Security commentators, myself included, regularly comment on the security patching cycle and the problems associated with it. What we tend not to do, though, is comment on the "patching" problem for physical security systems.
This seems a bit bizarre. In the same way that attackers find holes in computer security systems, problems are found with physical security systems such as locks, safes, intruder alarms, and so on. And like the IT security industry, the physical security people regularly attack their products to see how well they resist.
Where the two worlds diverge is regarding the release of information about weaknesses that are discovered. It's almost unheard of for advisories to be released about physical security systems. When Matt Blaze published his excellent paper on safecracking (see www.crypto.com/papers), it was met with cries of despair from the vendor community.
I find this all rather peculiar. While it's true to say that the cost of “patching” physical systems will generally be higher than patching computer systems, that doesn't explain why customers aren't informed of the problems.
For example, there was some recent coverage in the tabloid press regarding a “new” attack on the “Euro cylinder” lock. The Euro cylinder is the standard lock cylinder that is fitted in double-glazed doors; you may have one in your house or office.
The attack is quick, simple and requires little training when the right tool is provided. It's the locksmithing version of a remote root script exploit (direct access to the outside of a door is the burglar's standard attack position, in the same way that remote access via a network is that of a computer criminal).
There is a countermeasure, which involves replacing the cylinder with a slightly modified version designed to fail safe (that is, stay locked) when attacked. Indeed, good locksmiths will be well informed about the leading brand's replacement.
If you do have such a cylinder, the chances are that the company that supplied your door hasn't told you anything about this. And I wouldn't lose too much sleep over it either; the exploit rate is relatively low, and burglars prepared to do that sort of damage might well get in anyway.
So next time you're cursing the uphill struggle to keep your software patched, look on the bright side. At least you find out about the problems with your software and usually get fixes from the vendor. In the physical world, that's the exception, not the rule.