no I'm just introducing Skylar why am I introducing Skylar cuz he's that awesome we we've become really good friends over the past year or two and its really been a joy to watch him work on his projects and his things and when I think what's important which he will not of course talk about is that inherent in his spirit of what he does is not just to be really good at what he does but spend every moment he's not being awesome trying to share his awesome with everyone else as widely as possible the fact that he sits with his skills and says how can I spread these two people some people won't enjoy them some people will be really good at them but the point is to teach because you never know where the next Skylar is coming from and there's something to be said for that so ladies and gentlemen boys and girls the rest of you welcome to DEFCON 19 and the talk by Skylar town do it yourself non-destructive Gentry so get yourself ready for the man we call six-second Skylar the man who will unlock your house just before he unlocks your heart and changes your life forever Skylar town I only found out that I was getting an introduction about 20 minutes ago via Twitter thank you very much Jason Scott ladies and gentlemen you'll be filling the Penn & Teller theater later today okay hey everybody how are you good good good excellent all right um so this is do-it-yourself non-destructive entry i am skyler town of course I'm a competitive lock picker a physical security researcher and I'm really easy to track down either Skylar town calm or at shoe box on Twitter or Skylar town on the Internet there aren't many of us okay what we're going to cover today one of the things in here we are not going to cover it'll be a mystery it'll be a surprise what you don't see we're going to talk about how

to open cars with popsicle sticks we're

going to talk about how to open safes

with palm Sanders we're going to talk about how to open handcuffs with beer

cans we're in talking about how to open electronic safes with nine volt

batteries we're going to talk about how to open tubular locks with pens I know I

know you all know how to open tubular box of pens but I'm going to tell you a lot more about why that works and my hunt to find the man that caused the problem we're going to talk about how to

open up sesame locks using the security

tag off of your DVD case and by

discussing these things we're going to talk about shimming attacks spiking

attacks decoding attacks self impression

attacks over lifting attacks vibratory attacks and I know I missed a better joke there but my mom's going to watch this

okay so first let's talk about the cars

okay cars typically use wafer locks to your right are the wafers wafers are obviously different than pin tumbler locks they don't split it isn't to pin stacked on top of one another in this case those wafers at there when they are matched to the proper ki will fit in the middle of the housing of the lock which is on the left there there'll be an animation to demonstrate this in a second which i just realized i didn't queue up so it's going to be amateur hour in a second here but that'll be just fine okay the wafers are typically

stacked opposite of one another one will spring up the next will spring down when will spring up the next will spring down so they're occupying either this top

chamber or this bottom chamber and the key brings them into the middle yeah

well hold on a second I am doing

everything I can not to demonstrate the

porn oh yeah you just made me say porn

in front of my mom you're the worst all

right hold on oh my god there we go all

right so as the we're just removing the springs for clarity sake but as the normal key enters the lock it will drag each of the wafers into the middle of the chamber you turn it they turn freely inside of there does that make sense beautiful over lifting is an incredibly simple attack taking advantage of how these locks work it's just an inherent flaw in the nature of these locks and there are things that you can do to improve it we're going to show you over lifting with a key blank and then we're going to talk about the inspiration behind this talk and how I broke my own car when a key blank is inserted into the

lock it pushes each of the wafers beyond the chamber that they would normally be caught in so now they're going to be blocking in the opposite chamber but they're trying to be sprung back to their natural chamber keep that pressure on as you remove the key and instead of returning to their home chamber they collide with the side of the housing reinsert just the tip of the law of the key and the lock will open so that's a simple over lifting attack now

importantly and as to why this talk

happened whatsoever I don't get to use this photo enough so it'll it'll actually be in the talk twice I got to thinking what else could I use instead of just a blank key and then I thought

popsicle sticks what if popsicle sticks could replace the keys to my car of course what happened when I initially tried this on my car the first attempt

so it was winter and when you're done when you're done eating a popsicle stick the stick is typically still pretty moist so you know whether successful or not and admittedly I was not I did not open out on my first try and I you know I got into the car it was fine and I drove away and everything but night comes and all of the fluid that I just jammed into the lock of course helps the lock freeze overnight and then I because it's not like I know anything about locks just get really mad the next morning it just keeps shoving my key in until I've bent the wafers out of place and my driver's side door never worked again but if at first you don't succeed

I might not know what it means but I know my audience so yes I did manage to

open image open my passenger-side lock during the spring with the same technique to be perfectly honest this

did not succeed many times but it was very exciting for me the idea that I could potentially be out of my house with absolutely no picks on me whatsoever but still be able to we'll talk about the ethics later but still be able to steal a car I tell an incredibly strict ethical line I don't even pick the locks on my front door because I rent so technically I don't actually owned them I'm incredibly strict abetik sime a little bit worried but if I start crossing small lines that you know I've done on a lot of long road trips where i'll see like a 24-hour thing but it's actually shut down for some reason and I'm like man I really want a coca-cola I could just let myself in and leave some money on the counter and but I'd say you know that's a recipe for disaster but it got me to think and you'll note that I've amped on the slide of the good photo but it got me thinking what else could I do what other attacks are there and there are a lot of them that are already well known all of us dapper lock

folks aren't going to be particularly surprised by the things I'm delivering today but the rest of you rabble I hope

that this will blow your minds so this

is the one that you all know about this is the one that lived in a legend or if you don't know about it don't worry I'll recap but the idea here is that a Bic that a kryptonite you lock plus a Bic pen equals that dirty rat Calhoun

absconded with your bicycle I want to

thank Doug far who I was just told hit his head and ended up at the hospital that's not true don't worry he's just a dick and didn't show up to the talk but he did tell me where to find some walks that I'm going to use in a demo here so um kryptonite's wouldn't come

tonight's advertisements here this reads nothing is harder to steal than an immovable object so kryptonite were actually beloved when they came out in 1972 I believe and by 1974 the concept of the u-lock was so revolutionary and had replaced everybody's heavy chains that they were inducted into the museum

of modern art as a like design Paragon art piece now what was inducted getty museum of modern art was the kryptonite for bike lock and we'll explain exactly the precise importance of that in a

minute but first let's demo man is that echo actually crazy or am I just hearing it crazy Oh am I enunciate enough for everyone have any of you ever if you ever watched the Stooges that song they did beb be a baby i pick you by bo bo byob you boo Vicki by boo boo my mom used to sing that to me okay so kryptonite brake lock I pigpen this is actually uh oh man I had one from the shmoo group oh yeah and I was just over at the tf2 table anyway but I have a bunch of Ben's here so cap was blown off i'm just going to jam it into the lock gonna twist a little bit deep in it not quite i was letting one of the other i was letting one of the other competing speakers play with this so i might have to open up the new pen over in the speaker reading room Oh almost there okay it has already I know you can't see this turned one position we need to turn at least two before the shackle will actually release for us boom you know the great thing is that despite knowing about this to attack academically for years now earlier today was the first time that I ever actually successfully attempted it I mean the thing with this attack is that you any of you could walk up and carry it out it's called a self impressionen attack but why why does it work right so the

Kryptonite bike locks used tubular locks and at the time of this attack they were using a not-very-good tubular lock so

tubular locks are just like normal can't employ locks they have a key pin but it's flat not tapered they have a dr appt in the yellow one white shows up better than I had feared they have a driver pin that will be below the key pin and then there's a spring below that surrounding them you have your plug and

you have your housing of the lock the separating line between the plug and the housing of the lock is the shear line these locks will rotate blocking the shear line are all of the driver pins it's just like a normal pin tumbler lock it's just that its radially aligned you also would not guess that my prior career was as a graphic designer so

around the edges of the key you'll see notches those notches correspond to the heights of the key pins each key pin will be a unique height that corresponds to the depth cut into the side of the key again just a normal pin tumbler lock in a different configuration so with the

proper key inserted all of the key pins will be depressed so that the bottom of the key pin and the top of the driver pin are sitting at the shear line and the lock can rotate freely does that make sense fabulous so importantly

because each of the drivers are exactly the same height every stack will have a unique item when you insert something

soft into that situation the springs all being made out of the same metal and pushing back at the same rate the driver pins all being the same height and the key pins all being unique this means that the lock itself impressions a key into the soft surface that you are attacking it with so the people's are literally pushed into your

piece of plastic making a key that will operate that lock self impression he was a pretty badass attack so here's the

really important part and this I only found out recently this is the little value-add from the historian side of the work that I do kryptonite for bike locks that were inducted into the museum of modern art and so on and so forth used ace two tubular locks h two tubular locks use different types of metal in their Springs so that the springs will not push back at the same rate so that you cannot carry out a self impression attack even if all of the drivers are the same height and even if each stack has a unique height if the springs push back at different rates you won't get a key reproduced they're still pickable there are still tools to pick them they're not perfect by any means but at least the self impression attack is pretty much dead in the water except on certain particular biddings so what

happened well I intend to find out sometime in the late 80s when they were going through a major design change in their locks somebody made the decision to drop the higher end ace to lock and go with a cheap Chinese tubular lock that was designed to fail in this way what you also need to note is that because the ace to lock existed whatsoever this was a known problem that had a known solution so they were reintroducing this flaw it wasn't a major discovery I mean mark Tobias was talking about how Kings new locks for reproducing this flaw and so on and so forth only months before the Kryptonite thing blew up so the Smithsonian happens to have 17 crates of corporate records of the Kryptonite bike lock company from 1972 until 2001 when they were acquired by ingersoll rand i'm going to be going down there in october i'm going to spend as long as it takes at the smithsonian digitizing as much as i can or eating as much as i can my goal is to find the name of the person made that decision and if I'm successful

I'll probably submit that as a fire talk somewhere okay so let's move on to the

handcuffs I'm a little bit nervous but I did bring a handcuff key up onstage with me if this goes poorly my Coors Banquet appears to not be quite as thick a can as I was hoping it would be but we should be able to pop some handcuffs

open with it all right this is the interior of a handcuff mechanism I just want to explain very quickly how it functions this here is just the Paul this is what's going to catch your shackle as it enters the lock this is just a leaf spring that is perpetually pushing the Paul down we're not going to talk about double locking towards the end of this but the important thing here is that there is a way to keep the Paul from ever retracting until you put the proper key in that's what this piece of blue is here it would shove over and keep the Paul from lifting up you double lock someone both for their comfort and to keep them from carrying out the attack or about to describe I don't think I found my mug shot though so I'll tell you right now is arrested a little while ago and three out of the five times i was in cuffs they were not doing it properly so in practice it's it's not always applied everything worked out brilliantly with the with the arrest no no formal charges or anything it worked out great so here is the top portion of

the handcuff with the shackle inserted

the ratcheting mechanism just marries into each other very firmly so you can't retract the shackle but because of the slope so you can continue to push the shackle inward very simple if you introduce a thin piece of metal to the situation and actually close the shackle on yourself I position the thin piece of metal will be drawn in between the teeth by the ratcheting mechanism thus blocking the teeth from walking into one another again and you can just pull the shackle right back out so I'm going to try to do this I have the handcuff key with me I'm under confident in this particular attack however it's a key piece of gringo warrior so if I fail miserably here you can see me get out of the cups crazy fast at gringo warrior I promise alright so I'm just going to cut off a little bit of this course late banquet which by the way was fourteen dollars for a six-pack but I guess that's what you get when you're living the banquet lifestyle okay so as I said before I keep a really strict ethical line but I definitely live a very rich fantasy life in particular I've always dreamed that if I really were cuffed but maybe at some point in time there would be like a soda can on the ground or something and I could just kick it you know kick it into shards and rip it open with my teeth and everything until I got exactly the right little piece of metal and then free myself for my captors in reality I probably get tased but you can dream well is that is this your first stuff come I I'm not asking that to make fun of you I'm at honest have you so have you ever seen the gringo warrior event come on out you're going to love it it'll answer all of your questions it's at noon today I believe in the contest area you start in cuffs typically behind your back my fastest time out of those was ten seconds all right that one poorly did you really oh yes that's what I'm looking for ah I roll deep it is not dremel doubt like the tool guys do okay nice nice he's talking about the universal handcuff key which is in fact the tool guys give which is pretty slick okay so cans that I confirm this function that I can confirm this functions with diet sunkist worked awesome but but no apparently not the coolers banquet so if the metal is a little bit too thin and the ratchet the leaf spring in the ratchets strong enough it will actually crimp it when it inserts in just getting your shim stuck in the lock and only making things worse for you so grain of salt on this particular attack do you want to play with that all right is it okay if he uses here oh great excellent yes there you go okay so we're now going

to talk about sesame lock to coding we're going to explain how sesame lots of work and then I'm going to grab another animation and go through those okay a little water first and we should have time for a little bonus material and some Q&A at the end of this as well so that if you're curious about other DIY attacks we can get into them okay so

in your sesame lock this is like a briefcase lock we showed a picture of it at the start it'll have a series of small wheels all facing outward toward you with numbers on those wheels in reality your outer wheel here has a smaller wheel inside of it with a gap cut out of it the gap is there to accept

the teeth of the locking mechanism so there's our gap there's our teeth in this case there will be three teeth on this all of which will push in at once releasing the shackle on this particular device this particular device was meant to lock around a USB key in order to protect your data the first time that I ever played with it fell apart in my hands so with the wood the teeth pushed

inward so we're going to use a small

piece of metal that you can retrieve out of a DVD security tag that small white piece of plastic or small black piece of plastic inside of the DVD case or CD or video game or I even found some in some curtains once they're used all over the place inside are two fantastic small pieces of metal they're incredibly thin and make amazing shims that you can use shims for a number of things in fact the slide that I showed when I was rapid fire going through the shipping was shimming the back of a lock if you show them the back of a lock you don't have to use a key in it or pick it in order to perform maintenance on it you can just use the shim to slide between the shear line in our case though we're going to use it to decode the sesame lock here you see this tucked into the gate and the idea behind this attack is that we're going to allow the shin to rest on the interior we love the sesame lock and then slowly turn the lock until we feel the shim drop in word when the shim drops in ord we know that the gate is now facing us that isn't the locked position but I'll show you an animation here which will demonstrate that ok

we'll just scramble the wheels to start and introduce our shim so the shim rides along the interior wheel checking right belong the side of the main wheel the timing isn't the best on this as it begins to rotate hopefully it will stay at the same position the same position in one position it will go in quite noticeably so leave that there five actually is not the first number in our combination what we need to do right now is just get all of the gates lined up with all of the gates lined up we now know that those teeth are all going to be in the same orientation so we just turn all of the numbers together try the shackle turn them together try the shackle turn them together try the shackle and we've now reduced the thousand combinations down to 10 possible combinations

thank you ok now the palm sander so the

palm sander is going to affect some

safes so to quickly explain how safes work this is one of the wheels in a three wheel pacsafe there will be a spindle along here but the important thing is the exterior so if this is completely filled and there's just one gate out on the side not dissimilar from the sesame lock hmm open awesome all he did was double up the metal because it was so thin so you could still potentially kick and crush a can your way to victory and outrun the teasing so so we have a few of these in the lock right in between each of the wheels is

what we call a fly that's the small bit in the middle of it each fly picks up the next wheel in the log so these aren't directly driven each one influences the next when you have to pass by your number a couple of times what you're actually doing is picking up every wheel in the lock with the one wheel that's directly driven off of the dial so when you pick up that last wheel you leave it behind then turn two times fast your other number right that way you're picking up your own wheel in the next we?ll leave that one behind one time leave that one behind and the final number or in this case I did one too many but that's the idea so the important thing because these aren't direct driven each one of them can rotate independent of one another if the right sort of force is applied to it so

these are just a quick see through three of the wheels and our safe and this then is our walking bar so when they're all lined up after you've dialed a combination incorrectly that bar can drop down into place and you're safe can open super simple however in some not terribly well-made locks the bar might be right there and if you apply a vibratory force to the

dial of the lock the wheels will want to

settle with either the most material down or the least material facing up so without ever dialing anything just by applying that constant vibration you'll eventually get the wheels to settle into the top gated position allowing that to drop in and the safe to open now I picked up a safe to do as a demo nothing that I was going to fly out to DEFCON would of course but just the smallest of fire safe to try this out on myself and you know wasn't working and I pulled it apart to actually look inside was like oh fairly clever you know they they knew as much to mount the to mount the bar right here but I mean this is a 65-pound exterior fire safe so I just tipped it over and it worked great I often say when I'm doing trainings and talking to people about various other various other methods of entry and picking with traditional tools and things like that as well that very often we know a lot of information before we approach a lock we know information about its key way we know information about the cut depths of the key we know if it's a master keyed system so on and so forth and having that prior information or even having that information stored in the memory banks when we walk up to a lock and CEO it's a schlage Primus I'm in an apartment building you know probably has a regional sidebar vulnerability and we can go to that tool set so in this case there are schematics available you know their patents available you can even just buy something and pull it apart to see at what angle this particular guy is set and if it's an exterior safe that isn't bolted into anything you can just shim the legs of it up to the right angle to carry out this particular attack there was a probably apocryphal story about a naval ship there's actually two good store Navy ships and and locks but the they were having these safes opening all over the decks and I couldn't figure how why it was happening and there are stories of a ghost and things like that but in reality the force is being exerted on the safes from the ship the engines the turbulence of the waters that are etc we're just enough to occasionally make the wheel settle out just enough that the bar could drop in once in a while they shook the dial and after the whole thing open I don't know how true that is but it's certainly a good story how are we on time awesome alright we have

plenty of time for me to tell the other story which has nothing to do with the talk but is also pretty funny so a a

fantastic a beautiful russian lady for whatever reason has been invited on to a military ship in order to sort of take a formal formal cruise of a particular area and she says to a young naval officer oh it's so beautiful out here so lovely but I'm a little worried about my jewels they belonged to my grandmother could I give them to you and could you put them somewhere safe for me so he of course goes and puts them in their safe she later approaches the safe with a sheet of paper comes back later and opens the safe and takes everything out of it because the sheet of paper was radiographic film and her necklace was radioactive again it's apocryphal but certainly a good story all right there are a couple of other things that I want to show you one is items that you can make your own picks out of and then another fantastically clever little hack that Doug fire reminded me of before I came out here which I don't have slides for but I'm still still going to demo for you on stage and try to explain how it works cool so we're going to do those and then we should have plenty of time for questions bank through a lot of material a little faster than I expected all right I'll put this up in the

meanwhile so you can track me down so this is a windshield wiper blade you many of you probably have these and if you don't want to give up your own you probably know where to find some so inside the windshield wiper blade are two fantastic little pieces of spring steel the spring steel in these is perfect for making your own picks out of other sources for good pic making material from found objects street sweeper bristles this is a relatively common one in the community and some people outside of it may have heard of it as well but if you literally just get on your bike and bicycle along behind a street sweeper while it's doing its work occasionally it's spring steel bristles will snap off and lay in the gutter for you pick those up clean them up make your own tools out of them making your own fix is actually relatively easy if you have hand files and a little bit of patience you can bang them out pretty quickly if you don't have much patience but have a ten-dollar grinding wheel you can bring them out very quickly definitely finish your pics and the one thing that I want to explain about this before you all go and put some spring steel through the palm of your hands is how to disassemble this safely very simple just worried the rubber portion out from the middle and then pull down it'll pull out cleanly and you'll be left with two beautiful pieces of spring steel that you can use for tension wrenches lock picks so on and so forth if you try to pry the spring steel out without first removing the rubber it will turn into a bow and fire one of them into you so please be careful about that okay finally this is a master lock 175 this is a sesame lock it's a padlock I am going to just open it very quickly and then explain to you how I opened it very quickly hopefully I open it very quickly in reality yeah they're just like that so we're fairly clever lock Pickers and we can come at things in a number of different ways one of the most important things to think about when you are first approaching a lock or first approaching designing a lock is that there are all sorts of attacks that we know about and have known about that might get accidentally reinvigorated in your really super secure design but we'll just bypass the primary mechanism all together and open your lock without ever consulting your nice you know sesame lock or whatever they else case may be into this case with a thin piece of metal in this case i'm using a pic which i know isn't a found object we could use the windshield wiper blade or a sweet super bristle i've had to perform this attack with the street sweeper bristol before push the shackle down hold it down go in above the numbers not very deep turn yeah not very deep turn open there is a plate inside of the lock that wants to interact with the wheels of the lock just like we were talking about sesame locks before however because of the design of this particular one you can interact with that plate directly just by poking at it you push the shackle in in order to release the plate so that it can move freely push the shackle in so that it's no longer under spring pressure one more time in not very deep push open that's all there is to it so sorry about the huge echo so picking with materials that you find yourself is incredibly satisfying again the idea for this talk came on a lark when I broke my car one day trying to screw around with things in general don't forget that you can break things so please don't pick locks that you rely on please don't pick locks that anybody else relies on but if you personally rely on it nobody else does and you're willing to screw yourself over like I am go ahead does anybody have any questions we have some time right now yes yeah so you found the thing that we skipped okay the idea behind spiking is an electronics problem and I invited a friend up to talk about that is that's more his domain than my domain the basic idea though is that in most electronics safes there will be a Sol annoyed that actually needs to move out of the way in order for the locking bars to be retracted that solenoid is controlled by the electronic keypad so when the gets the right authentication via whatever its authentication mechanism is the solenoid will retract allowing the locking bars to also retract however if you completely bypass the authentication mechanism say with a 9-volt battery drill into the right part of the lock again this goes back to when I said that we know a lot about locks when we first approached them so we can understand the schematics we can download them from the internet we can literally just have a page that tells us drill here but two small holes in where you can put the leads off of your 9-volt battery completely bypass the authentication mechanism and fire the solenoid directly that's spiking does that make sense excellent I only skipped it because it's not my domain but I think that makes sense any other questions yes the tab off of the top of a soda can to be the handcuffs I think that it might be a little bit too thick the actual operating space in there tends to be quite tight however if one of the folks in the lockpick village is willing to let you play with it they definitely have cams and they definitely have handcuffs oh that's not a bad idea at all yeah try that out let me know how it works yeah excellent yes oh yeah man that's a rude of me she was wondering if the interior tab the part that breaks away when you want to drink your soda if that might be a little bit thicker but still available to you to shim the handcuff it'll definitely be a little bit too wide but if you trim it down it might be thick enough and work well so she'll play around with that anybody else yes I've completely dependent I only managed to do it on to the one that I had to knock over went like that once I knocked it over because the gates were about that big and the actual walking bar was about that big it was what would ya I'm very sorry that's the second time I've done that he was asking how long it takes to palm sand the safe open I was explaining that the easiest one for me went very quickly because the actual locking bar was maybe a fifth the size of the gate that was available for it it was made to be incredibly forgiving as you dialed it in and and very poorly made despite being relatively expensive the other one that I worked on we're slightly tighter tolerances but it was still probably two to one and did go after a while I did not work on any high-security safes when operating on that so I don't want to say that none of these attacks are universal these attacks are taking advantage of shortcuts and poor engineering that's what we're taking advantage of the DIY yes no I would before I would ever say it publicly I'm very curious to have a conversation with him most of my work most of my primary work concerns the history of Loch engineering and how changes in physical security of affected culture when the Kryptonite bike lock happened it was such a public disclosure many many many people were affected by it kryptonite had to respond an incredible way and even a stew logs which were not vulnerable to that attack were forever besmirched because they looked just like the lock on the Kryptonite and to this day when somebody sees a tubular lock they'll say oh man you could open that with a big pen even if it's not the case so I want to know why it happened I want to know if he was aware of the decision that he was making and if we get to a point where I can't manage to have that conversation yeah I'll probably say his name thank you we have 10 minutes yes yeah yes thank you very much he said that I should tell loved ones that I'm going to go talk to this kryptonite guy in private um where I'm gonna be anybody else thank you all oh I'm so sorry wait yes damage to the internal components of the lock is really low unless you're I mean anything that you're doing outside of the norm has the chance to wear things out faster you're definitely going to leave marks on the exterior of the lock as well though you could probably mitigate that I suppose by putting something non abrasive in there yeah I the first one that I did I was an idiot and I kept the sandpaper on cuz I just grabbed it in a friend's place ah but yes no that's a good point he says they have rubber bases they shouldn't be marking but as far as rest of the internal components really it's just about where you'll be putting it through a lot of its paces but they're very simple machines so the risks shouldn't be high again the remember locks can break so please don't pick a lock II rely on thank you all so much you