Most Security Measures Easy to Breach, Expert Says

Vulnerability Assessment Team at Argonne National Laboratory break into "foolproof" systems

When things go really, really wrong, Roger Johnston has a really, really good day.

After all, he's usually the man who made them go wrong.

Johnston has a PhD, 10 patents to his name, and what every 10 year old kid would think is a dream job. As chief of the Vulnerability Assessment Team at Argonne National Laboratory outside Chicago, he has made it is his mission to crack into every security system labeled as foolproof by their creators.

"We need to be thinking like the bad guy," said Johnston. "The unfortunate reality is that the bad guys get to define the problem. The good guys don't."

Those card readers at your office? Piece of cake, says Johnston. Nothing secures the boxes to the wall. By inserting some simple circuits inside, he can come back days later and play back the code of the last card passed across using only a magnet.

It's a great example of what Johnston said he sees time and again: security systems which themselves are not very secure.

"Yes, it's remarkable how many high-tech security products, really don't have much security," he said.

One of the most frightening examples Johnston has turned up is in one of the nation's most treasured franchises: the right to vote. He said he's found that most voting machines have almost no security to reveal tampering. Thus, he said, it's a fairly simple matter to tinker with the electronics while machines are in storage or being transported by the truckload. He has even demonstrated how he can turn cheating mechanisms in voting machines on and off by remote control.

"It's much easier to steal the election, right at the electronic voting machine," said Johnston. "In many cases, we see security devices or electronic voting machines where we really have to wonder, 'Did anybody spend 60 seconds figuring out the security issues?"

Johnston and his team said they have learned that all too often, the highest tech systems can be cracked by the lowest tech methods.

"Yes, we almost never need a high-tech attack against a high-tech system. We actually defeated a biometric access control device with parts from a BIC pen."

That's because the "bad guys", as he likes to call them, aren't necessarily going to even try to outsmart gee-whiz gizmos. After all, why go after a retinal scanner when you can simply use a credit card to open the virtually unsecured door?

"Bad guys are not necessarily going to attack an access control device just because you installed an access control device," he says. "In many cases there are very secure fixes. But there just seems to be a problem with people designing these devices not thinking like the bad guys."

He is especially critical of what he calls "security theater;" precautions which are more show than substance and often glaringly ineffective.

"We see this time and again where it looks impressive, but it really doesn't address the security problems of the device," he lamented.

At his lab on the sprawling Argonne campus west of Chicago, Johnston said he is still looking for the uncrackable system or the high-tech gadget which will outsmart him.

"I'd like it to be something where you really need to be James Bond," he said.

Has it happened yet?

"Nowhere near."

Contact Us