Bill Graydon – Duplicating Restricted Mechanical Keys – DEF CON 27 Conference

>>We are here to hear about a
little bit of physical security
stuff. Uh, how many people have seen those uh those uh keys that
say, “do not duplicate”? Say,
oooh, well in that case, I’m definitely not going to
duplicate that. [laughter].
These guys apparently have a different philosophy on this.
Let’s give uh Billy and Bobby a
great uh welcome to uh Fancy Track. [applause] Have a good
time, gentlemen.>>Thank you.
>>Alright, so uh welcome, everyone. This is duplicating
restricted keys. I’m Bobby and
this is my brother Billy Graydon. So first I want you all
to take a look at your key ring.
And almost all of you are gonna notice one of them looks like
one of the keys that’s on this
uh screen here and—>>Go ahead, pull them out!>>[laughs] And uh
so these these are some of the
most common keys that you’ll find in North America. Um and
they’re relatively easy to copy.
So if you wanna copy them, uh basically you go to any
locksmith, corner store, and um
they’re gonna be showing you, sorry, we’re gonna be showing
you a video, if you can get that
up. So what this machine is called is a profile cutter. And
essentially how it works is it
has a little probe that rides along the uh the key that you
want copied and then a cutter on
the right side that you can see here, um and that’s what
actually cuts the bitting in the
key. Get that going.>>Yeah. So you can see there on the bottom
is the probe following the key
and on the top is the cutter, and that’s going to create the
exact same profile on the
duplicate.>>Come on, open up for. Nope. Alright. Sorry,
folks. [laughs] There we go.
>>Okay, just for an example of one of the simple keys that you
might be able to get copied with
this technique. Um, there’s just regular keys like this here,
which is uh one of the keys for
the Titan II nuclear missiles and you’d be able to walk into
any corner store with this thing
and they’d cut if for you.>>Thankfully, high security keys
have come a long way since then.
>>And for any of you who don’t have a background kind of on how
a lock works, um if you take a
look at the bottom, you can see how there’s two tints
essentially in each column
there. And the line between them is called the shear line and
when the key’s in there those
are lined up, which allows the key to turn, and when it’s out
at the top there, you can see
they’re not lined up and uh that’s why you need the key in
there for it to actually work.
And so next we’re gonna be showing you a video of, you
know, when you bring a key in to
be copied, you already have that key, and that’s what the profile
cutter can do to copy it. Um how
do you get the first one? So this is called origination. And
essentially how it works is
similar to the other one. There’s a cutting wheel there,
however, with this one you can
very, very specifically move the key forwards to take out little
bites of the key. And that will
create the bitting. And so you can see there’s a wheel being
turned there. And so that’s 1 of
2 that lets you precisely move the key, side to side, and in
and out to get those cuts right.
So again I’m going to ask you, take out your key ring. Um, take
a look on it. Or some of you
might even recognize these immediately. These are gonna be
less common, but all of these
that you see here are high security keys, which means good
luck going into any random
corner store or locksmith and getting these copied. Uh they
won’t be able to do it or they
won’t do it for you.>>So we’re gonna talk about how you can
make that happen. When you take
a restricted key into a locksmith, and the locksmith
says, sorry I can’t cut this for
you. The number 1 reason for that is going to be the
locksmith simply does not have
the blank. So the 2 videos we showed before of profile cutting
and code cutting, or origination
of the key, we’ve started with an uncut blank and we added the
cuts into it um that would then
operate the lock. More, the most important part of a blank is
what’s called the keyway. So
that’s the specific shape that that blank has. So the
manufacturing process of a key
blank is, we start like image number 1 with the rectangular
piece of metal, and then we’re
going to mill along or mill out uh some hole or some grooves
long the side of that key, and
you’ll end up with something like image 3 over there. And so
if you look at your keys, if you
look at them head on, you’ll see a pattern similar to image 3 and
that’s going to match up with
the lock similar to image 5. Uh just for some terminology, in
image 2 where we’re cutting out
the grooves along the key, that’s called millings. And
image 4, those pieces of metal
that are put in the lock to prevent the wrong key from going
in, that’s called warding. So uh
we’ll try to remind you, but uh keep that terminology in mind.
The purpose of this is all sorts
of lock manufacturers have their own keyways and they try to make
it unique amongst different lock
manufacturers so you can’t say take a Schlage key and stick it
in a Weiser lock. It won’t even
fit. Let’s cover our first keyway exploit. So here we have
what’s called a master keyway
system. You’re all familiar with master keys, I’m sure, and that
uses the bitting on the top of
the key. You can also do it with keyways. So we have at the top
the Schlage SC1, probably
arguably the most common in North America, um but you have a
whole bunch in its family. So
third from the left on the top, we have the SC8, and those 2
will not fit in each other’s
locks. However, circles in blue just below it, we have the H
keyway, and that’s a master
keyway; it’s going to fit into both the SC1 and SC8 lock. So
very large facilities or poorly
designed locking systems, as we’ll go into, um you can do
mastering with that. So let’s
say I have room A that’s an SC1 key and room B that’s SC8 key,
same bitting on top, and then
the master key is that H keyway there that’s gonna enter both
locks. The exploit you can even
do unintentionally. And this is the real problem is if I take,
let’s say I’m in room B, I have
a key to room B, and I take that into a locksmith. Now that
locksmith might not stock all of
these blanks we see up here. He might say, hey, well at the very
bottom there, there’s SC19,
that’s gonna enter all these locks. So I can save some supply
chain cost and just stock that
and I can cut everyone’s on that. So he cuts me a key, a
duplicate, on SC19, it works
perfectly fine on my lock, but it’s also gonna work now in room
A because it’s a more, higher
level master keyway it’s gonna enter that. Um so that’s the
first exploit people could do
completely unintentionally. The main focus of this talk though
is on restricted keys. So this,
some folks might recognize, is a 3D computer model of the Medeco
M3 key blank and because they’re
just pieces of metal, you can ___ them up, 07:41 you can make
models for them. So here’s one
for Biaxial and here’s that one that we 3D printed, and this is
now a functional blank we can
add cuts to that and it works just fine in the lock. If you
wanna make it out of metal,
you’d be using a machine like this, and this is very similar
to what happens in the mass
production system for all the keys that you’ll have in your
pocket right now. At the top,
you’ll see that circular cutter wheel and that’s what’s gonna
mill those grooves along the key
and you put it in the clamp there and mill the specific
shapes out, as we see here. So
in diagram 2 it would be taking out that rectangle at the top
and those 2 triangles at the
bottom. A talk about restricted keys and restricted keyways
wouldn’t be complete without
mentioning the easy entry. That effectively does all of that for
you. It’s um a complete black
box, or pink box as the case may be. Um most people don’t have
access to them. They’re very
expensive and a lot of the functionality is restricted um,
and finally because it’s a black
box, you don’t really understand what’s going on within them. So
for that reason, we won’t say
anything more about that. Keyway research. So finding keyways
that fit in locks they’re not
supposed to and doing various other things with that, used to
be very tedious process. And you
ask any locksmith about this, if you have a lock and you need to
find the right keyway for it,
you’re kind of looking at it, oh I recognize this as close to
that, nope, not quite, take your
hand, file out, file it away, nope, file the wrong place, and
then you just get mad about it.
We’ve gone and automated that process. So we rented some
software that takes hundreds of
different key blanks and we’ve brought them into a digital
database and we’ve written a
little scripting language, um with a UI similar to uh MIT’s
scratch, for those of you who’ve
heard of it, you might recognize those blocks on the bottom. So
what they were doing is first,
we’re drawing out the Schlage SC1, you can see in the top
right there, and then we’re
comparing the SC1 with the SC8. Those are the 2 we talked about
before on the master keyways.
And you can see in red where the SC8 is and the SC1 isn’t and
blue where the SC1 is and the
SC8 isn’t. Those are the pieces of metal that prevents 1 key
from entering the other’s lock.
So we add a bit more functionality to it. So taking
the reverse of a keyway, as you
can see in the very top block there, and so we can see that
the Sargent RA and LA keyway are
the same when reversed. And you can tell that because it’s
completely purple, there’s no
metal that’s unique to one or the other. You can also compare,
say, how much uh a or how thick
a flat piece of metal has to be to fit into that lock. So in
this case we have the Medeco 9S
blank that’s a Biaxial blank restricted, you’re not supposed
to be able to get them anywhere,
but you can get a piece of uh a flat, metal 32 thousandth of an
inch thick and that’ll work just
fine as we can see here. We added binary operations in as
well. So to sort of math with
keyways rather than adding and subtracting them, we’re
intersecting them and taking the
union of them. So we have the Schlage C, E, and F keyway. By
the way, C and E are another
name for SC1 and SC8 and so that’s what we’re seeing in the
first 3 there. Uh the
intersection of those is the masterkey or master keyway
that’s going to enter all of
those locks. And so we can calculate the intersection
there. And the union is the lock
that will accept all of those keys. So that’s a much wider
open keyway. We uh considered
how you can machine and modify these keyways. So in this case,
we have milling with a ball
cutter so that creates a nice, circular groove along the key.
And so for instance, if we have
a best L keyway and that’s what we see up at the top, and we
wanted to enter both an L and an
M lock. Well we first start by comparing them and you notice
that red there, that’s where the
L has metal where the M doesn’t, so that’s what’s gonna prevent
it from entering that uh that
lock. We can go ahead and play around with where we have to
mill off and if we mill off with
a uh 32 sorry, a 16th inch ball cutter, we can take away that
red and we see that in the image
on the right and that will now enter uh that lock. Those of you
who are familiar with scripting
will notice that we’re using variables for that as well. So
in red we have the milled best L
and we keep modifying it to be itself with some uh some taken
off on the mill. We went one
step further, built in control structures, for loops, S, etc.
and made a Turing complete QA
analysis language. Um so in this particular case, we’re looping
through every QA in our database
and we’re checking to see, is that key very similar to itself
upside down? And if so, we’re
going to dump it out. This is a small sample of the output when
we ran that script. And we get a
whole bunch of keyways that uh that are symmetric either way.
So let’s apply this to actually
create restricted keys. So we see here the Medeco 1515, uh
that’s what’s shown in red
there, um and that’s a restricted keyway that’s for
Medeco class. You’re not
supposed to be able to buy those anywhere. But you can buy a BEST
A anywhere. Most common BEST
keyway out there. If you look at these this comparison here,
you’ll see that they’re the same
in the bottom half of the keyway. Well what sort of key
only uses the bottom half? Well
a bump key. So we can take that BEST A and cut it to be a Medeco
bump key and otherwise
completely unmodified in terms of the keyway and that’s going
to enter that Medeco lock and
function as a bump key. Going back to our comparison, we see
that if we need to make uh make
it a full-height key that’s going to work as a full-fledged
key, we just have to take a
little bit off the top there. Course, you can do it with hand
files. We also made a little
adapter that’s gonna fit on our code cutting machine and uh that
will allow us to mill it out as
well. And this also demonstrates for you what the keyway milling
process looks like. Alright, so
we have our blank clamped in at the bottom there, we’re starting
at the wheel. And then we’re
moving it in so that it’s cutting the right depth of the
groove, and now we’re moving the
blank up slowly. And that’s milling out a longitudinal
groove along that key. And so
that being a code cutter, that lets us very precisely position
where along the XY that groove
is gonna be as well as how deep that groove is gonna be. You can
also use an end mill. So this is
a uh picture of modifying a Yale Y1 blank on a milling machine.
Um this is a much more common
piece of machinery than a keyway modifier horizontal mill or a uh
coat cutter. Um so anyone that
has access to hacker spaces, makers spaces, etc, you got 50
bucks for a month, you can get
access to one of these and they can modify your keyway for you
as well. So we took one of these
BEST blanks and we modified it accordingly. Um this blank that
you’re about to see was actually
the one that was shown in that video on the HPC machine. And we
added the Medeco cuts to it. And
it’s now a functioning Medeco key cut on one of the most
common blanks in the country. We
can get even stupider. So if we look at the bottom left here we
see the Medeco 1515’s the far
left and the Schlage E, which is also SC8, right beside it. They
don’t look similar at first
glance until you notice that they’re mirror images of one
another. Well we live in 3
dimensions not 4, so you can’t flip a key mirror wise,
unfortunately. Um but what you
can do is put it backwards. So if you stick it in the back of
the lock, it actually fits, that
gets you your mirror image, and we’ve chopped the head off of
the key so you can see uh
exactly how nicely it fits. That’s completely unmodified.
How do you fit it in the front
’cause usually you don’t have access to the back? Well you
chop the head off. And so we
made these cute little key nuggets that you stick in
backwards. So you get the mirror
image of the keyway and of course it works. And you might
say, well that’s that’s kind of
cheating. You don’t have the head, you can’t remove the key,
you can only use this once. Well
if you’re a criminal, do you really need to use it twice, do
you really need to remove that
key? So this should be considered a security
vulnerability. You don’t even
necessarily even need the blank. So high security lock
manufacturers tightly control
the blanks because the blanks can be used to create any key.
Once it’s a cut key, it goes to
the end user and they can lose it, sell it, whatever with it,
and uh it’s completely
uncontrolled. So if you can get a cut key that happens to be the
same keyway, it possibly has
similar security features as the key you’re trying to duplicate,
you can cut it down, where it’s
higher than the key you’re trying to duplicate, and where
it’s lower, you can just add
metal to bring it up. So this one you see here, it’s uh a
little hard to see, so we have
that closeup in the bottom, but that’s actually been added some
metal to with some simple
electrical solder. Um fits really well, you can get a good
100 uses of that out, out of
that key before it wears down too much because solder is very
soft. Um but because it’s so
soft, it’s real easy to hand file out the grooves so that it
fits, so well you can just stick
it in the lock a few times and the lock will uh do that
machining for you. Another
interesting key we have here is the USPS arrow key. So this is
what your mailman will carry to
get into your mailbox um to retrieve mail, etc. Some
enterprising criminals in L.A.
found a good way to copy these, which that blank of course,
you’re not supposed to be able
to get anywhere. Isn’t that ingenious? You can see on the
left some of the uh useless
trinkets that they stole from the mail, but um but that’s
that’s an example of instead of
using a keyway um that isn’t supposed to be for the lock
using a completely different
household object. There’s something else interesting about
these arrow keys though. And
that’s that if you look at it, it hasn’t been milled out. It’s
different than most of the keys
you’ll have in your wallet. It’s been pressed out of a flat piece
of metal.[clears throat] Here’s
an example of the dies, [coughs] excuse me [drinks water]. Here’s
an example of the dies that are
used to press something like that. So we made those on the
mill and you can go ahead and
put a flat piece of metal in between them and press down on
it and it’s gonna bend that flat
piece of metal into a functioning blank that can then
be cut and turned into a
functioning arrow key. Of course, we didn’t cut that
because that would be extremely
illegal. That got us thinking though. What about the keys that
are normally milled? Can we use
this technique on those and press them um in a likewise
fashion? And the answer is yes.
And you can go a step further. ‘Cause let’s think about it,
right? Those milling or those
pressing blocks that we made, we can just use the lock for that
because the lock has the keyway
built into it, it is a perfectly shaped die that can be used to
press flat metal into that
keyway. So we’ve taken a lock here, in this case it’s a
Schlage SC1. And we’re cutting
it in half and in this case on a mill you can do with a dremel if
you have more time. You get
something like this. So that’s what a lock looks like on the
inside. Kinda cool eh? Uh but
you can see how we had the top and bottom forms that can be
used to press a flat piece of
metal into a functioning blank. So we go ahead and do that. Put
a flat piece of metal in between
’em, press down hard, and now we have a blank. We can put it on
the profile cutter, copy the
bitting, and we have a duplicated key pressed out of
the lock that it’s supposed to
open. And of course it works. For a really paracentric keyways
like this, really a nasty
keyways, this is a heck of a lot easier than milling so it’s a
good tool to have in your
toolbox. Now you might ask, can you do that with uh something
that’s access restricted and the
answer is, of course you can. So here’s a Medeco lock cut in
half. Two interesting
differences. The yellow arrow up there, you can see that
anti-drill pin, different
colored metal. That’s to prevent you from drilling into the lock
or cutting it in half, but
apparently not. Um and the red arrow’s there, you see those
rectangular holes, that’s what
the sidebar enters in. So for those who know how Medeco works,
uh that’s where the sidebar goes
and that gives it its high security properties. And we use
that to press a functioning
Medeco restricted blank. This is particularly concerning. Because
if you lose a key, usually
you’re gonna go rekey your lock. If you lose a master key, you
have to rekey your whole
facility. And that’s created some uh major incidents in the
news because sometimes that can
be a very very expensive process. Well what happens if
you lose a lock? Most of the
time, you don’t care. Most of the time you don’t even know. So
let’s say you have a padlock on
one of your perimeter gates, someone snips it off. Most
people don’t care. Well what you
can do with that is if that was a criminal that took it off,
they can open it up, look at the
pin lengths and create a key that fits that lock. Well you
might say, well that’s fine
’cause we use a restricted keyway, so so they can’t make a
key for that lock. Well they can
go ahead and cut it in half. And use the lock itself to press a
blank that they can then cut
with the bitting for that key and they now have a key to your
facility. In the case of a
master key system, it’s a little bit more complicated. So you can
see the red arrow pointing there
to the master wavers. That’s what allows both the master key
to work in the lock as well as
the key that’s only supposed to be for that single lock. It’s a
little bit more complicated from
there to figure out which is the master key. But if you have a
little bit of information about
the system you can do it. So you’ve taken the lock apart, you
now where the shear lines are,
that seriously reduces your system. In this case, we know
it’s a very large Medeco system
so that lowers the difference that’s allowable between
adjacent cuts. We know that
there’s some IC cores in the system, let’s say we’ve found a
random key that works on some
other singular lock in that system. We can put all that
information together. And uh and
come up with just 2 possible keys to try and it’s very easy
to try the first one and if it
doesn’t work, bring it down to the second one. We have a whole
other talk about this coming
soon to a conference near you, um but the point is it’s
possible. So if you lose a lock
that’s on a master system, you should consider that as being
that you’ve lost that master
key. Let’s talk about key mark. It’s sort of a uh compromise
solution by Medeco that has uh a
ostensibly restricted keyways but none of the high security
Medeco angle cuts. If you take a
look at this picture here, you can see that the pins in KeyMark
in the KeyMark lock only go into
that nice, straight, flat part at the top. That nasty keyway at
the bottom never actually
interacts with those pins. So if you want to create a KeyMark
blank, of course you can press
it. It’s a really good lock for doing that, but you don’t even
need to. You just need a flat
piece of metal that’s a little bit shorter than what the blank
is supposed to be. And that will
operate the lock just fine. Let’s talk about uh Medeco’s
mainline products. So we see
here an M3 key and the M3 keyway that we’ve generated on our
computer program to the far
right there. This is the code that does it, quote unquote
code, and that’s just taking a
rectangular piece of barstock and we’re milling out those
rectangles in the top and the
various holes, er the various grooves along the lock, the
edge. Here’s an example of what
different M3 l— um keyways look like. So what we’ve found, this
is purely empirical so I’m uh
open to being uh shown a counter example, but what we’ve found is
that for the vast majority of M3
locks, the wards or the milling at the top and the milling at
the very bottom doesn’t change.
The milling at the middle stays the exact same geometry, it just
moves up and down a little bit.
And that’s what lets Medeco create so many different M3
locks or M3 keyways. So we just
went ahead and removed metal from everywhere that metal could
possibly be removed from. And we
now have a master M3 blank. But it gets worse than that, folks.
It gets worse than that because
we have this master M3 blank, we went ahead and took our database
of common keyways that exist out
there that you can get for 20 cents unrestricted. And we
looked through it and we looked
to see which keyways have the least metal you have to file off
to make it fit into that master
M3 uh keyway. And this is what we found. [audience laughs].
Master lock. [audience claps.]
Most common padlock in the country. Most common padlock
keyway in the country fits
unmodified in a Medeco M3 lock. Not quite all of them, of the
ones we tested, about
two-thirds, but that’s a bit of a problem. So we took a master
lock blank. We used an M19,
which is a little bit longer than an M1 because of Medeco’s
long lock. And we filed away to
uh allow it to operate with the M3 slider and we added the
Medeco cuts to it and we created
a functioning Medeco M3 key on a master, unrestricted, 19 cents
m19 blank. Let’s talk about
facilities that use proprietary keyways. Very high security
facilities, they’re going to
bulk purchase a keyway that’s only used on that facility.
Well, what can we do about that?
If we can access a lock, and presumably we can if we’re a
criminal trying to break in, um
we’re gonna go and take a photograph of that lock. And
it’s very easy image
manipulation to then get that into uh a program that you can
analyze. And so in this
particular example, we run through that same analytics. And
as case preliminating ourselves
to Medeco blanks that are available on the aftermarket
because everything before M3 is
out of patent so you can. And we find Medeco 19S, a very small
amount that has to be filed off
to make that work. Or Medeco 17S, upside down. So when we’re
analyzing through all the
different keyways out there, turning it upside down
effectively doubles um
possibilities that might work. We also have this little nifty
tool. If you have access to the
key physically, you stick it in here, push those metal bits in
to form along the grooves of the
key, and now we have what emulates the lock itself. So if
we have access to that key for a
brief second on a pen testing job, we can push that in, get
that um get that keyway and then
take it back to our shop and see which blank actually fits in
there. If you don’t have
physical access to the key, you can still get the keyway from
photographing it. So if you look
at the keys in your wallet, or in your in your pocket, whatever
you have on you, you’ll notice
that at the very top of the grooves, there’s these artifacts
that are left by the milling
process. Those artifacts there tell you how deep that milling
is. So the photograph on the
side of the key, it’s hard to tell depth but that gives it to
you in fact amplified. Um and
that just comes from the fact that milling is done with a
circular cutting wheel and do a
little bit of math, Pythagorean theorem there, and it tells us
that the amount it goes up
beyond the end of the deepest part of the groove is related
using the Pythagorean theorem to
the depth of that groove. So what can we do with that? Well
in this uh terrible um security
decision here, we have the master keys for a facility I
will leave nameless um hanging
on a wall behind the public security guard’s desk. It’s been
presented in research already
that you can photograph a key and get the bitting from it. You
can also photograph a key and
now get the wards for one side. So we now know what one side of
the keyway looks like and it’s
real simple at that point to do some analysis and figure out
what keyway it is because for
the most part, one side’s uh is fairly unique. So that’s all you
can do with keyways and that’s
uh forgetting a blank that’s restricted will not fit in a
lock it’s not supposed to. Let’s
now talk about all the other stuff that uh different lock
manufacturers do to prevent you
from duplicating their restricted keys. I’ll start by
mentioning that for the most
part, keys are just pieces of metal. We’re gonna try to hammer
that home. And so you don’t need
any of this fancy equipment. Just about every duplication
process you could need, you can
do with hand files. And in fact our sister was recently in
India. And the first thing she
said when she got back is, hey guys, guess how they cut keys
there? And so on the left you
see that gentlemen in blue sitting down, and he just has
some hand files and a set of
blanks and the gentleman standing behind er in front of
him is getting his key copied
and he gets very very good at that and without, whoopsies, and
with that level of skill you can
copy standard keys and just about any high security variant.
With that said, let’s talk about
Medeco.>>So there’s a few different variations of um
Medeco that exist. At the top,
you can see Medeco classic. In the middle there uh is Medeco
Biaxial, and at the bottom is
Medeco M3. So just for background here, uh you can see
that the cuts at the bottom of
those valleys there, some of them are straight. Some of them
do have angles to them and
that’s one of the big uh security features that Medeco
has. And one of the challenges
when you would be trying to copy it. So we’ve already talked
about filing, that’s one of
those options. Another one is anyone with access to a hacker
space, you’d have access to a
lathe. So here we have the Medeco cutting wheel, which you
can buy online relatively cheap,
60 bucks. Um and we have it set up in the lathe there, we have a
key set up, and this can be used
to cut those quite easily. And another one that you would find
at a uh hacker space is the mill
and that’s pretty easy as well to do copying with. You
basically clamp the uh blank
down onto the mill and then you can rotate the head and just use
a regular end mill to get those
angled valleys for the cuts. So another one that’s really uh
it’s been documented pretty
thoroughly but we’ll just mention here is casting and this
process is essentially, you take
your blank or your key that you wanna copy, you press it into a
material that will take its
form, and then you would pour in something that would basically
set in there and it would create
a copy. So kind of a novelty here. Um this is a carbon fibre
Medeco Biaxial that we cast. And
one of the important things to know with Medeco is even with
the M3, um the blank is 1 solid
piece. What you often see on high security keys is called an
interactive element, which is
where you essentially have a piece inside of it that moves
independently. And that defeats
the casting attack here, uh because you can’t cast something
with two separate pieces inside
of it that are moving freely. You can only do really one solid
object. And that brings us to
Mul-T-Lock, which is one of those where you do need to
consider the interactive
element.>>Alright. Let’s talk about Mul-T-Locks. We see here
the 3 generations of Mul-T-Lock
key, classic at the top, and Mul-T-Lock is what’s known as a
dimple key, so the cuts are made
on the side of the key, rather than the top, otherwise the
operation is exactly the same.
Setting pins uh to the rights height. As well as it has what
is called telescoping pins. So
you have an outer pin and an inner pin inside of it. Other
than it is a um standard pin
tumbler lock. Mul-T-Lock interactive has that little
black piece um on the second pin
from the left and that actually moves within the key. So that’s
going to push itself up and um
one of the pins is actually too short, so it will push that pin
up and allow it to reach the uh
shear line, and MT5 which is their latest generation that
just changes the interactive
element around slightly to maintain patent protection. We
went ahead and figured out a way
to duplicate a Mul-T-Lock on a standard drill press. So you can
buy these Mul-T-Lock uh cutting
bits online for about 20 bucks and most many people have a
drill press, if not a hacker
space surely will. And the first thing we do is we take the key
we want to copy and we put it in
our vise and we index on the cutting uh cutting head, we
index where exactly that key
should be placed by putting the vise at the right position.
Index how deep the drill should
go and you can set that once it’s at the right depth so it’ll
only drill to that right depth.
And we can go ahead and use a common drill press to copy a
Mul-T-Lock key. There we go. So
we can see here that cutting head. Now that everything’s been
indexed, we’ve replaced it out
and swapped in a blank uh for that particular key. And there
it goes. And then when it
reaches the bottom stock, that’s as far as we know we have to
drill down um ’cause the depth’s
what’s important here. And you can see that nice uh channel
there or that nice there uh hole
there that will work for that outer pin. So here’s the copy. A
little bit messy but it works.
We can get stupider than that. We can copy a key by mitosis. So
Mul-T-Lock, you can insert it
either way. And because of that it completely duplicates all
locking ele—or all important
elements on the key so we can just cut ’em in half, end up
with 2 functioning Mul-T-Lock
keys that have everything you need to make it work. Course it
works, and by the way, um this
one that we cut in half, we cut on a drill press using blanks we
bought on eBay. [laughter] Let’s
talk about Abloy.>>Abloy’s probably one of the most
well-known names in terms of
high security locks and it’s for good reason. So here we’re
showing uh 3 of the main, most
common uh generations that they have. There’s the classic up in
the top, uh the Protec in the
middle here, and the Protec 2 in the bottom. And something
important to note is the Protect
2, you can see the arrow pointing to that little sort of
circle there and that’s the
interactive er the interactive element of Protec 2 and it’s
essentially a ball bearing
that’s captive in that key. So how these work um is we’ve
already covered a lot of pin
tumbler, where you have a lock that has pins in it and the key
will raise those to the right
height. Similar to how you would have a shear line for that. Um,
instead here we have discs. And
when the key’s inserted into the lock, it’s gonna go inside of
that disc stack, which is in the
red rectangle, and when you rotate it, depending on the
notches in the side of the key,
it’s gonna rotate those discs different amounts and if they
are rotated correctly, then the
key will be able to open. And here you can just see similar to
how you would have different
length pins for uh the bitting on a pin tumbler lock that would
correspond to depths on a key.
Here you have discs with those notches and depending on the
radius and the angle of the cuts
on the uh key, it’ll hit it after rotating a certain amount
and those little notches on the
outside at the top of each disc, uh those all need to be lined up
perfectly for it to open. So
let’s talk about the uh keyway of Abloy. Here what we’re
showing is a view of the uh
keyway on a common Abloy blank. And you can see in the red
rectangle there that’s
essentially all that you have in terms of actual warding that’s
gonna be uh restricting this.
Above that, those two points below and above are what contact
the discs and so what we can
essentially do here is, looking at that, that’s pretty thick in
the middle, right? So we can
take off all of the material where Abloy has sort of
accounted having that there for
their warding. And what we end up with is on the right there,
that’s a master blank for Abloy.
It has enough clearance that it can fit past any of the warding
that they have and it still has
those 2 uh sides there that you would put the cuts on for the
discs. And so for cutting this,
they have real fancy machines in the locksmith shop. We don’t
have any of those. So again, go
out to your hacker space or wherever um and all you need is
just a mill here. And we have
that blank mounted and just a cutter there and you can easily
get the cuts working with that.
And so casting we discussed before. Uh this would also work
for Protect 1 because it doesn’t
have the interactive element. However, Protec 2 has that so we
are gonna have to think of
something else. So in the red rectangle there, that’s
basically one of the only
important new features on Protec when it comes to what we’re
thinking about, and that’s
called the disc controller. And so a close up of that here. How
that works is with the
interactive element, there’s a ball bearing with a spring that
you can see on the right side
and when the key’s inserted all the way, that ball bearing can
be pressed into the key, it
pushes that captive bearing over, which in turn pushes the
blue pin you can see there, And
that pin needs to be pushed outwards all the way for the
lock to actually be able to
rotate. So how do we defeat that? Well, here we have a
Protec 2 key up top, a Protec 1
key down below. Both of them we have cut to the same bitting.
And you can see it’s kind of
little bit disfigured there. The Protec 1 there at the bottom.
And that’s because we’ve milled
out a recess that allows us to put in a pick, a piece of wire,
really anything, and it’s not
hard to get that interactive element to set. And again with
the master blank there, there’s
more than enough clearance to insert that pick or piece of
wire to interact with that. And
here’s just a little piece of uh metal that’s we’ve made as a
tool that makes it incredibly
easy to get that interactive piece set. And so now we’re
gonna show you a video. This is
a Protec 2 lock that you see. And it’s a Protec 1 key and
normally there’s no chance
that’s gonna work. Here we show just how incredibly quick it is
using that pick to get that to
actually work.>>Let’s play that again. That was uh uh,
never mind. My mouse is hidden.
Let’s play that again. That was a real quick video.>>You can
see we’re inserting that pick in
there and that’s how easy it is. It’s low tolerance, there’s
really nothing challenging about
setting that interactive element. So let’s talk about the
symmetry of Abloy. Similar to
Mul-T-Lock, um Abloy if you look at it down the middle, you’ll
realize it’s entirely
symmetrical. And in this case, it’s not so that you can have it
uh similar to Mul-T-Lock. But
it’s because it needs to interact with the disc on both
sides. Or so you’d think. Turns
out you can cut it half, just like the Mul-T-Lock that we
showed, and you now have 2
working keys for Abloy. Now Abloy arguably I would say, if I
had to trust something to one
lock, Abloy’s the company I would go with. So let’s talk
briefly about the 2-man rule.
I’m sure a lot of you know what this is. But it’s essentially
for very, very high security
applications, we’re talking nuclear missiles, uh similar
things to that. You have to have
2 people to turn 2 separate keys, and that would initiate a
launch. Now let’s say you have
an Abloy securing uh your 2 locks with a 2-man rule, and you
only need 1 of those keys and 2
random people and they could set that off. So this is a pretty
significant exploit. So one
thing we haven’t covered yet, uh tip warding is similar to the
warding on the blank of a
regular key. Abloy also has warding on the tip of their key
where when you insert it, it can
go almost all the way in but if that warding isn’t correct, it
won’t be able to go fully in,
and the bitting won’t line up with the discs, and the
interactive element won’t line
up so it won’t work. So you know, this one’s pretty simple
um but some of them can be
complex looking. So you’d wonder how do we uh how do we uh how do
we throw it. Oh. Okay so we have
a bit of a snowstorm here. Alright so let’s use this one
then. So um what you can see
here basically is this disc is the tip warding disc, it’s at
the end of the lock and when the
key goes in, you can see on the top left of that there’s little
bit of an indent going into the
key. And that’s the tip warding. And both of these keys here were
handmade by us. The left one
we’ve followed fairly closely what the tip warding would be
and you can see how it fits in
nicely but you don’t need to. That one on the right there is
the master blank we’ve created.
And it turns out it doesn’t matter if you file off a lot
more than normal. It still’s
gonna work in that lock. And this is one of the keys that we
created. And so then we’ll
briefly talk about uh these uh side bitted keys. So this is
Primus and Assa and you can see
those ridges along the side and those are their high security
feature. In terms of copying
those, we have a machine, 100 bucks online on eBay, and it
essentially has a probe that’s
on the right there that goes into any key that you already
have and that could be any other
key for the facility or even from the same locksmith that set
up that facility. The side
bitting is usually exactly the same, regardless of the key. And
then it’s just copied onto this
regular SC1 blank on the left, and what you end up with is a
blank for Primus. And that can
be applied to Assa as well. And then also we have, how do you
get it properly copied, right?
We’re telling you all these ways to do it unauthorized. Um the
way that you’re supposed to do
it is you have this card that you bring into an authorized
locksmith, you show it to them,
they’ll look up that code, and they’ll cut it for you. Well,
this card you see here doesn’t
actually exist. We created software where you can input at
the top what you want your
bitting to be and it’ll generate an image with the code that
corresponds to that. And a lot
of online locksmiths will accept these and all you really need is
just 1 to and this essentially a
cut key. And here we have [applause]. So here we have just
the Abloy one, again that’s even
simpler paper and there’s just the codes there. Um patent,
that’s basically what prevents
regular locksmiths from normally copying it uh because legally
they can’t.>>Alrighty. So have
about 2 minutes left to talk about what the blue team can do
to remediate against all of
this. Uh, first off is mastered or sectional keyways, they’re
great as an additional security
uh feature, not as the only one. Restricted keyways, exactly the
same thing. Great as additional
not as the only security feature. If you’ve lost a lock,
you have lost the grand master
key. Many people say well, physical keys are dead hurr durr
because of all, of all of these
exploits. We don’t really agree with that. You need to
understand your threat model.
Number 1, most criminals aren’t going to be picking that lock,
making duplicated keys, etc.
Locks are generally accepted in the security community. They
keep honest people honest. Um
and so if you’re using them for that purpose, it’s just fine.
The other thing you need to keep
in mind is, your security, in order to be truly robust, should
be uh airtight even if someone
has the master key to your facility. So here we have the
basement of the Toronto City
Hall. We hail from Toronto, go Raptors. And um let’s say
someone wants to steal the key
to the city. Well, they’re going to go in. They’ve got to bypass
2 doors. This is the uh the um
the path we’re most concerned about. After bypassing the first
door, 5 seconds with the key,
sets off a motion sensor. Now sets the guard in motion. So
he’s got to follow through what
he has to do to get there. First, he has to finish his
donut. And then travel to
intercept, meanwhile the intruder is taking some time to
break through er to key through
the second door, travel a 120 feet, crack the safe, etc. If he
can get through to that safe
before your guard gets there, um you you have failed security
wise and your system is not
robust. If you can add enough delays and sense intruders early
enough, you can make your system
robust even if a master key is lost. And that’s what you should
really be aiming for. Because
locks only keep honest people honest. The last remediation is
of course forensics. Um so all
of these techniques leave marks on the pins, they leave slight
chemical residue they can be
tested for. If you suspect that something has happened to you
facility there are tests that
can be done to tell what it was. So in short, we have defeated a
number of uh fairly well-known,
big um key types out there. And um and we we just want everyone
to be aware of uh the sort of
exploits that are out there. Thank you very much. We welcome
questions in Lock Bypass
Village, which we are running right after this right now.
Thank you very much, folks.


  • Losing a lock is a threat model I've always found interested

  • Paging lockpickinglawyer and BosnianBill please pick up the pink courtesy phone.

  • that titan 2 key looks exactly like my ring of newspaper rack keys. . . .

  • Not talking about "black boxes" and how they work isn't very hacker-ethical, no?

  • An XTS3000? Might as well be rocking an Astro Saber

  • Nuclear missile example, that's if the keys are the same.

  • Yeah, "safe places" do exists but only in our imagination! It's only a matter of invested time to go through any security measures, either physical or cyber! The question is: to who are you standing in the way!?! Between the illegal government activities, and the "civilian" AKA not backed up by corrupt law enforcement groups the lines are very blurred!

  • I believe LockPickingLawyer did a video on decoding master keys.

  • The Two Man Rule can be overcome with one man,two keys, and some string….

  • excellent talk

  • Medeco gets defeated.

    Bowley: Hold my pick set.

  • I want that software! 9:15 Is it available for download ?

  • Well, Rob Ford got in to the Toronto City Hall…

  • Interesting presentation. I rarely encourage an end user to buy restricted keyway locks because the lock cylinders and key blanks have a 4-6 week lead time from any given manufacturer. On top of that the owner must provide a letter of authorization for a distributor to purchase these products and it must be snail-mailed to the manufacturer (most commercial hardware manufacturers only sell to authorized distributors, not directly to end user). If a building owner needs keys in a hurry that ain't gonna happen. I'm skeptical that the average hacker will have the skills to make a restricted keyway as shown in the clip but I admire their ability to do so. Bottom line: there's faster and easier ways to breach physical security.

  • Curious Lock Picker

    Fantastic talk! Thank you for sharing =) Are there plans to publicly release the keyway-comparison software?

  • Vertical filming on all their demonstrations.

  • Does the AWS disc at the rear of Protec II not have any bearing?

  • Justin Revelstoke

    This should be called "When lockmakers cut corners"

  • The funny thing about those USPS arrow keys is that is is a felony to even posses them.

  • This doesn't help with my combination. I've been trying to get into the box for 13 years, now

  • Jesus, there are simply too many presentations on keys. WAY too many.

  • whyyyy vertical videos?!

  • There are tools to dig out that headless backwards cut so they do not even have to know how they were had.

  • Lol all of the abloy ones are considered the older old ones here in Finland 😀 34:40

  • Lawrence Redmacher

    why does this guy always sound like he's asking a question when he talks

  • As a locksmith and expert witness, Do Not Copy or Do Not Duplicate is an only an instruction to the holder of the key not to copy it. The exception are US Postal and US Government keys which make it unlawful to copy. State Universities may also have a State law protecting them. Then there are patent controlled keys, which the manufacturer has the option to sue anyone who replicates those keys. If the manufacturer determines a threat to the patent, they may sue – even if they just want to prove a point and drain your bank account and run up your credit cards in legal fees. Medeco is a good example of a company that has an aggressive legal position. Holding a key you copied is also potentially a legal burglary tool. I also have the side milling machine in this presentation and it’s a royal bitch to get it right. The side milled key is not held in place as well as it’s a bit sloppy. The high security locks are really tight tolerances. Literally one thousands on an inch can be the difference in a working key and not. I don’t agree it’s easy to use a lathe to copy these. The spacing is so tight that you will be spending a great deal of time. Many test keys get ruined. And I know exactly what I am doing… It’s never impossible, but really something far more for machine precision type of people who are THE most determined and willing to accept a slow and for some endlessly agonizing torment and defeat. There is a big difference between an experienced locksmith and am amateur in reality.

  • Love the canadian

  • 7:50 Machine is a Wenxing WX-22

Leave a Reply

Your email address will not be published. Required fields are marked *