Greetings. Welcome to Track 4. This is the 4.30pm talk. You're going to hang out a while with Bill Graydon, and he's going to talk about physical security, which is something that should get more attention, I think. So he's going to talk about defeating moving elements in high security keys.

Awesome. Thanks, everyone. Thanks, Flicktid. So to get started, we'll give a brief overview of what we're going to talk about and then go through it. So we'll first introduce what is a moving element and why it's used. Go over some of the more naive ways to hack them, like a 3D printed captive element, a compliant mechanism, and then we'll get into sort of what the abstract said is the big reveal of this talk, which is a way to do it without using those, with having a static non-moving piece of metal that will actually actuate these mechanisms. We'll talk about the vendor disclosure process and how that went, and some of the implications and defenses. That's a very high level.

So what is a moving element? So here's sort of some of the four most common, at least in North America, keys that use them. It is a piece of the key that moves relative to the rest of the key. So with Mul-T-Lock Interactive, you've got this what's called the interactive component, and it slides in and out. With the Mul-T-Lock MT5, you've got a spring within the key so that can compress down, and otherwise it will spring out and have a little bulge at the end here. Medeco M4, which is just rolling out now, it's got a similar thing. It's a pin that slides back and forth, and with Abloy Protec2, they've got a ball bearing, and that ball bearing will move, it's captive within the key so it can't fall out and it moves side to side. And so that creates a protrusion on the key there, and that protrusion will then interact with an element in the lock, and it has to be sticking out in order to work. Now, why can't you just make that, or why does it have to move? Why can't it just be static?
Well, because it won't actually fit in the lock if that happens. And we'll show a couple examples of that in a bit. So what does this protect against? Well, it protects against casting of keys, because if you cast a key, it's going to be completely static. It won't move, and so that solid cast is not going to work to operate this lock. It also provides some protection against 3D printing, because a 3D printed key, same thing. We'll talk about some ways around that, but generally 3D prints are a solid piece of material.

So let's start our discussion by looking at the Abloy Protec2. So we've got three main generations of Abloy, the Classic, which was the original mainstream disc detainer lock. And then we added the Protec, which is a bit of a twist on disc detainer, really a beautiful design. And then Protec2 came out a couple years ago and now adds that captive ball bearing element. And that element makes it a lot harder to, you know, the patent protects that element. So it means that you can't mass produce blanks for this. And so it helps with their key control in general. So this is sort of what it looks like when sliced open. So you've got the two halves of it there, and then this channel that contains that ball bearing that goes in the middle of it. And the mechanism works like this. So the ball bearing within the key is this one we can see on the left. And then there's a spring that pushes it up, and this is within the lock. And that pushes up this little shaped piece of metal here that then allows it to move within this channel. If that were not present in the key, this would fall down, and this channel would block it, and it would not open the lock. So we need to find a way with casting or 3D printing or whatever technique we're going to use to actuate that little piece of metal and allow it to go up in that channel.
So sort of a naive approach is if we take a Protec one that doesn't have the ball bearing and make a little slot for it to allow us to stick a lock pick in. And then we have this little tool here we made that works, and a lock pick works as well. And so if you have that channel, you can stick in a key and use a lock pick to actually actuate that and make it open. That's not the sort of thing that Abloy is all that concerned about because it's not something that you're going to be able to do as, you know, selling to consumers. Here's a blank that will work on Abloy Protec2. Well, no, you've got to also stick this lock pick in. And that video is also a bit deceptive because that was one of many takes, and that was the best one. So, you know, it takes a bit of skill to get the exact right position on it and to do it consistently every time. So, you can do it, but that is a good illustration of why when making moving elements and keys, it is a good idea to not have your moving elements be the first thing right closest to the keyhole because if there's some pins and whatnot in the way that prevent you from sticking that lock pick in around them, that would prevent this attack.

Right, but that's old news. And specifically, it's three-year-old news. My brother Bobby and I, we talked about this attack amongst many other things. At DEF CON 27, we talked about duplicating restricted keys in general. And so this talk is sort of a part two of that, if you will, to talk explicitly about the moving elements because those are being sort of the industry trend right now, particularly a number of patent courts have started saying, well, you can't just patent a piece of metal. You can't patent a static shape. It must have something else to it. And this moving element is the solution that lock makers are converging on there. So it is a trend that we're seeing. Okay, so let's take a look at what we can do to actually make an Abloy Protec2 key, and 3D printing is one way.
So there's this really excellent library on GitHub that lets you generate a Protec key to a certain code and then print one. And 3D printing keys in general, they're terrible, honestly. They don't work well, right? The material's not strong. It doesn't let pins glide across them very well. 3D printing, it works for keys, but don't think you're going to 3D print your house key and use it every day. This, though, actually works pretty well. Like the nature of Abloy Protec locks and disc detainers in general is they're springless designs. There's nothing dragging on anything else. 3D printing in this library does it extremely well. So kudos to them. And so I forked that and did a find and replace of everywhere that said Protec with Protec2 and the documentation. And on this fork I've been adding everything that I've been working on that we're talking about in this talk to make Protec2 keys 3D printable. And I do want to give a quick shout out as well to m010ch_'s incredible DEF CON 26 talk that goes much more in depth about 3D printing high security keys in the context of Knox Boxes. So check that out if you're interested.

So the first technique and sort of the naive approach that we're going to try with 3D printing a key with a captive element is to just 3D print the captive element. So we'll take our 3D printable model of an Abloy Protec key and we'll add a spherical hole in it. And then within that spherical hole we'll add a sphere. And so in theory this will simulate that captive ball bearing, and we print it and that sphere is able to move but it's stuck within there and it will work in the lock. And not so much, because the nature of 3D printing is you don't get perfect tolerances, and especially with resin printing you get things, if they're too close together, they stick.
And so trying out different spacings between that sphere and the hole that it's in: if it's too close, they stick together, they merge, and it's just a static piece of material; if it's too far, the spherical ball bearing simulator falls out. And it turns out there is no happy medium, it's one or the other. So I was not successful in getting a 3D printed captive element to work. That doesn't mean you won't be, but it's not as trivial as you might think.

Okay, so if we need a certain minimum space but we also need something to keep this sphere from falling out, we could try adding a thin piece of material to hold it in and make a compliant mechanism. And so that's a nice thing with 3D printed materials, is that they bend a little bit without breaking. And so we try this design, and so it's got that ball bearing in the right place, and then just a long thin tongue holds it in place and lets it spring back and forth, and it turns out that works fairly well actually. So here's what it looks like when printed.
You can see that the printer really had a problem on the head. It doesn't look very pretty, but it works. So we got this captive element and it's able to spring back and forth and simulate that key. So we'll just take a look at that in operation. So there it is, we stick it into the lock and it works really nicely. Now this was again one take out of multiple, and it took a lot of like little tweaks and filing on that key, because the supports add little elements, and 3D printed keys, they really don't work very well the first time out. But it does work, and so it is a cause for concern there, right? And so I added that to the GitHub repo as well, that you're welcome to check out and print your own.

Another thing that's worth mentioning about this: you can 3D print them, you can 3D print a whole bunch at once. And so I gave a talk two years ago at DEF CON Safe Mode about what you can do with information theory and key codes and sort of brute forcing mechanical locks, and so that's something that this allows you to do pretty effectively with something as high security as an Abloy Protec2 now. And so if we turned these keys vertical, we could have fit hundreds of those on that one print bed.

So before we get into the big reveal of how to do it with a static piece of material, let's switch gears a little bit and look at Mul-T-Lock. Mul-T-Lock is sort of the one that really popularized these moving elements, and was, I don't know if they were the very first ones to do it, but they got a patent on it, so if they were not, there was no prior art that the patent office found, not that they ever try very hard. So Mul-T-Lock Interactive there, it has these telescoping pins, which was a holdover from the previous design, but it's not particularly important for what we're doing today. What's important here is that one of those pins on the key, it moves, and it has to move a little bit higher than the plane of the top of the blank in order to actually set that pin, right? So
the pin looks identical to all the other pins except it is shorter, and that pin is too short to be actuated by anything but a key with a moving element that sticks up beyond the plane of the key. Alright, and then we've got the moving element and the key that we can see here, and in the bottom of the plug there's this little spring loaded, um, piece of metal that pushes up and pushes this moving element, which pushes this pin up and allows the key to operate the lock. So looking at sort of a cutaway version, we'll ignore the pin and pin design of Mul-T-Locks for now, this is essentially what's happening, right? We've got the key protruding above the head of the key, um, and so let's take a quick look at a demo for that. Actually, I'll see if we can do a courtesy zoom here.

Right, so here is an example what that lock might look like, and just a blank. So I'm inserting this blank in, and blanks are cut as high as you can possibly cut them, and notice that when the blank is inserted in, this one pin here is still too low. So even the blank with the highest possible cuts does not put that pin at the shear line. If we add a little protrusion to the blank, then it does, right? And so that sets that to the shear line, and then of course if we add all the rest of the cuts, we're now going to open that lock, right? So we have those cuts, but here's a problem: if I now try to take this key out of the lock, well, it won't fit. You know, this metal is getting in the way of the actual lock plug, so this doesn't work. You can't just add a protruding element over top of it because it is thicker than the keyhole is. And so that's sort of been the conventional wisdom behind interactive elements: you need this moving element to open the lock, but you need it to move back to the other position to insert and remove the key, right? And so that's what's happening in Mul-T-Lock. We've got the moving element is able to move up and down when it's pushed up by that little spring-loaded element inside the core, and that lifts
this key, or that pin, to the shear line.

Okay, here's the big reveal, and it's so stupidly simple, I, someone else has got to have thought of this before, but I'm the first one that has published about it that I can find. Here's the big reveal: to avoid that problem, we just take a bit of metal off the back of the key. That's all it takes, and with that we can move the entire key. And so now it fits in, and we move the whole key, we angle it up a little bit, and it sets that pin to the correct height. And again, like, it's so simple, I can't be the first person who's thought about this, but I couldn't find anyone else that's published on it, and lock makers are putting out designs as if they haven't thought of it either. So we're getting it out there now, and this is something to start thinking about when doing new iterations on lock designs.

Right, so to actually fabricate this, we talked about how you can do the regular cuts on a Mul-T-Lock on a drill press, right? So you can check out that talk if you're interested. Right, so we can add the cuts, but then we have to add this element protruding out as well. So what can we do about that? Well, we'll start with a classic key blank, and so those, you know, that gives us the overall shape, it gives us everything we need except that element protruding out. One thing is the classic key blanks are ludicrously expensive, you know, seven dollars a blank. That's not something that we want to be spending, so we go to our old friend AliExpress. And this is, if you search for Mul-T-Lock key blank on AliExpress, you're not going to find this. It's just a very generic name: key tool, home door key blanks, locksmith supplies, blank keys. But I was browsing around looking for other things and happened to stumble upon this, and I'm like, huh, that looks a lot like a Mul-T-Lock. And so I ordered some, and it turns out they actually work perfectly. They actually got extra metal taken away so they fit in a number of different sections of Mul-T-Lock locks. Okay, so we
take this not nearly as expensive key blank, and when we insert it into the lock, we'll see that this pin here is too low. It doesn't have that element protruding out. And to fix that, I'm just going to shave away a bunch of metal on the pin side of the key except for that one place, right? And so I'm leaving now a little bit poking out in that one part of the key that's got to be poking out to actuate that element, and shaving away the back, right? And so now the entire key is able to move within the lock, right? So you can see that the whole key can bounce back and forth, and the pins are too low when it's in the position that'll allow it to insert, but that moving pin, that pin that's too short, does get set when it's pushed up, right? You'll notice it's a little bit lower than the others. It is still within tolerance, and it does open that lock.

Alright, so then we have to add the cuts to it, right? And so if we're doing that, we just got to put a little piece of metal to shim the back of the key and it doesn't move up too shallow. This happens to be on an actual Mul-T-Lock machine, but you can do it on the drill press as well, right? And so we add these cuts to our surrogate key, and now we have one that will actually work, right? So you can see on the side all of those bitting cuts there, and then the little element that's sticking out beyond the top plane of that key. And it doesn't work perfectly, and you have to know to move it when you insert it, right? So it's a little bit of a back and forth, but it works well enough, right? Like, if my house key were a Mul-T-Lock, I would be perfectly fine using this every day, right? So that is a bit of a problem, something that's worth dealing with. Mul-T-Lock Interactive is long since out of patent, so it's not stopping anyone from manufacturing key blanks that have that moving element. No one has that I've been able to find, but a bit less of a concern because it's out of patent, so you can go print your own. So I published all of this on my
GitHub, as well as some elements that you can use with JSCAD, so it's a JavaScript version of the OpenSCAD, and so you can play around with it and do it entirely within your web browser as well.

Right, so I was mentioning patents. Patents last 20 years, and so this is why we see these many generations of these major lock designs that we see out there, right? So with Mul-T-Lock, the Classic came out in 1977, and then in 1994 the patent was getting close to expiring and they released the Interactive to keep that in patent and allow them to maintain control over their key control. Alright, and then in 2007, another almost 20 years later, they released the MT5. Same thing: they're changing up how that moving element is done, to a spring instead of a solid element, and that's primarily done to keep things in patent and maintain legal enforcement ability over their key control.

Alright, so let's take a look at how we can apply this to the Mul-T-Lock MT5. Alright, so the MT5 works similarly to the others except it has this spring in the tip of the key, and it's in the center, not collinear with the rest of the cut, so the pin for it has to be this funny little thing that's got a little secondary pin stuck to it over the side. It's an interesting looking pin, and I shudder to think the expense at which they manufacture that, but they do. And so we've got to push this pin up by having a protrusion on the top of our key. So we do the same thing, right? We add that protrusion, just with OpenSCAD, which is the software that this was created in, just a cylinder, and you rotate it and position it correctly and union it with the rest of the key, and then we just knock off the back of that key so that it has space to fit in the lock, and that will work for us. It is worth noting that the MT5 has a variation called MT5+ that has a track to it, so it's also got a slider track, and so we just have to add that to the back of the key as well, but nothing about this technique prevents us from doing that. So here's one
that's 3D printed, and we can see a protrusion at the end of the key, and then on the backside we've got that slider track printed as well. So in one place it's actually so thin that there's no material in between them, but that's okay, the rest of the key supports it just fine, and so it operates it just fine there. So we can see this protrusion from the 3D print sticking out there. So when we insert this into a lock, we're now, it's at the end rather than the base of the key that's moving. As I tilt it back and forth, this pin here at the far end is bouncing up and down, and so I am successfully setting that pin that should be set by the moving element as well. So you can print your own of these as well at the same URLs and try it out for yourself.

So now that we've got both Interactive and MT5, and MT5 is still in patent, so this is something that they would be potentially concerned with, I reached out to them. So part of the responsible process of discovering this sort of thing is you reach out to the manufacturers and let them know in advance of publishing it, and give them a chance to fix things or at least respond and be prepared for it. So I reached out, and the response: crickets. So I sent multiple emails to their online forums, I even reached out to some people I knew, and I just could not get on the phone with the right person. So if you happen to be watching this video on YouTube after, or in the audience, and you're from Mul-T-Lock and you are the right person, please reach out to me. I would love to work with you to help mitigate this, and there are mitigations available, which I'll talk about at the end. So hopefully we can see that happen now that this is actually being released, but it does give attackers a bit of a head start now.

Alright, let's talk about Abloy. So we talked about that a bit at the first part of this presentation. We're going to come back to it. It's a bit more complicated geometry, which is why I covered Mul-T-Lock first. Alright, so we've got the disc detainer
cuts are a bit more complicated. We have to treat those with a little bit more care when we're removing the metal from the backside of it, but otherwise the process is pretty similar, right? So we've got, in OpenSCAD, which is this really awesome software that does this, and you'll see why in a second, we add a sphere to it, which adds that element that's sticking out, and we've got to remove material from the back of the key so it will actually insert and fit within that lock. Now, we can't just chop it off the way we did with the Mul-T-Lock, because this is a disc detainer and it has to be able to interact on both sides of the key with the material. So what we can do is draw a second one. Alright, so I'm just doing Abloy Protec2 twice, and then I'm rotating it, so in this case I'm rotating it by 2 degrees in the y-axis. So you can see here that this is two keys that are rotated, and one of the beauty of this software is that I can take the intersection of those two, and so there's the intersection, and so that pretty perfectly chops off metal from the back in exactly the way that I need that to happen in order for it to actually fit into the lock, right? And so you can see I'm doing this in the code: drawing one Abloy Protec2 and another that's rotated, and just taking the intersection of the two. Alright, so this is what it looks like when 3D printed, and we can take a look at it in operation. Alright, so
there's the key with the element poking out, and you can see when I turn it, it's thinner at the base of the key. I insert it in and I push it to the left, and then I quickly defeat that element detecting the moving element, and then after a bit of wiggling I turn the discs as well and get those all to set in, the sidebar to go in. So this works now with Abloy Protec2, and it allows you to 3D print not just with a compliant mechanism but also a completely static mechanism. And so that's not just 3D printing that that interacts with, but also you can make this out of metal, right? So we can now make a metal key that will work for Protec2. So again, something that we want to potentially mitigate if there's a good way to do it. So I reached out to Abloy with the same process, and the response: crickets. So same deal: if you are with Abloy and you are the correct person to talk to about this, please reach out to me. I would love to work with you to help get this mitigated.

Let's talk about Medeco. Right, so when we started this work, right, Medeco did not have any keys with moving elements. They had the classic and the Biaxial, and the M3 just added a slider there, but soon after we were starting this work they announced the M4. And so the M4 has this sidebar with finger pins that get set, as well as a moving element. Okay, so this is a pretty good opportunity, right? We now have a lock that is not yet out to the public, and we've got a potential vulnerability with it, and so we've got an opportunity to actually get this vulnerability fixed before it's released. That's pretty awesome, right? So how does the moving element work within Medeco? Well, we've got this, the moving element for the M4 is called a shuttle pin, and it interacts with one of these finger pins called the lift pin, and that lift pin just doesn't have a protrusion deep enough for anything else in this sidebar track to operate it, and so the shuttle pin has to be sticking out in order to interact with that lift pin. Right, and so reached out to
Medeco with now this potential vulnerability, of course untested because we didn't have an M4 to test with at that point because it wasn't released yet, and said, hey, let's see if we can talk about this. And so the vendor response was actually incredible. They got back the same day, and they emailed me, and then I got a phone call, and you know, this is like the day before New Year's, and the guy that reached out to me, his name is on many of their patents. So they took it quite seriously and actually reached out promptly and were very responsive with that. So this is a good response, right? And so we had a number of calls with them, we discussed the technique and made sure they understood how it might potentially operate on the Medeco M4, and Medeco's team tried it without success, right? And so it's now our turn to try it.

But before we were able to do that, before they were able to send us any information or even a lock about the M4 so we could try it out, we had to deal with the NDA process, right? So I'm sure most people in this room are familiar with that, and that's something that when you're a hacker that discovers something and you're requested to do this, it's kind of a big decision, right? And so we took this to our legal team and they looked at it and said, like, NDAs in general are fine. The problem is when it's you, the little guy, in a contract with a giant conglomeration like ASSA ABLOY Group, even if you are totally legally in the right, they can put hundreds of thousands of dollars after lawyers to just make the process drag out and bankrupt you on the legal process. So that was one of the warnings that we got, and based on, honestly, it was pretty heavily based on how responsive and reasonable the gentleman from Medeco we've been talking to had been, his name is Clyde Roberson by the way, he was responsive and reasonable, and we decided to take a leap of faith and do it, solely based on his demeanor and our read on the situation based on that. But do beware before you sign these.
The other important thing to keep in mind is make sure you read it, and if you can, make sure you send it to someone with some legal expertise to get it reviewed, right? So we've worked with NDAs loads of times before and we know what's standard, and we noticed one paragraph in there that wasn't completely standard. So foreground intellectual property, within a contract, it is intellectual property that's generated as a part of that contract. And this was an NDA, it's supposed to be non-disclosure. It's also said, well, by the way, anything that you or us develop as part of this communication, we now own, so we being the ASSA ABLOY Group. And so we looked at this and we're like, we don't want to do this, we want the NDA to be about non-disclosure and not intellectual property ownership. As we got back to them about that and said we got a concern with this paragraph, the response was, okay, here's a new version, that paragraph deleted. And this is actually pretty standard with NDAs, right? If you don't like an NDA that someone sends you, you express your concerns, and companies are usually very happy to modify it for you. And so that happened here and it worked out quite well, right? So we're all signed, we're good to go, we're NDA, and we can now actually test this thing, right? And so Clyde sent a couple of the M4 locks, right, some of the early production versions, and we were able to actually start testing this and see if we could find a way to make this new method work with the M4.

So attempt number one: we took a Schlage SC9 blank, and when you file off enough metal on it, it will fit into that M4 keyway, and we also press fit in a piece of metal to have it stick out on the other side, right? So it's sticking out here, and that's simulating the static component of where that shuttle pin would be moving out. The problem with this is the sidebar and these finger pins here, which is that the entire key has to move, right? So the entire key has to move to insert it and then to actually actuate that
interactive component, or not interactive, that's the Mul-T-Lock term, that moving component, which Medeco calls the lift pin. And we also need to have these standard finger pins riding along this sidebar here, and what happens is, when you move it to the side to insert it, the finger pins are all now down here, and they're spring loaded, and so those finger pins act like a ratchet mechanism and it prevents you from actually moving the key over and actuating that. Okay, so that doesn't work. So we need a way to get those finger pins lifted to the correct height and give them a little ramp to do that, and our solution was to create individual ramps, right? So we added these channels here, and so now we have a ramp for the first, the second and the third finger pin individually, and so now we can get all of those lifted up to the correct height. Right, so that's, oh, there we are, that's a bit of a close up there. And so we can see this in operation, and it works fairly nicely, right? So it's interacting with those finger pins and pushing them up to the correct height, meanwhile the protrusion we press fit in is pushing the lift pin up to the correct height.

The problem is the old problem with keys with moving elements: it will not insert or remove from the lock, right? So this protruding element, it just is binding with these finger pins, right? So it fits in the keyway just fine, but now these finger pins are in the way, and we could make it thinner on the backside and mitigate it that way, but there's just no more metal to remove. This thing was paper thin already. So because of the particular shape of the M4 keyway, we couldn't make that happen. If the keyway were ever widened, right, and so this is a bit of wisdom with the M3 that did have the keyway widened from Biaxial, if the M5 has a wider keyway, this attack will start to work. So it's now something that they can be aware of, which is good. The other element is that chirality matters with this, and so for anyone who's ever tried to pick a
Medeco before, you know that if you tension it one direction, the top pins bind first; if you tension it in the other direction, the sidebar binds first. And what was happening with using this technique is that when we inserted this surrogate key, the direction we had to twist it to move it in and cause this lift pin to actuate is actually the direction that causes the sidebar to bind hard against these finger pins. So we're now trying to turn it in a way that will set that finger pin while we're binding the sidebar hard against it. It made it not really a viable attack for that reason as well.

Okay, so let's look at what we pivoted to when those didn't work. We started to think out of the box a little bit, and looking at the actual design of the lock, this is the lift pin, and there's this element here that can be pushed down, and it's within the plane of where that key would insert without a moving element sticking out. It's just, it has to get pushed down deeper than the plane of the core's milling there, so we need an overhang on our key to cause that to happen. And so to make one, we took pieces of metal and bent it, so we have this little J shape, and that allows us to create an overhang, and then we added this little peak to it. And so that peak, the finger pins are able to ride over that peak just fine, but it can push in and hit that little part and push it down to get the finger pin to the correct height. And it works badly. It honestly doesn't work very well. It's like you got to try it a bunch of times, and two times out of ten you're able to get it to work, and it's got to get perfectly positioned. But it does in theory allow a blank to be mass produced that might not work great but does work, so it's something that's potentially worth mitigating. And this last element, we just sort of had a stroke of the idea there fairly recently, so this was only presented to Medeco fairly recently, and so they're still in the process of deciding if and whether they're going to mitigate it. The
mitigation is fairly straightforward: you just deepen this, or possibly add sort of a bowl concave cut to it, to prevent that from working. And currently the responses are towards doing the mitigation, but it requires tooling changes, and things are further along the production schedule now, so it is something that takes a bit of time to figure out. So there's a good outcome here. So we've got not a great attack, but it's something that they're still likely going to mitigate there. For the actual fabrication, and I've talked a little bit about how you don't want to have a lockmaker's perspective, they really don't want something that anyone can make. So like those ones that you could buy on AliExpress, they don't want that happening for their own keys. And so to make it yourself, if you can't have one that anyone can make, 3D printing is one option. These are the two main types of printers. Filament printers are just not detailed enough for printing most keys. When we do it, we print the blank and then add the cuts using traditional methods. But resin 3D printing is absolutely the way to go for making keys. It gives you 10 times better resolution. For making it out of metal, so in this case adding that J-shape, we were able to do with just a little clamp, except we had to give the clamp some help with the hydraulic press. So these fabrication techniques are not necessarily something that everyone has the ability to do. When adding the cuts to it, because these blanks are imperfect, they come out of the clamp and bend nastily, and you also would need a machine that's capable of adding these top cuts, which not everyone has. Have to jump through all sorts of hoops doing it. So when adding the cuts to this particular version, we had to put three keys together: one to prevent this clamp from pushing in the press fit element and misplacing it, and another to give support on the bottom side, because this blank was paper thin at this point, you know. So it's not a trivial process. And then we had to
mill out a little bit at the end to allow it to insert all the way and have the tip tip warning not be a problem for it. So in general, these fabrications are something that you can do if you're a major lock and keener like us and have all this equipment. A lot of people don't. It's the sort of thing that lock makers are considering when they're deciding whether to mitigate, is what is the effort required to carry out this attack. And patents are effective against mass production. Against someone in China going and making a version that does work in China, you can't really control that with a manufacturer, but you can at least control it on the import side, and you can certainly stop someone doing that domestically. So one of their key concerns with key control here was that any attack we were able to successfully do did not allow someone to make this key in a way that bypassed the patent. So a valid consideration there. We'll chat a little bit briefly about some alternative attacks, so things that people should consider before they're worried about this, and then some defenses available to you as well. So one is, this is one of the gates of the New York City subway station, and they've got two locks here. You'll notice security Medeco with great key control on it. One is a Yale, and so Yale locks, the keys are not at all controlled. And it's also this, which most people in this room will have heard of, is this the same thing for everything in that in New York City, and people are getting it. So it's something that you gotta make sure that you're not gonna be doing something like that if you're worrying too hard about the key control for one of your two locks. You can also attack the code card. And so in this case, what we've done is taken a Mul-T-Lock Interactive code card, and it's just got the code stamped onto it, and so we've just re-stamped it. So on the original, this 264S is the keyway, and we've changed it to 200S. And so in this case you can see that little artifact there. We didn't do
it great, but up here, you take that to a locksmith, he's not gonna know that it's been modified or anything on this, and get a code card that authorizes a locksmith to create an entirely new key for us. And of course the blanks, once they're out of patent, they're not necessarily as easy to control the sale of, so you can buy these blanks on eBay. And so these are two of the ones that we bought, and there's actually a bit of a story with this one up top here, which is that when we received this, it had one side for a locksmith that was actually local to us, a locksmith that we knew, and they were in business still cutting Mul-T-Locks. And so I reached out to them and I said, "Guys, I just bought keys on eBay coined with your business. Is this right? There's a bunch of things about this that don't add up." They got back to me that very same day and said, "Yeah, this is not right. There's clearly a problem here." And so I've blacked this out to not dox them. They're an honest business trying to do standard locksmithing, and they don't want to deal with all of this crap that us in the hacker community get up to. But yeah, so we reached out to them and they did some investigation, and it turned out that three years before, they had a package arrive by courier with more blanks in it, and the package was manifested for 25 pounds, and the delivery driver said, "Something's wrong here." And it turns out at some point, they don't know when or how, those keys got stolen out of the box in transit. So talk about a supply chain vulnerability there. So they reported it to Mul-T-Lock, and then when I reached out, they were able to recover 9 out of 10 of the stolen boxes from the seller on eBay that was just selling all 10 of the stolen boxes. And so when you happen upon stolen property, there's no compensation owed to you for that; it belongs to them. But they insisted on compensating us, and so I eventually gave in to that. But you know, that's something to be wary of when buying stuff on eBay that might potentially come from
less than up-rate sources. So what can we do to defend against this? Well, the first one, and one of the first ones we thought of, is take the moving element, put another one beside it, and have it go the opposite direction, and the key is actually widening. And so that prevents us from moving the entire key, because it's getting wider, right? So that's one option available to us. Mul-T-Lock actually has already two moving elements. This isn't for that purpose; it's just so you can insert the key in either direction and it's going to work. But that's something that potentially could be modified to apply this attack for. There's a reason it can't, and I've got a nice shiny new set of Medeco bump keys for the first person after this talk to think of what that trivial workaround is. And if you're watching this talk on YouTube afterwards, put it in the comments and I might send something your way. So that's one option. Another is these sidebars. This secondary locking element itself prevents motion of the entire key, because it interferes with the operation of the secondary element. So far as it turns out is a great example of a good defense against this particular technique, right? The one that actually was valid used a completely separate and happenstance vulnerability in the lock, right? So the Mul-T-Lock MT5 would have that defense available to them with the finger pin line on the bottom, except that those finger pins are not spring loaded, which means that I can insert the key in one position and set all the finger pins at the bottom, and then set the top pins on top, and there's no spring to spring the finger pins back and frustrate me there, right? So the mitigation here is pretty simple: just add a spring behind even just one of these, and that's going to prevent this attack from working, right? So a mitigation that's available there to you. And you know, if you happen to have MT5s, you can even do this yourself, right? Get a little tiny spring and stick that in behind that pin. You'll have to drill it
out a bit for as well. So there are options available to you. And the last thing is, to defend against this, you don't want to be laser focused on the wrong thing. You need to make sure that there's no other glaring problems in your facility before you're worried about something as niche as this, right? So here's, I'm sticking a key in, key turns, I open the door, right? Well, that's the wrong key. That key is not turning in the lock; the entire lock is turning in the door. And that's because there's a retaining pin that's supposed to hold that lock in from doing that, that has not been properly installed there. We see crap like that all the time in facilities. And so you really want to make sure, if you are running a facility, that you get all of that looked at and fixed before you're worried about extremely niche attacks like what I've just talked about now. So with that, I'd like to thank everyone for listening. If you have any questions, I'm going to be running the physical security village in 202 right after this, so please come find me there and I'm happy to take them there. Thank you very much, folks.