It is 4 a.m. on this day in June 2020 when Dominic Villeneuve goes down to the basement of his house. The man from Drummondville gets up very early, because he has given himself a goal with considerable implications in terms of security, outside his normal working hours: to try to open a lock, without a key or code… and without the ’cause damage.
To do this, he settles down in front of a red metal cart to tackle his challenge, which has been sitting there for a few weeks: a Schlage CO-100 keypad lock, which retails for over $500 in Canada and is widely used in retail, office towers and industrial buildings around the world.
He observes the object of his attention and notices a hole which serves to evacuate the water, in the lower part of the lock. He first inserts metal wires there to try to reach the mechanism, without success. Too rigid. He tries again, this time with tie-wraps (tie wraps) of different sizes, which he cuts in three places to form hooks. After four or five attempts, the instrument finally slips through. It pulls slightly downwards, and click! The lock is foiled.
« I said to myself: it can’t be simple like that, » says this 46-year-old cybersecurity specialist enthusiastically. To convince himself of the seriousness of his exploit, he went to the offices of his employer, UV Insurance, where there were about ten locks of the same model. In a few seconds, its modest plastic rod unlocks all doors.
That day, Dominic Villeneuve discovered a flaw in a commercial lock recognized as a reference on the market due to its highest security rating in the industry. He will then try, for more than a year, to convince his manufacturer to correct the problem and notify the affected customers, until his patience reaches its limit and he decides to take matters into his own hands. .
Dominic Villeneuve is what is known in the cybersecurity world as an “ethical hacker”. It is his profession. As director of cybersecurity and infrastructure at UV Assurance, a life insurance company more than a century old in Drummondville, he infiltrates, for example, the company’s website and database to find vulnerabilities, then plug them.
He believes his goal has been achieved: the company has been informed of the problem, a solution has been found. But the warning to the general public does not come immediately.
And it is perhaps no coincidence that, outside of work and leisure, he is also a pastor at the Reformed Baptist Church of Drummondville, which he co-founded about a year ago. an, a current of Protestantism that gives pride of place to the virtues of the laws « of men » and to their respect, as well as to certain principles of social justice. “I think there is a connection between the two. In my work as an ethical hacker, I help businesses, and as a pastor, I help believers. »
When he engages in lock picking (lock picking), he does it both for fun and to help out. Tens of thousands of followers on the planet practice this activity, including ethical pirates like him, but also people with varied profiles who share the pleasure of solving a three-dimensional puzzle. On Reddit and YouTube, they share tips and tricks for defeating any mechanism, whether it’s a lock, a padlock, a Denver shoe or a locking system for a firearm. fire.
His ethical profile prompts Dominic Villeneuve, towards the end of June 2020, to call the company Allegion, which owns the Schlage brand. He immediately obtains a telephone interview with the director of cybersecurity, Frank Kasper. He sends her his video of the lock picking. At the time, Kasper believes in a hoax, but he is quickly convinced by the explanations of his interlocutor.
Quickly, Allegion engineers developed a part to block the water drainage hole and sent a copy to Villeneuve in August 2020 so that he could put it to the test. He manages to remove the part in seconds and advises the company to go back to the drawing board.
Months later, in February 2021, he finally receives a modified lock, on which the security flaw has been corrected using an improved version part to plug the hole of the locks already present on the market.
He then believes that his goal has been achieved: the company has been informed of the problem, a solution has been found. All that’s left is to tell all the customers to secure the lock they have, he told himself. But the warning to the general public does not come immediately.
Allegion claims to have notified its partners and distributors who sold vulnerable locks, i.e. models CO-100, CO-200, CO-220 and CO-250 manufactured before February 2021, by an information bulletin dated July 2021. This sheet three-page technique that is now on the company’s site explains the nature of the problem and how to fix it with the part designed to plug the drain hole. Allegion states that this part is free, but sent on request only, and refuses to say how many units have been shipped so far.
However, this newsletter does not appear in the list of Allegion press releases, and Dominic Villeneuve was never informed of its dispatch. “When Toyota noticed problems with the brakes of its cars, it did not hide it. She did a full-scale recall. I would have expected the same from Allegion,” he says.
That’s why in December 2021, with no news from Allegion, he takes action. He publishes a five-minute video – viewed more than 6,000 times since – in which he explains what he found and especially how to fix the flaw. He’s come up with his own piece, called the Tie Breaker, for sale for around $12 for a two-pack on the Sparrows Lock Picks online store, which he works with. At the beginning of February, its owner said he had received nearly 2,100 orders.
Dominic Villeneuve is aware that his approach will not only bring him praise. When the idea is submitted to him that his video could have incited criminals to imitate him to commit misdeeds, he answers without hesitation: “They can also take a brick to break down a door. We will not remove the bricks from the streets. I know the risk of people using the flaw for malicious purposes is slim. »
Above all, he hopes that his efforts have succeeded in reaching people who bought a problematic lock before the modification by the manufacturer. He estimates that millions of vulnerable units have been sold over the years by Allegion, a figure the company has not confirmed.
“I want big business to take responsibility. They sell security products, so they have to live with the consequences when a flaw is discovered. »
In his mind, the story of the Schlage lock is closed, but he is not done thwarting mechanisms. Like this electric strike lock which, at the time of our visit last February, was lying around on one of his workspaces, surrounded by dozens of tools. “This is my next challenge! he said with a smile.
Less than a month later, a new video appeared on his YouTube channel. He explains how he overcame it… and of course how to secure it.
This article originally appeared in the May 2022 issue of Newsunder the title “A flaw at the door”.
#Hack #good
