There I was, changing a tire, getting soaked, and now I was going to have to dig through my glove box, arm rest, trunk compartment for that special key so I could get the damn wheel off. As I was cursing the people who put these things on the truck I tried to understand why they are put on cars anyway. Turns out, this is a security feature, right? To keep people from stealing wheels from nice cars (or sometimes not) these were meant as a deterrent to theft, and to frustrate the would-be wheel thief. There are just a few problems with this...
- Wheel locks barely add any anti-theft "security" - primarily because thieves can get these things quite easily, you don't need any special permissions, validation that you own that particular make and model, or really anything else. If I wanted to steal the wheels off of a high-end Mercedes I'd simply call up the local dealership, ask them for one, and then go off and steal the wheels off the car.
- The inconvenience of losing one of these is immense - if you've ever lost one, or can't find one, you know what I'm talking about. As I was there on the side of the road, getting soaked and cursing up a storm, I wondered where I could get one so the rest of my day wasn't spent calling dealers, and trying to get a ride to pick one of these up from a dealer that was less than 25 mi away. Very frustrating.
- Wheel locks are expensive! - I'm not one to complain about a $25 part, but when I have to pay the dealership $25 (or more) to replace one of these wheel locks, which is just annoying to me anyway, I'm upset and feel like I'm getting hit when I'm already down. Again, very frustrating.
The lesson learned? Sometimes something that has a reasonable perceived security value to inconvenience trade-off is completely wrong in the real world. This is perfectly in line with how I feel about having to change your password every 30 days, or those often insane-sounding complexity requirements for passwords (you know, 10 characters, 2 numbers but not in the beginning or end, and an upper-case letter, but no spaces or "special characters", and no repeats) ... come to think of it, I'm starting to feel like passwords altogether are going this direction in general.
My plea to you security professionals out there, and those that are aspiring to lead enterprises into the future of security - please, please think about what you're asking not just developers but end-users to do and then weigh that carefully against the real risk-reduction benefit. Oftentimes, if you're forced to do a failure-mode-analysis-like activity around your desired control, you may find out that there are 100 ways this new thing can be heavily inconvenient to the end-user, while there are fewer than a handful of cases where it will benefit and reduce risk.
Love wheel locks? Hate 'em? Have a real-life story to share? Love to hear your input, frustrations, and snarky commentary. Hit me on Twitter (@Wh1t3Rabbit) and hashtag your tweets with #SecBiz ... let's learn from other seemingly great ideas!