We're sorry but this page doesn't work properly without JavaScript enabled. Please enable it to continue.
Feedback

A Failure of Imagination: Kwikset Smartkey and Insecurity Engineering

00:00
Untertitel
Aus
Abspielgeschwindigkeit
1
Untertitel
Aus
Englisch (automatisch erzeugt)
Abspielgeschwindigkeit
0.25
0.5
0.75
1
1.25
1.5
1.75
2
Qualität
576p
21
 Zitieren
 Teilen
 Zugehöriges Material
 Herunterladen Bestellen
Kein Logo verfügbarDEF CON
 Tobias, Marc Weber Bluzmanis, Tobias

Formale Metadaten

Titel
A Failure of Imagination: Kwikset Smartkey and Insecurity Engineering
Untertitel
One of the most secure and insecure locks in America
Serientitel
Anzahl der Teile
112
Autor
Lizenz
CC-Namensnennung 3.0 Unported:
Sie dürfen das Werk bzw. den Inhalt zu jedem legalen Zweck nutzen, verändern und in unveränderter oder veränderter Form vervielfältigen, verbreiten und öffentlich zugänglich machen, sofern Sie den Namen des Autors/Rechteinhabers in der von ihm festgelegten Weise nennen.
Identifikatoren
Herausgeber
Erscheinungsjahr
Sprache

Inhaltliche Metadaten

Fachgebiet
Genre
Abstract
Homeowners, apartment complexes, and businesses throughout the United States and Canada have purchased locks from one of the leading manufacturers in the country in the belief that they were secure. Advertising represents they are the highest grade of residential security available as a result of security ratings from different Standards organizations. While the design of this lock effectively resists certain forms of covert and forced entry that are common with other mechanical cylinders, there are also what we perceive as serious design flaws that will allow these locks to be opened, bypassed, or decoded in seconds. Because this is one of the most popular locks in America, the consumer needs to understand the inherent security vulnerabilities in order to assess their risk. In this presentation we analyze the design of this lock and earlier similar designs implemented by other manufacturers. The focus is on a failure of the design engineers to understand different methods of bypass and to protect against them, and why standards and what they purport to define may be misleading and misrepresent the real security of a product.Consumers rely upon the representations of manufacturers and the security ratings of locks by Underwriters Laboratory and the Builders Hardware Manufacturers Association to assure them of the quality and resistance to attack of the locks they buy. We present evidence that millions of homeowners and businesses that have implemented these locks can be vulnerable to simple methods of entry of which they may not be aware.This is a classic example of insecurity engineering in a very clever and unique mechanical lock. Unfortunately, the very unique mechanism also provides the basis for several incredibly simple attacks that can be performed with a minimum of time, tools and training. Marc Weber Tobias is an investigative attorney and security specialist living in Sioux Falls, South Dakota. He is the principal attorney for Investigative Law Offices, P.C. and as part of his practice represents and consults with lock manufacturers, government agencies and corporations in the U.S. and overseas regarding the design and bypass of locks and security systems. Marc and his associates also conduct technical fraud investigations and deal with related legal issues. Marc has authored five police textbooks, including "Locks, Safes, and Security", which is recognized as a primary reference for law enforcement and security professionals worldwide. The second edition, a 1400 page two- volume work, is utilized by criminal investigators, crime labs, locksmiths and those responsible for physical security. A ten-volume multimedia edition of his book (LSS+) is also available online. Marc has written extensively about the security vulnerabilities of products and has appeared in numerous television and radio interviews and news reports as well as magazine articles during the past thirty years. He is a member of several professional organizations including the American Bar Association (ABA, American Society for Industrial Security (ASIS), Associated Locksmiths of America (ALOA), Association of Firearms and Tool mark Examiners (AFTE), American Polygraph Association (APA) and the American Police Polygraph Association (APPA). Tobias Bluzmanis was born in Caracas, Venezuela. Tobias came to the United States in 1995 and was granted citizenship in 2000. He has been a professional locksmith for the past 20 years. Tobias is an expert in Covert Methods of Entry and has developed many unique forms of bypass, custom tools, including a decoder for Medeco locks, which was the impetus for the book "Open in Thirty Seconds".
00:00
GeradeProdukt <Mathematik>Quelle <Physik>DruckverlaufVideokonferenzSystemaufrufMengeRechenwerkPersönliche IdentifikationsnummerDienst <Informatik>SoftwareschwachstelleNegative ZahlKartesisches ProduktMAPSchlüsselverwaltungCASE <Informatik>MereologieZahlenbereichRechenschieberGeradePunktRechter WinkelStandardabweichungMechanismus-Design-TheorieGamecontrollerCoxeter-GruppeComputersicherheitPlastikkarteOffene MengeBefehl <Informatik>AssoziativgesetzGüte der AnpassungProdukt <Mathematik>Selbst organisierendes SystemGewicht <Ausgleichsrechnung>DifferenteWechselsprungResultanteInternetworkingForcingRichtungEinsTouchscreenBenutzerschnittstellenverwaltungssystemWasserdampftafelInformationsspeicherungZweiChatten <Kommunikation>Office-PaketSichtenkonzept
09:52
GeradeProdukt <Mathematik>DistributionenraumProdukt <Mathematik>DistributionenraumGeradeKartesisches Produkt
10:27
GeradeProdukt <Mathematik>Kartesisches ProduktProgrammPersönliche IdentifikationsnummerComputersicherheitSchlüsselverwaltungComputersicherheitPersönliche IdentifikationsnummerYouTubeZellularer AutomatPlastikkarteDifferenteGamecontrollerMengeInstallation <Informatik>VersionsverwaltungAttributierte GrammatikVorlesung/Konferenz
11:47
Persönliche IdentifikationsnummerPersönliche IdentifikationsnummerDifferenteRechter WinkelSchlüsselverwaltungDigitale PhotographieQuelle <Physik>
13:18
Persönliche IdentifikationsnummerMAPInverser LimesMAPPersönliche IdentifikationsnummerKategorie <Mathematik>ZahlenbereichInverser LimesAttributierte GrammatikSchlüsselverwaltungComputersicherheitGrundraumSchaltnetz
13:58
Persönliche IdentifikationsnummerKartesisches ProduktPersönliche IdentifikationsnummerOrdnung <Mathematik>DifferenteSchlüsselverwaltungGeradeScherbeanspruchungCASE <Informatik>Element <Gruppentheorie>KreisbewegungRegulärer Graphp-BlockMereologieMAPQuelle <Physik>Nabel <Mathematik>Keller <Informatik>Divergente ReiheMinimum
16:22
Mechanismus-Design-TheorieQuick-SortSchlüsselverwaltungPersönliche IdentifikationsnummerPlastikkarteZusammenhängender GraphMenge
17:36
ComputersicherheitEinfache GenauigkeitSchlüsselverwaltungPunktPunktspektrumSchaltnetzMinimalgradSchlüsselverwaltungPersönliche IdentifikationsnummerMoment <Mathematik>Minkowski-MetrikKonfiguration <Informatik>AggregatzustandPlastikkarteAttributierte GrammatikComputersicherheitFrequenzStandardabweichungDifferenteMenge
19:44
Attributierte GrammatikKontrollstrukturSchlüsselverwaltungGradientPhysikalisches SystemGamecontrollerSchlüsselverwaltungAttributierte GrammatikTaskInverser LimesVorlesung/Konferenz
20:24
Kartesisches ProduktSchaltnetzCybersexEinsPersönliche IdentifikationsnummerGeradeSchlüsselverwaltungScherbeanspruchungGrenzschichtablösungCASE <Informatik>KonfigurationsraumOrtsoperatorOrdnung <Mathematik>Automatische IndexierungMathematikTorusAlgorithmische ProgrammierspracheMengeMoment <Mathematik>Total <Mathematik>Vorlesung/Konferenz
24:27
ComputersicherheitPersönliche IdentifikationsnummerZusammenhängender GraphExogene VariableDechiffrierungSchaltwerkVorlesung/Konferenz
25:09
Attributierte GrammatikPhysikalisches SystemSchlüsselverwaltungSystemprogrammierungMAPPersönliche IdentifikationsnummerPhysikalisches SystemSchlüsselverwaltungMAPGeradeScherbeanspruchungDifferenteKartesisches ProduktVorlesung/Konferenz
25:49
ExtrapolationGeradePhysikalisches SystemComputersicherheitSystemprogrammierungMaster KeySchlüsselverwaltungMAPPhysikalisches SystemPersönliche IdentifikationsnummerMinimumQuelle <Physik>GeradeVorlesung/Konferenz
26:35
SystemprogrammierungMaster KeyPhysikalisches SystemSchlüsselverwaltungKartesisches ProduktOrdnung <Mathematik>MagnetbandlaufwerkPersönliche IdentifikationsnummerHeegaard-ZerlegungSchaltwerkGeradeScherbeanspruchungCASE <Informatik>ZahlenbereichProzess <Informatik>p-BlockOffene Menge
28:50
ComputersicherheitFaktor <Algebra>KontrollstrukturSchlüsselverwaltungGrenzschichtablösungPhysikalisches SystemSchlüsselverwaltungMAPPhysikalisches SystemMathematikDatenverwaltungKartesisches ProduktSpeicherabzugGamecontrollerEinsMaschinenschreibenMengeVorlesung/Konferenz
29:46
Attributierte GrammatikKartesisches ProduktDisassemblerKontrollstrukturSchlüsselverwaltungGeradeScherbeanspruchungStochastische AbhängigkeitSystemprogrammierungMAPPhysikalisches SystemMathematikCAN-BusPhysikalisches SystemSchlüsselverwaltungSchaltnetzInverser LimesSoftwareschwachstelleGüte der AnpassungVorlesung/Konferenz
30:25
Lokales MinimumComputersicherheitRechter WinkelService providerOffene MengeVektorpotenzialGradientVirtuelle RealitätComputersicherheitZweiVierzigRechter WinkelEntscheidungstheorieGradientStandardabweichungVorlesung/Konferenz
31:12
SoftwarewartungYouTubeVideokonferenzBefehl <Informatik>Abstrakter SyntaxbaumComputersicherheitPersönliche IdentifikationsnummerSchlüsselverwaltungCAN-BusSchlüsselverwaltungMengeWiederkehrender ZustandSoftwarewartungComputersicherheitPlastikkarteProgrammiergerätMoment <Mathematik>Offene MengeVorlesung/Konferenz
31:53
SchlüsselverwaltungKontrollstrukturLesen <Datenverarbeitung>OrtsoperatorMoment <Mathematik>Offene MengeMaster KeyGrundraumSchlüsselverwaltungCodierung <Programmierung>OrtsoperatorGamecontrollerMultiplikationsoperatorPhysikalisches SystemDifferenteMengeVorlesung/Konferenz
32:58
SchlüsselverwaltungSchnitt <Mathematik>MengeDifferenteTypentheorieVorlesung/Konferenz
33:34
Persönliche IdentifikationsnummerKugelkappeSchlüsselverwaltungQuadratzahlSchlüsselverwaltungEnergiedichteInterface <Schaltung>Kartesisches ProduktVorlesung/Konferenz
34:21
SchlüsselverwaltungSchlüsselverwaltungZweiKonfigurationsraumPersönliche IdentifikationsnummerKartesisches ProduktMenge
35:01
MengeSchlüsselverwaltungPlastikkarteKartesisches ProduktMereologiep-BlockSchlussregelOffene MengeQuadratzahlKugelkappeVisualisierung
37:39
Interface <Schaltung>OrtsoperatorCAN-BusSchlüsselverwaltungCodeSichtenkonzeptVisuelles SystemOffene MengeWarpingMoment <Mathematik>OrtsoperatorCodierung <Programmierung>EinfügungsdämpfungGradientRechenschieberVorlesung/Konferenz
38:14
Moment <Mathematik>Offene MengeRechter WinkelDiagrammComputersicherheitMathematikElementargeometrieStandardabweichungVerschlingungSoftwaretestGrundsätze ordnungsmäßiger DatenverarbeitungVorlesung/Konferenz
38:56
Kartesisches ProduktKreisbewegungp-BlockSchlüsselverwaltungParametersystemElement <Gruppentheorie>PlotterOrtsoperatorPersönliche IdentifikationsnummerOffene Menge
39:57
Moment <Mathematik>Offene MengeDigitales ZertifikatMereologieQuaderOffene MengeKartesisches ProduktElement <Gruppentheorie>SchlüsselverwaltungSoftwaretestDatenkompressionMehrrechnersystem
41:28
KontrollstrukturSchlüsselverwaltungPlastikkarteSchlüsselverwaltungGamecontrollerAlgorithmische ProgrammierspracheMultiplikationsoperatorPersönliche IdentifikationsnummerVorlesung/Konferenz
42:34
IndexberechnungBitSchlüsselverwaltungOrtsoperatorCodeVideokonferenzKartesisches ProduktGamecontrollerMereologieZweiPersönliche IdentifikationsnummerMoment <Mathematik>ZahlenbereichMultiplikationsoperatorProgrammierungAnalysisMenge
44:13
SchlüsselverwaltungKontrollstrukturMathematikSchlüsselverwaltungGamecontrollerNummernsystemKartesisches ProduktAutomatische HandlungsplanungPhysikalisches SystemSystemplattformMengeVorlesung/Konferenz
44:55
SchlüsselverwaltungMathematikKontrollstrukturGeradeKartesisches ProduktÜberlagerung <Mathematik>Arithmetisches MittelSummierbarkeitMinimumVorlesung/Konferenz
Transkript: Englisch(automatisch erzeugt)
00:00
Well, good morning, everyone. Welcome to DEF CON again. We're glad to see you all up this morning. And my name is Mark Tobias. This is Tobias Bluesmanis, my partner. And hopefully they'll get our audio problems dealt with and our ‑‑ hey, okay. Okay.
00:28
So we got video on both screens? Right. No teleprompter. But the president is not here either. So Toby and I work for security labs, which is in our office. And we work
00:47
for a number of major lock companies in the world. We have a team that analyzes mainly high security locks with some consumer level products as well for security vulnerabilities, mainly for covert entry. So a few years ago at DEF CON we talked
01:04
about a number of different consumer level locks, but not really in detail. And as a result of that, we ended up filing a complaint with one of the standards organizations about the lock we're going to talk about today. And we figured a couple years ago by some
01:23
things would occur, maybe the problems would be remedied, but they weren't. So today we're ‑‑ now the monitor went away here, but I guess we're okay. So today we're going to talk about one of the most popular consumer level mechanical
01:42
cylinders in the United States. And the problems, the design problems that we found. How many of you guys have this lock on your doors? So everybody knows what this is. Okay. So this is probably in the United States, there's
02:08
really two major consumer level brands in the United States. This is one of them. And they're in every DIY store, hardware store. And a lot of folks believe that these
02:20
are really secure. And in many ways they are. The problem is, as we'll point out to you, in critical ways they're not. So we're going to go through ‑‑ we've done a pretty detailed slide presentation. And with a lot of graphics and animation that we hope you guys enjoy to detail the problems. And we recognize that a lot of folks can't
02:45
afford high security cylinders that are $7500, $150 a piece. We do understand that. And I guess some locks is better than no locks on your door. But there's also a false sense
03:01
of security that these kind of locks provide a higher level of security than they do. And that's also enhanced by packaging and marketing statements by the manufacturers, especially with regard to the builders hardware manufacturers association standard ‑‑ it's a consumer
03:22
commercial level standard that has much more to do with endurance and durability than security. And that's the case in this lock. So quick sets are really easy to understand. Today we're going to talk about their smart key versus conventional pin tumbler locks and a number of ways that we've determined
03:42
to open them very rapidly and to present some serious vulnerabilities. Now, you'll notice that the lock on the left‑hand side of the screen, that's a smart key because it's got a little slot to the left of the keyway. That means that it's a reprogrammable lock. So what we're going to do is begin this morning letting you listen to a couple
04:03
pieces of audio. We called customer service repeatedly to ask them how secure their locks were as if we were going to buy some. And we wanted to set the stage because this ‑‑
04:20
either these folks aren't trained properly or they're making statements that they shouldn't be making. So either way, we thought you would enjoy the questions. These are about two minute clips each. And nothing's been edited out that was relevant. Only the chit chat between us, but these ‑‑ I tried to edit out to the relevant statements. So
04:44
this first one was in June of this year with Brian. Quick set, this is Brian. Can I help you? A couple questions on smart key. Okay. So my only concern is, is quick set comfortable and basically debunk this, that there's no
05:02
way to stick a screwdriver, you know, just a common tool, into the lock and open it? No, that would be a negative. I mean, if it was that easy to pick a quick set lock, they would be having us do recalls, okay, this customer's got this unit, you get a call
05:24
tag, have a prepaid label sent out and send that back to quality control. There's nothing like that. It's business as usual. Is there any ‑‑ are you guys aware of and trained any tools out there that will open these or is this just all nonsense? No, without the actual key for the unit itself, no.
05:42
You can't open it. Just so I can tell my boss, as far as quick set is concerned, other than drilling these, if you don't have the key, you're not going to get in. No. And that's the bottom line. Sticking anything foreign inside of the keyway is just going to make it that much harder to open up.
06:02
Okay. So basically what you're telling me is it isn't going to happen. You can sabotage the keyway, which won't. Yeah, but ‑‑ okay. So that was Brian. So you're starting to get the picture. So this is Satima. Are you tech support?
06:21
Yes, I am. Ma'am, we're looking at buying a large amount of your smart key cylinders. I have some questions. Sure, go ahead. Are you technical? Yes. Oh, okay. How about forced entry? How difficult are they? Like the old locks, you could like take a screwdriver and put a lot of pressure on it.
06:43
Yeah, same thing with these. I mean, you can line up the springs. That's what the screwdriver would do, right? Force the springs to align and open the lock. With these ones, you can't even put a flathead screwdriver in there. You can't? No. Because there's ‑‑ there's racks, we
07:02
call them, coming from up and down ‑‑ you know, up and down direction, not just up. Okay. So this stuff on the Internet is not true? That you can stick a screwdriver in them and open them? No, no. We were aware of that video. And, you know, we found out about it.
07:24
But they did something else before they ‑‑ they showed that video. That's what it was ‑‑ I believe that's what I heard, that it was ‑‑ they had to do something else to the cylinder and then they recorded the video with ‑‑ just using a flathead screwdriver and opening it. That's not how it works. So if somebody walks up to a lock on one
07:42
of our apartments, unless they can take that lock apart, you're telling me they can't open it without the right keys? That's correct. Is there any quick way of forcing these open? No. That a burglar could do, like, in 30 seconds, 15 seconds, is there anything that you guys
08:01
have been trained on or aware of? Oh, no, no, no, nothing like that. There's no tool that you can just put in the cylinder and pop it open. There isn't. There's no emergency key that you can ‑‑ or we send you that will open it, nothing like that. How long have you been with Kwikset dealing with these? Four years. Let's just take a 4‑inch or a 6‑inch
08:24
screwdriver, which everybody has in their kitchen drawer, and you stick it in the lock and you take a pair of pliers or vice grips and you turn it. Can you open the lock? No. Of course. What about sticking a wire through the ‑‑ where the key goes in or any other way? Now, don't jump ahead of yourself.
08:44
No. You can't put a wire or anything like that. You cannot. No, you cannot. Okay. So you wouldn't worry about putting these to protect valuables, to protect your house or your apartment? Not at all. Okay. So that's what the public is told if you call in and want to know if these
09:08
locks are secure. So unfortunately ‑‑ and I don't think there's any malice on the part of their employees. They just don't know. They have not been educated. There was plenty of stuff on the net a couple
09:21
years ago that they referred to, and I just don't think they know or they've been told not to say it. We don't know. So the reality is, as we can see from the show of hands, there's millions of these locks used in America, homes, apartments, businesses. They're inexpensive. The cylinders run $120 to $30, maybe $40 apiece. They have pin tumbler models and they have smart key
09:46
models. They have dead bolts and they also have electronic cylinders. So it is one of the most popular locks in America. And they've been in business actually for about 60 years. And again, they have a very diversified product line. These are
10:03
some of their distribution channels as you recognize Home Depots, Lowes, Ace Hardware. Lots of folks are carrying these locks. And mainly they're sold through DIY channels, do it yourself channels rather than the locksmiths.
10:20
A lot of locksmiths actually don't care for these cylinders because it circumvents their revenue and they're low quality locks. And this is a shot I think from Home Depot and they're very, very prevalent. They've got great marketing. They're in residential and apartment facilities. So Kwikset, Weiser, Baldwin, the basics. Toby?
10:46
All right. We're talking about pin tumbler locks, which is their older version and smart key. Smart key will show you the difference. In some ways it is a very clever lock. The pin tumbler locks they sell are 5 or 6 pin. The smart key is 5 pin. The smart
11:07
key, there's some attributes that the pin tumbler locks don't have as far as security. The pin tumbler locks, if some of you guys were around several years ago, we had little 11‑year‑old Jenna Lynn bumping them open. Y'all remember Jenna Lynn? She's
11:28
a little girl in one minute figured out how to open these locks. Whack, whack, they're open. The problem is they all have the same keyway. There's no duplication protection. There's no key control protection. These are definitely not for high‑security installations.
11:45
They're mainly residential and apartments. So Kwikset history, as I said, they've been around about 60 years. They're very easily compromised. And the smart key actually was introduced around 2008. But probably a lot of you folks still have pin tumbler locks.
12:05
You probably wouldn't know the difference unless you look at the little slot, the right hand photograph, the little slot to the left of the keyway. That indicates Kwikset. But it's the same key that will open these locks. So here's the difference. On the left
12:23
is a pin tumbler where it's a conventional lock with two pins and a spring in each chamber. On the right‑hand side is smart key. It's much more complicated design, but same key will open it. And actually, you can see also that what they share is the same key. What Kwikset did
12:44
with this design is trying to use the same key for their locks. So you have one that is a pin tumbler design and the other one that you can reprogram and supposedly be more secure. You cannot bump. You cannot pick open the lock. You can probably ‑‑
13:04
other attacks like impressioning the key, you cannot do that with Kwikset. But on the tradeoff, we find ways more easy to open this Kwikset lock. Okay. So pin tumbler design, they're essentially not secure unless they're a high security
13:24
lock with a number of added‑on attributes. Pin tumbler locks essentially in this category are easy to pick, easy to bump open, easy to impression. They're easy to mechanically bypass. They can be master keyed. And it's also fairly easy to determine what the top
13:42
level master key is. And there's limited number of combinations. And these locks are fairly low tolerance locks. So there are many fewer keys that ‑‑ in the universe of keys that will open these locks. So the pin tumbler lock ‑‑ go ahead.
14:02
Okay. So we're going to go first on how a pin tumbler cylinder works. In this case we have a Kwikset cylinder. This is what you see from the outside. And the parts we have a shell that is the outside portion, the plug and the key slot where you put
14:22
the key. That's what more people know about the lock. So what is inside is a pin stack. You have a spring and a series of pin tumblers. And you have a shear line. That shear line is where you have to move the pin stack in order to create ‑‑ separate those pins
14:50
in order for the lock to turn. Okay. So that's the basics of a pin tumbler. You have to get that pin on shear line depending on the height of the key so you can unlock
15:05
the cylinder. Now that's one pin on a regular pin tumbler. You have more than one pin. You have in this case five pins, different heights on the bottom pin which is the portion that fits the key. So when you put the key, you see all the bottom pins line up
15:27
with the cylinder. So that cylinder can turn if the matching pins match the key. So if you put a wrong key, what you have is some pins either extend to the plug or something
15:45
from the top blocking the rotation of that pin. It's a very simple design. It has been for many, many years. And most manufacturers work around this design adding sidebars, third
16:03
locking devices but it's the most common element. So that's what is inside on a regular pin tumbler. And we said the smart key is not a pin tumbler lock. If you look inside
16:30
this very different components that will make that lock be able to reprogram the lock to any specific key and to make it more secure against bumping and peeking and some
16:46
sort of impressioning with techniques. Okay. So this is what the inside of a smart key looks like and we'll blow this up in just a minute. But this is a sidebar based lock which means that it's a different locking
17:03
mechanism that keeps the plug where you stick the key into from turning. And this design actually was developed in 1978. The original design here was in over a million hotel rooms because it was the first real programmable lock. Very, very clever. And
17:25
then it was improved by a company in Italy called Rialda and then quick set took the Rialda design and modified it for the consumer market in the United States. So attributes of smart key. It's only a five pin lock. And when we say pins, they're
17:44
really not pins. They're sliders. And there's a really big difference. Pins mechanically and physically are secure against torque and forced attack. The sliders in these locks are not quite so secure. In this lock there's one sidebar that really provides the entire
18:04
security of this lock. They are extremely pick resistant. There's an underwriters laboratory standard 437 which defines picking for commercial and high security locks. Quick set actually meets this standard. That means these cannot be picked in under ten minutes. They are very,
18:26
very pick resistant. And they also cannot be bumped. Period. Because there's no pin tumblers. These are sliders and so there's nothing to bump open which in a way as we
18:41
refer to this lock, it's one of the most secure, insecure locks in America. Now, obviously those are opposite ends of the spectrum. But that's what it is. Because from the picking standpoint, from the impressioning standpoint, from the bumping standpoint, you're essentially
19:00
not going to open them. The problem is that's trumped by other ways that we'll show you. The other really cool thing, how many of you guys have smart key versus the old pin tumblers? Or do you know? Oh, so not that many. Okay. Well, smart key, they're actually backwards compatible. Smart key, you can instantly reprogram them without a locksmith. You stick the correct key into the lock, turn it about 30 degrees,
19:25
pull it out, stick a new key in, turn it back to 12 o'clock, that lock is reprogrammed with a new combination. It is a very, very clever and desirable option in the marketplace. But there's a lot of security tradeoffs to get there. No, definitely. We have to also understand that the space that they have to work is
19:45
always the same. So to put all these different attributes in a lock, it becomes a very difficult task to do. Okay. So the other attributes, it has one primary keyway everywhere, which is really a problem because it's easy to make keys or
20:05
duplicate keys. There is no key control. Now, they make a special deadbolt lock for master keying, limited master keying for like apartment houses that we'll show you. The problem ‑‑ and they think that that key cannot be duplicated easily. We'll
20:24
show you how that happens. Okay. Toby, you want to do this one? Yeah. Okay. So we show you at the beginning how a pin tumbler lock works. And this is called the smart key. The first thing that you notice from the outside is that little slot on the side. That's to change the combination when you follow the right procedure.
20:49
So we told you that on the inside it's totally different. This lock is based on a side bar design. You see a pin, you see a slider next to the pin and the side
21:04
bar. And the side bar is in purple. So when we put torque on that cylinder, the side bar tries to retract but it's blocked by that slider. So in order for that lock to open, the pin has to move the slider
21:22
to the right height so the side bar can enter the groove of the slider and the lock can be open. So that's the principle of the smart key as far as the slider side bar
21:44
combination. So ‑‑ and the way that they can make the different combinations is the way that they fit the pin to the slider with these different channels. The
22:01
side bar at the same position but the pin slider changes for the different depths from one through six. The relationship between the pin tumbler on the right‑hand side and the yellow slider, those separate in reprogramming mode so that they index to one of the six different little teeth on the slider. And
22:24
then they bring it back together. That's how the combination has changed in this lock. It's the same thing. It's not only one pin slider combination. We have in total for the smart key, we have five pins and five sliders. So the sliders are the ones that
22:45
set the combination inside the smart key cylinder. So when you put the key and the side bar drops, okay, so when the side bar drops at that combination, that lock can
23:05
be open. And the pins just follow the combination of the key. In this case, we have 26341 which is the individual depth of each key. So if we want to re‑key the lock, we
23:25
have to put the working key into the lock. They have a special tool that it will move a block in like a hub that house all those sliders. And what happens is that the sliders
23:43
separate from the pins. So now we can remove the pins but the pins, the sliders are at the same ‑‑ they are locked into position so they can't go anywhere until we stick another key in. So we can put another key. That key sets
24:03
to the combination of the key and then we have to bring all those sliders back to engage again to the sliders, the pins. So we have a new key working for this lock. So, it's a very clever design. They have a ball bearing to prevent also ‑‑ yeah.
24:31
Okay. So these are the components that ‑‑ okay. So this shows the five pin tumblers that the key responds to. These are locked together to make this lock work. So ‑‑
24:45
and the two bottom pieces are the side bars that actually stop that plug from turning. And this is what the plug looks like. Yeah, it's ‑‑ their pins are like hallows so you can put the pins, they have a cover, so you see the tabs where the sliders goes
25:01
and you have that hub that ‑‑ that puts the slider together with the side bar. Okay. So now let's talk about master key systems before we get to the attacks. So in conventional master key systems and pin tumbler locks we have one key that can open many locks and
25:23
there's potentially many different levels of keying because we have an extra pin in each chamber. And that creates a whole bunch of different shear lines. Conventional locks are expensive to re‑key. You have to have a locksmith do it. And there's also what we
25:41
call incidental master keys. There's a lot of keys that will open a master key cylinder that really aren't intended. And that's a problem. And that's a problem. Well, actually, what happened with master key systems, those unintended keys, they tried to use those to work in the system.
26:00
So it depends how the people who's doing the master key, but you have more than two keys working on the system. We're going to show pretty much how a master key system works. And as we pointed out many years ago, conventional master key systems, if they're not high security, they can be also easily compromised but in a different way so we can figure out what the top level master key is in the
26:23
system. So remember the pin tumbler lock and then it has one pin, the spring, top pin, bottom pin. Now we have another pin between the top and the bottom. So what happened that we are ‑‑ that we are creating two shear lines. You see? Right there we
26:41
can split the pin and the lock opens. We have one depth for that pin. But it's also another shear line. So we have two depths that opens in that specific chamber. But again, this is not ‑‑ a lock is not one pin. So we ‑‑ for this example we
27:02
put another split pin, we put a master, that's called a master wafer. And the rest we left the pins like that. So we have a keynote that makes the shear
27:22
line ‑‑ so that key will open the cylinder. We also have a B key that can open that cylinder. So those were the two intended keys when we are making a master key system. And we have to understand also that when people say they have a master key, there's no such
27:42
thing as a master key for GM cars. You have to set a master key system in a particular lock. When somebody says I have a master key, the system is set to work with this master
28:02
wafers in order to set the system to open different locks. So the problem is now that we have two unintended keys, key C and key B, that will also open that lock. And if we add more master wafers, that number is going to increase. It's
28:22
an exponential number. And in some cases, depending on the person who is doing the job, they can put even more master wafers and that creates many, many coincidental keys and they're not secure. The other problem with Kwikset, for example,
28:43
is the key way is so common and they have so many different individual keys that they can use that probably your home key, if you have a commercial facility that has been rekeyed and has a master key system, is potentially that one of your keys can
29:05
open one or more of those locks. So Kwikset came up with what they call key control, which is actually ‑‑ it's basically a one level master key system. There's two cores in one cylinder. It's actually a clever
29:23
system for apartment houses where you only need one level of master keys. There's two separate key ways supposedly that are secure that one won't go into the other. So the apartment user, the apartment tenant has one key, their change key, and the management
29:43
has a key that will open the other core in the lock. It's actually very clever. No locksmith is required. You can instantly change your master key systems. There are 46,000 theoretical combinations. They're good for facilities that need a very limited kind of
30:00
system. So actually it's a very clever system. However, it's got the same security vulnerabilities as the single lock. So ‑‑ and again, they can be instantly reprogrammed. And you do not have the cross key problem in the Kwikset system that you have on conventional
30:20
master key systems. It doesn't exist. So the problem is they can also be compromised in 15 seconds. So security, what you get is what you pay for. Does anybody expect a $20 to $30 lock, $40 lock to actually be secure? And that's the question. And again, we understand
30:41
that a lot of folks can't afford high security locks. But we also believe that the public has a right to understand so they can make the decision knowingly and intelligently whether they'll accept the risk. So as we say, there's millions of facilities that can be at risk here. So ‑‑ and there's a false sense of security as we talked about between the
31:04
BHMA standard that says this is the highest grade of security for residential and the anti‑picking, anti‑bumping. So we're going to go through ‑‑ as you heard the tech reps at Kwikset say, there's no way to get into these locks if you
31:23
don't have the key or you got to drill them and destroy them. Okay. So smart key design issues. The problem is with the side bar and the sliders. There's only one layer of security. And our problem is these little sliders that you see, they're very fragile. And there's also maintenance problems and programmability problems and low tolerance
31:45
with the lock. So we're ‑‑ and the real problem is we're going to show you in a minute, you can apply torque to these plugs and open them. So here's the attack methodology that we came up with. Try out keys, wire through the keyway, visually reading the
32:04
side bar and the slider positions, torque the plug, replicating key control and decoding in the master key. Other than that, they're very, very secure locks. Okay. So first of all, try out keys. Probably most of you guys aren't old enough to remember
32:21
in the 60s, we had 64 keys that would open all General Motors cars. 64. Because we split the difference, we exploited the tolerance in the locks. You know, I'm talking that there is no such thing as a master key system for GMs and you say that ‑‑ Well, they're not master key, they're try out keys. You jiggle
32:40
them in the keyway. Sometimes they would open most of the time. But what you're doing is cutting the tolerance in half. And the same thing in Kwikset. So basically with six depths in a Kwikset, most of the time we can make three depths equal six depths. So here is a graphic, the six depths on a Kwikset key, one, two, three, four, five,
33:05
six cuts. This is a depth increment key of one, one and a half and two, three, three and a half and four, five, five and a half and six. We didn't do this. This is something that we test on the smart key. This is an old
33:24
type of attack. Try to split the difference between one cut and the other one. Because the tolerances ‑‑ you need tolerances for this lock to work. So the next problem has always been their problem and it's called the tail piece design.
33:41
And this is the linkage. When you insert the key into the plug, the plug has to talk to the bolt or the latch to communicate the energy to withdraw or lock the bolt. So with Kwikset, this is hollow on one side. It's square and it's hollow so it will interface on both sides of the door together through the bolt. So this is a huge problem.
34:07
So this is one of the attacks that we developed on one of their older key and knob cylinders. This is a special key that we made on the bottom that if we knock out the piece at the end of the keyway so there is a slot, we can go right through that and open
34:22
the lock. So ‑‑ so if you stick that in literally in five seconds, this key and knob lock is open. This is another design. Toby? Yeah, this is an old design and actually this is a pin tumbler lock. They share the
34:41
same configuration but the back was covered by like 20,000 of an inch thick of brass. So we were just piercing that with an old Kwikset key that you can get anywhere. And we put in a piece of wire that was bent to accommodate the cylinder.
35:05
Okay. So this is the newer design. This is on the Kwikset smart key. And we're going to show how easy we can access the tail piece ‑‑ You tell us whether you think this is secure ‑‑ whether you think this is secure ‑‑
35:24
This attack on the tail piece of the Kwikset smart key and earlier cylinders is based on the design of the tail piece by Kwikset. It's hollow and it's square which allows us to pierce the cap at the end of the plug and insert a wire that's been formed
35:48
to catch the edges of the tail piece and turn it. Okay. The first thing is to introduce the tool like a regular key. I'm going to put
36:01
tension and that tension is going to make the side bar block the slider so I can remove the tool. And the reason is I need to put the tool backwards so we can stop the bar piercing from the top. That's the complicated part.
36:22
Yeah. It's just a sharp piece of metal. Yeah. That's the complicated part. No. It's a matter of ‑‑ So you can see the back on one side. And let's see. It's just ‑‑ That's it.
36:43
So this is a complicated part that you ‑‑ Yeah. You have to use the pliers. Yeah. That's why I let him do it. Okay. I always get the complicated part. And now we have an opening for a wire.
37:03
So now we can access the tail piece that is attached to that ‑‑ right here you see I'm moving the ‑‑ keep going. And that's it. And that will open the lock. So that's it. You put this ‑‑ and the lock ‑‑ there's no damage to the lock.
37:28
Your key still works. So how many of you ‑‑ how many of you still trust your door locks? Okay. Next one. Visual decoding ‑‑ and we didn't
37:42
show this, but we'll tell you. You can actually take a little mirror, insert it into the lock. It takes a little more talent. And you can read the position of each of the sliders. Okay. Here's the really good one. This is ‑‑ as I told Toby, let's just label the slide torqued off.
38:01
So this is torquing the plug. And we actually filed a complaint with the Builders Hardware Manufacturers Association a couple years ago. It was essentially ignored that we didn't think this lock should be certified as a grade one lock. This is the entire security of this lock as far as we're concerned. These are sliders
38:21
as you saw in the diagrams. The one on the left is normal. The one on the right has been warped. You can see it's not straight. Okay. And this is also what happens when you stick a screwdriver into the plug of the lock. Again, it's warped. The geometry changes. You know, we said that the lock is going
38:40
to be as secure as his weakest link. And if the material is not strong enough, that's the end of it. We also ran some tests and we were able to torque this lock at 112 pound‑force inches. The standard actually requires 300, but their argument was, well, yeah, but you're either sticking a paper clip or a piece
39:02
of key, a broken off piece of key into the keyway. So ‑‑ there is one element that ‑‑ yeah. There's one element that ‑‑ on the cylinder that when we torque the plug, we have to introduce a piece of key wire
39:21
because we need to lift that slider that is blocking through the housing because there is three different depths. Depth one, the depth two and the depth three that it will block the physical slider will block the rotation for that pin. But there is a specific
39:47
position and it doesn't matter which depth is set the slider, the slider is going to get inside the plug. So the ‑‑ the only element preventing the cylinder for opening
40:06
is the slide. So here's what happens. So that's the smart key. So that's the smart key. We just need to ‑‑ that is specific height and we're using a piece of paper clip.
40:28
We just ‑‑ that's also the complicated part. And of course I did that part. So this is just a standard little screwdriver.
40:43
We just seat it into the keyway. You really don't have to bang on it. This is a very small vice grip. This is your door on your house. You see it's already turned. You can see the plug is already turned. Okay?
41:01
And once it's done, you know, those sliders bend, the plug compresses. So now the cylinder can go back and forth. There's no ‑‑ now you have to put that piece there. And that's the reason why they passed the test on the certification. Because when they test
41:22
for this lock, they put the screwdriver, they torque it, they say ‑‑ It's open. But the cylinder is open right now. Okay. Same problem. No key control, plastic keys. Okay? This is very impressive.
41:51
That's a MasterCard. No, that's Chase. Sorry. Yeah. I didn't know. So then we figured out how to decode the lock because we're going to run out of time.
42:03
So basically there's a procedure that we can take six different keys and we can figure out ‑‑ How to decode it. Those are the depths of each pin. But now if we notice that side bar, it really doesn't ‑‑ does not engage on the ‑‑ on the false gate.
42:28
So we designed one key that can move ‑‑ basically what we're going to ‑‑ you're going to see here in this video is that if we can remove the key from the cylinder
42:44
with a specific depth, that is an indication that that depth ‑‑ we have decoded ‑‑ So I don't think we have time to run this video. But these are the six keys ‑‑ let me just do part of this. Okay. This is going to be decoding the control cylinder
43:02
on a quick set. This is the problem with our master key. We've got depth analysis keys, depth probing keys for each of the six depths that we're going to probe in rapid order and determine the ‑‑ essentially the gate positions on each of the sliders. So let's start with number six. You just
43:27
have to put the key in, put a little bit of torque and try to remove the key. If we cannot remove the key, it's an indication that that pin is not set for that depth.
43:43
So basically we go through and probe each of the six sliders. And then once we figure out the code, we generate a key for it in like ten seconds. So we go pin by pin. We just put the key in that position, try to remove it.
44:03
If it can be removed, we record the number that we're using. And so basically Tobii goes through, decodes the entire lock, creates a key for it. So making the control key as we'll wrap this up, this is their master key scheme.
44:22
This is the way that quick set takes the approach for the master key system. This is what they call the key control ‑‑ it's not playing. It's not playing. Go ahead.
44:41
So that cylinder has another cylinder on top. So that's the scheme that they use. It's two cylinders because their platform now is so small that they decided, well, I can have one key for a renter and one key for the user. The thing is they're so
45:01
close and all this attack also can be performed on their lock that we thought, well, this is not secure. It's even more insecure because you don't see the cylinder is on top. The cover has to turn so you can expose the other cylinder. So if you torque the
45:22
plug or you pierce the plug, you're never going to notice. And that's something that you as a consumer should know that they ‑‑ Yeah, here's the bottom line as we'll sum up. This is a very clever design lock in certain respects but it's also extremely insecure in certain respects. So there's really a trade‑off
45:42
and you need to understand when you spend money on locks, it's an insurance policy. You need to understand that you really do get what you pay for and it may look secure but that as we've shown you, it doesn't mean that it is. I think that wraps it up for this DEF CON this year. We thank you very much for coming and we hope you enjoyed
46:00
this. Thank you.