Duplicating Restricted Mechanical Keys
Formal metadata
Number of parts | 335
License | CC Attribution 3.0 Unported: You may use and modify the work or its content for any legal purpose, and reproduce, distribute and make it publicly available in unmodified or modified form, provided you credit the author/rights holder in the manner they have specified.
Identifiers | 10.5446/48440 (DOI)
Transcript: English (automatically generated)
00:00
We are here to hear about a little bit of physical security stuff. How many people have seen those keys that say "do not duplicate"? Say, ooh, well in that case I'm definitely not gonna duplicate that. These guys apparently have a different philosophy on this. Let's give Billy and Bobby a great welcome to fancy track. Have a
00:23
good time, gentlemen. Thank you. Alright, so welcome everyone, this is Duplicating Restricted Keys. I'm Bobby and this is my brother Billy Graydon. So first I want you all to take a look at your key ring, and almost all of you are gonna notice one of them looks like
00:41
one of the keys that's on this screen here. So these are some of the most common keys that you'll find in North America, and they're relatively easy to copy. So if you wanna copy them, basically you go to any locksmith or corner store and
01:01
they're gonna be showing you, or sorry, we're gonna be showing you a video, if you can get that up. So what this machine here is called is a profile cutter, and essentially how it works is it has a little probe that rides along the key that you want copied, and then a cutter on the right side that you can see here, and that's what actually cuts the
01:22
bitting in the key. Yeah, so you can see there on the bottom is the probe following the key, and on the top is the cutter, and that's going to create the exact same profile on the duplicate. Oh, and all's have four. Nope. Sorry folks. There we go. Okay, so just for an
02:03
example of one of the simple keys that you might be able to get copied with this technique is just regular keys like this here, which is one of the keys for the Titan II nuclear missiles, and you'd be able to walk into any corner store with this thing and they'd cut it for you. Thankfully, high security keys have come a long way since
02:21
then. And for any of you who don't have a background on how a lock works, if you take a look at the bottom you can see how there's two pins essentially in each column there, and the line between them is called the shear line. When the key's in there those are all lined up, which allows the key to turn, and when it's out, at the top
02:43
there you can see they're not lined up, and that's why you need the key in there for it to actually work. And so next we're going to be showing you a video. You know, when you bring a key in to be copied you already have that key, and that's what the profile cutter can do to copy it. How do you get the first one? So this is called
03:05
origination, and essentially how it works is it's similar to the other one. There's a cutting wheel there, however with this one you can very, very specifically move the key forwards to take out little bites of the key, and that will create the bitting. And so you
03:24
can see there's a wheel being turned there, and so that's one of two that lets you precisely move the key side to side and in and out to get those cuts right. So again I'm
03:47
going to ask you to take out your key ring, take a look on it, or some of you might even recognize these immediately. These are going to be less common, but all of these that you see here are high security keys, which means good luck going into any random corner store
04:02
or locksmith and getting these copied. They won't be able to do it, or they won't do it for you. So we're going to talk about how you can make that happen. When you take a restricted key into a locksmith and the locksmith says sorry, I can't cut this for you, the number one reason for that is going to be that the locksmith simply does not have
04:24
the blank. So in the two videos we showed before, profile cutting and code cutting or origination of a key, we started with an uncut blank and we added the cuts into it that would then operate the lock. The most important part of a blank is what's called the keyway. So that's the specific shape that that blank has. So the manufacturing process
04:45
of a key blank is we start, like image number one, with a rectangular piece of metal, and then we're going to mill out some grooves along the side of that key, and you'll end up with something like image three over there. And so if you
05:01
look at your keys head on, you'll see a pattern similar to image three, and that's going to match up with the lock, similar to image five. Just for some terminology: in image two, where we're cutting out the grooves along the key, that's called milling, and in image four, those pieces of metal that are put in the lock to prevent the wrong key from going in, that's called warding. So we'll try to remind you
05:24
but keep that terminology in mind. The purpose of this is all sorts of lock manufacturers have their own keyways, and they try to make it unique amongst different lock manufacturers, so you can't, say, take a Schlage key and stick it in a Weiser lock; it won't even fit. Let's cover our first keyway exploit. So here we have what's called a
05:46
mastered keyway system. You're all familiar with master keys I'm sure, and that uses the key. You can also do it with keyways. So we have at the top the Schlage SC1 keyway, probably, arguably, the most common in North America. But you have a whole bunch in its
06:02
family. So third from the left on the top we have the SC8, and those two will not fit in each other's locks. However, circled in blue just below it we have the H keyway, and that's a mastered keyway; it's going to fit into both the SC1 and SC8 lock. So in very large
06:22
facilities or poorly designed locking systems, as we'll go into, you can do mastering with that. So let's say I have room A that's an SC1 key and room B that's an SC8 key, same bitting on top, and then the master key is that H keyway there; that's gonna enter both locks. The exploit you can even do unintentionally, and this is the real
06:44
problem, is if I take, let's say I'm in room B, I have a key to room B and I take that into a locksmith. Now that locksmith might not stock all of these blanks we see up here. He might say, hey, well at the very bottom there there's SC19; that's gonna enter all these
07:00
locks. So I can save some supply chain cost and just stock that, and I can cut everyone's on that. So he cuts me a key, a duplicate on SC19; it works perfectly fine on my lock, but it's also gonna work now in room A, because it's a higher level master keyway, it's gonna enter that. So that's the first exploit that some people can do completely
07:24
unintentionally. The main focus of this talk, though, is on restricted keys. So this, some folks might recognize, is a 3D computer model of the Medeco M3 key blank, and because they're just pieces of metal you can CAD them up, you can make models for them. So here's
07:43
one for a Biaxial, and here's that one that we've 3D printed, and this is now a functional blank. We can add cuts to that and it works just fine in the lock. If you wanna make it out of metal you'd be using a machine like this, and this is very similar to what happens in the mass production system for all the keys that you'll have in
08:01
your pocket right now. At the top you'll see that circular cutter wheel, and that's what's gonna mill those grooves along the key. You put it in the clamp there and mill the specific shapes out, as we see here, so in diagram 2 it would be taking out that rectangle at the top and those two triangles at the bottom. A talk about restricted keys
08:23
and restricted keyways wouldn't be complete without mentioning the Easy Entrie, that effectively does all of that for you. It's a complete black box, or pink box as the case may be. Most people don't have access to them, they're very expensive and a lot of the functionality is restricted, and finally, because it's a black box you don't really
08:40
understand what's going on within them, so for that reason we won't say anything more about that. Keyway research, so finding keyways that fit in locks they're not supposed to and doing various other things with that, used to be a very tedious process, and ask any locksmith about this: if you have a lock and you need to find the right keyway for it, you're kinda looking at it, oh I recognize this, it's close to that, nope, not quite, take
09:03
your hand file out, file it away, nope, filed in the wrong place, and then you just get mad about it. We've gone and automated that process. So we've written some software that takes hundreds of different key blanks, and we brought them into a digital database, and we've written a little scripting language with a UI similar to MIT's Scratch, for those
09:21
who've heard of it, you might recognize those blocks on the bottom. So what they're doing is first we're drawing out the Schlage SC1, you can see in the top right there, and then we're comparing the SC1 with the SC8, those are the two we talked about before on the master keyways, and you can see in red where the SC8 is and the SC1 isn't, and in blue
09:40
where the SC1 is and the SC8 isn't; those are the pieces of metal that prevent one key from entering the other's lock. So we add a bit more functionality to it, so taking the reverse of a keyway, as you can see in the very top block there, and so we can see that the Sargent RA and LA keyways are the same when reversed, and you can tell that
10:02
it's completely purple; there's no metal that's unique to one or the other. We can also compare, say, how thick a flat piece of metal has to be to fit into that lock. So in this case we have the Medeco 9S blank. That's a Biaxial blank, restricted; you're not supposed to be able to get them anywhere, but you can get a piece of
10:22
flat metal 32 thousandths of an inch thick and that'll work just fine, as we can see here. We added binary operations in as well, so to do sort of math with keyways; rather than adding and subtracting them we're intersecting and taking the union of them. So we have the Schlage C, E and F keyways, by the way C and E are another name for SC1 and SC8, and
10:43
so that's what we're seeing in the first 3 there. The intersection of those is the master key, or master keyway, that's going to enter all of those locks, and so we can calculate the intersection there, and the union is the lock that will accept all of those keys, so that's a much wider open keyway. We considered how you can machine and
11:07
modify these keyways. So in this case we have milling with a ball cutter, so that creates a nice circular groove along the key, and so for instance if we have a Best L keyway, and that's what we see up at the top, and we want it to enter both an L
11:23
and an M lock, well, we first start by comparing them, and you notice that red there; that's where the L has metal where the M doesn't, so that's what's going to prevent it from entering that lock. We can go ahead and play around with where we have to mill off, and if we mill off with a 32nd, sorry, 16th inch ball cutter we can take away
11:45
that red, and we see that in the image on the right, and that will now enter that lock. Those of you who are familiar with scripting will notice that we're using variables for that as well, so in red we have the milled Best L, and we keep modifying it to be itself with some taken off on the mill. We went one step further, built in
12:06
control structures, for loops, ifs, etcetera, and made a Turing complete keyway analysis language. So in this particular case we're looping through every keyway in our database and we're checking to see, is that key very similar to itself upside down, and if so
12:21
we're going to dump it out. This is a small sample of the output when we ran that script, and we get a whole bunch of keyways that are symmetric either way. So let's apply this to actually create restricted keys. So we see here the Medeco 1515, that's what's shown in red there, and that's a restricted keyway that's for
12:44
Medeco Classic; you're not supposed to be able to buy those anywhere, but you can buy Best A anywhere, most common Best keyway out there. If you look at this comparison here you'll see that they're the same in the bottom half of the keyway. Well, what sort of key only uses the bottom half? Well, bump key. So we can take that Best A
13:03
and cut it to be a Medeco bump key, and otherwise completely unmodified in terms of the keyway, and that's going to enter that Medeco lock and function as a bump key. Going back to our comparison, we see that if we need to make it a full height key that's going to work as a full fledged key, we just have to take a little bit off the top
13:23
there. Of course you can do it with hand files. We also made a little adapter that's going to fit on our code cutting machine, and that will allow us to mill it out as well, and this also demonstrates for you what the keyway milling process looks like.
13:42
Alright, so we have our blank clamped in at the bottom there. We're starting up the wheel and then we're moving it in so that it's cutting the right depth of the groove, and now we're moving the blank up slowly, and that's milling out a longitudinal groove along
14:06
that key, and so that being a code cutter, that lets us very precisely position where along the X Y that groove is going to be, as well as how deep that groove is going to be. You can also use an end mill. So this is a picture of modifying a Yale Y1 blank on a
14:30
milling machine. This is a much more common piece of machinery than a keyway modifier, a horizontal mill or a code cutter. So anyone that has access to
14:42
hackerspaces, makerspaces, etcetera, you got 50 bucks for a month, you can get access to one of these and they can modify your keyway for you as well. So we took one of these Best blanks and we modified it accordingly. This blank that you're about to see was actually the one that was shown in that video on the HPC machine, and we added the
15:00
Medeco cuts to it. And it's now a functioning Medeco key cut on one of the most common blanks in the country. We can get even stupider. So if we look at the bottom left here, we see the Medeco 1515 to the far left and the Schlage E, which is also SC8, right beside it. They don't look similar on first glance until you notice that
15:24
they're mirror images of one another. Well, we live in 3 dimensions, not 4, so you can't flip a key mirror-wise, unfortunately. But what you can do is put it in backwards. So if you stick it in the back of the lock it actually fits. That gets you your mirror image, and we've chopped the head off of the key so you can see exactly how nicely
15:43
it fits. That's completely unmodified. How do you fit it in the front, because usually you don't have access to the back? Well, you chop the head off. And so we made these cute little key nuggets that you stick in backwards, so you get the mirror image of the keyway. And of course it works. And you might say, well, that's kind of cheating. You
16:01
don't have a head, you can't remove the key, you can only use this once. Well, if you're a criminal, do you really need to use it twice? Do you really need to remove that key? So this should be considered a security vulnerability. You don't necessarily even need the blank. So high security lock manufacturers tightly control the blanks, because the blank can be used to create any key. Once it's a cut key it goes to the
16:23
end user and they can lose it, sell it, whatever with it. And it's completely uncontrolled. So if you can get a cut key that happens to be the same keyway and possibly has other similar security features as the key you're trying to duplicate, you can cut it down where it's higher than the key you're trying to duplicate, and where it's lower you can just add metal to bring it up. So this one you
16:44
can see here, it's a little hard to see so we have that close up in the bottom, but that's actually had some metal added to it with simple electrical solder. Fits really well. You can get a good hundred uses out of that key before it wears down too much, because solder is very soft. But because it's so soft it's real easy to
17:03
hand file out the grooves so that it fits. As well, you can just stick it in the lock a few times and the lock will do that machining for you. Another interesting key we have here is the USPS arrow key. So this is what your mailman will carry to get into your mailbox, to retrieve mail, etcetera. Some enterprising
17:21
criminals in LA found a good way to copy these, which, that blank of course you're not supposed to be able to get anywhere. Isn't that ingenious? You can see on the left some of the useless trinkets that they stole from the mail. But that's an example of, instead of using a keyway that isn't supposed to be for the lock, using a
17:45
completely different household object. There's something else interesting about these arrow keys, though. And that's that if you look at it, it hasn't been milled out. It's different than most of the keys you'll have in your wallet. It's been pressed out of a flat piece of metal. So here's an example of the dies. Excuse me. Here's an example of
18:07
the dies that are used to press something like that. So we made those on the mill. And you can go ahead and put a flat piece of metal in between them and press down on it, and it's gonna bend that flat piece of metal into a functioning blank that can then be
18:20
cut and turned into a functioning arrow key. Of course we didn't cut that, because that would be extremely illegal. That got us thinking, though. What about the keys that are normally milled? Can we use this technique on those and press them in a likewise fashion? And the answer is yes. And you can go a step further. Because let's think about
18:42
it, right? Those milling or those pressing blocks that we made, we can just use the lock for that. Because the lock has the keyway built into it. It is a perfectly shaped die that can be used to press flat metal into that keyway. So we've taken a lock here. In this case it's a Schlage SC1. And we're cutting it in half. In this case on a
19:02
mill you can do it with a Dremel if you have more time. And you get something like this. So that's what a lock looks like on the inside. Kinda cool eh? Uh but you can see how we have the top and bottom forms that can be used to press a flat piece of metal into a functioning blank. So we go ahead and do that. Put a flat piece of metal in between em. Press down hard. And now we have a blank. We can put it on the profile
19:24
cutter. Copy the bidding. And we have a duplicated key pressed out of the lock that it's supposed to open. And of course it works. For really paracentric keyways like this. Really nasty keyways. This is a heck of a lot easier than milling. So it's a good
19:45
tool to have in your toolbox. Now you might ask can you do that with uh something that's actually restricted. And the answer is of course you can. So here's a medical lock cut in half. Two interesting differences. The yellow arrow up there. You can see that anti-drill pin. Different colored metal. That's to prevent you from drilling into
20:01
the lock or cutting it in half. But apparently not. Um and the red arrows there you see those rectangular holes. That's what the sidebar enters in. So for those who know how medical works. Uh that's where the sidebar goes and that gives it it's high security properties. And we use that to press a functioning medical restricted blank. This is
20:27
particularly concerning. Because if you lose a key, you usually are gonna go rekey your lock. If you lose a master key, you have to rekey your whole facility. And that's created some uh major incidents in the news because sometimes that can be a very very
20:42
expensive process. Well what happens if you lose a lock? Most of the time you don't care. Most of the time you don't even know. Um so let's say you have a padlock on one of your perimeter gates. Someone snips it off. Most people don't care. Well what you can do with that is if that was a criminal that took it off, they can open it up, look at
21:01
the pin lengths and create a key that fits that lock. And you might say well that's fine cause we use a restricted keyway. So so they can't make a key for that lock. Well they can go ahead and cut it in half and use the lock itself to press a blank that they can then cut with the bidding for that key and they now have a key to your facility. In the
21:23
case of master keyed system, it's a little bit more complicated. So you can see the right arrow pointing there to the master wafers. That's what allows both the master key to work in the lock as well as the key that's only supposed to be for that single lock. It's a little bit more complicated from there to figure out which one is the master key. But if you have a little bit of information about the system you can do it. So
21:43
you've taken the lock apart, you know where the shear lines are, that seriously reduces your system. In this case we know it's a very large medico system so that lowers the difference that's allowable between adjacent cuts. We know that there's some IC cores in the system. Let's say we found a random key that works on some other singular lock in that system. We can put all that information together and uh and come up with just
22:07
two possible keys to try. And it's very easy to try the first one and if it doesn't work, bring it down to the second one. We have a whole other talk about this coming soon to a conference near you. Um but the point is it's possible. So if you lose a lock that's on a
22:21
master system, you should consider that as being that you've lost that master key. Let's talk about KeyMark. It's sort of a compromised solution by Medeco that has ostensibly restricted keyways but none of the high security Medeco angle cuts. If you take a look at
22:42
this picture here, you can see that the pins in the KeyMark lock only go into that nice straight flat part at the top. That nasty keyway at the bottom never actually interacts with those pins. So if you want to create a KeyMark blank, of course you can press it. It's a really good lock for doing that. But you don't even need to. You
23:04
just need a flat piece of metal that's a little bit shorter than what the blank is supposed to be, and that will operate the lock just fine. Let's talk about Medeco's mainline products. So we see here an M3 key and the M3 keyway that we've
23:21
generated on our computer program to the far right there. This is the code that does it, quote unquote code, and that's just taking a rectangular piece of bar stock and we're milling out those rectangles in the top and the various holes or the various grooves along the edge. Here's an example of what some different M3 keyways
23:41
look like. And what we found, this is purely empirical so I'm open to being shown a counterexample, but what we found is that for the vast majority of M3 locks, the wards or the milling at the top, the milling at the very bottom doesn't change. The milling in the middle stays the exact same geometry, it just moves up and down a little bit,
24:02
and that's what lets Medeco create so many different M3 locks or M3 keyways. So we just went ahead and removed metal from everywhere that metal could possibly be removed from. And we now have a master M3 blank. But it gets worse than that, folks. It
24:22
gets worse than that because we have this master M3 blank. We went ahead and took our database of common keyways that exist out there that you can get for 20 cents unrestricted, and we looped through it. And we looked to see which keyways have the least metal you have to file off to make it fit into that master M3 keyway. And
24:45
this is what we found. Master Lock. Most common padlock in the country. Most common
25:01
padlock keyway in the country. Fits. Unmodified, in a Medeco M3 lock. Not quite all of them. Of the ones we tested, about two thirds, but that's a bit of a problem. So we took a Master Lock blank. We used an M19, which is a little bit longer than an M1,
25:23
because a Medeco is a long lock. And we filed away to allow it to operate with the M3 slider. And we added the Medeco cuts to it. And we created a functioning Medeco M3 key on a Master unrestricted 19 cent M19 blank. Let's talk about facilities that use
25:48
proprietary keyways. Very high security facilities, they're going to purchase a keyway that's only used on that facility. Well, what can we do about that? If we can access a lock, and presumably we can if we're a criminal trying to break in, we're gonna
26:04
go and take a photograph of that lock. And it's very easy image manipulation to then get that into a program that you can analyze. And so in this particular example we run through that same analytics, and in this case we're limiting ourselves to Medeco blanks that are available on the aftermarket, because everything before M3 is out of
26:22
patent so you can. And we find Medeco 19S, a very small amount that has to be filed off to make that work. Or Medeco 17S upside down. So when we're analyzing through all the different keyways out there, turning it upside down effectively doubles the possibilities that might work. We also have this little nifty tool. If you have
26:44
access to the key physically, you stick it in here, push those metal bits in to form along the grooves of the key. And now we have what emulates the lock itself. So if we have access to that key for a brief second on a pen testing job, we can push that in, get
27:00
that keyway and then take it back to our shop and see which blank actually fits in there. If you don't have physical access to the key, you can still get the keyway from photographing it. So if you look at the keys in your wallet or in your pocket, whatever you have on you, you'll notice that at the very top of the
27:21
grooves there's these artifacts that are left by the milling process. Those artifacts there tell you how deep that milling is. So in the photograph on the side of the key it's hard to tell depth, but that gives it to you, in fact amplified. And that just comes from the fact that milling is done with a circular cutting wheel, and do a little bit of
27:40
math, Pythagorean theorem there, and it tells us that the amount it goes up beyond the end of the deepest part of the groove is related using the Pythagorean theorem to the depth of that groove. So what can we do with that? Well, in this terrible security decision here we have the master keys for a facility I will leave nameless hanging on a
28:03
wall behind the public security guard's desk. It's been presented in research already that you can photograph a key and get the bitting from it. You can also photograph a key and now get the wards for one side. So we now know what one side of the keyway looks like, and it's real simple at that point to do some analysis and figure out what keyway it
28:23
is, because for the most part one side is fairly unique. So that's all you can do with keyways, and that's for getting a blank that's restricted and will not fit in a lock it's not supposed to. Let's now talk about all the other stuff that different lock
28:41
manufacturers do to prevent you from duplicating their restricted keys. I'll start by mentioning that for the most part keys are just pieces of metal. We're gonna try to hammer that home, and so you don't need any of this fancy equipment. Just about every duplication process you could need you can do with hand files. And in fact our
29:01
sister was recently in India, and the first thing she said when she got back is, hey guys, guess how they cut keys there? And so on the left you see that gentleman in blue sitting down, and he just has some hand files and a set of blanks, and the gentleman standing behind or in front of him is getting his key copied, and he gets very very good at that, and without whoopsies, and with that level of skill you can copy standard keys and
29:25
just about any high security variant. With that said, let's talk about Medeco. So there's a few different variations of Medeco that exist. At the top you can see Medeco Classic. In the middle there is Medeco Biaxial, and at the bottom is
29:41
Medeco M3. So just for background here, you can see that the cuts at the bottom of those valleys there, some of them are straight, some of them do have angles to them, and that's one of the big security features that Medeco has and one of the challenges when you would be trying to copy it. So we've already talked about filing, that's one of those
30:03
options. Another one is, anyone with access to a hackerspace, you'd have access to a lathe. So here we have the Medeco cutting wheel, which you can buy online relatively cheap, sixty bucks. And we have it set up in the lathe there. We have a key set up, and this can be used to cut those quite easily. And another one that you would find at a
30:23
hackerspace is a mill, and that's pretty easy as well to do copying with. You basically clamp the blank down onto the mill and then you can rotate the head and just use a regular end mill to get those angled valleys for the cuts. So another one that's
30:41
really, it's been documented pretty thoroughly but we'll just mention it here, is casting, and this process is essentially you take your blank or your key that you want to copy, you press it into a material that will take its form, and then you would pour in something that would basically set in there and it would create a copy. So kind of a novelty here,
31:02
this is a carbon fiber Medeco Biaxial that we cast. And one of the important things to note with Medeco is, even with the M3, the blank is one solid piece. What you often see on high security keys is called an interactive element, which is where you essentially have a piece inside of it that moves independently, and that defeats the casting attack here,
31:25
because you can't cast something with two separate pieces inside of it that are moving freely. You can only do really one solid object. And that brings us to Mul-T-Lock, which is one of those where you do need to consider the interactive element. Alright, let's talk
31:40
about Mul-T-Lock. We see here the three generations of Mul-T-Lock key. Classic at the top. And Mul-T-Lock is what's known as a dimple key. So the cuts are made on the side of the key rather than the top. Otherwise the operation is exactly the same, setting pins to the right height. As well as that, it has what's called telescoping pins. So you have an outer pin and an inner pin inside of it. Other than that it is a
32:04
standard pin tumbler lock. Mul-T-Lock Interactive has that little black piece on the second pin from the left. And that actually moves within the key. So that's going to push itself up, and one of the pins is actually too short. So it will push that
32:22
pin up and allow it to reach the shear line. And MT5, which is their latest generation, that just changes the interactive element around slightly to maintain patent protection. We went ahead and figured out a way to duplicate a Mul-T-Lock on a standard drill press. So you can buy these Mul-T-Lock cutting bits online for about 20 bucks. And
32:47
many people have a drill press, and if not, a hackerspace surely will. And the first thing we do is we take the key we want to copy and we put it in our vise. And we index on the cutting head. We index where exactly that key should be placed by
33:02
putting the vise at the right position. Index how deep the drill should go. And you can set that once it's at the right depth so it'll only drill to that right depth. And we can go ahead and use a common drill press to copy a Mul-T-Lock key. There we go. So we
33:23
can see here that cutting head. Now that everything's been indexed, we replaced it out and swapped in a blank for that particular key. And there it goes. And then when it reaches the bottom stop, that's as far as we know we have to drill down, because the
33:41
depth is what's important here. And you can see that nice channel there, or that nice hole there, that will work for that outer pin. So here's the copy. A little bit messy, but it works. We can get stupider than that. We can copy a key by mitosis. So a
34:02
Mul-T-Lock, you can insert it either way. And because of that it completely duplicates all locking elements, or all important elements, on the key. So we can just cut 'em in half. End up with two functioning Mul-T-Lock keys that have everything you need to make it work. Of course it works. And by the way, this one that we cut in half we cut on a drill press
34:25
using blanks we bought on eBay. Let's talk about Abloy. So Abloy's probably one of the most well known names in terms of high security locks. And it's for good reason. So here we're showing three of the main, most common generations that they have. There's
34:44
the Classic up in the top there, the Protec in the middle here, and the Protec 2 in the bottom. And something important to note is the Protec 2, you can see the arrow pointing to that little sort of circle there. And that's the interactive element of Protec 2, and it's essentially a ball bearing that's captive in that
35:02
key. So how these work is, we've already covered a lot of pin tumbler, which is where you have a lock that has pins in it and the key will raise those to the right height. Similar to how you would have a shear line for that. Instead, here we have disks. And when the key's inserted into the lock it's gonna go inside of that disk
35:22
stack, which is in the red rectangle. And when you rotate it, depending on the notches in the side of the key it's gonna rotate those disks different amounts, and if they are rotated correctly then the key will be able to open. And here you can just see, similar to how you would have different length pins for the bitting on a pin tumbler lock that would
35:42
correspond to depths on a key, here you have disks with those notches, and depending on the radius and the angle of the cuts on the key it'll hit it after rotating a certain amount. And those little notches on the outside at the top of each disk, those all need to be lined up perfectly for it to open. So let's talk about the keyway of
36:07
Abloy. So here what we're showing is a view of the keyway on a common Abloy blank. And you can see in the red rectangle there, that's essentially all that you have in terms of actual warding that's gonna be restricting this. Above that, those two points
36:25
below and above are what contact the disks. And so what we can essentially do here is, looking at that, that's pretty thick in the middle, right? So we can take off all of the material where Abloy has sort of accounted for having that there for their warding, and what we
36:40
end up with is, on the right there, that's a master blank for Abloy. It has enough clearance that it can fit past any of the warding that they have, and it still has those two sides there that you would put the cuts on for the disks. And so for cutting this they have real fancy machines in a locksmith shop. We don't have any of those. So again, go
37:03
out to your hackerspace or wherever, and all you need is just a mill here, and we have that blank mounted and just a cutter there, and you can easily get the cuts working with that. And so casting, which we discussed before, this would also work for Protec 1 because it doesn't have the interactive element. However, Protec 2 has that, so we're gonna have to
37:25
think of something else. So in the red rectangle there, that's basically one of the only important new features on Protec when it comes to what we're thinking about, and it's called the disk controller. And so a close up of that here, how that works is, with the
37:43
interactive element there's a ball bearing with a spring that you can see on the right side, and when the key's inserted all the way that ball bearing can be pressed into the key, it pushes that captive bearing over, which in turn pushes the blue pin you can see there, and that pin needs to be pushed outwards all the way for the lock to actually be able
38:00
to rotate. So how do we defeat that? Well, here we have a Protec 2 key up top, a Protec 1 key down below, both of them we have cut to the same bitting, and you can see it's kind of a little bit disfigured there, the Protec 1 at the bottom, and that's because we've milled out a recess that allows us to put in a pick, a piece of
38:22
wire, really anything, and it's not hard to get that interactive element to set. And again, with the master blank there, there's more than enough clearance to insert that pick or piece of wire to interact with that, and here's just a little piece of metal that we've made as a tool that makes it incredibly easy to get that interactive piece set. And
38:45
so now we're gonna show you a video. This is a Protec 2 lock that you see, and it's a Protec 1 key, and normally there's no chance that's gonna work. Here we show just how incredibly quick it is using that pick to get that to actually work. Let's play that
39:02
again. That was... never mind, my mouse is hidden. Let's play that again, that was a real quick video. And you can see we're inserting that pick in there, and that's how easy it is, it's low tolerance, there's really nothing challenging about setting that interactive element. So let's talk about the symmetry of Abloy. Similar to Mul-T-Lock,
39:27
Abloy, if you look at that down the middle, you'll realize it's entirely symmetrical, and in this case it's not so that you can have it similar to Mul-T-Lock, but it's because it needs to interact with the disk on both sides, or so you'd think. Turns out
39:44
you can cut it in half just like the Mul-T-Lock that we showed, and you now have 2 working keys for Abloy. Now Abloy, arguably, I would say if I had to trust something to lock, Abloy's the company I would go with. So let's talk briefly about the 2 man rule. I'm
40:02
sure a lot of you know what this is, but it's essentially for very very high security applications, we're talking nuclear missiles, similar things to that. You have to have 2 people to turn 2 separate keys and that would initiate a launch. Now let's say you have an Abloy securing your 2 locks with a 2 man rule, and you only need one of those
40:26
keys and 2 random people and they could set that off. So this is a pretty significant exploit. So one thing we haven't covered yet, tip warding, is similar to the warding on
40:41
the blank of a regular key. Abloy also has warding on the tip of their key, where when you insert it it can go almost all the way in, but if that warding isn't correct it won't be able to go fully in and the bitting won't line up with the disks. And the
41:00
warding is pretty simple, but some of them can be complex looking, so you'd wonder how do we throw it... oh ok, so we have a little bit of a snowstorm here. Alright, so let's use this one then. So what you can see here basically is this disk is the tip warding disk, it's at the end of the lock, and when the key goes in you can see on
41:21
the top left of that there's a little bit of an indent going into the key, and that's their tip warding, and both of these keys here were handmade by us. The left one, we've followed fairly closely what the tip warding would be and you can see how it fits in nicely, but you don't need to. That one on the right there is the master blank we created, and it turns out it doesn't matter if you file off a lot more than normal, it's
41:46
still gonna work in that lock, and this is one of the keys that we created. And so then we'll briefly talk about these side bitted keys. So this is Primus and ASSA, and you can see those ridges along the side, and those are their high security feature. In
42:04
terms of copying those, we have a machine, hundred bucks online on eBay, and it essentially has a probe that's on the right there that goes into any key that you already have, and that could be any other key for the facility or even from the same locksmith that set up that facility. The side bitting is usually exactly the same
42:21
regardless of the key, and then it's just copied onto this regular SC1 blank on the left, and what you end up with is a blank for Primus, and that can be applied to ASSA as well. And then also we have, how do you get it properly copied, right? We're telling you all these ways to do it unauthorized; the way that you're supposed to do it is you have
42:42
this card that you bring into an authorized locksmith, you show it to them, they'll look up that code and they'll cut it for you. Well, this card you see here doesn't actually exist. We created software where you can input at the top what you want your bitting to be and it'll generate an image with the code that corresponds to that, and a
43:00
lot of online locksmiths will accept these, and all you really need is just one, two, and this is essentially a cut key. And here we have, so here we have just the Abloy one again, it's even simpler, paper, and there's just the codes there. Patent,
43:22
that's basically what prevents regular locksmiths from normally copying it, because legally they can't. Alrighty, so we have about two minutes left to talk about what the blue team can do to remediate against all of this. First off is mastered or sectional keyways: they're great as an additional security feature, not as the only
43:43
one. Restricted keyways, exactly the same thing, great as additional, not as the only security feature. If you've lost a lock, you have lost the grandmaster key. Many people say, well, physical keys are dead because of all of these exploits. We don't
44:02
really agree with that. You need to understand your threat model. Number one, most criminals aren't going to be picking that lock, making duplicated keys, etcetera. Locks, it is generally accepted in the security community, keep honest people honest. And so if you're using them for that purpose it's just fine. The other thing you need to
44:21
keep in mind is your security, to be truly robust, should be airtight even if someone has a master key to your facility. So here we have the basement of Toronto City Hall. We hail from Toronto, go Raptors, and let's say someone wants to steal the key to the city. Well, they're going to go in, they've got to bypass two doors, this is the
44:46
path we're most concerned about. After bypassing the first door, five seconds with the key, that sets off a motion sensor. Now that sets the guard in motion. So he's got to follow through what he has to do to get there. First he has to finish his donut. And then
45:00
travel to intercept. Meanwhile the intruder is taking some time to break through, or to key through, the second door. Travel 120 feet, crack the safe, etcetera. If he can get through that safe before your guard gets there, you have failed security wise and your system is not robust. If you can add enough delays and sense intruders early enough,
45:22
you can make your system robust even if a master key is lost. And that's what you should really be aiming for, cause locks only keep honest people honest. The last remediation is of course forensics. So all of these techniques leave marks on the
45:41
system. Or if you suspect that something has happened to your facility, there are tests that can be done to tell what it was. So in short, we have defeated a number of fairly well known big key types out there. And we just want everyone to be aware
46:01
of the sort of exploits that are out there. Thank you very much. We welcome questions in Lock Bypass Village, which we are running right after this, right now. Thank you very much, folks.