Exploiting Key Space Vulnerabilities in Locks
Formal metadata
Number of parts | 374
License | CC Attribution 3.0 Unported: You may use, modify, and copy, distribute and make publicly accessible the work or its content, in unmodified or modified form, for any legal purpose, provided you credit the author/rights holder in the manner they specify.
Identifiers | 10.5446/49755 (DOI)
Transcript: English (automatically generated)
00:19
Hawkeye Dank has been pretty active over the last while.
00:24
Oh, it looks like we're in. I haven't seen it yet, but I'll transition us live. There it is. All righty. Okay, thank you everybody for coming along.
00:41
This is the Q&A portion for exploiting key space vulnerabilities in the physical world. Your main goon here is going to be pasties. This is fallible. And thank you, Bill Graydon for coming to join us today. Bill, could you tell us a little bit about yourself before we get started?
01:02
Yeah, absolutely. So my name is Bill, as you know. This is my second DEF CON. I actually started out last year as both a main track speaker and a village lead, founding and running the Lock Bypass Village, which I'm helping out with this year as well in the online forum.
01:21
In my non-hacker life, I worked for a company called GGR Security doing physical security consulting, audits, and a number of related services in that regard. So sort of the very flashy aspect of that job that is highly applicable to the DEF CON environment
01:41
is physical penetration tests with which some of these things that I talk about fit into. Excellent. Just catching on, go ahead. Yeah, we're seeing a couple of questions come in right now. There, well, we have one question about have you ever worked, have you ever created a bump key?
02:01
Another one is your opinions on the disc style locks. So some general questions about different types of locks right now. You're welcome to take a stab at those and we'll wait for a few more talks to come in. So in terms of creating the bump key,
02:21
I've created hundreds, possibly thousands of them. Yeah, I mean, that video that we showed, or that I showed at the very start of my talk with how keys actually get originated, all you have to do to make a bump key is that cutter wheel that's taking a bite out of the key at particular positions, you just take that all the way down to the bottom position and then some,
02:42
and you do that across all of the spaces and that'll do it for you. So yeah, I've absolutely done that for both regular systems as well as high security ones like Medeco. So sort of along the lines with your talk, when you got to the point
03:02
where you were like narrowing it down to like the last like 10 or 18 keys, is it possible to make like a targeted bump key that would just be more effective just like dealing with all of those all at once? That is an incredible question. And the answer is absolutely yes. What a targeted bump key would look like is effectively the lowest cuts
03:22
that are present in any of those keys in your narrow down key space. And so in fact, this is something that's been known to locksmiths for decades, actually the possibility to do something like that. So I didn't have time to talk about, well, a lot of this in the talk, but one aspect is I talked a bit about
03:41
how you want your grand master key to be one cut in the highest position so that none of the change keys under it can be filed down. You also, in many cases, want it to have one cut in the lowest position. And the reason for that is if there's any of your change keys that are lower than your master key in all positions, then that change key will act as a bump key
04:02
that will work in every lock on that system and can possibly be jiggled around and bump those pins all up to the master shear lines. So yeah, it's a great question and that's how you do it. And the next question, which I kind of interrupted there,
04:20
was what your opinions are on disk-style locks? Apparently storage locations hate them because they actually have to be cut off. Disk detainer-type locks? Yeah, so I'm looking at this question now. I'm not entirely sure what it means with how they have to be cut off.
04:41
In terms of a storage location, like if someone needs their locks removed, I guess what the question's getting at is that maybe locksmiths are able to pick the other types of locks but not the disk detainer locks. That effectively comes down to the skill level of a locksmith. I mean, disk detainer locks can be picked just like any others. They're a much more specialized skillset to do
05:01
and they require more specialized tools to do. And the good ones are harder. You know, so if you've got an Abloy Protec on there, it's like there's no verified, documented picking success with those. So in that case, then yeah, cutting them off is your only option, which for an Abloy Protec is also going to be a hell of a job.
05:22
But so I'm not entirely sure what the question's getting at, but I think that- I think that pretty well covers it. More than likely. So, I always enjoy when people come and give us more of the in-depth side of the physical security stuff for DEF CON talks. And I appreciate you coming in and presenting that material.
05:42
So, as you're going through, you are explaining things from a bypass direction, at least a lot more bypass this year, right? You're not approaching things from the lock picking side. So, how did you find yourself
06:02
in the direction of the bypass instead of what seems to be more in vogue with the hacking community of the single pin picking? That's a great question. So with, I mean, with bypass, it's the sort of thing that in my anecdotal experience, at least there's a lot less literature out there
06:23
about those particular techniques. You know, you've got a whole bunch of great talks at various conferences about them, but nothing super formalized. And there's a lot in that field that really is yet to be discovered or potentially yet to be published. Since, as I've mentioned,
06:40
in some of my other talks with Bypass Village, lock bypassing has traditionally been the domain of criminals and of classified materials, both of which tend not to get published. And even, I mean, locksmiths as well do it, but for, I mean, even still, the locksmithing industry is a very kind of tight tribal knowledge,
07:02
apprenticeship-based type industry where they don't publish that sort of thing. And so that's, I think, a large part of why the hacker community has not gotten into it nearly as much lately or until lately. From a personal perspective as well, like I have never been a very good lock picker. I understand the theory inside and out,
07:21
but I just can't do it. And that's in a large part because of a fine motor disability that I have. So it's like, I gotta go find something else that takes a bit more core skills. And so lock bypass is part of that. And then having founded and run the lock bypass village, just like you jump headlong into it, you can't get out once you're running a village.
07:41
I can totally understand that. So what's your everyday carry kit look like? Good question. I mean, I am incredibly disorganized. So to think that I have an everyday carry kit is a bit gratuitous to me, but if I'm anticipating needing
08:01
to potentially get through a door, it's like, well, in that case, I'm carrying a much larger kit than what would be everyday carry. If I'm anticipating, well, maybe needing it, but probably not, I might have a rake and a tension wrench, real simple. That's all the picking equipment. For poking the latch out of the way,
08:21
so like a shove knife for a latch bypass, what I've got on my key ring is a little wire that's just an L-shaped end of wire that I can whip out and do that on any lock that I might encounter. So I've got that and really that's about it. Like I don't carry a whole lot else with me.
08:41
And I find that in many cases, if you can't improvise it's not worth taking that particular approach in an everyday situation. So. I know there's a lot of discussion in the community, at least in the lock picking community of most of what we do for fun as locksporters
09:00
isn't all that practical in your, out in the world trying to be a locksmith. At least from what I've heard, and maybe you'll either confirm this or tear this down. But if you are, if you're faced with a lock,
09:20
it's usually going to be easier to attack the mechanism that holds the door together or get in through a window or et cetera. Oh yeah, absolutely. I mean, the large part of it is sort of not just hacking, but ethical hacking. It's like, if our goal is to get into a facility,
09:40
well, we're sort of balancing a number of objectives here. How much do we care about? How long it takes us to get there? How much do we care about the damage that we do, the noise that we make, the forensic evidence that we leave behind, et cetera. So you kind of pick and choose your techniques based on that. And then of course there's a cost element, there's a skill element. So it's pretty multi-dimensional in that regard.
10:01
And the vast majority of practical cases, so what we see in security consulting is you're protecting against forcible, you're protecting against very, very, very basic bypasses and that's about it. And that's what your threat model is. And so I think in some regard, the focus of the hacker community on ethical hacking
10:20
has done somewhat a disservice for the blue team because they are protecting against the wrong threat model. And so you see that a lot with the forcible entry being really downplayed in terms of its impact on physical security.
10:41
I like that as a thought. That's really interesting of talking about training the blue team maybe to not... The things that people in the outside world are going to hit you with might not be the same things that we as the hobbyists are going to hit you with.
11:00
Do you have some specific example of something that is more realistic in the real world that a blue team might encounter as far as physical security protection goes that isn't normally tested or advocated for these kinds of talks, that kind of thing? Yeah, I mean, if you...
11:21
Let's take a simple example. You're a mom and pop shop and you want to protect your store. If you go to many police departments, they'll do a very simple free security audit for you. And they know very well what the threat model is. And so they're recommending things like bars on the windows.
11:42
If you go and ask many people in the hacker community to do a security audit, they're not going to think about things like that. They're going to try to use a fancy latch or thumb-turn bypass tool on the door and say, okay, you got to patch that up. And they might try some sort of electronic attack
12:01
on your access control system. And it's like, well, that's sure it's a vulnerability, but the sort of people that have the means and the motivation and the skills to perform those are not going to be breaking into their neighborhood mom and pop shop. Right. Matching the attacker to the threat model. Yeah. Yeah. We got a question.
12:22
Have you notified any security desks about the vulnerability of having their keys visible? Can you say the first part again? Have I notified them? Yeah, has it been like an actionable report or just like informed them like, like, hey, you've got your security keys on your ring
12:40
and I can see them and that's a problem. Oh, absolutely. Yeah. It's, I mean, it's one of the standard things we check for with any security audits. The biggest time that we see this is with a multi-unit residential. You know, if you've got a concierge desk and we leave that lying out and it's a really simple human factors thing, right? So you just create, you know, put a little box there that they can put it in
13:01
that shields it from public view and that little box then can be self-locking. So if they have to walk away and handle something that's not then left out there for anyone to see or take or whatnot. And we've seen some pretty egregious cases of that being breached when you don't have good human factor design in that regard.
13:20
So you're, okay, so first off, the tool that you showed off throughout the entirety of your talk, is that already available? Is that something that other people can see and use? Yes, it is, yeah. So that's online at a number of links that I've posted in my talk. So you can find the source code on my GitHub,
13:41
B. Graydon, and tinyurl.com/key-space will link you to a version that you can run right in your web browser. That's awesome. We can share that in the track one channel here at the end, if that's cool with everybody. Yeah, so with that tool,
14:03
it starts out with a pretty brute force approach and you start adding on these layers of knowledge. There was a lot of pieces of knowledge. Is that something that you already, you just picked up through your experience or is this just like,
14:21
you just aggressively compiled all this information from everyone that you knew just to put this tool together? It's a great question. I'd say that a lot of it's experience just talking to people, the sort of thing that, again, that kind of tribal knowledge that exists in locksmithing communities, for instance.
14:43
So we were fairly good friends with a number of locksmiths and so we chat with them about all sorts of stuff like this and get information there. And then a lot of it, when you kind of crunch the numbers and understand the mathematics behind how keying systems actually operate, at that point, you can formally model them
15:01
with a number of mathematical constructs. And from that, these rules become a corollary of that. So a lot of it can be derived independently. And so for instance, the rights amplification attack, right? So we derive that independently and then determine that actually this has been published about before as well
15:21
and it's been known at the locksmithing community. So it's the sort of thing that a lot of people have thought about but hasn't until relatively recently been published widely. And to my knowledge, it's the first time that there's a computational tool for analyzing it. That's awesome.
15:40
So we've got another question. Have you had any experience with working with lifelocks at any military contractor facilities? The answer is no. I will actually ask for clarification on what is a lifelock. I don't know either. Hawkeye Dank, if you're still watching,
16:00
you've got us all intrigued what a lifelock is. I guess I'll bump back to your tool a little bit while we're waiting to hear back from Hawkeye. So I totally blanked on my question. Kal, you got me. No, you're good.
16:20
So your talk is quite long and thank you for that. And actually, if anybody is out there looking forward to watching this, he was, or someone was nice enough to go through and nicely index all of the timestamps on that. So that was you, you went to that effort.
16:42
So yeah, thank you for that. There was some, you mentioned some code books in there and I get the impression there were some legal, possibly ethical implications of having that information available. Could you talk to that a little bit of any solutions that you're working on
17:02
on trying to make that more accessible? Absolutely, yeah. So as far as code books are concerned, I mean, there's hundreds, well, there's thousands of them out there. There's hundreds that are common to see examples of in the wild. Everything from, I mean, any standards,
17:21
key system that has generally numbers associated with it. So you might've heard of common keys like 1284X. Well, that's part of a series, 0151X, which you looked at in the talk is another part of that series. And then there's 1700 others in it. C415A, so there's your national cabinet keying set. There's about 600 in the A series
17:41
as well as there's a B and a C. And there's hundreds of others like that. Medeco non-mastered systems have code books as well. So this is a lot of data that's being compiled by a number of services out there. The most well-known of which is Instacode. So anyone that's looking for that information
18:01
on a case by case basis can get a subscription to that and look up, what is C415A? Well, what's the bidding of that? You can't download the entire dataset for that. We happen to have the entire dataset. It's not licensed in a manner that we can then release it freely, unfortunately.
18:20
So one thing that I'm toying with to make that actually happen is create sort of a crowd-sourced platform so people can, if they have access to that information in a way that they're not constrained by the license, they can upload it and then we can create a compendium of that, as well as I'm gonna be adding back into the app a way to import that data if you happen to have it
18:42
through whatever reason or whatever source and then you can analyze it that way. So yeah, I'm working on a workaround for that, but at the time, yeah, go ahead. Just like spitballing, could that kind of like crowd-sourcing happen at like a finer grade level? Like I have this style of key, it's got this numeric thing on and here's the bidding.
19:03
And could that just be crowd-sourced that way instead of fully wholesaling uploading the book? It absolutely could be. That is a little bit trickier when you intersect that with doing the analysis with this software because now it's like, if I have a photo of a key
19:22
that I think is in this series and I say I want to limit my key space to only what's in that series, if I don't have a complete series, I'm gonna get a wrong answer there. So it does create a bit of a challenge with that, which is why there's value in that information that the codebook you've uploaded is complete.
19:42
But for someone that just wants to do a task like look up a particular indirect bidding code to get the direct one, that would absolutely be valuable for that. So Hawkeye did get back to us. A lifelock is a fail-secure combo lock.
20:00
It can be spun to keep any further attempts to open from occurring. Interesting, so yeah, is it the sort of thing where you can spin it to permanently disable the lock if something's happening? That sounds like exactly what it is. That's a cool concept. I'm not, I haven't actually worked on any of those before.
20:22
I'm interested to look it up and see if there's any fun analytics we can do with that. So Hawkeye, if you have any examples of these that you would like to talk further about, this would be a good opportunity to send some messages over to Bill and DM, and maybe there's some interesting future research
20:44
at play there. Which is actually probably a good question to go to. What is your next, what's your future research? Where are you going next with this project? That's a great question. So there's a number of dimensions of that research, one of which is applying these general methodologies
21:03
to combination locks. So a lot of the same thing can be used if you can get any little bit of information out of say a safe dial. So very, very skilled people can listen to the place and determine what that means. Can we use a computer to make that accessible to a wider audience?
21:21
That's something that I'm currently working on and will be submitting to DEF CON in future years once that's complete. Another dimension is tying it into the talk that I gave last year about key ways and the shape of the keys. And so we can combine those two and really get a good sense of,
21:43
from a photo, being able to disambiguate that. And so tying those two pieces in as well. Cool, that's awesome. Hawkeye came back to mention that he's seen them
22:03
but is not able to show pics because of policy being, policy discouraging that, which is probably expected. So you will share all of your contact information so people can reach out to you, I'm assuming
22:20
and you are active in some of the other communities here. Would you tell us a little bit about the Lock Bypass Village and some of what you do over there? Yeah, for sure. So as I mentioned last year was our first year at DEF CON. And so we had a whole bunch of little doors,
22:42
two feet tall that had different types of hardware within them. We had a car door there and sort of some components from elevators, some components from interphone intercom systems that people could then try and do these physical security hacks on.
23:02
And we were packed right up to Fire Code the entire time. People really loved doing that. And so this year, of course, with Safe Mode, what we've done is taken what we could and made online games for it. So you can go online to bypassvillage.org. You can practice rewiring alarms to disable them at the comms line.
23:21
You can practice using UP Ink to bypass combination locks, practice using shove knives to disable latches on doors, a whole bunch of other stuff that we've got little mini games for. So you can, you know, we've focused on the village. I crashed the village last year and I loved what I saw.
23:40
The one thing that I don't know if I just missed it or if it wasn't there, if you can add something about the magnetic door locking things that I would love to see somebody. Yeah, yeah. We're planning to have a whole big exhibit on that this year and then Ronnie B happens. So that's absolutely there for you to see next year.
24:02
I look forward to it. Was there anything that you felt like you just couldn't fit into your talk? Some piece of your tool or something else that you wanted to go over that was just fascinating for you, but just got the cut? Oh my gosh, there was so much.
24:23
I mean, I did the initial talk and thought, oh man, an hour 45, this is great. I can cover everything. And then I had to cut it down for three hours. So I mean, one interesting thing that those who are mathematically inclined will be interested to play around with is there's a separate related tool that will take,
24:41
if you have a system of locks, you know what their shear lines are, it'll generate a relationship graph for all the different low level keys, master keys and the top level master for which key will work in which lock. And you get some really neat emergent mathematical properties from that using different mastering systems.
25:01
So that's something that is up on my GitHub right now. I will send a link as soon as I can hop over to the track one talk page, I'll send a link to an active version you could play with. So that's one of many things. Did you use that to generate a key diagram
25:21
in your talk at one point? Cause there was like a grand master, master, like tree effect. So that one was not auto-generated, that the auto-generated ones are not nearly as well behaved as what I showed in the talk. I manually made that one.
25:42
But what the auto-generated ones look like is, one thing to consider is with key hierarchies, it's like, if I do the mastering on pins, one, two, three, four, and five, if I have a master in pin three, four, five, like in the example that I showed, that's what a typical submaster key would look like. I could also put a master in pins one and two,
26:01
and then change keys in pins three, four, and five. And so now I have a master key that's gonna work on selectively some locks in the A and B and the C system and not others. And so you actually have this N-dimensional tesseract that's created from doing up master keys in that regard.
26:21
And there's another type of system called rotating constant system that creates incredibly complex relationship graphs there. That's absolutely awesome. We are right almost at time. I love the question that Panopticon just asked though, would you consider posting the director's cut version
26:40
of your talk? Yeah, I actually gave a thought to that. I think what I'll do is break it up into bite-sized pieces and post a number of separate videos talking about the different elements that I didn't get time to discuss in the main talk. And so that's, I just created a whole bunch
27:01
of social media when this talk was accepted. Like I should probably make a Twitter. So I made that, I made a YouTube channel as well. So that's the Burton-Liam channel that's been commenting on my talk there. That's for me and my brother or Robert and William, but well Burton-Liam, that's also a valid shorthand for that.
27:23
So take a look at that. And whenever I have time, after all the chaos of DEF CON comes down, I'll be posting some bite-sized videos to there. Awesome. Well, thank you for doing our QA session. Thank you for doing such a fantastic talk. Hope to see you again next year.
27:40
Yep, thank you so much. Yeah, there's plenty more that we all want to hear from you. So for anybody who would like to know more, it sounds like you can track Bill down in the Lock Bypass Village. And there's more information over there for you to learn as well. So thank you very much.
28:00
And I'll be lurking in the Q&A page or a chat for the next few minutes as well. So perfect. Excellent. Cheers. Thank you so much.