Monday, August 26, 2013

Wheel locks - Theft deterrent or mostly annoying?

As I was trying to change a tire on my wife's SUV the other day, in the pouring rain, I realized something... those little wheel locks (the funny-shaped bit that's on one of the wheel lugs so you have to have the "key") are the quintessential example of a security idea that just doesn't past real-world muster.

There I was, changing a tire, getting soaked, and now I was going to have to dig through my glove box, arm rest, trunk compartment for that special key so I could get the damn wheel off. As I was cursing the people who put these things on the truck I tried to understand why they are put on cars anyway. Turns out, this is a security feature, right? To keep people from stealing wheels from nice cars (or sometimes not) these were meant as a deterrent to theft, and to frustrate the would-be wheel thief. There's just a few problems with this...
  • Wheel locks barely add any anti-theft "security" - primarily because thieves can get these things quite easily, you don't need any special permissions, validation that you own that particular make and model, or really anything else. If I wanted to steal the wheels off of a high-end Mercedes I'd simply call up the local dealership, ask them for one, and then go off and steal the wheels off the car.
  • The inconvenience to losing one of these is immense - if you've ever lost one, or can't find out, you know what I'm talking about. As I was there on the side of the road, getting soaked and cursing up a storm I wondered where I could get one so the rest of my day wasn't spent calling dealers, and trying to get a ride to pick one of these up from a dealer that was less than 25mi away. Very frustrating.
  • Wheel locks are expensive! - I'm not one to complain about a $25 part, but when I have to pay the dealership $25 (or more) to replace one of these wheel locks, which is just annoying to me anyway, I'm upset and feel like I'm getting hit when I'm already down. Again, very frustrating.
The lesson learned? Sometimes something that has a reasonable perceived security value to inconvenience trade-off is completely wrong in the real world. This is perfectly in-line with how I feel about having to change your password every 30 days, or those often insane-sounding complexity requirements for passwords (you know, 10 characters, 2 numbers but not in the beginning or end, and an upper-case letter, but no spaces of "special characters", and no repeats) ... come to think of it I'm starting to feel like passwords altogether are going this direction in general.

My plea to you security professionals out there, and those that are aspiring to lead enterprises into the future of security - please, please think about what you're asking not just developers but end-users to do and then weigh that carefully against the real risk-reduction benefit. Often times if you're forced to do a failure-mode analysis-like activity around your desired control you may find out that there are 100 ways this new thing can be heavily inconvenient to the end-user, while there are less then a handful of cases where it will benefit and reduce risk.

Love wheel locks? Hate 'em? Have a real-life story to share? Love to hear your input, frustrations, and snarky commentary. Hit me on Twitter (@Wh1t3Rabbit) and hashtag your tweets with #SecBiz ... let's learn from other seemingly great ideas!

2 comments:

David V said...

Excellent analogy, because time, is money as they say. What irritates more than anything is when an organizations policies or internal communications are so complex, either due to size or poor leadership, that more time is spent trying to figure out a way to implement or integrate innovative solutions, that you just end up giving up. The same can be said for training the force. Recently I had the annual chore of infosec training. The organization that I work with decided to spend tons of money creating a game to keep in touch with the youth, but mandated that EVERYONE had to complete this training. I could just envision high ranking individuals playing rock 'em sock 'em robot which was incorporated to this training program. So, without doubt, many folks didn't get the real message of the training. Training shouldn't be like the wheel lock, annoying, hard to find when needed, or slippery when wet.

Cat Assassin Akademy said...

Agree with blog posting and comment.

Google+