Bill Graydon - Duplicating Restricted Mechanical Keys - DEF CON 27 Conference
ฝัง
- เผยแพร่เมื่อ 26 มิ.ย. 2024
- Secure facilities in North America use lock systems like Medeco, Abloy, Assa and Mul-T-Lock partly to resist lock picking, but also to prevent the duplication and creation of unauthorised keys. Places such as the White House and the Canadian Parliament buildings go so far as to use a key profile exclusive to that facility to ensure that no-one is able to obtain key blanks on which to make a copy. However, there are tens of thousands of unrestricted key blank profiles in existence - many match very closely to these restricted key blanks, and can be used instead of the real blanks to cut keys on. Moreover, keys are just pieces of metal - we will present numerous practical techniques to create restricted keys without authorisation - including new attacks on Medeco, Mul-T-Lock and Abloy key control systems. We will touch on all aspects of key control, including patents and interactive elements, and discuss how to defeat them and how facility managers can fight back against these attacks.
Bill Graydon
Bill Graydon is a principal at GGR Security Consultants, and is active in research in electronic surveillance and alarm systems, human psychology in a secure environment and locking systems analysis. He received a Masters in computer engineering and a certificate in forensic engineering from the University of Toronto, applying this at GGR to develop rigorous computational frameworks to model and improve security in the physical world.
Website: ggrsecurity.com/DEFCON
Robert Graydon
Robert is a principal at GGR security. With a strong interest driving him forward, he is researching lock manipulation, picking, bypass, and other vulnerabilities, to discover and evaluate possible flaws or methods of attack. He has well-honed skills such as lock picking, decoding, locksmithing, as well as a thorough understanding of the mechanics and function of many types of high security locks, and electronic security systems and components, allowing him to effectively search for and test methods of cracking high security systems. - วิทยาศาสตร์และเทคโนโลยี
A master key will unlock anything, a Master lock will secure nothing.
This should be called "When lockmakers cut corners"
haha . . . cut . . . corners
As a locksmith and expert witness, Do Not Copy or Do Not Duplicate is an only an instruction to the holder of the key not to copy it. The exception are US Postal and US Government keys which make it unlawful to copy. State Universities may also have a State law protecting them. Then there are patent controlled keys, which the manufacturer has the option to sue anyone who replicates those keys. If the manufacturer determines a threat to the patent, they may sue - even if they just want to prove a point and drain your bank account and run up your credit cards in legal fees. Medeco is a good example of a company that has an aggressive legal position. Holding a key you copied is also potentially a legal burglary tool. I also have the side milling machine in this presentation and it’s a royal bitch to get it right. The side milled key is not held in place as well as it’s a bit sloppy. The high security locks are really tight tolerances. Literally one thousands on an inch can be the difference in a working key and not. I don’t agree it’s easy to use a lathe to copy these. The spacing is so tight that you will be spending a great deal of time. Many test keys get ruined. And I know exactly what I am doing... It’s never impossible, but really something far more for machine precision type of people who are THE most determined and willing to accept a slow and for some endlessly agonizing torment and defeat. There is a big difference between an experienced locksmith and am amateur in reality.
Very interesting!
Losing a lock is a threat model I've always found interested
Paging lockpickinglawyer and BosnianBill please pick up the pink courtesy phone.
2-man rule has two different keys too... to prevent someone from duplicating... so that is not a huge risk. 2man rule is also done via software for high security areas, like inside an HSM... where two or more people have a "password" and when all people type in their "password" it makes the master password via salting the final insert to match the encrypted master.
Tough audience; I was applauding ;-)
My favorite security system was Rand Corporation in Santa Monica in 1970. There was a guard who knew everyone and had book of individuals authorized.
This was fantastic. Really great stuff!
35:15 you can simply rotate all the disks as far clockwise as they will go and then get the pick that LockPickingLawyer and BosnianBill made
Good luck with that Protec2. No one has picked that lock (yet)...
Thor Lancaster th-cam.com/video/6UZ6tcvgd9U/w-d-xo.html
Great research and work. Thanks for a great presentation!
that titan 2 key looks exactly like my ring of newspaper rack keys. . . .
I made several copies of the public housing keys for my friends using Jet's commercial/AIR NS blanks [green color] for 6-pin Biaxials while I worked in my dad's hardware store.
1) Configured the copies by the Medeco machine 2) Then use an automatic machine to trim down the sides of the neck, with a monster-locking-wrench for stability
They all work seamlessly, I charged $10.00 for each copy, I have no licenses of any kind for key cutting just working out of passion.
excellent talk
Fantastic talk! Thank you for sharing =) Are there plans to publicly release the keyway-comparison software?
Never been interested in locks, but this is fascinating.
Interesting presentation. I rarely encourage an end user to buy restricted keyway locks because the lock cylinders and key blanks have a 4-6 week lead time from any given manufacturer. On top of that the owner must provide a letter of authorization for a distributor to purchase these products and it must be snail-mailed to the manufacturer (most commercial hardware manufacturers only sell to authorized distributors, not directly to end user). If a building owner needs keys in a hurry that ain't gonna happen. I'm skeptical that the average hacker will have the skills to make a restricted keyway as shown in the clip but I admire their ability to do so. Bottom line: there's faster and easier ways to breach physical security.
Medeco gets defeated.
Bowley: Hold my pick set.
Pff, Bowley aint a patch on Medeco.
Great presentation 😊
Does the AWS disc at the rear of Protec II not have any bearing?
For a few months, my local Fry's Electronics had one of those automatic key machines. This one must have been configured differently, because it would duplicate ANY key. You could do electronic car fobs and restricted keys, too. It didn't ask. I had my mail key, pool key, and gate keys all duplicated (good thing, too, since I lost one of the pool keys at the pool.) The apartment complex where I was living at the time charged $50 for replacement keys. Unfortunately it was eventually changed to do only house keys. Bah.
It's also how I discovered that the USPS does _NOT_ change the locks on the apartment complex's mail box. You have to pay the post office (or maybe the apartment? I remember paying at the post office, though) $25 for a mail key because they claim they have to have a new one made every time someone moves into/outof an apartment. After I had moved out, I still had the key duplicates and had forgotten about them for well over a year. I went to the apartment to drop them off, and out of curiosity I tried my mail key on my old post box. Still worked.
Billy’s a big boy!
There's one huge difference between hacking a software lock and a physical lock.
For the former the « thief » can possibly take all the time he wants before even being noticed, whereas the later the « thief » needs to be fast.
That to say if your house is harder to get into un-noticed than your neighbour you're already diminishing by a lot the odds of being robbed.
7:50 Machine is a Wenxing WX-22
The funny thing about those USPS arrow keys is that is is a felony to even posses them.
It should be a felony to use same key on multiple locks instead.
All that pointing to the screen and walking away from the mic could have been avoided with a 2 dollar laser
I want that software! 9:15 Is it available for download ?
Lookup "Key Blank Cross Reference" I found one site that gives a pdf of 190 most common for free and another site that gives access to their database of over 84k for $20/yr (4,500 pictures)
Keyline and Silca sell machines that has complete databases of key profiles inside. Just insert your key and it will show which blanks fit and how much filing needs to be done. Locksmiths have used these for decades.
An XTS3000? Might as well be rocking an Astro Saber
You know this seems like a fuck ton of work when you could probably slip the latch or do other more low tech attacks
that leaves visible and distinct tool marks on locks whereas this wouldnt. Its for sure a rare occurrence but sometimes its important to breech a lock without anyone being able to know because of an obvious brute force entry or less subtle marks made on pins when a lock is picked.
So basically, James Bond could still make a quick clay model of a key and still get laid! Excellent!
Yeah, "safe places" do exists but only in our imagination! It's only a matter of invested time to go through any security measures, either physical or cyber! The question is: to who are you standing in the way!?! Between the illegal government activities, and the "civilian" AKA not backed up by corrupt law enforcement groups the lines are very blurred!
Is a safe place like a safe space, because master lock makers might get triggered.
what about keys with magnetic elements?
The Two Man Rule can be overcome with one man,two keys, and some string....
Or abnormally long arms.
Well, Rob Ford got in to the Toronto City Hall...
The man knew his cracks.
I believe LockPickingLawyer did a video on decoding master keys.
Deveint has a talk about it as well
This doesn't help with my combination. I've been trying to get into the box for 13 years, now
Solve it algorithmically.
whyyyy vertical videos?!
A nit. The color is magenta, not pink.
Not talking about "black boxes" and how they work isn't very hacker-ethical, no?
I think it’s because it was too expensive for them to get their hands on one. They mentioned the price was prohibitive. Also it’s more valuable to learn about the cheaper and easier methods they discussed.
The version a locksmith can buy is right around $10,000 and uses proprietary software that doesn't allow for you to cut restricted keyways. They do also offer a version of software to law enforcement that supposedly does allow for restricted keyways .However i have never heard of it being made available to the public.
Go on then big guy, go buy one and reverse engineer it. Afterwards publish the results with your full name attached to it. We're all waiting.
Nuclear missile example, that's if the keys are the same.
i seem to recall atleast the russian ones needing special alloys due to the heat the equipment generates.
Excellent point, does anyone have info what ever that is the case? Easy enough to fix, but again cloning key if you are one of the operators is not that difficult.
@@Hellsong89 yes I would think the training and gaining entry would be more difficult. Not to mention that the missiles would have to be prepped ?
@@km5405 firstly, the russian ones need codes to arm the warhead. Not sure about the Titan II, but all newer US ones do as well. Those codes are what actually keeps the nuclear arsenal safe.
For the 2 keys it would be best to get unique keys, possibly from 2 manufacturers. The government would have the type of money to spend on having a completely unique key made for such things.
locks, security by obscurity at its finest, or it's dumbest
The latter for sure, being that security>obscurity is 100% impossible. Now the feeling of security is a completely different thing, I call that delusional thinking.
These nerds brought it but why do they keep stepping away from the mic to breath?????
If there's anything Chocolate Rain taught me, is to move away from the mic to breathe.
Filip Suciu
Ha! That’s got to be one of the best replies I’ve ever read! Seriously.
I’m glad someone got the reference 😂
@@blakeeverett6267 Ahhhhhhhhhh, ok. So you created the (chocolate rain) comment first that allowed Filip to make his excellent reply. I see! I thought Filip had the most excellent reply to some totally random message. So Filip's reply is still most excellent, but quite as excellent as I first thought. lol.
i love these videos but that tactical vest is some cringy shit
If you don’t cut the damn lock in half wtf you need a key for?
Because this talk is about when you want permanent access to a facility with hundreds of locks. Where they've spent money to have a "special" keyway unique to that facility / organization. This talk can be summed up as, if someone manages to steal at least one of those facilities locks, then they can make master keys for the entire building!
Love the canadian
Lots of locks today combines Key + NFC-Code sent by the key. Still can be defeated by serious hackers, but if you use the same model as for car-keys it basically becomes a total bother to defeat, and the intruder will have to get hold of a legit key instead.
why does this guy always sound like he's asking a question when he talks
He is Canadian
Vertical filming on all their demonstrations.
Can someone give a TL;DW for this?
There are many different things here, but this is one that should stand out. If someone manages to steal at least one of a facilities locks, then they can make master keys for the entire building!
Its fairly easy to make aut, that these guys are from Canada, aye? Its funny how easy they get around with out saying "Like" every 3 word. Makes them sound so much smarter than their southern neighbor.
So many decent concepts but not sharing anything with the community isn't really useful and doesn't bring anything forward. Also no mention of individuals who did a lot of the work before You is pretty lame.
As a locksmith I’m not even going to get into how many things these guys got wrong, I don’t have the time or patience.
Reg Rock lazy
Honest question: If I am an adversary duplicate a key wrong but it works in the door I'm trying to get through, is it still wrong?
Reg Rock Ouch you sound a bit sour.
Jesus, there are simply too many presentations on keys. WAY too many.
If you ignore half of them, you'll reduce your stress by 50%.
Really grasping at straws here.... just useless