Bill Graydon - Duplicating Restricted Mechanical Keys - DEF CON 27 Conference

Published 2019-11-15
Secure facilities in North America use lock systems like Medeco, Abloy, Assa and Mul-T-Lock partly to resist lock picking, but also to prevent the duplication and creation of unauthorised keys. Places such as the White House and the Canadian Parliament buildings go so far as to use a key profile exclusive to that facility to ensure that no-one is able to obtain key blanks on which to make a copy. However, there are tens of thousands of unrestricted key blank profiles in existence - many closely match these restricted key blanks and can be used instead of the real blanks to cut keys on. Moreover, keys are just pieces of metal - we will present numerous practical techniques to create restricted keys without authorisation, including new attacks on Medeco, Mul-T-Lock and Abloy key control systems. We will touch on all aspects of key control, including patents and interactive elements, discuss how they are defeated, and show how facility managers can fight back against these attacks.

Bill Graydon
Bill Graydon is a principal at GGR Security Consultants, and is active in research on electronic surveillance and alarm systems, human psychology in a secure environment, and locking systems analysis. He received a Master's in computer engineering and a certificate in forensic engineering from the University of Toronto, and applies this at GGR to develop rigorous computational frameworks to model and improve security in the physical world.

Website: ggrsecurity.com/DEFCON

Robert Graydon
Robert is a principal at GGR Security. With a strong interest driving him forward, he researches lock manipulation, picking, bypass and other vulnerabilities to discover and evaluate possible flaws or methods of attack. He has well-honed skills in lock picking, decoding and locksmithing, as well as a thorough understanding of the mechanics and function of many types of high security locks and of electronic security systems and components, allowing him to effectively search for and test methods of cracking high security systems.

All Comments (21)
  • @bjfincher773
    A master key will unlock anything, a Master lock will secure nothing.
  • @jrchicago9216
    As a locksmith and expert witness, Do Not Copy or Do Not Duplicate is only an instruction to the holder of the key not to copy it. The exceptions are US Postal and US Government keys, which make it unlawful to copy. State Universities may also have a State law protecting them. Then there are patent controlled keys, where the manufacturer has the option to sue anyone who replicates those keys. If the manufacturer determines a threat to the patent, they may sue - even if they just want to prove a point and drain your bank account and run up your credit cards in legal fees. Medeco is a good example of a company that has an aggressive legal position. Holding a key you copied is also potentially a legal burglary tool. I also have the side milling machine in this presentation and it’s a royal bitch to get it right. The side milled key is not held in place as well, as it’s a bit sloppy. The high security locks are really tight tolerances. Literally one thousandth of an inch can be the difference between a working key and not. I don’t agree it’s easy to use a lathe to copy these. The spacing is so tight that you will be spending a great deal of time. Many test keys get ruined. And I know exactly what I am doing... It’s never impossible, but really something far more for machine precision type of people who are THE most determined and willing to accept a slow and, for some, endlessly agonizing torment and defeat. There is a big difference between an experienced locksmith and an amateur in reality.
  • @Novers
    Losing a lock is a threat model I've always found interesting.
  • @JlerchTampa
    Paging lockpickinglawyer and BosnianBill please pick up the pink courtesy phone.
  • 2-man rule has two different keys too... to prevent someone from duplicating... so that is not a huge risk. The 2-man rule is also done via software for high security areas, like inside an HSM... where two or more people have a "password" and when all people type in their "password" it makes the master password via salting the final insert to match the encrypted master.
  • @saltyroe3179
    My favorite security system was Rand Corporation in Santa Monica in 1970. There was a guard who knew everyone and had a book of authorized individuals.
  • @DrTune
    Tough audience; I was applauding ;-)
  • @boshypatry
    35:15 you can simply rotate all the disks as far clockwise as they will go and then get the pick that LockPickingLawyer and BosnianBill made
  • @samsunglg6671
    I made several copies of the public housing keys for my friends using Jet's commercial/AIR NS blanks [green color] for 6-pin Biaxials while I worked in my dad's hardware store. 1) Configured the copies on the Medeco machine. 2) Then used an automatic machine to trim down the sides of the neck, with a monster locking wrench for stability. They all worked seamlessly. I charged $10.00 for each copy; I have no licenses of any kind for key cutting, just working out of passion.
  • Interesting presentation. I rarely encourage an end user to buy restricted keyway locks because the lock cylinders and key blanks have a 4-6 week lead time from any given manufacturer. On top of that, the owner must provide a letter of authorization for a distributor to purchase these products, and it must be snail-mailed to the manufacturer (most commercial hardware manufacturers only sell to authorized distributors, not directly to end users). If a building owner needs keys in a hurry, that ain't gonna happen. I'm skeptical that the average hacker will have the skills to make a restricted keyway as shown in the clip, but I admire their ability to do so. Bottom line: there are faster and easier ways to breach physical security.
  • Great research and work. Thanks for a great presentation!
  • @TheLoiteringKid
    that titan 2 key looks exactly like my ring of newspaper rack keys...
  • @danielluna7648
    Never been interested in locks, but this is fascinating.
  • @BboxBoy24
    Medeco gets defeated. Bowley: Hold my pick set.
  • @olepigeon
    For a few months, my local Fry's Electronics had one of those automatic key machines. This one must have been configured differently, because it would duplicate ANY key. You could do electronic car fobs and restricted keys, too. It didn't ask. I had my mail key, pool key, and gate keys all duplicated (good thing, too, since I lost one of the pool keys at the pool). The apartment complex where I was living at the time charged $50 for replacement keys. Unfortunately it was eventually changed to do only house keys. Bah. It's also how I discovered that the USPS does NOT change the locks on the apartment complex's mail box. You have to pay the post office (or maybe the apartment? I remember paying at the post office, though) $25 for a mail key because they claim they have to have a new one made every time someone moves into/out of an apartment. After I had moved out, I still had the key duplicates and had forgotten about them for well over a year. I went to the apartment to drop them off, and out of curiosity I tried my mail key on my old post box. Still worked.
  • @Riyame
    The funny thing about those USPS arrow keys is that it is a felony to even possess them.
  • @langeludo
    There's one huge difference between hacking a software lock and a physical lock. For the former the "thief" can possibly take all the time he wants before even being noticed, whereas for the latter the "thief" needs to be fast. That is to say, if your house is harder to get into unnoticed than your neighbour's, you're already diminishing by a lot the odds of being robbed.
  • Fantastic talk! Thank you for sharing =) Are there plans to publicly release the keyway-comparison software?