reverse engineering locks to figure out how they were compromised or how they can be compromised, especially for law enforcement, crime labs and covert entry teams,” he points out. “I've been a technical advisor for the leading crime lab forensics group in the world called AFTE, The Association of Firearms and Tool Mark Examiners, so they call me on occasion when they need expertise on locks.”
Tobias is also a member of InfraGard, which is a partnership between the Federal Bureau of Investigation (FBI) and members of the private sector for the protection of U.S. Critical Infrastructure. “They are liaison between public and private, and they're tasked with protecting 14 critical infrastructures. And if you look at some of the locks and security on some of this infrastructure, some of it's easy to compromise. So, this has really serious implications and real-world implications.”
He also worked as chief of the Organized Crime unit in South Dakota for the Attorney General, where Tobias says he had the unique experience of seeing into the mind of a criminal, so to speak. “For 16 years I helped run Internal Affairs investigations for the governor's office, and I was a polygraph examiner for 30 years. So, I was lucky in a way to work with criminals – I interrogated thousands of them and caught lots of them.”
He continues, “Working in law enforcement, especially what I did at a high level, testifying on many cases, it gives me a real perspective that most people don't have. I think more like a criminal than anything, which I tried to point out in the book as far as vulnerability assessment testing and selecting a vulnerability assessment team, because this takes really special skills. My background, especially as a lawyer, is why I was hired by all the lock companies because as a lawyer, if we find vulnerabilities in their designs, if somebody sues them for defective product, they can't force me to testify. And so, for us, we've created a little niche in the world for what we do.”
The Rise of Electronic Access Control
With electronic access control becoming much more prominent these days, it adds another layer of vulnerability, as It's more about what's controlling that mechanical lock than anything else, Tobias explains.
“Something has to move in the lock is one of my rules, as electronics don't open doors, mechanical locks do, so we always attacked the interface between electronic and mechanical because that's always where the vulnerability is,” he points out. “And I mean electronics are taking over, and they offer some incredible options and convenience, but it's access control and the problem is, there's always ways to hack things. We're not software guys, but we've got cyber experts that we work with.”
The trick with electronic locks, Tobias insists, is whether it can be done securely. “All you're doing is adding another layer of complexity, which also means it's another layer of vulnerability and that’s the problem,” he says, noting that locksmiths in the U.S. are not as trained on the IT side of things.
“It has become a real problem in Europe and the United States, with man in the middle attacks,” he adds. “I wrote the article and was in contact with the head of Quality Control at Mercedes, and they put out a memo a few years ago warning everybody. This is the problem and hopefully everybody will read my book and at least get some insight into a different way of thinking.”