Tampering with Tamper-Resistant Screws

While their overall security is still moderate at best, it is sufficient for many situations that do not warrant the added expense of locks.


Some lock manufacturers are offering good solutions to this problem. Schlage addresses this issue by putting one screw-head on each side of the door. Arrow goes further by concealing the screw-heads with a rotating plate that exposes them only when the key is turned. Lori uses mortise lock-cylinders, thereby requiring that the door be opened before the set-screws that hold them in place can be loosened. As locksmiths, are we not expected to provide (or at least recommend) hardware that has the appropriate level of security for the application?

In the third situation, a proximity-card reader is fastened to the exterior of a factory with fairly high security needs. It uses the standard Wiegand protocol to transmit identity information to an access control system. Since the Wiegand protocol provides no protection against intercepting electrical signals and replaying them later to impersonate a previously authenticated user, the plastic cover and two tamper-resistant screws are all that stand in the way of an attacker installing a small gadget that will provide him access later on.

Zac Franken demonstrated this at DEF CON 15, a security conference held in August of 2007. The security of a building that has an expensive access-control system is important enough that it should not be subjected to the security limitations of a pair of fancy screws, especially once it has been publicly demonstrated that the security of such a system is lacking.

With a constantly-monitored surveillance system that would detect tampering and provide a prompt response, perhaps the building would be sufficiently protected. But alas, no such system is in place on this door. If it is desirable that the building be secured without the need for constant monitoring, then I suggest that card readers be installed inside the building and that they read cards through the walls. If they must be installed on the exterior, a beefier card-reader enclosure should be used and the installer should make sure that it is well and securely fastened in place.

All I’m saying is to keep a healthy level of paranoia about tampering hoodlums, whoever they may be, and to consider whether the assets are sufficiently protected against the threats. Sometimes they are; sometimes they’re not.

We Recommend