DEF CON 30 - Bill Graydon - Defeating Moving Elements in High Security Keys
ฝัง
- เผยแพร่เมื่อ 12 ต.ค. 2024
- A recent trend in high security locks is to add a moving element to the key: this prevents casting, 3D printing and many other forms of unauthorised duplication. Pioneered by the Mul-T-Lock Interactive locks, we see the technique used in recent Mul-T-Lock iterations, the Abloy Protec 2 and most recently, the Medeco M4, which is only rolling out to customers now.
We have identified a major vulnerability in this technology, and have developed a number of techniques to unlock these locks using a key made from a solid piece of material, which defeats all of the benefits of an interactive key. I’ll demonstrate how it can be applied to Mul-T-Lock Interactive, Mul-T-Lock MT5+ and the Medeco M4, allowing keys to be duplicated by casting, 3D printing and more. I’ll also cover other techniques to defeat moving elements in a key, such as printing a compliant mechanism and printing a captive element directly. With this talk, we’re also releasing a web application for anyone to generate 3D printable files based on this exploit.
Finally, I’ll also discuss the responsible disclosure process, and working with the lock manufacturers to patch the vulnerability and mitigate the risk.
4:30 AM talk would be interesting ;)
💨 😂
you know how many humans don't know where they are or what time it is? haha
🤣
When you mentioned the potential Mul-T-Lock improvement my immediate thought was twisting - it should be possible to shave the key at an angle, then to twist the key into position. I can't think of a way to fix that that wouldn't compromise the either-way-up insertion feature, though.
13:58 This is why I love talks like this. Absolutely hilarious
LETS GOOO
let the talks flood in plz
Fantastic talk! I think that these are really some solid points, but kind of sad to see that you were ignored a bit by the manufacturers. I'll still hold onto my Protec2 lock (for now). With that unique lock from mul-t-lock, couldn't it be defeated by some kind of pick or shim inserted with the key to bypass one of the moving elements? I mean if both sides are keyed the same, then you really only have to worry about just one of those elements.
Either way, sad I missed Def Con this year but have plans to get out there next year!
I'm guessing that the way around if they had used l both interactive elements in the MTL key is to make it rotate like you did with the protec key. I'm curious if anyone at your talk answered and claimed the medeco bump keys. Great talk! I'd love to see one of your presentations in person someday!
There's a certain irony in the MTL bypass only working because if the non-available blanks!
Also, Bill, you really need to see a Wormald gas meter padlock - moving key elements have been around for centuries, the Wormald being the best, and in use until relatively modern times (post WWII, just about)
Thank you for the talk and the upload. Please upload more talks!
my favorite key bypass is C-4. Works every time, flawlessly.
8:44
It's funny when you are like: "Why isn't he just doing this" and then he just shows you "We also tried this, and..."
I’m guessing you could beat the multi-lock by shaving the key at an angle, allowing it to insert at an angle and twist into alignment? If correct, could you fix that by revising the positioning of the moving elements?
Most of those moving elements can be replaced with a plastic pin held with some fresh spit.
multi part bypass tools probably would be interesting way create a wider element inside the keyway, be it 2 slim parts ][ or even 3 parts ]|[ - 2 elements with key elements and final shim like element to push the key to the final width - things probably would become fragile with some elements tho
This is the Lock Picking Lawyer, and what I have for you today...
so i'm commenting having only watched 15 minutes into this but: instead of printing the ball bearing inside the key or attaching it to a compliant spring of sorts.... why not just print the key with the capturing chamber and press the ball bearing in?
Huge fan of DEF CON
I still trust Abloy as they're one of the most difficult locking system to pick.
The fragile illusion of security locks provide. After taking a locksmithing course and studying bypass techniques for lockouts, there is little true security in locks. Physicist Richard Feynman was picking high security locks at the Manhattan Project.
Let's see a medico lock with a widening spot I would think would be trivial to bump correct granted it would be like a one in two chance or something like that.
make 3d printed key out of 2 halves, insert it into keyhole and then slide a shim between those 2 halves to increase thickness
I was thinking along the same line. Or insert one half, and then the second half... or make it ramped/wedged?... slide the two halves to make it wider?
Can stop the attack because of chirality and would mean that the pins would not be the correct orientation for a top to bottom flip of the key. becuase the key would have to be a directional key - eg top up only for insert (sorry english is poor)
Great talk
how about printing two halfes with a hollow channel glued together where you can insert a solid core wire to push those dimple pins inside the lock
re: 17:00 what if you put a ramp in your multilock keyway on your house so youd need a shaved down key and a normal key would just jam XD
I’ve used zip ties for Bi lock.
As someone whos career got effed over by an NDA, yes read NDAs carefully and be skeptical.
well lets hope the vendors reach out soon mate as these keys are being used everywhere in NZ for hunters to get into 'crown land' for hunting (all use those abloy locks) good job i was wondering how the bros were doing it and they sent me here Haha
PLEASE DEFCON, I NEED MORE TALK UPLOADS. I BEG YOU.
My prayers have been answered :D
🙏
Show of hands, how many are here because you're a fan of the "lock picking lawyer"
if your intent is to break into a locked property then the captive ball isnt required all you need to do is have a slot in the key going to the hole and then have a lock pick.
or if the lock is smooth all the way up to the interactive element you could make a reed spring that goes into a slot and you squeeze the spring to put the key in and once it interacts with the element in the lock you should be able to open it.
wont the rocking of the key cause some other pins to be slightly out of line with the shear line causing wear that would be detectable if the lock is forensically analyzed?
even if it is still in patent the chinese will still make keys.
can you renew a patent as simple as you renew a video rental? (pay the fee and have it for another term)?
if the manufacturer does not respond in timely manner then release a mt5 exploit and make it so widely available that the manufacturer will be forced to mitigate it.
again with ably release and force their hand
you cant completely prevent imports.
while customs can stop a shipment like fluke vs sparkfun the mail requires a warrant to raid.
the retaining pin problem sounds like you can work the lock with a regular screwdriver or some lock picking turning tool.
Casting after 3d printing helps
Has he never seen LPL? He opens such locks in 30sec videos. 😊
wow
Rav bariach?
I hate people adding images of bugs to slides
Where’s lockpickinglawer?
Why would you resin print something that needs to be precise ? Why do you think the 3D printing gun community uses PLA +.
anyone else have to hunt for the phantom notification @31:17?
Definitely con?
#HackTheGimme5
Can someone please de-mouth-noise this video?
**inhales**
Someone give this guy a tissue. This constant snorting is disgusting...
Great talk