Welcome. Thank you for your patience. This talk takes some amazing setup. I took some pictures of the tables up here because this is by far the most elaborate setup we've had for any talk, as far as I'm aware, at EMF Camp this year. I've seen this man do key impressioning in videos that I've seen presented by other people, but this is the first time I've had a chance to see him in person. I can't wait and I'm sure you're as excited as I am. Presenting key impressioning, please welcome Jos Weyers.

Good day. Is this? Yes. There we go. Hello. Well, I'm Jos Weyers. I'm going to talk about impressioning, lock impressioning. That's a technique of opening locks, maybe in a different way than normal, and I'll also be explaining what lockpicking is all about for the four of you who didn't go to the lockpick village this week. So that's good. Like I said, I'm a member of TOOOL. TOOOL is The Open Organisation Of Lockpickers. We open locks as a sport, because we like it. We do that without force, mostly without the keys, and that's basically it.

Being a sportive lock picker, so doing lock sports, you have to abide by a couple of quite simple rules. Rule number one, only pick your own locks. Rule number two, or 1.5, whatever: if you do not own that lock, you need explicit permission from the actual owner to pick that. And another rule is do not pick locks that you rely on, because if you start practicing on your front door, at some point you will fail, and then maybe your door won't open or won't close again. Both are bad. So abiding by, living up to, those three rules will keep you out of trouble-ish. So that's the idea.

Okay, we're going to open locks. Sorry, I'm also a member of Hack42, which is an awesome hackerspace in Arnhem, that is the Netherlands. We're going to open locks. First, we have to look at locks, to know how to open that. Hold on a sec. Yeah, this is a lock. It's a euro profile cylinder, like commonly used in Europe, as we all know.
If you look at the lock, you see a cylinder, a round thing that we want turning. If it's actually mounted in a door, it matters which way it turns. As a sports picker, I don't care. Normally I'm having the lock in my hand, and as long as it turns, we consider it open, and you get points or timing or whatever. Well, if we try to turn this lock now, it won't turn. If you look at that schematically, you see a round bit with a hole in it, and if you look into that hole, you see something, no idea what, and that won't turn. So let's take one layer off and figure out what's going on here. Well, actually, there's not just one bit. There's a red bit, also a blue bit, and the blue bit is actually the part that's preventing it from turning. Because if you turn, the blue bit gets squished between those metal sides, and the spring all keeps it up. So what you need to do is put it down to the correct level so that your lock will turn. That's quite straightforward. I'm doing it like kindergarten technique, and we'll speed it up later.

Okay. Well, that's just a one pin stack lock. These two pins stacked on each other with a spring under it is called a pin stack. A normal lock, if it's a decent lock, if it's a half-decent lock, consists of more pin stacks. This one has five. Five is a typical number. In the UK, you see a lot of six pin stack locks. That can go up to way higher. I've seen 21s. So whatever. In order to open this lock, there are, if you turn this lock, there are eight blue bits preventing this from turning. No, there are eight blue bits preventing this lock from turning. So what you should do is push all the pins down to a level that those are out of the way. We use the special key for that, well, special tool. And now you see all the blue bits are lined up. And so the dividing space between the blue and the red bits, those are at the exact shear line where the lock will turn. If that one is even off on one position, it won't turn.
That's when it's too deep on position number five, because we start counting off from the shoulder, one, two, three, four, five. And this one is too high and it still doesn't work. So the idea, so like I said, the idea is that if you start turning this lock, there are five bits of metal preventing it from turning. Now, if you don't have the key and you want to pick this, it will be quite hard to put all those five pins at the correct depth simultaneously. That's hard. I mean, you can get in with all sorts of metal picks and do whatever.

Luckily, this is not the perfect world for us. There are tolerances because locks get made en masse. So you have a machine that keeps on drilling holes. There is a rod that will produce the pins. And if you look at these pins, they're supposed to be cylindrical. Well, they are-ish, but it's the -ish that counts. And if you see the holes, those holes are in the cylinder that should turn. Those edges are supposed to be 90 degrees angle straight. Which they clearly are. Which they clearly aren't. There is a, they have a give. And if you look closely, you also see that those holes are not completely aligned. They are a bit crooked. Actually, I don't care what's wrong with this lock, but as long as I know there's something wrong with the lock. And if you look closely enough, there's always something wrong, well, wrong, there's always tolerances because you can't make two metal objects exactly alike. You can make them look alike, but if you zoom in enough, you'll see differences and that could be on the micron level or even further. I don't care, but they won't be exactly the same.

So what that means, if I start turning this lock, there are not five pieces preventing it from turning. There's one piece preventing it from turning first. So if I start turning that cylinder, the first bit of metal that gets stuck, that's the one I'm after first. And well, and that could be because the hole is a bit more to the left or the pin is thicker or care.
I do not care. So what we can do is just look at that one pin stack. Then what happens is, well, if you turn it, it gets pushed to the side. We saw that already. And if we push that down ever so slightly until we reach the shear line, that lock, that tiny piece of a lock, will open. So that pin stack will be open. The lock won't because there's more pin stacks, but then this one does. So basically now your lock is 20% open because one out of five and you repeat the process. Schematically, we apply some turning force. This is just spring, spring, spring. That one doesn't want to go down because it's squished to the side. That's the one we push down and we keep on feeling for the one that doesn't want to go down and that's the one we push down. We repeat that over and over again about five times and then it opens. That's lock picking.

Okay. Demo. A lock. I use an American Kwikset because I do not want my demo to fail. And a tiny pick, not unlike the one you see there. Go in, feel about one that doesn't want, that goes in and we have an open lock. So like I said, American. Better. Single pin picking, that's called, because I go pin for pin for pin, one at a time. If you know it's a crap lock, then you can cheat a bit. If you go in with a rake or a snake, or there are several weird terms for different picks, and basically brute force it a bit, and we're going to do that with a different tool. There's a mountain six actually. We have weird names and that's supposed to go. There you go. It's a bit faster than the other one. So it's actually in and boom open and yes, this is normal pick. This has not been altered. Actually, when I bought this on one of my first trips in the US quite some time ago, it took me way longer to get it out of the shrink wrap than actually open it. We have good shrink wrap.

You can do this with lock picks and you can buy these quite legally. Well, not everywhere. France is a bit picky about them. So is Bulgaria I think.
So I'm definitely not a legal counsel. So don't call me. Basically, in most countries, it's considered a form of a burglary tool. So it's as illegal as a crowbar. You're allowed to have a crowbar, just, well, if you have your hoodie on and you are in the dark in a place where you don't belong and you have your crowbar, you'll be fucked. And same goes for, so if you behave, you can carry lock picks. I carry lock picks all the time. Last week I came back from the US, even there. I carry them all the time. I do not leave the house without lock picks. So I do that. They look like this. That's a decent beginner set.

And if we look at keys, our locks actually, this technique also works on these locks. Well, on the locks that these keys belong to, that key belongs to Jesus. Because this is still a pin stack. It's just coming at a weird angle. It's still a pin stack. You can get in with a piece of metal and feel those pins and which one is stuck before. And you see that there's a, well, quite a lot of holes in there. Well, actually this is a Lips Wendish Lussel. That means that you can take the key out, turn it 180 and put it back in. Because, well, there's no up and there's no down on that. Both sides work. So only half of those pins are actually working because they have to have it for all of them. The Kensington-like lock at the bottom, basically the same as long as you can turn it, you see the pins actually. So you can push them down like that. So technically that will be easier, but there are some other, with a normal pin, with a normal pick set, you can do that. It's a bit more work because every time you turn, what is it, 20-something degrees, everything gets stuck again because it reached a new hole. So you have to pick it seven times to open, but still doable. So that's normal pin stacks. But if you look at rooms, oh, wait a minute.
Yes, if you look at rooms like this, actually, if you look at computer cabinets, they have, most of the time, they have different locks and they look like this on the left, I hope, on the right, that's, I have gutted. These work a bit differently. So schematically you still have a circle we want to turn and there's a hole in there, that's the black part, and there's some metal, that's the red part. If we take a layer of material off of that, we see why it's not turning, because now there's no blue part or springs in this particular moment. You see that the red bit is stuck on the bottom, that's why it can't turn, because if you do want to turn it won't, now it's too deep, now it's too high, and in the middle it does open. These things want to open. There's one. And I'm going to, hold on a second. I'll just take my pick, go in there and it's open.

Now this could be the lock protecting your infrastructure from the guy who is renting the computer box that's next to you. So if you're hosting in a colocation, this could be your ultimate security. I don't think that should be the case. So that's it. And if you, most of the time, if you go to the supplier and say, I want to change this lock, they do that for you and they give you the other lock. So it's same diff, so that's wrong. It can be opened with normal picks, as I just described, but if that's even too slow for you, you can use a set of jigglers. Those are in the middle at the top. Those are specially made for these kind of locks, and then it should be even easier, but I don't think I can beat this time, but try it again. Take a nice one. That should work, I think. Normally it's mounted, should be easier. That's stupid. Need to have the proper size because, well, size matters, right? Yeah, and open. So that's almost like a key.
I mean, if I would be doing that in your computer room and I'm allowed to go in that box, and I'm trying to get in this box, which I don't have the key for, if it takes me this long to open it, you'll assume I have a key, right? So I will probably not be questioned how to, well, what the heck am I doing there?

Mr. Newton. Billiards. What happens if the white ball hits the red ball? Come on, you got this. The blue one moves. What does the red one do? Nothing, it stays, correct. And to prove that scientifically, we have an animation. So, yeah, that's what happens. That color scheme is, of course, not chosen randomly, because what happens if we hit, well, actually, it moves already. If we have a way of putting a piece of metal in that lock and hit all the red bits at the same time, Newton says they stay in place-ish and the blue bits should shoot away. Of course, there are some springs under it pushing them up, so you have to hit it quite hard. But if you timed it correctly, now it's open. Because there's a gap, now I can turn that lock.

Let's see how that happens. So we have the high-tech American lock. I need more hands. Okay. Still need a turning force, ever so slightly. Use a piece of metal. This one is just this straight thing, and that goes up and down, down quite forcefully. Put that in, align it, open. That's not really a lot of technique needed. Of course, that took a long time. So let's speed it up a bit. Of course, it doesn't. Should have slaughtered more sheep to the demo gods. There you go, open. Okay, so that works. But then again, that looks like a gun. It's actually called a pick gun. Of course, well, that's basically what it does. It has a trigger and picks a lock. On an x-ray, that looks quite interesting. Like I said, I travel to the States a lot, and that's the problem. This one is basically a hunk of metal that vibrates. It gets me different questions, but it still gets me questions. And well, it's sturdy enough to be a weapon, I reckon.
So this is not nice in travel. And of course, well, they're bulky. So what if there would be a way to get inside a lock and touch all the pins at the same time? What could we use for that? Well, actually, we have stuff for that, and that's called a key. I mean, your key goes in and touches all the pins at the same time. That's what it's supposed to do. So what you can do is take a key that fits the lock and cut it to the deepest, well, this is, well, cut, make the cut as deep as possible and take a bit of material off the shoulder. So the key has some give. So if you let it go, then it'll spring back. Just a mil or something like that, or half a mil, play with it. So what you see, if you push that key in, the pins go down, right? So if we push that key in a bit more forcefully, wait for it. There it is, bang. Newton kicks in.

Let's see how that works. We have a, whoa, this is kind of destructive. I mean, you get dents in your, so this one didn't slide in. This is a lock and this is the bump key as it's called. So if I push that in, it comes out automatically just a bit and of course it doesn't open it. That would be cheating. Take a mallet or something hit-ish, open. So I guess I did slaughter enough sheep. Again, ah! There you go, open. So now you have an open lock and that's quite easy.

But of course the key I use for this has to fit in the lock. So it has to be, well, same brand-ish, and of course the pin positions also have to match. So I kind of need a key for every brand of lock. Well, in America, that's an easy feat, because in America you don't have that many choices of normal consumer locks that you want to have. You have Schlage, you have Kwikset, and the rest is very expensive. They do have very good locks, but they tend to be very expensive. And so a normal consumer will go for a Schlage or a Kwikset, which means I need two bump keys to open up, let's say, 80% of all households. Now, mind you, they do have guns.
So in Europe, well, actually there are some protections against this, but when this first came out there were hardly any. At that time, this set of keys would open up, I don't know, 95% of all Dutch households, because if you go into a key copy shop, you see this whole stack of keys scattered about, and you go like, well, you can't have all those keys turned into a bump key because you need a van to actually go. Well, proper locksmith does take a van, but if you ask that key copying guy, actually what do you sell the most? They'll probably go, oh, these eight, or these 20, whatever. So if you take those, there you go. So this is an opening technique that is, well, you saw it's easy. So when some Germans from SSDeV, that's basically TOOOL in Germany, when they looked at this and, well, they basically... This is a very old technique, but a couple of years ago, they did some extra research, and... What? Oh. I've just been informed that we are now the only talk, so I'm the keynote. Hi. So let's start over, then. That's not... Welcome to this keynote.

So that's an alternate way of opening a lock, and that's quite easy. So we, as TOOOL, we decided to go public with this, which is kind of unheard of within the lock community, but it is this easy that, well, any layman can do this, and we think that's wrong. And a couple of lock manufacturers said, no, it's not really a problem. So we basically challenged them to up their locks. And now, I believe every European lock manufacturer at least has a bump-proof choice within their repertoire. And there are several ways to actually... There are several ways to undo this, and, well, a couple of them actually work. Some just don't.

But the talk is called impressioning, not picking. Impressioning. The question is, how long can I stand in front of an important door, like your front door, computer room, whatever, without being shot, questioned, dragged away, or whatever? Would that be two seconds?
Would I get arrested within two seconds if I stand at the wrong place? I think two seconds is a bit of a short timeframe. Can I be there for a minute? Can I stand in front of your server room for a minute without being questioned? I don't know, 10 minutes? I think if I can stand 10 minutes in front of your server room without getting questioned, you have other problems, because that shouldn't be the case, because within that timeframe, I can pick the lock properly. But what if, option one, two seconds would be all I need, but just a couple of times. So two seconds, twice a day, for about a week. I'm pretty sure I will not get questioned within two seconds, especially if I'm holding a phone in the wrong door. If I do that twice a day for about a week, I could be in.

Bit of a background. This is Mr. Tickle. Well, it was Mr. Tickle, because he died a couple of years ago. And before I heard that he died, I had his picture in my slide deck also, and normally I asked, does anybody know this guy? Because I really want to pick his brain. He used to be the FBI go-to guy when they had to go into a door that they didn't have keys to. And he used this technique over and over again. One of the stories is that at one of his first assignments, the FBI at that time, they wanted to get into the house of a mafia boss, and he wasn't at home. And actually they wanted the key to that house so they could enter over and over again to place some wiretaps or something like that. At that time, that couldn't be done digitally, we're talking ages ago. What they did, they put him in a cardboard box like as if they were delivering a refrigerator. And they did deliver that box next to the front door. That's scary. And there was a hole cut in the cardboard and he went out and did his stuff. And in the morning they picked the box up and he had a key. Interesting. How did he do that? Well, there's actually books written about, well, not that story, but about impressioning technique.
This book is called impressioning technique. This is the German version. It does exist in English-ish. But that doesn't really matter because it's all about the pictures. The pictures are awesome. This book is written by Oliver Diederichsen. He's been champion in this technique for about three times now, so he knows his stuff. And he literally wrote the book about it. There are pictures in there, well, even with other kind of keys, as you can see, the dimple keys. They also work car keys. They work like a charm. And it even has pictures of the Kaminal Prüflabor, which is basically CSI in Germany.

Okay, enough about the background. How does this actually work? Impressioning, I do not start with a cut-down key like a bump key. I start off with a solid key. So this is a totally uncut key. And of course, in all those previous slides, the blue bits were preventing it from turning. But now it's the red bits because there's a chuckload of metal in there. There's a chuckload of metal in there. So all the pins are lifted up to their highest position. So, yeah. So what we can do now, if we turn this key same as before as with the picking, yes, there are five bits of metal preventing this cylinder from turning, but there's one bit preventing it from turning first. Okay, that's interesting. And also, now because there's metal in the middle, the key, I can move... I can turn the key to the other side as well without everything falling down because the pin stacks are holding up. With some luck, another pin will be preventing it from turning first. Okay, what can we do with that? Another thing is... Yes, so if I start turning it, there's one key that doesn't want to move up because you can wiggle your key because if you come home at night and you'd have your key, yes, it fits in your keyhole, but it has some slack. You can still move it up and down because if it would just fit, so not moving up and down, it would be quite hard to put that key in. So there is some give.
So you put your key in, turn to one side, move your key up and down, turn to the other side, move your key up and down. It's totally animated. Yes, so turn, up and down, turn, up and down. With some luck, on position one that's close to the shoulder, that pin stack is moved basically against the spring. That's all. The other one will be forced, the second one will be forced harder into that key because both are quite soft metals. So if you look at that key closely, so you probably need some magnification aid or very weird eyes, then you would see tiny dents, spots on that key, that something has happened. On UV light it looks like this. They are tiny.

So what we can do now, on the places where we spotted those spots, we take away a bit of material, not too much. And if you know the brand type of your lock, you could probably go online and figure out what that exact depth should be. That's still not a working key. So what we do then, we reinsert that lock. You see it's not a working key, there's still five bits preventing it from turning. So rinse and repeat, we go over. We start turning this, and again the same pin is preventing it from turning because it's the widest or bit more to the left, whatever. So that'll make a mark in the valley we just created. And well, same goes for the other one. So we end up with a key with marks in the valleys we just created. Easy peasy. So we have valleys with marks, and what we do, we take away even more material on the spots that have those marks. Rinse and repeat. We keep on doing this.

But now something happened, because if you start turning this, that pin is on the correct level. So according to that pin, the lock is open. So if we start turning this lock, the other one on position two, that one is still on the correct level. So that will mark if you start turning it one way and moving it up about. But pin number four will not mark anymore because that will just slide. That's open. Ever so slightly, but it slides a bit.
So with some luck, we'll get marks on a different position. And indeed, it's on position number one. So going through this process step by step, in the end, we'll get you a weird key that opens your door. A copus d door. And it will look weird like this one. The lower one, that's the one I did. And the top one is the one that's the original key that I didn't have when I was filing, of course. And they both work. And they don't look the same. But if you look at the bottom of the valleys on both keys, they are alike. So the important bits, those work. And if you're any good at it, you win medals.

And now it's time for a demo. Test. Yeah. There you go. That works. Everybody can hear me? No answer? Hello? Okay, good, good, good. Key. Actually, a factory cut key is a bit higher than actually needed on our position. So I'm going to take off some material even before I start. I normally use a workbench for this, which is controlling all the factors a bit more. Okay, so now we have, are we there? Yes, hello. So now we have a key that is cut to, well, quite shallow actually. So I put it in. Turn one way, up and down, up and down, up and down. Turn the other way, up and down, up and down. It should be enough, but I'll repeat it a couple of times so we got very good, fresh marks. And indeed, I got marks. As you can see, I'm not that much at the lock. I mean, if I go in, it just takes a couple of seconds and I'm out. Those are the two seconds I was talking about.

A friend of mine, he's a pentester and his office is on the fifth floor. And he's not allowed to go to the seventh because that's seven because that's a different company. So he started by, every day he's in the elevator because that's got operated by a key. If you want to go to seventh, you just use the key and then you go up. Every day he's in the elevator alone. He does this in one time, one time.
And it took him two weeks and then he had to work from 17 to the seventh, which he didn't go to, of course, because, well, not allowed.

Second, mind you, there are competitions on this. And first round normally lasts an hour and about half of the field opens within that time. So this could be a long talk. Hello, newcomers. I think I overfiled at some point so I have to start over again. Yes, you get more action for your buck. Thank you, yes, thank you. No pressure. Keep it coming. He did it.