DEFCON 27 Conference. Duplication of mechanical keys with limited access. Part 2

DEFCON 27 Conference. Duplication of mechanical keys with limited access. Part 1

Let's talk about one of the main products of the Medeco company, the M3 lock. Our computer program produced the key blank profile shown here, and all we need now is to take a flat rectangular piece of metal and mill longitudinal grooves of the corresponding shape into it.



The next slide shows the profiles of various M3 key variants, also computed by our program. What we found is purely empirical: for most M3 locks and keys, the profile of the upper and lower parts does not change. The longitudinal grooves milled in the middle keep their geometry; only their position moves up or down along the height of the profile. This is how Medeco creates its many variants of M3 locks and keys. So we simply went ahead and removed metal everywhere we could, and the result was an M3 master blank.

It gets even more interesting. Having made the M3 master blank, we decided to go through our database of keys for general-purpose locks, the ones that can be duplicated for 20 cents.



We began looking for keyways whose profile requires the least metal to be removed for the M3 master blank to fit the lock. And here is what we discovered: Master Lock! The unmodified Medeco M3 master blank, designed for restricted-access locks, fits the most common ordinary padlock in the country, with the most common keyway profile!



Admittedly, not all padlocks, but about 2/3 of them. Next, we took an M19 key blank for 19 cents, which is slightly longer than the M1 because the lock core is longer, cut the bit and turned it into a Medeco M3 master key.

Now let's talk about organizations that use locks with proprietary keyways. Security-conscious organizations order special locks that are used only in that organization. How can such locks be defeated? You can simply take a picture of the keyway and then analyze the photo in our computer program.



With it, you can pick the blank with the closest profile, for example the blank for the key to the old Medeco 19S lock, since none of the keys produced before the M3 series were patented. It is enough to remove a little metal and this blank will work in a more modern lock. An inverted Medeco 17S blank can also be used.



There is a very useful miniature device that measures keys. If you have physical access to a key, you insert it into the slot and set metal strips on both sides of the key so that their ends fit snugly against its side surface. This gives you the exact outline of the keyway for any key you have even brief access to; you can then take this device to a shop and pick a blank that fits exactly that keyway.





If you do not have physical access to the key, you can take a picture of it. If you look at the keys in your wallet or pocket, you will notice that at the very top of the groove there are marks left over from the milling process. These marks tell you how deep the groove was milled. From a photograph of the side profile of the key, it is hard to determine the depth of a longitudinal groove directly. However, it can be calculated from the fact that the milling is done with a disk cutter of a certain standard diameter, with a little math from the Pythagorean theorem.



This theorem allows us to calculate the depth of a groove based on its width and the known radius of the disk cutter.



The following photo shows the entrance to a high-security facility. We see the keys to the rooms hanging on the board behind the guard. I have already said that you can photograph the profile of a key and pick a blank for it. In this case, you can photograph only one side of the key, so we learn what one half of the keyway looks like. After analysis with a computer program, you can work out how the second half will look, because one side of the key is usually quite distinctive.

So, as far as keyways go, you can simply forget the idea that restricted key blanks do not fit locks they were not designed for.

Now let's talk about the other things that lock manufacturers use to prevent duplication of restricted keys.



I'll start by mentioning that for the most part keys are just pieces of metal, so a set of metal files is enough to make duplicates at home. Our sister was recently in India, and the first thing she asked when she returned home was: "Guys, guess how the keys are cut out there?"

On the left in the photo you see a seated gentleman in a blue shirt working with a file, and in front of him a gentleman waiting for the finished key. With this level of skill you can certainly make both standard keys and high-security keys.



Robert Graydon: Let's talk about Medeco locks, which come in several variations. At the top is the classic Medeco key, in the middle is a Medeco Biaxial with a double-profile groove, and at the bottom is the Medeco M3.



In the enlarged image of the key bit, you see that some cuts are made at an angle, some straight, and some have additional bevels. This is one of the security features that makes duplication difficult. One way to achieve such a shape is with hand files; the other is to buy a $60 Medeco cutter on the Internet that can cut metal at an angle.



Another tool that can be found in a hackerspace is a swivel head into which an end mill is inserted. The key is clamped in a vise, the head is rotated to the desired angle and the cutter makes the cuts of the profile of the desired shape.

Another method that is described quite widely is casting, that is, making a cast of a key from its impression. You take the key you want to copy and press it into a special material that takes its shape. Then you fill the mold with something that hardens and becomes a copy.



The novelty in this classic way of copying keys is the material: carbon fiber composite. You see a Medeco Biaxial key that we cast from carbon fiber. The important thing is that even in the case of the Medeco M3, the blank is one solid piece. Higher-security keys contain an interactive element, essentially a piece of metal inside the key that moves independently. Such a key cannot be faked by casting, because you cannot cast two independently moving parts; you get one solid object. This brings us to the Mul-T-Lock system, whose keys contain interactive, moving elements.

Bill Graydon: Let's talk about Mul-T-Lock locks and keys, examples of which are shown on this slide. We see 3 generations of the Mul-T-Lock key; at the top is a sample of the classic key. Mul-T-Lock is known as a dimple key, or "key with recesses", because its profile contains rounded hollows that look like holes in a punch card. Also, the longitudinal grooves of the profile are at the tip end of the key rather than near the bow; otherwise it works the same as a regular solid key. In addition, it has so-called telescopic pins: inside the outer pin there is an inner pin. Below the standard Mul-T-Lock key is an interactive key with a blue bow, on whose bit you can see a small black ball that moves inside the key.



When the key is inserted into the keyway, this ball protrudes beyond the plane of the key and pushes up the short lock pin so that all the pins line up exactly along the shear line. At the bottom you see the latest-generation Mul-T-Lock MT5 key with redesigned interactive elements, made to give the design better patent protection.

We came up with a way to duplicate Mul-T-Lock keys on a standard drill press. You can buy such drill bits on the Internet, or Mul-T-Lock key cutting bits for about $20, and finding a drill press is no problem for a hacker.



We take the original key that we want to copy, put it in a vise, mark the drilling positions and set the depth by which the drill should descend to make a dimple of the desired depth. The following video demonstrates how to make a copy of a Mul-T-Lock key from a flat rectangular blank of suitable dimensions on an ordinary drill press. We drill a dimple of the given depth for the outer lock pin.

The resulting duplicate looks a bit messy, but works great.



You can make it even simpler: copy the key by division, or mitosis, as happens with living cells. Since all the important structural elements are duplicated on both sides of the key bit, we can just cut it in half lengthwise into 2 parts and get two Mul-T-Lock keys, each of which has everything it needs to work.



By the way, we cut this key on a drill press using blanks that we bought on eBay. Now let's talk about Abloy locks.



Robert Graydon: This is probably the most famous brand of high-security locks, and there is a reason for that. The slide shows 3 main generations of Abloy keys: at the top is the Classic key, followed by the Protec 1 and Protec 2 keys. The red arrow points to an interactive element, a ball hidden in this key.



As we already know, in a pin-tumbler lock the core contains pins that the key raises to the right height, forming an even shear line. The Abloy lock has discs instead of pins. When the key is inserted into the lock, it enters the stack of discs located in the red rectangle, and when you turn it, depending on the position of the cuts on the side of the key, it rotates each disc by a certain amount.



If the discs rotate correctly, the lock can be opened. Therefore, all the cuts on the key must be made with perfect accuracy to match the corresponding gates of each of the discs. The next slide shows the disc gates and the corresponding sections of the key profile with different radii, rotations and rotation angles.



Consider the Abloy keyway. The next slide shows the profile of the most common key blank, where the red box marks the part that provides the restriction. Above and below it are the parts that contact the discs. As you can see, the middle is rather thick, so we can remove all the metal that Abloy added for copy protection and get the master blank shown on the right of the slide.



It has enough profile width to cut all the necessary grooves that engage the gates of the discs. Real locksmiths use specialized machinery for this operation, which we do not have. So we again turn to the hackerspace and find there the only thing we need: an ordinary milling machine. We set our master blank in a vise and make all the necessary cuts in the profile.



By the way, the casting method works with the Abloy Protec key, because it has no interactive element. The Protec 2, however, does have one, so we have to come up with something else. The red rectangle shows the only important new Protec 2 protection feature: the disc controller.



Enlarged, it looks like this. You see the spring-loaded balls: when the key enters the keyway all the way, it releases the gray ball, which depresses the blue pin, which in turn allows the key to rotate in the lock.



How do we get around this protection? The next slide shows the Protec 2 key at the top and the Protec 1 below. We cut both of these keys from the same blanks, and you can see that the lower key is a bit disfigured. This is because we ground a recess that allows you to insert a hairpin, a piece of wire, anything that plays the role of the interactive element and releases the locking ball. As you can see, the master blank leaves a gap that is more than enough to push a pick or piece of wire into the keyway.



On the next slide, you see a small metal pick hook that we made to use together with our duplicate. Now we will show a video of how to use the Protec 1 key to open the Protec 2 lock. Normally there is no chance that this would work, but you see how quickly it can be done with our simple pick.



Let's talk about Abloy key symmetry. It is not as symmetrical as Mul-T-Lock, but it still has longitudinal symmetry, because it must interact with the lock discs on both sides. Therefore, it too can be cut lengthwise into two halves to get two working Abloy keys.



I want to recall the "two-person rule"; I'm sure many of you know it. This rule is used at enhanced-security facilities such as nuclear missile sites. To launch, 2 people are required, each of whom inserts his own key into the launch console. If you apply this rule with two Abloy locks, then we need only one key, cut into 2 halves, and two random people. So this is a very useful exploit.

We have not yet discussed key tip protection. For Abloy keys, it is similar to the protection on an ordinary key blank: when you insert the key into the keyway, it can go all the way in only if the notch on the tip has the correct shape. If the key does not fully enter the keyway, the cuts of the bit will not line up with the gates of the discs, and the interactive element will not push out the locking pin. In that case it will be impossible to turn the key in the lock.



Basically, such protection is simple, but some lock models use a more complex form. On the slide, you see the last disc in the core, the one that interacts with the tip of the key.



At the top left you can see a small pin that goes into the recess in the key; this is the tip protection. Both of these keys were made by us by hand. On the left blank, we carefully machined the tip so that it fits well into the disc, but as it turned out, it doesn't matter. On the right is a master blank with coarser outlines, and it works in this lock no worse than the correct key with tip protection.

Let's talk about locks whose keys have a multi-level side-milled profile. These are Primus and ASSA, whose high security comes from the longitudinal ridges milled into the side of the key bit.



Duplicates of such keys can be made on a machine sold on eBay for $100. This is a copy machine: a stylus traces the contours of the original key while a parallel head with a cutter cuts the copy. In our case, we used an ordinary SC1 blank, from which the blank for a Primus key is obtained. The same duplication technique applies to ASSA keys. On the first slide, on the right you see the original key and on the left the blank; the second slide shows the result.





So far we have been discussing how to find or make blanks ourselves and cut keys. But we went further and modernized the process of duplicating restricted keys by inventing an electronic key code card.



There are plastic code cards whose reverse side lists all the technical parameters for manufacturing a restricted key. You bring such a card to a locksmith who is authorized to work with high-security keys; he reads the code and cuts the key for you.

The Medeco card shown on this slide does not actually exist. We created software in which you enter the necessary parameters (angles, groove depth, keyway type) and generate an image of a code card corresponding to those parameters. Then you send it to an online locksmith, and all that remains for him is to cut the key you need and send it to you. The following slides show what the front and back of a genuine Abloy key code card look like.



Next, you see a patent for a restricted key. This is what stops locksmiths from duplicating such keys, because doing so is illegal.



Bill Graydon: So, we have 2 minutes left to talk about how the blue team can counter such tricks. First, a master key system is an excellent additional security tool, but it is not the main way to keep a lock from being defeated. A restricted keyway is likewise an additional measure, not the main one.

If you have lost a lock with limited access, consider that you have lost the master key.

Many people consider mechanical keys a relic of the past because they are easy to fake. We disagree. You need to understand your threat model. First, most criminals are not prepared to break locks, make duplicate keys and the like. Typically, locks are used so as not to tempt honest people into crime. If you use them for that purpose, excellent. The lock reminds a person that he is not allowed in here, that this box or cabinet may not be opened, and so he will not do it.

Second, remember that for your security to be truly reliable, you must still be able to restrict access even if someone has a master key to your site.

On this slide you see a plan of the basement of Toronto City Hall.



Suppose someone managed to steal a master key from City Hall. He then has to go through 2 doors, and this is the path that concerns us most.



According to the timeline, 5 seconds after the intruder passes through door 1 a motion sensor triggers and notifies the guard of an unauthorized entry. What should he do? Finish his donut and go intercept the intruder. It will take the criminal some time to open the second door, walk 120 feet, crack the safe, and so on. If he can get to the safe before your guard does, then you have failed in terms of security and your system is not reliable. If you can arrange for the attacker to be delayed longer on the way to the target, you will have security even if the master key is lost. That is what you should really be aiming for, because locks are only there to keep honest people honest.
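The race described here, between the delay the intruder still faces after he is detected and the time the guard needs to respond, is easy to make concrete. The following is an added example, not code from the talk or its authors: it models the basement path as a sequence of delays and checks whether the guard wins the race. Only the 5-second sensor lag after door 1 and the 120-foot walk come from the talk; every other duration, the walking speed and the guard's response time are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Step:
    """One obstacle on the intruder's path and the seconds it costs him."""
    name: str
    seconds: float


# Constructed path through the basement. Only the 120 ft walk is from the
# talk; the door and safe timings are assumed placeholders, not measurements.
WALK_SPEED_FT_PER_S = 5.0  # assumption: brisk walking pace
PATH = (
    Step("open door 1 with the stolen master key", 10.0),
    Step("open door 2 with the stolen master key", 15.0),
    Step("walk 120 ft down the corridor", 120.0 / WALK_SPEED_FT_PER_S),
    Step("crack the safe", 300.0),
)
SENSOR_LAG_S = 5.0        # from the talk: the motion sensor fires 5 s after door 1
GUARD_RESPONSE_S = 240.0  # assumption: donut finished, 4 minutes to reach the safe


def remaining_delay(path, detected_after, sensor_lag):
    """Seconds of work the intruder still has left at the moment the alarm fires.

    `detected_after` is the index of the step after which the sensor triggers.
    """
    total = sum(step.seconds for step in path)
    elapsed_at_alarm = sum(step.seconds for step in path[: detected_after + 1]) + sensor_lag
    return total - elapsed_at_alarm


def margin(path, detected_after, sensor_lag, response_time):
    """Positive when the guard arrives before the intruder reaches the safe."""
    return remaining_delay(path, detected_after, sensor_lag) - response_time


def is_protected(path, detected_after, sensor_lag, response_time):
    """The design holds only if remaining delay exceeds the response time."""
    return margin(path, detected_after, sensor_lag, response_time) > 0


def extra_delay_needed(path, detected_after, sensor_lag, response_time):
    """Seconds of additional delay (a slower door, a longer route) that would
    make the path safe; zero when it already is."""
    return max(0.0, -margin(path, detected_after, sensor_lag, response_time))


if __name__ == "__main__":
    for response in (GUARD_RESPONSE_S, 400.0):
        m = margin(PATH, 0, SENSOR_LAG_S, response)
        verdict = "holds" if m > 0 else "fails"
        extra = extra_delay_needed(PATH, 0, SENSOR_LAG_S, response)
        print(f"guard response {response:.0f}s: margin {m:+.0f}s, "
              f"security {verdict}, extra delay needed {extra:.0f}s")
```

Note that the key control of the locks does not appear in the model at all: the master key is assumed stolen, so the only things that matter are where detection happens, how long the remaining obstacles take, and how fast the guard moves. Moving the sensor to door 1 itself (index 0 with zero lag) or adding delay after detection improves the margin; adding delay before the sensor does nothing.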

Finally, I want to mention forensics. All picks leave marks on the lock pins, and if you suspect that someone has tried to open the lock, you can run an examination that will determine what was done.

In short, we managed to "defeat" most types of high-security locks from the most common brands of restricted keys. We simply want you to be aware of what can happen to such locks.

Thank you for your attention!

