A hazard of working in computer security is that you see the world through a security-focused lens. Suddenly, mundane tasks transform into interesting intellectual challenges: "That card shuffle did not consume enough entropy!" ... "Posting this online will open me up to social engineering!" ... "People can learn my bike lock combination through a small number of observations!"
The last one is a constant annoyance, because every time I lock my bicycle I know I am providing the data required to steal my bicycle. Imagine someone reads my "scrambled" combination every day I leave it at the bike stand. The horror! Even without changing the combination, it is easy to compromise the combo within 14 days. Let me explain how.
Every time I lock my bicycle lock, I scramble numbers from a valid starting combination. Attackers can observe the scrambled numbers each day and build a dataset for inferring the original combo.
In the table below, I give observations of my hand-scrambled bicycle combination. You can solve for my combination using what is called a "distance metric" and I employed one of the simplest in my solution.

"Scrambled" Combinations

| | | | |
|---|---|---|---|
| 5 | 7 | 7 | 1 |
| 4 | 6 | 0 | 0 |
| 5 | 8 | 7 | 1 |
| 9 | 9 | 9 | 2 |
| 7 | 7 | 5 | 9 |
| 7 | 9 | 9 | 0 |
| 8 | 8 | 5 | 8 |
| 8 | 0 | 1 | 4 |
| 6 | 3 | 4 | 9 |
| 8 | 8 | 5 | 9 |
| 4 | 6 | 4 | 5 |
| 8 | 9 | 8 | 2 |
| 4 | 3 | 9 | 4 |
| 9 | 0 | 5 | 8 |

Solution: 7-8-7-0
Making My Lock Secure
This isn't all bad though. Instead of randomly perturbing the lock combination, I can pick a number as a "locked" state and make sure I set it instead of my frantic "randomization."
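To make the leak and the fix concrete, here is an added Python example (not the author's code) that runs over the 14 observations from the table. It assumes one particular distance metric, the total wrap-around distance per wheel, since the post does not say which metric was used; the fixed parked value 0000 is also constructed for illustration.

```python
from itertools import product

# The 14 observations from the table in this post (one string per day).
OBSERVED = ["5771", "4600", "5871", "9992", "7759", "7990", "8858",
            "8014", "6349", "8859", "4645", "8982", "4394", "9058"]


def dial_distance(a: int, b: int) -> int:
    """Clicks needed to turn a 10-position wheel from a to b (9 wraps to 0)."""
    d = abs(a - b) % 10
    return min(d, 10 - d)


def best_digits(column: list[int]) -> list[int]:
    """Digits with the smallest total distance to all observed digits."""
    # Assumed metric: sum of wrap-around distances (the post names none).
    cost = {c: sum(dial_distance(c, o) for o in column) for c in range(10)}
    low = min(cost.values())
    return [c for c in range(10) if cost[c] == low]


def candidates(observations: list[str]) -> list[str]:
    """Combine the per-wheel minimisers into full candidate combinations."""
    columns = [[int(row[i]) for row in observations] for i in range(4)]
    per_wheel = [best_digits(col) for col in columns]
    return ["".join(map(str, combo)) for combo in product(*per_wheel)]


if __name__ == "__main__":
    # Hand scrambling: 10,000 possibilities shrink to a handful.
    print("hand-scrambled:", candidates(OBSERVED))
    # Mitigation from this section: always park on one fixed value
    # (0000 is a constructed example). The output is the parked value,
    # which says nothing about the real combination.
    print("fixed parked state:", candidates(["0000"] * 14))
```

Under this metric two wheels tie, so four candidates remain, and the solution given above is one of them.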
I love this combination lock as an example of how UI can create security vulnerabilities. If the lock manufacturer made small modifications to their lock, users would not continually leak information about their secret key. It also illustrates how building systems that are both usable and secure requires examining how users interact with the system in the wild. Otherwise the user will compromise themselves without deploying the easy fix.
Credit: I pulled the Creative Commons Licensed photo from Flickr.