Hey, and welcome to Keystone to the Kingdom. This is a talk on targeting Best SFIC locks, and you'll know in a second what that is, just in case you don't. This is a talk being given to DEF CON 28's Lockpicking Village. Unfortunately, we have COVID going on in the world and we are not going to be able to meet in person. So I would encourage you to reach out to me on Twitter, reach out to me on Discord inside of the DEF CON channel, and I'd love to have your thoughts, your opinions, any questions you have sent my way. I'm very happy to discuss.

Who am I? My name is Austin Mark. I'm a security enthusiast, first and foremost. I have been doing pen testing for a number of years for a small to mid-market tax, consulting and audit firm called RSM, and doing red team assessments where we regularly run into Best SFIC locks. We see them in the field. On the right-hand side, you also have my Hack The Box profile, Twitter, website. Feel free to reach out to me on any of those. And you have a disclaimer: I am not a locksmith. So my thoughts and opinions on how to secure locks probably should only be taken as an attacker's, things that I think work, but really remediating these issues or operating your locks is something that's best sent to a locksmith who can give you better advice than I can. On the left-hand side, you have a photo of me at IKEA. I don't believe I ever got that mirror, which is unfortunate, but as I was flipping through photos trying to find something that I thought was appropriate for this talk, this was the one that stood out to me.

All right. So this is Anthology. This is a collection of talks that I'm giving at DEF CON and hopefully, in years to come, other conferences. This is just how I organize my talks; they're all under this Anthology brand. On the left-hand side, you've got this little picture of an ant. It's kind of like a circuit board. That's just my little Anthology symbol.
So while parts of this lab should be done with locks and keys in hand, I'd really prefer this to be a hands-on talk. We're going to deal with COVID, and we're going to have some parts of this be a web-based CTF where you can at least learn a little bit about Best SFICs. When we get done with the talk, I will open up the CTF, and anybody who'd like to can join in and chase down some flags. There will be a prize for whomever wins. So feel free to reach out if you believe that you're the winner, and I think we'll wrap this up 24 hours after the talk.

Down at the bottom, you have some logins. You have a CTF login at PCTF.ant.red. That is a CTFd instance that has some challenges. I think there's something like 10 challenges, just kind of running the gamut across different parts of targeting a Best SFIC system. You also have course materials that just link out to a GitHub page. You can pull down some PDFs and some further learning resources if you're interested in Best SFICs. And then you've got a Keystone Web instance. You'll learn a little bit more in a second about what Keystone Web is, but there it is out at ksw.ant.red, and down at the bottom you have a login for that.

All right, so let's jump into the agenda. So here's what we're going to try to cover. What are SFICs? What are key marks? It's kind of in the name: it's the marks on the Best SFIC keys. Where are SFICs? So where are you going to find them? And then what can we do once we've found them?

So first and foremost, what is an SFIC? SFIC stands for Small Format Interchangeable Core. Let's see. Yep, you guys can see it there. They're a way for businesses to change which key goes to which door quickly. They can also provide a means of access control. So Sally shouldn't be able to go into Jim's room, but the janitor should probably be able to go everywhere, right? So that janitor needs to be able to get access to both of their rooms. So to be able to do that, you have a master key that will open both doors.
So to that end, the pins that go inside of these locks are considered master keyed. There's a number of different segments, and you'll see in a second what those kind of look like.

Moving on from that, where are we going to find SFICs? SFICs are in schools, office buildings, hotels, and very large businesses. So you'll see them very regularly. I remember when I gave this talk, or a talk similar to this, last year at DEF CON, I noticed a ton of SFICs all around me. It's kind of one of those things where you get a new car and all of a sudden everybody's driving your car, right? So this is kind of the same thing. You figure out that you have an interest in SFICs and everybody suddenly has an SFIC, and it's always something to look at, right?

So what are key marks? Key marks are exactly what they sound like. It's simply a stamp that is put on a key for tracking. It should help you know if a key goes to a door, and it'll also help you track who has access to what.

So what can we do once we know that there's an SFIC that is part of this environment that we're targeting? We could potentially pick it. We can potentially duplicate some of those keys. If we're able to get access to them, we're able to move laterally with those keys because they are part of the system. So if you know where you are within a system, you can potentially move from one door to another. And that all gets done by doing what is called system decoding. And we'll walk through some of what that is and how we do that.

So we'll talk a little more about what these SFICs really are. So an SFIC as it would be installed is on the left-hand side. You can see on the front you've got a core mark of what appears to be PG7, and it says Best. So you definitely know you're dealing with a Best SFIC rather than another manufacturer's SFIC. For this talk, we will be specifically talking about Best A2 system SFICs, which are the most common. These are the ones that I see the most often in the field.
This is a door that would only be openable by the PG7 key, or another master key, or a key that is mastered to the PG7 core mark. So if I were to get a key at an elevated part of the hierarchy, I could also operationally open this door. You also have a control key. Control keys can open any door in a system, and they're particularly sensitive. And we'll talk a little bit about how to get access to those.

So on the inside of an SFIC: this one has been fully gutted, so you don't really have any pins in here, but it helps us kind of walk through what the different items are. There is a cap that typically goes in the top. You have an operating shear line that will allow this to turn freely, which would move these throw pins and unlock a door. Or, if the control pins are set in such a way that the control lug would turn, this would allow the core to then rotate and pull in the control lug, which would allow you to remove the core from the door. So those are the parts and pieces of an SFIC core. We'll have a kind of exploded picture after this that should help explain that a little further. And really the goal of this slide is to make sure you're familiar with the control lug, which allows this to be placed in a door, secured to a door, and then operated with operating keys.

Cool. All right. So, IC cores. These are interchangeable cores. On the left-hand side, you have a standard housing that will typically hold one of these cores. It's not exclusively these in-door cores. You might actually have a padlock, much like this one. Yeah. So you could potentially gain access to one of these. And when we start talking about removing cores and walking off with something and gaining access to the full system because you have something in hand, something like a padlock like this is particularly useful. Right?
And then on the right-hand side, you have an exploded version where you can see the key, the plug, the bottom pins, the cylinder cover, the cylinder itself, all of the segments we talked about. So that's part of that master keying. And then your springs and your top pins that you will be bumping out if you're going to gut one of these locks.

All right. Moving on, let's talk about SFIC keys. So these are SFIC keys, like this. And you can kind of see on the front there a key mark. So on our screenshot, it's BA1. On the one in hand, it is SR1. On the key in hand, we also have a keyway marking that is H, if you can see that. I hope. And then there's also keyway mark A on the key in the picture. The serialization marking is particularly useful for tracking multiples of the same key. So let's say we had 10 of these, and I wanted to know if Stu lost his version of the key. I'd like to be able to know which key is missing by maybe taking a count of all the keys and saying, hey, the serialization is missing this specific serialization. Stu, what happened? I thought we trusted you with that key. All right. And then lastly, it's just this tip stop.

So let's talk about systems. So this is the hierarchy of a Best SFIC system. At the top, you have the control. The control key will operate every key within a system and also allow you to remove one of these SFIC cores from the door. And if you can remove a core, you can decode the entire system. We'll talk a little bit about what that means and what the impact of that is. But if you can get a control key, you're golden. If you can get a grandmaster key, you're also golden. A grandmaster key will operationally turn every lock within a system. So if you can grab a grandmaster key, you can open up any door within that system. So typically, you'll see GM written on a key that is a grandmaster key.
So if you can find a key on a lanyard or sitting on a desk that says GM, that might be one to take a picture of, or borrow for a moment, or what have you. Typically, if there's different systems within, there might be a master of system A, master of system B, and those are just submasters. So many times you'll see them written as MA, MB, MC, MD. It's not a hard and fast rule. It doesn't have to be true. It's a general thing that has been observed over the years. Operating keys: as we've discussed, these are keys that you typically give an authorized user to access their office, or their door, or the server room, or some other sensitive area. I've been told by a number of college students that they see these operating keys, or they're given them as part of their dorms. So maybe they have the operating key to their door, and a submaster belongs to a... whoever runs that part of the dormitory. A CA, I think, is what you call it.

Moving on. Keyways. So let's talk a little bit about keyways. The Best SFIC keyways are a part of their control system. The keyways are intended to increase the complexity of an attack against Best SFICs. So if I were to hold up this Best SFIC that has, I believe, an H keyway and I were to pop that key in there, it works, no problem. So it fits in there, no issue whatsoever. And then if I were to hold these two SFIC keys together, you should see they're very different. Very different cuts. So unfortunately, even though this is a completely empty keyway, I'm not going to be able to fit that in there. And that's just a function of a control of the Best SFIC family. So in the middle, you can see a chart of all the different keyways that Best offers on their standard, non-CORMAX, non-overly-complicated Best cores. Again, this specific talk is just going to be about Best SFICs inside of the A2 system, because these are the most common ones that I see. There are also multi-keyway keys. So this is kind of exciting.
So if you take a look at the WA, WB, WC items on your chart, you'll see that those keyways are kind of similar. So you could potentially have a single key that works for all three. And this just adds additional complexity and mastering opportunities between different Best SFIC cores. On the right-hand side, you can see a Falcon multiplex family set of core keyways. I think it's just a good example of an all-section key up at the top, and then you've got two multi-section keys that are kind of unique. And then it steps down into single-section keys, and then another keyway that would potentially open for any key. So the E keyway is potentially openable by all the other ones above it.

So, moving on. Let's talk about lateral movement. This item here on the right is straight from a code book. A code book is something a locksmith uses to track what the key codes are for a key. If I hold this key up for you, you can see the bitting. That bitting directly relates to the key code. So if you can get a key code, you can cut a key. Up at the top, you have SMBA. So that's a submaster for the BA system. And then you have a couple other keys that are part of the BA system. All right. So if you note, there is actually a pattern going on between the fifth and sixth columns of the key code, where it kind of steps up by two and then down, or vice versa. It could be, if you're going from the third column from the right to the column second from the right, you're going down and then up, up, up, and you're cycling every four by two. So it's a lot easier for me to show you a video of what this actually looks like, because it looks a little complicated here, but there is definitely a pattern that you can abuse. So potentially you can move laterally. All right. So we talked a little bit about the keys themselves and kind of the key codes and what they mean. Let's talk about what happens if you get a key in hand.
If you can get a key in your hand, you could use a key decoder and you could quickly discern the bitting and recreate those keys, or at least get an understanding for where that key goes within a system. And then you could also use calipers. So calipers, probably not these little tiny measuring calipers on the right-hand side that attach to a key chain, but calipers will measure your pins or your bitting on a key, and you can use that to recreate either a core or the key itself. So if you can get a key or core in hand, you can definitely duplicate it then.

All right. Key in photo. You could use one of these decoding charts. These are provided by DB and Olam. I find these ones very useful. Their usefulness depends on the quality of the photo that you take, of course. If you have a photo that's kind of jostled or shot from across the room, it might be a little more difficult to actually make that photo work for you. But with some Photoshop magic, you might be in luck. There's also an app called Snaptacoder. I have had mixed results with this app. Honestly, I haven't gotten much usage out of it, but I figured I'd share it. This app promises to be able to discern the bitting of a key by holding it up to the app. So in an ideal world, you would be able to take this app, and maybe in a future update, or maybe an update that I haven't seen, you'd be able to point this app at a key, tell it it's a Best SFIC key, and it will tell you the bitting, and then you can go off-site, recreate that key, and start opening doors right then and there. These are two ways that you could take a key and a photo, using a decoding chart or an app, and start to understand what the bitting is for that key and potentially recreate it before handing it back to a mark or having to leave it somewhere so you're not being detected.

So we talked about key in hand, key in photo. What about key on web? So keys on websites that are directory integrated. That sounds great to me as an attacker.
As a red teamer, I'm always targeting Active Directory. That's something that we're always looking for. It's a way to move laterally within AD. Keystone Web is an Active Directory-managed and Active Directory-joined website where you can, their phrase is, it will help the user manage keys and core records for multiple personnel throughout various locations. This product allows for importing and appending data, mass deletes for employees, key and door key data, and an activity log that tracks user transactions. So if we add a new employee, maybe he gets a new key to his door. If I have access to this website, I know exactly what that key is. And then I also know the master key, right? So if I look on the right-hand side here, we see the master key code is 8301836. If I recreate a key with that code, I can now open every door within that system. And then you also see the control key bitting. So that one was 4189250. That's particularly useful because that tells me that I can now start removing some of these cores from the system if I want to and adding my own, for potential denial of service, of course, but there may be more interesting things that you can do by swapping out a core. You might be able to start decoding the system if you don't have access to something as powerful as Keystone Web. We can also see up at the top the system type, which is an A2 system. I know we spoke about specifically Best SFIC A2 systems, and that's what we would be targeting. We see the keyway for this system. So this is an A keyway system. And we see it's a 7-pin system. So we know that we're going to be working with 7-pin locks. The majority of the Best SFIC systems I see are 7-pin systems. And part of what makes them difficult to pick is the fact that they're 7 pins, but then also they have master keying. And because they have master keying, it's very easy for those master wafers to fall as you're picking.
And it's very hard to line them up consistently with what would be an actual operating bitting. But we will talk a little bit about picking to control. And that's something you would do if the core is in the door. So if the core is in the door, you can pick to control with a Peterson I-Core tensioning tool. So this is a Type A tool. This is for tensioning an SFIC. And what it's doing is it's putting pressure on the bottom of the core inside of those holes that we saw, these same holes here, if you can see that. So those holes are getting tensioned by this tool. And what that does is it forces pressure on where the control pins would be. And because there's now pressure there, when you pick the lock, you have a higher likelihood of picking to control. And if you pick to control, you could potentially get this core out of the door, which would be great, because now we can open that door, but we can also replace the core with a core of our choosing or begin to decode the system. And we'll talk about that just after this.

There is another option. You could do what is referred to as bitch picking. It's not my name for it, but that's basically jamming a pick inside of a Best SFIC over and over again, fairly aggressively. These locks are actually fairly prone to that. Something to do with the way that master wafers work. A lot of times you'll get lucky enough to pick to control. And if you're able to do that, you kind of have the keys to the kingdom. You can decode every part of the system once a core is in your hand.

So then I also have a photo of the Lishi Best SFIC 2-in-1. This is a decoder for Best SFIC locks with which you can decode the operating key as you pick. So you put tension on the core and you're able to decode it using the chart on the right-hand side. They're a little spendy, so I don't carry one, but I do have a couple for non-Best SFICs.

Cool. So, core in hand. So let's say we're able to get one of these cores in hand.
What we might want to do is pull the pins out so we can actually understand how the system works and decode that system. So we might 3D print one of these. This is an SFIC pin extraction tool, or repinning tool. Red Cat Imaging put this out on Thingiverse. I strongly recommend you go pull it down from there. A standard, all-metal version of this goes for well over $100 everywhere that I've ever seen them, and a 3D-printed version is pennies. And they work beautifully. So from what I've been told, they're not an easy print, but if you were to pull one in and run it inside of a Prusa, apparently they've been fairly successful. I had a friend print this off for me and it works great. Essentially you're going to take your SFIC and pop it inside. You can hammer on it in a number of different ways. Some people like to use something like a flag pin that you could stick in the top of one of these holes and knock the pins out of the bottom. What you're going to do is you're going to pop the caps on the back here, and hopefully all of that gets collected. Hopefully just the top caps. And then you can slowly remove the rest of your pins. And really what you're interested in is the top pin.

So we're going to talk a little bit about decoding pins. So we've extracted pins. We've hammered them out. And you can see I've got them sitting inside of a little Sparrows tray that I've got, with the top pins up top. And we can begin to kind of measure those. So there's my calipers on the right-hand side. We were able to measure them. And for whatever reason this is in millimeters, but it needs to be converted to inches for the chart that's provided by, I believe this was from Best. And it comes out to, for this specific pin that I was measuring, 0.07. So that 0.07 pin lines up with a 6B pin. So we know that that top pin is a 6B pin. So that helps us understand, OK, so here's our top pins. Here's what each of these items are if we want to recreate this core.
But where this gets really helpful and really interesting is when we start to decode a system using this. So this is a decoding chart. So we can fill this out with your top pins, your build-up pins, master pins, if there are any; of course, there typically will be in a lock like this. And then you will subtract from 13 the measure of your top pin. And that will give you the control key bitting. So as we discussed, a control key bitting is something you can use to create a control key. And if you create a control key, that can open every lock in the system. If you can open every lock in the system, you can go into any door in the organization that you're targeting. So if you can potentially gain access to a lock like this, or perhaps it's the core of a bathroom or something that's non-sensitive, and you're able to decode the control key, you can now leave, come back with that control key, and start removing cores to very sensitive doors that you'd like to gain access to.

And that's it for this talk on Keystone to the Kingdom, a talk about targeting Best SFIC locks. I would ask for a Q&A here now, but because this is COVID, we're all remote. We can't do that, but I would encourage you to reach out to me on Twitter, send me a DM on Discord, and don't be a stranger. Feel free to reach out, give me your thoughts, ask questions. If something wasn't clear, let me know. And I welcome it, so thank you.