DEFCON 27 Conference. Duplicating restricted mechanical keys. Part 1

Talk abstract:

Restricted keys, or mechanical keys with limited access, differ from regular keys in that they may not be duplicated. Manufacturers of such keys (and locks) therefore strictly ensure that blanks for making duplicates do not reach the open market, or they design keys for which suitable finished blanks are extremely difficult to find. High-security lock systems in the U.S., such as Medeco, Abloy, Assa, and Mul-T-Lock, are used partly to withstand mechanical attacks on the lock, but to a greater extent to prevent duplicates from being made for unauthorized entry into locked rooms. Facilities such as the White House and the Parliament of Canada use a special key profile reserved exclusively for them, so that no one can procure the blanks needed to make duplicates.

However, there are tens of thousands of key blank profiles that are suitable for making duplicates, even for very limited series of locks. Since keys are just pieces of metal, the brothers Bill and Robert Graydon explain in their talk how to make duplicate keys for the Medeco, Mul-T-Lock and Abloy high-security systems. They also touch on all aspects of controlling key manufacturing, including patents, and consider how the administrators of sensitive facilities can prevent locks being defeated with duplicate keys.



Bill Graydon is the Director of GGR Security Consultants and is actively engaged in research in the fields of electronic surveillance and alarm systems, human psychology in security settings, and the analysis of locking systems. He earned a master's degree in computer engineering and a certificate in forensic engineering from the University of Toronto and uses his knowledge to develop mathematical models to improve security in the physical world.

Robert Graydon is the technical director of GGR Security, where he researches the vulnerabilities of mechanical and electronic locks in order to detect and evaluate possible design flaws or attack methods. He has well-honed skills in lock picking and locksmithing, and a thorough understanding of the mechanics and functions of many types of high-security locks, as well as electronic security systems and their components. This knowledge and experience allow him to effectively search for and test methods of attacking high-security systems.

Presenter: Now we will hear about the physical aspects of security. How many of you have seen keys labeled "Do not duplicate"? Of course, I'm not going to do this, but the guys who are about to speak to you have a different philosophy. Welcome Bobby and Bill to Fancy Track!



Robert: Greetings to all, I am Bobby, and this is my brother Billy Graydon. Let's take a look at this slide showing keys for the mechanical locks that are widespread in North America. They are very easy to duplicate. If you need a copy of such a key, you go to a locksmith or key-cutting shop.

Let me show you a video of a key-duplicating machine, which is called a Profile Cutter. The original key is mounted on one side of the machine and the blank on the other. The machine traces the original, mechanically scanning all the cuts and ridges of the bit with a metal probe, and at the same time cuts exactly the same profile into the blank.



Just as an example, I will show a key that can simply be copied on such a machine. This is the key used to launch Titan II nuclear missiles, as inserted into the launch console in a military museum. You could take this key to any shop and make yourself a duplicate on the Profile Cutter.



Fortunately, since then, high-security keys have come a long way. So that you can picture how the lock works, I will show a diagram. You see rectangles of different colors separated by the shear line. When the key is in the lock, the lock's driver pins line up with the code pins, or key pins, along that line. In this position, the key can be turned to open the lock.



Watch the following video. When you bring a key to a locksmith to make a duplicate, he sets the original in the clamp and very precisely adjusts the position of the cutter, which cuts a profile into the blank that repeats the outline of the cuts of the original key. Now look at this slide - many of you will recognize these keys, although they are not too common. These are high-security keys with a special blank profile, and you will be lucky if any locksmith makes you a duplicate of such a key. Most likely, he will be unable or unwilling to.



Today we'll talk about how to make such a key yourself when you bring the original to a locksmith and he says: "Sorry, man, but I can't cut anything like that."

Bill: So, when you bring a locksmith a key that is forbidden to be duplicated, and the locksmith says that he cannot duplicate it, there are two reasons for this. The first is that the locksmith simply does not have the necessary blank. In the second video, we showed that before you start cutting the copy, you need to select a blank whose profile completely repeats the physical shape of the original, including the key thickness and the cross-section of the bit. An important part of the blank is what is called the key section - the cross-sectional shape that allows the key to be inserted easily into the keyway. The key manufacturing process begins with the selection of a rectangular metal bar that can be cut to fit the keyway.



As a result of longitudinal trimming of a bar of the required length, we get a blank with the profile shown in Fig. 3. In this case, the key profile corresponds to the keyway profile shown in Fig. 5. The process of cutting longitudinal grooves into the blank, shown in Fig. 2, is called milling. The special shape of the keyway that prevents the wrong key from being inserted into the lock is called warding. The protection of the locks lies in the fact that all manufacturers try to use their own unique keyway profile, so it is impossible to simply take a Schlage key and insert it into a Weiser lock - it will not go in. Let's take a look at our first keyway exploit.

What is shown on the slide is called a "master key system". All master keys have a longitudinal groove that allows them to be inserted into the lock. At the top of the table are profiles of the Schlage SC1 key, the most common in North America, forming a whole family of keys of the same type. The third key in the upper left is the SC8 key, and these two will not go into the same keyway. However, a master key 1145H is shown below in a blue circle, with which you can open both locks - SC1 and SC8. In very large enterprises or in buildings with a poorly designed security system, a master key opens almost all the locks. If room A opens with the key SC1, and room B with the key SC8, then you, having master key H, will open both rooms. And you can do it unintentionally, and this is the problem.



Suppose I have a key to room B, which I take to a locksmith. However, he may not have all the blanks shown in this figure. Therefore, he can say: "OK, I will make you an SC19 key that will open all these locks." A locksmith can save on buying blanks for the different keys in this series by making identical SC19 duplicates for all the locks. So, using a universal key of a higher security level, I can get into room A.



This is the first exploit, which people can use completely inadvertently. The main topic of our presentation is restricted keys that are prohibited from duplication, so for demonstration we will use a computer model of the Medeco M3 key blank. Since the original is just a piece of metal, we printed our model on a 3D printer. This is a fully functional blank that can be cut as needed so that it works in the lock like a real metal key.



If you want to make it out of metal, you can use the machine shown in the next slide. It is very similar to the machines used for mass production of the keys that are in the pocket of each of you.



At the top you see a round milling cutter with which grooves are machined along the key, allowing it to be inserted into a keyway of a certain shape. Speaking of keys forbidden to duplicate, it is necessary to mention a small red metal box called Easy Entrie. This is an automatic CNC copy-milling machine for cutting key profiles, manufactured in Germany. Most people do not have access to these machines, because they are too expensive, and besides, their private use is forbidden. This is one of the reasons why we will not dwell on them in detail.



Matching keys to keyways is a very tedious process. If you ask a locksmith about this, he will say that this task can drive anyone crazy. Therefore, we decided to automate this process by developing software that includes a database of hundreds of digitized pictures of key blanks and keyway profiles, and we wrote a scripting language with an interface similar to MIT Scratch. Those who know it will recognize a few lines of this language at the bottom of the slide.



We take the profile picture of the Schlage SC1 key blank, this is the black profile at the top, and compare it with the SC8 profile. As a result, the program produces a picture with overlapping profiles, which shows in red which part of the metal is present in SC8 and missing in SC1, and in blue which part is present in SC1 and missing in SC8, which prevents the first key from being inserted into the lock for the second. The purple figure is a profile that fits both locks.

The next slide shows that the left-handed, "inverted" version of the Sargent 1007 RA key - the Sargent 1007 LA key - practically matches the keyway profile for the Medeco 9S key. The purple bar indicates that there is no metal in this zone that is unique to one key or the other, and shows how thick the blank must be for the key made from it to enter the keyway.



So, in this case, we have a Medeco 9S blank, which is biaxial and forbidden to duplicate, so you cannot order such a key anywhere, but you can take a piece of metal 32 thousandths of an inch thick that fits the lock perfectly. We have added several binary operations with mathematical calculations to our program. We do not add key profiles or subtract them from each other, but we superimpose one on the other and get a profile with the outlines common to both keys.



Keyway profiles for Schlage C, E and F keys are shown here. By the way, C and E are just other names for SC1, SC8, and so on - you see them at the top of the next slide. The intersection of the combined profiles of these keys will be a master key that will go into each keyway. Thus, you can take a universal blank of a suitable size and cut the grooves we need into it with a circular cutter.

So, we take the most suitable key, L, which we want to insert into the lock for both L and M, compare it with the other profiles, and see how the program shows in red the pieces of metal that prevent it from doing this.



Next, we mill the blank with a 16-inch milling cutter, removing the red areas, and see that the profile in the right figure becomes universal for both keyways. Those of you who are familiar with scripting will notice that we are using variables here. Then we use the profile analysis language on each keyway in our database to compare it with the profile of a particular key.



Having made such a comparison, we see that this key is very similar to itself in "inverted" form. If so, we exclude it from the comparison. On the slide you see a small example of the output when we ran our script and as a result got a whole bunch of keys that are symmetrical in one way or another. Let's apply the same algorithm to keys that may not be duplicated.

On the next slide, you see a Medeco 1515 key, which is compared to a Type A key blank that can be bought at almost any locksmith's shop. This blank is the most suitable for the profile of the key we need. It is enough to cut away the pieces of metal marked in red, and it can be used in the keyways of Medeco 1515 keys.



If we want a full-sized, fully working key, we will have to remove some metal at the top of the blank's profile. This can be done with hand files. We also developed a small adapter that fits into a CNC machine, expanding the possibilities for precise milling of the blank. The video shows how this process is performed.



So, we have the blank clamped. I insert the blank, start the cutter, and slowly pull the clamp with the blank upwards, drawing a longitudinal groove along the key. A CNC machine allows you to determine its location and groove depth very accurately. You can also use a drill press, as shown in the next slide. This is blank A, modified on a CNC machine, which can also be modified on such a publicly available device. Anyone who has access to a hackerspace or makerspace for $50 a month can use this technique to make their key blank.

So, we took the most suitable blank, modified it a bit, and made bitting cuts like those of a Medeco 1515. Now we have a duplicate of the "safe" key, made from one of the most common blanks in the country.



We can do it even more easily. Look at this slide - the leftmost profile at the bottom corresponds to the Medeco 1515 key, and to the right is the Schlage E profile, which matches the SC8. At first glance they are not alike, until you notice that these profiles are mirror images of each other. Unfortunately, we live in 3 dimensions, not 4, so you simply cannot turn the key inside out to insert it into the keyway.



However, you can insert it into the lock backwards, after cutting off the bow. In this case, it enters the keyway perfectly. We made these cute key stubs that you can insert backwards into the lock, and now we have perfectly working mirror images of the keys.



You can say that this is a kind of cheating, and that such a key with its bow cut off can be used only once, because it will be difficult to pull it out of the lock for reuse. But in any case, there is a security vulnerability, because you do not even need a blank to defeat such a lock. That is why manufacturers of high-security locks tightly control the blanks; otherwise they could be used to make any restricted key. As soon as such a key fragment falls into the wrong hands, it can be lost, sold, anything can be done with it; it is completely uncontrollable. So if you have such a cut-off key whose bit does not fully correspond to the outline of the original key, you can solder the missing pieces of metal onto it. Such a key can be used 100 times before the solder wears off. Solder is a fairly soft material, and this is good, because you can insert the key into the lock several times and it will form the key properly.

The next slide shows another interesting key with a convex bit, whose bow is indicated by an arrow with the letters USPS. This is a postal carrier's key, which is used to open your mailbox and pick up outgoing mail from it. Enterprising criminals in Los Angeles found a good way to copy such a key, for which a blank cannot be obtained anywhere. On the left of the slide are a bunch of items stolen from mailboxes, and on the right are modified household tools, in particular scissors, that were used instead of the postal key.



There is something else interesting about this key with the arrow - it was made not by milling but by stamping. This is different from most of the keys in your pocket. Such a key is pressed out of a flat piece of metal under a press. On the next slide you see examples of dies that we made on a milling machine. Between them, you can insert a piece of metal, squeeze it with a press, and get curved blanks from which you can then make such a key with an arrow.



Of course, we did not do this, because it would be completely illegal. But this manufacturing method made us think: what about the keys that are usually milled? Is it possible to use this technique to manufacture them by stamping? It turned out that it is.



Let's think about it. The core of the lock itself can be used as a mold by cutting it along the longitudinal axis. So, we took the Schlage SC1 lock and cut it with a mill in half. If you have the time, you can do it with a dremel. This is what the castle looks like inside.



We obtained two dies that can be used to press a flat piece of metal into a fully functional key blank. We did just that, and as a result got a blank of the desired profile. Then we put it into the Profile Cutter and cut a bit that matches the bit of the original Schlage SC1 key. For the complex paracentric keyways shown on the next slide, this is much easier than milling, so this technique definitely deserves to be adopted.



You may ask if this can be done with restricted keys, and I will answer: "of course you can." You see a Medeco lock cut in half. The yellow arrow at the top points to a stud of a different non-ferrous metal, which is designed to prevent you from cutting the lock in half. By the way, it did not cope with that. The red arrow points to the rectangular slots facing the side of the lock. For those who know how Medeco locks work, this solution indicates a high level of security. We used these dies to make a Medeco restricted key blank under the press.

Everything is relative - if you lose a key, you change the lock, but if a master key is lost, you have to replace all the locks in the enterprise. Such incidents are often covered by the media, because it is a very costly process. But what happens if you lose the lock itself? In most cases, this will not cause any concern. Suppose you have a padlock that opens with a master key, and someone cuts off this padlock, which secures a gate on the perimeter of the building. It will not matter to you - well, they cut it off, fine, because we use keyways of such a shape everywhere that a criminal cannot make a key for them.

However, the criminal can disassemble it, cut the core, and use it as a die for making blanks for master keys to all the locks of your facility. The only difficulty is that when a master key system is in use, it will be much more difficult to make such a key on the basis of the keyway profile alone.



On the slide, a red arrow indicates a special pin that allows both a master key and an individual key to be used in this lock. Finding where this pin is located is quite difficult, but if you have some information about the master key system, you can do it. So, if you disassemble the lock into two parts and are able to observe the joint work of the key pins and driver pins as they line up along the shear line into a position that allows the key to turn, this will seriously reduce the number of possible options for the Medeco master key. For example, we have a random key that opens some other lock in the same system. You can collect all the information about such keys together and reduce the combinations to only 2 possible options - if the first one does not work, the second one is tried, and so on.



So the search narrows. In our program, we set several selection parameters, including the relative position of the pins along the shear line, the location of adjacent pins that allow a random key to be used in two different locks, and so on. On this subject we have a separate talk, which we will present in the near future at a neighboring conference. So know that if you have lost a lock that can be opened with a master key, consider that you have lost the master key itself.

Now let's look at the KeyMark system lock. This is a kind of compromise solution from Medeco, designed for enterprises in which key management is more important than resistance to physical attacks. However, this lock also offers basic protection against burglary or destructive penetration.



The key lifts all six pairs of pins so that the core can be rotated, and there are no security pins in the lock. Security pins are designed so that using a tool other than the key activates them and blocks one or more pins at the shear line. When triggered, the security pins do not allow the core to rotate until the tension is removed and the pins return to their original position.

If you look at this photo, you will see a completely straight groove in the upper part of the core. The angled keyway never interacts with this cutout, so if you want to make a blank for such a key, it is very easy to do by stamping. This is a really good lock, but you do not need to repeat the shape of the original key at all, with its protrusion below the bow that fits into this straight groove - you just need a flat piece of metal that is slightly shorter than the blank should be, and the lock will work perfectly.


DEFCON 27 Conference. Duplicating restricted mechanical keys. Part 2