Okay, this is Attack the Key, Own the Lock. This is Datagram. I'm Skyler, about us. This is the only animation in the whole thing, just because it's kind of funny. So, I'm Skyler. I was one of the founding board members of the Open Organization of Lockpickers US. I stepped down. I still pick under the TOOOL banner, but I'm not really involved with TOOOL all that much anymore. I launched and let die Non-Destructive Entry magazine, but the band's back together. Hopefully we'll launch again. But most importantly, I was on Wheel of Fortune. And we got to talk about Locksport. I'll put a link to the clip some other time. Okay.

Hi, I'm DG. I'm a part-time forensic locksmith, full-time douchebag. I haven't been on any game shows and I run a few lock websites that apparently the front row says suck, but you'll catch them at the end. Yeah, we'll get those in the resources. Okay, go for it.

Does everybody know how locks work? You know, you came to a lock talk. We're hoping that you know how locks work. Show of hands, how many people don't know how locks work? It's okay if you don't. We'll do a brief overview. Okay. All right, we'll do a really brief overview. Okay, here we go.

Okay, the red pin is the key pin. The blue pin is the driver pin. There are typically five or six sets of these pins in a line in a lock. We call them key pin and driver instead of top and bottom because they're mounted upside down in other countries. So no confusion. You can see that the driver pin right now is blocking what we call the shear line. That's the line between the bible of the lock, the round part, and the... Oh, I'm a liar. The plug of the lock is the round part and the bible of the lock is the part that contains the driver and the spring. So the key pins are of different lengths. They correspond to different cuts of the key. When the key is in the lock, the top of the key pins will be raised to the shear line.
The bottom of the driver pins will be sitting at the shear line and the whole system can turn freely. Thank you very much to Deviant for these wonderful animations. Yeah, big thanks to Deviant for these great animations. Always, always. That's how a lock works. I know we sped through that, but we have a lot of cooler stuff to talk about.

Okay, so in a lock, we have two kinds of security. You have the lock itself, but you also have keys. You can think of it similar to cryptography and a lot of digital stuff where you could always do this really crazy stuff to break the system itself, like the crypto system itself, but you could also steal keys, modify keys, do other interesting attacks. And so a lot of the talks at DEF CON and a lot of other conferences are about ways to pick locks and open locks, but we never really get into this issue of key control and what can we do with modified keys. Now, obviously, nothing in this talk, we're going to talk about using the working key, because that's kind of obvious that the working key opens the lock. The best lock pick is the functional key for the lock.

So if we can do attacks with keys, then how do we prevent people from doing this or try and limit it? So higher security locks will have the blank distribution or availability will be limited, and getting the actual blanks or the locks themselves or the keyway profile, the cuts on the side, that may be limited as well. Key control is also very important to prevent just casual duplication, which is just going into a hardware store and getting a key duplicated. If you've ever had a better than shitty lock, you've probably had a problem like finding somebody to copy it. And simulation is when we don't need, per se, the key blank, because all keys are a piece of steel arranged in a pattern. So simulating that is easy on a lot of locks, even some of the higher end locks. And so simulating a key is important in security.
If we could build a key that's very hard to simulate, either because of the shape of it, the type of cuts, or some have moving elements. Interactive elements as well. We'll get into it a bit later. If you can't simulate that, that's better for security in a very small way, but it all adds up at the end of the day. I mean, everything we're going to show you today is based on key-based attacks. So yeah, it can be really important to keep us from getting access to one. Okay.

All right, so we're going to talk, obviously, about attacking the key here. The bitting depths and the code. The bitting depths are the lengths of those key pins that we just saw and how a lock works. And every lock has a bitting no matter how ridiculous or elaborate it is. It's just based on different mechanisms. So pins, tumblers, et cetera, et cetera. The keyway is a big part of this as well. Very restrictive keyways can be extraordinarily hard for you to manipulate with picks getting in there. But if you can actually reproduce the key or even the key blank, the restrictions of the keyway don't matter anymore. We're also going to talk about a... Well, you'll see that in a little bit anyway, the best situation. The model of the lock, of course, very important. I'm actually not entirely sure what more there was to say about the model of the lock.

Okay, we have this key here, right? So if we just have a key, if we've never seen the lock, the key tells us a lot about the lock. So the bitting depths are the pattern of cuts on the key, right? So this, you can see, why don't you all pull your keys out? That'll be hilarious for later. Yeah, yeah, yeah. Yeah, if you have keys with you, feel free to pull them out. We're going to do a demo in a second. Okay, so if you can see the pattern of cuts and you could remember that, you could simulate or duplicate the key. Now, just the key bow itself tells you what model lock is. Because this key bow is, well, it was patented for a long time.
So this is a Schlage key bow. So every time I see this, I know that this goes in a Schlage lock. And even reproduced ones, you know, generic ones tend to use the same bows for their own sudden identification. Yeah, the two most common are Schlage and Kwikset in the U.S. I'm sure everyone has one or both of those on their key ring right now. So on top of that, the key might be stamped with the manufacturer and the model. In this case, this is a Primus. So it's not a normal Schlage lock. On top of that, we get the keyway. Sometimes there's a keyway number. A lot of information comes from just this one key, even though we may not know what lock it goes to in a certain facility or at all. Sweet. All right, yep.

Okay, so physical access to keys. This talk is broken down into the different levels of access you have to the key. Visual access, physical access, getting a key blank and incorrect key, et cetera, et cetera. Physical access, of course, is the holy grail. You can do a lot with it. The amount of time that you have access to that key will very much determine the quality of the attack. But even if you only have physical access to a key for a couple of seconds, you can already do this wonderful attack that we're going to demonstrate for all of you. Anybody who has keys out right now, if you want to be super brave, pass it to your neighbor. If you don't, that's okay. Take your key out. The soft skin of the inside of your wrist. The supple skin. The supple skin. I moisturize so this goes better. And really just press the key in there. And you really only need a few seconds on it, two or three seconds. And you get a beautiful, beautiful impression of all of the cuts in the key. And that'll stay on there for plenty of time. Certainly more than enough time for you to, you know, oh, that's nice. Yeah, it looks like Mikey. Oh, very cool. I got to go to the bathroom and cell phone photo. You know, so immediately.
One thing you should consider is that you're saying, well, physical access to keys. All of you, especially if you work in IT, you've been on site somewhere, you've been a job. You may not have the key all the time, but people are just like, you're like, hey, I need to get into that room. And they're like, well, here's the key. Just give it back to me real quick. So the security lies in them getting it back. But they have no idea what you might have done with it while you had it. And again, this is very common. Even in higher security situations. You even get the sidebar pins. I'm sorry. I've never done a Primus before. I get the high security part, too. This is beautiful. Sorry. This is awesome. You keep going. Yeah. Just consider that now I forgot. Yeah. Even temporary access. You'll get temporary access to people's keys all the time if you really pay attention to it. Yeah. And it's convenient. Yeah. Again, security versus convenience. Everybody chooses convenience, especially with locks and keys. Absolutely. Sweet.

Okay. So direct measurement. If you have access to the key for a little bit longer, with these key gauges that we have pictured here. This one has, looks like, I'm trying to figure out what one is. Well, it's got three different locking systems on there. Three different key types on there with their exact cut depths. And with one of these, you can very quickly just shink it right through each one of the cuts and very quickly figure out what the actual numbered bitting is. Because each of those key pins actually have a number associated with them. You know that code. You can walk into a hardware store and say, hey, I need to da-da-da-da cut. I need to do a key that will work forever for you. You just need that numbered code. Yeah. With further access, you know, you can go with the micrometer, really get down to exacting depths. And with higher security locks, you know, the key gauge isn't going to do it for you every time.
You're going to need to get micrometer, calipers, et cetera. And we're going to talk in just a second here about even longer access to the key. Yeah. And the other thing is that almost all keying systems are freely available. It's not secret knowledge. And it can be, because you know, you can just buy enough locks until you figure out every bitting depth for it if you really, really wanted to get that deep into it. But all of this stuff is available online. All of these depths, like I can tell you, I'm pretty sure the top is Schlage and the second one is Kwikset and so on and so forth, or the bottom one's Kwikset. But I'm sorry. Boom. Thank you. It's the best system. It's the best series. We're retarded. He's retarded. And shit-faced. Excellent.

So longer access to the key. So if you want to take a very good impression, you know, with your wrist, you're basically restricted to either sight reading by just looking at it or quickly measuring it. If you have longer access, you can create an impression with which you can cast a working key. Now it doesn't work for some higher security locks that have advanced features, but as you'll see next, it works for some very, very, very good locks. So this is just a simple two-part putty and you just rub it together. You put the key in and then you let it dry and you take the key off. And then with this, obviously this isn't very good and it's only one-sided, but you can do full 3D stuff and it's very easy. How long does that take? To harden only about three or four minutes. Not very long. With something like this, especially not very long, something that's more complicated, you might want to leave longer just to make sure you get it. But it is very quick and this is, once this dries, it's actually pretty rubbery. You just pull the key out and the impression will be fine. So it even works on very secure locks. This is an EVVA 3KS lock and you can see there's all these little squiggles.
And in the key, these are laser track, little laser tracks. And so we can cast a key off this, even though this is a very, very nice lock. And you see, we even get additional stuff like I'm pointing on the screen like you guys can see it. On the left, we have that big bump. That's when you turn the key, little pieces come in to hold the key in place while it's turned. And then on the top and the bottom, you can't quite see it because it's a full 3D, but there's a profile on the top and bottom, which we'll talk about key profiles later. The next one is your?

Yeah, and this is one of the best, well, reputed as one of the best locks in the world. This is an Abloy Protec and even has a restricted keyway. I would still say it's one of the best. It's probably one of the best mechanical locks in the world. But you can easily 3D impression a key. And the bottom is a casted key. So we took a 3D impression and then we casted it with just, it's just like very hard plastic or like glass reinforced epoxy or something like that. And you can see this lock has angled bitting cuts and all these little careful tracks down it and some dimples on the right. And we replicated all that and the key works. So it works perfectly. So once again, just to drive the point home, you know, this is a product that's been on the market for more than a decade. There are only some fairly sketchy rumors and a little bit of video in the last like year, year and a half of potential attacks on this lock. It's a very high security lock. But if you lose access to your key for even the five minutes it takes to get the putty to dry, it doesn't matter. It doesn't matter at all because we now have the key to your lock.

So visual access to the key. You know, this is obviously a big step down from physical access. But a lot of people and you can too, it doesn't take. How many of you are wearing your key, your keys outside your pocket like on a little key ring connected to your belt loop? Yeah, it's okay.
Everybody's going to look at you and try to read your key but it's okay. Raise your hand. I actually, on the subway, so I found out that my cell phone which always makes the picture noise when you're taking pictures, if you put the headphone jack in it only makes the sound in your ears. Yeah, yeah. So I was on the subway taking... That's an ode right there. I was taking pictures of people's keys on the subway. Not to do anything terrible with just... Research people. Yeah, research. Just to confirm and I mean people would sit down and their keys would just sort of splay out on the, you know, on the carabiner there on or whatever. And really a quick cell phone photo and I was given enough time to get a good sight read and get an easy estimation.

So we talk about sight reading and estimation. The big thing there is that, you know, in general, a lot of us can look at a key and very quickly say, okay, that's, you know, three, three, four, five, seven, five. You know, we can see by the variations in the key itself what that code is that we need to get it cut by. On top of that, a lot of the lower security ones, you can look on your own keys right now. Again, play along. They have the code printed directly on them. Oh, yeah. And that's tragic. So the reason that we say estimation, though, is that maybe you're like, oh, yeah, you know, I saw that for a second. It's blah, blah, blah, blah. Most of us, I would say, that really try to practice at it. Within three, maybe five keys, we can cut three or five keys and one of those is going to work, you know. One of those is going to be the accurate one. Because you don't always need to know the exact code, but the variation between them is a very, very big step. And on top of this, there's keying specifications and sometimes in a keying system, you can't have a zero depth next to a six depth. There's a maximum limit in a lot of locks. So you can know this can't possibly be more than four up from whatever this is.
And then from there, you can just narrow it down really quickly. And you don't need a lot of experience to do it. Is that mine or yours? That's yours. Oh, boy. You don't need a lot of experience to do it. And again, you can estimate and you can also get photography.

And in the last two or three years, a lot of research has gone into long range photography on keys. The University of California at San Diego, there's a team there who... Yeah, the important thing is to note that it is just Kwikset and Schlage, I think, that they managed to finish with their project, but they were just doing this as a scholarly work. You could easily extend this. Yeah. So basically, obviously, we all know what's going on. That little tiny table in the photo is exploded with the long range camera. And from there, they could read the bitting on that. And they're not just reading it by looking at it. They're developing computer software to just tell you what the bitting is. And they're trying to work it out so even if it's bent in all these different angles, they could still... Because you have the bow and the blade of the key as a reference point for how big whatever in the photo is. So using fancy math, which we cannot fathom to even get into, they can figure it out. And they're working on moving on to like the angled key that we had. If that's tilted at the wrong angle, maybe you can't see it. They're working on figuring all that out for more advanced keys. And maybe not that one specifically, but better keys. Yeah. And just in this picture here, the parts that are circled in red, those are the shoulders of the key. And there are several known points in the systems they were working with. The shoulders is just one of them. So you have a key that's slightly angled, slightly tilted, but they can use those points to normalize the rest of the key and get that straight bitting again straight from code.

This is kind of a cool story. So we have both of them, right?
No, I think we only have this one. Well, we may have two cool stories, but this is one. Diebold made these voting machines. Someday you two will be voting machines. And they were so proud of these voting machines that they showed they were like, these are so secure. We do have both of them. I'm sorry, we do have both. I know we have both. Sorry, sir. So you get two good stories. So Diebold was like, we are so proud of this. And they had, you know, just some guy like, yeah, like holding up the picture of the key on their website. And so some cunning genius decided, well, I'll just make a copy. And so can you tell which one's a real one and which one's a copy? And of course it's the same key for every lock. Yeah. And it's the same key for every voting machine, which is the... I fucked up. No, no, no, that's fucking... Actually, yeah, go for it.

The next cool story is the New York MTA. Idiots. So their subway system uses a... They have a restricted keyway Yale cylinder, right? So it's a normal basic cylinder, but they have their own keyway. So, oh, you can't get our keys. Well, people are selling master keys to the system. So not only are they selling keys, they're selling master keys, which we'll get into in a second. Yeah. And so this reporter, we haven't confirmed, but this reporter bought one of the master keys or obtained it somehow, and this is his article showing this is the key to open everything on the New York MTA. So nobody needs to buy one anymore. And there's better pictures of the key. This has really shrunk down to fit in here. But... I love the look on his face, too. Yeah, he's like... Just go. Just go. And the key only costs like $20 street value or something ridiculous, but it opens every type of that lock in the MTA system. And this became enough of a story that I'm hoping that somebody there managed to go through and re-key and upgrade, et cetera, et cetera. Yeah, okay.

So the next section is key blank.
So, okay, you can't get access to the key that you want to attack at all, ever. But most of the time, you can get access to a blank for that system. And do we talk about Easy Entrie at all? Okay, real quick. Even if you can't get the blank to that system, if you can get access to an incorrect key break briefly, there's a machine called an Easy Entrie machine that will, with a small filament, actually feel through your key and then mill you a blank for it so that you can then carry out any of the key blank attacks. On top of that, it's actually illegal to manufacture patented key blanks, which there are a lot of. The Easy Entrie is awesome. It goes, okay, that's a patented blank. Well, we'll take out this section here or slightly, it'll move around the pieces so that it still fits in the lock, but it's not the same keyway. It's really, really awesome tool. It's really cool, it's really cool. It's got kind of a weird spelling, but you can track it down. Okay. And the best part, all the keys have smiley faces on them. Yeah, they're awesome. They're really cool. Smiley face bows.

Why don't we just go through the list as we go through? Yeah, I think that's the better way to do it. How many of you saw the talk in here the last hour? Was it good? Yeah, okay, that's most of you. Good, good. Okay, well, what they figured out is that handcuff keys are all similar. They're similar, but they're not universal. So you can't just have one handcuff key open everything. Well, they measured the TOOOL team, Deviant and friends. They went through and they measured all the different kinds of handcuff keys to try and do basically what the Easy Entrie does. Find one that fits in all of them, but is different. So they made this, this is a Smith & Wesson cuff key, and they added this little groove in the center, and that works on a surprising number of locks. Like, what is it, I didn't see the last talk because I was in the prep room. Was it dozens of locks I think they're up to? Yeah, awesome.
The count right now, the current victim tally is about 14. Cool. And again, more smileys.

Okay, so overlifting. Overlifting is an awesome attack. I really, really, really like it. This was a gift to me from Barry Wels, the head of TOOOL in the Netherlands. And it was actually his lovely wife, Charlotte, that showed me the attack for the first time. So I'm gonna just sort of talk you through the slides here. Wafer tumblers are different than normal pin tumblers. Over on your left there are the different lengths of the wafer tumblers. So they have the same outside dimension, but inside they're cut to different lengths. Those different lengths, your key actually moves through that wafer. And those different lengths are pulled up or out of. My phone is ringing over on the other side of the table. They're pushed up or down to a line in the center. Yeah, the big circle with the like Green Lantern looking logo. That is the inner chamber of the lock. So those tabs can push up into the upper chamber or down into the bottom chamber. And your key as it enters it brings them both. And you'll see right here. Oh, and that's a key and a key blank.

So in the first of these images, the wafers are at rest. Second of the images, the correct key is in. We're going top bar. The correct key is in the lock and the wafers are pulled out of their chambers and can now, when you apply that turning pressure, rotate inside the lock and your lock can open in the third picture there. Okay, all the way down in the lower left we have the blank inside the lock. And what's happened now is that the blank is pushing these wafers into the opposite chambers. It's pushing them away from their at rest chambers into the opposite side. When you apply your turning pressure, they bind. Okay, the little red X's, which I think are probably super tiny and I'm sorry about that. The little red X's are where they're hitting the sides of the incorrect chamber.
As you remove the blank, because you've applied that pressure, they don't snap back into their chambers. They hit the side of the chamber. Yes, yeah, yeah. That guy, you got it. So yeah, instead of being able to actually go back into their chamber, when they snap back, they hit the side of it and stay in their unlocked position. You can then turn it with anything to open the lock.

And I'm going to try to demo this on stage, which is always a terrible idea. Don't fuck up. All right, normal key in the lock. Got it. Such a good sound. Okay, awesome. These are bike locks, I believe. Yeah, these are Dutch bicycle locks. They go around like in the tire like you would on a motorcycle. Okay, this is the key blank. Does not operate the lock. Oh, you can do it, buddy. Oh no, I did it on video twice this morning in my room. But my stupid Linux laptop can't play the video. Oh man, can you do it? Yeah. Okay. It's actually, this is super embarrassing. This is totally demonstration effect because it's actually a really easy attack. And my drunken roommates were doing it for a while and really messed up the lock pretty badly. Okay, so I am going to let DG talk really quickly about this delightful pink key while I keep doing this and I'll yell when it opens. Okay.

There's kind of an old thing and kind of a new thing about this. They're called rake or gypsy keys. And so basically, again... I don't have your other picture, sorry. Oh, that's okay. Basically, what it is is we take this key and we file down everything except for the tip. In the rake key, we file like a kind of a wave pattern. So it's not the working key, obviously, but we just modify the bitting pattern. Oh, isn't it, no? Oh, he's toying with us. I was just toying with us. Okay, so what we do is we're going to use this kind of like a pick. We're going to put it in. We're going to do what he's doing where you're applying tension and we're just going to run through the lock and have it...
It's kind of like overlifting except we're not starting. Oh! I'm sorry that took so long. I really shouldn't have. Thank you. I think we still got it. What, a minute? I think that's pretty good time for answering. Yeah, that's all right. Okay, why don't you explain? Yeah, no worries.

So another important part of both of these... Basically, you're making a pick out of a key, right? So you're both applying tension and running it through the lock at the same time. The gypsy keys usually just had a large bump at the end of them. I know that light pink on white might not be the best visual here. Okay. And the rake keys and Marshall keys as well. Marshall keys are for autos. Both rake keys and Marshall keys have different patterns of cuts throughout them. That while applying tension and running lightly through the lock will hopefully set your pins. Really, the whole concept is you make a pick out of a key. And the huge benefit to both that attack and overlifting is if anybody catches you with this, it's just a key. These are incredibly surreptitious tools that really can do a lot of damage. Important note, this doesn't just work on Dutch bicycle locks. All of your cars are wafer locks. I've seen a VW overlifted in 47 seconds. Brand new, about like two years ago. Awesome.

Impressioning. Okay. Okay, so I made these lovely little images here. Probably hitting you with a lot of information. So what you need, basically impressioning, you are taking a key blank and you are turning it into a functional key by getting information back from the lock. You're giving it the information of the blank. It's giving you the information of where you should be cutting the key. So you need a file for this. You need some sort of magnifying lens. These are symbols. These are not the sort of files or magnifying lenses you want. You need an impressioning handle or a pair of vice grips. Basically, you need something to hold the key with very firmly. And you need key blanks.
You probably want a few key blanks, especially if you're just starting out. The amount of pressure, the amount of force that you're putting into the key blank will often actually damage and break the key. So you might need to move through a few to get this done.

Okay, so with the key blank inserted in the lower left there, you can see that now the key pins, the red pins, are blocking the shear line instead of the driver pins. And this is a good point, a good note for any of you who are doing lock picking. It's not just shoving the pins up as far as you can, because those key pins will block it just as easily as the driver pins. A lot of people shove them up way too high, but that's not what we're talking about. Okay, so all of the red pins are binding right now. You turn the blank in the lock and then lift up and down. I typically just go turn one, two, three, turn other direction one, two, three. And as you'll see on the next slide, the marks that you get, it's going to give you information so that you are slowly removing material from the key blank. When the pins are binding, like in the first of the two pins there in the lower right, you're still getting marks on the key. The way it works is that when those pins are bound, they can't move. So by moving the key up and down, you're making marks on the soft brass of the key. Those pins are pushing into it, making small but discernible marks. And then that's how you know which pins to file. And once a pin is in the right position, it stops making marks, or it makes very, very light marks. It looks different. Yeah, once it can actually turn with you as you're turning it, it stops making those big marks. And you can't see it anymore. And that's when you know you have the right height. So it's really just telling you how to do it. So the marks are very light. You really do need magnification to see them. People have all sorts of different ways to do it using different colored lights.
Charring the blanks so that there's a little bit of like soot on it. Sharpie marking, all sorts of things. Ultraviolet works really well. Absolutely. You just get like a $5 light and ink set, and you just coat the blank. And then when you put it in and you do your impressioning technique, you take it out. All the spots that don't have UV on it are the spots you're supposed to file. And it's very, very easy to do. And then once you've filed it, you have a fully functional key. It'll look a little weird. It'll have those little scoopy bits. Technical terminology. But it will work forever. And this impressioning, I think, is one of the coolest attacks in lock picking. And it's one of the most useful for locksmiths because they can go in not knowing at all what the key should look like and come out with a key that they can decode again to make a real key so that the cuts look right or they can make it on a more durable blank and so on and so forth. So it's very, very useful for them.

And this, and DG is going to talk about this. This is my new favorite attack in lock sport. Okay. So we have the man that invented this here in the room. Big hand for Josh. Really? My new favorite attack. Yeah. Okay. So what Josh did is the... Do we have a picture of the lock? No. You didn't put the lock in? Okay. I'll explain it. How many of you saw Marc Tobias' talk on the SmartKey and other stuff? This is the SmartKey. Okay? So in the SmartKey, there's wafers. And each wafer hooks into another wafer and those all get raised to the right height by the pins. Now, if you can look inside the lock, you could see that the wafers inside are sitting at different heights where they connect into each other. And from that, you can decode the key bitting and make a key, you know, whether by hand or with machine. Again, you're getting the code with which to make the key. If only you could somehow see inside the lock. If I... So what Josh did is he took a key blank and put it out.
And at the end, he put this angled piece and it shined to a mirror finish. So just inserting this in. Insert this into the lock and then use a light to see. And if you're doing it by hand, you use a small magnifying glass to help you. But we took pictures of it. So you can do it with photography too. You can actually go in and decode all of this. So if you look, you see, we're looking at this and you see on the right hand side, there's that little cutout. So you remember how the traditional wafer lock work? It's very similar. There's this cutout here. And we could see, you know, how deep down this is. And Josh could probably better explain this, but we don't have time to have a SmartKey talk again.

But so here's an example. Josh, do you know what bitting that is? It's a four. Boom. Josh, what bitting is that? That's a five. So you see, you could get good at this so that you could just look at this and go boom, boom, boom. You definitely have to see it a little bit first. It'll take a little bit to get your sight reading down. But once you have it. There's only, what, six steps in it? So it's really easy to just remember what all of them look like. I mean, you could take Josh's photos and just lay them out, you know, one through six and then just find which one works. And so here's another one. What depth is that? That's a one. Another big hand for Josh. Yeah, we think stuff like this is really cool.

Something you might like to know. This is probably, it also works on the Schlage SecureKey. These two locks are taking over the residential lock market. Within a decade, you will all probably have something like this on your door. So if you watch Tobias' talk, you know how easy it is to just break it open with a screwdriver and a partial key blank. Important note that no longer works on the signature series. That's true. On the Kwikset, it doesn't work on the signature series and the torque attack doesn't work on the Schlage.
But maybe somebody will come up with something soon to replicate it because they're very similar locks. And also, a really important note, there are some awesome attacks on these locks. They're super vulnerable to all sorts of things. They are still better than those companies' previous locks. They are moving forward. So keep that in mind even as we destroy them. Okay, so we talked about what if you don't have the right keyway? Well, just in a sense, let's say you have an organization and you need various levels of security. So obviously you could have straight master keying. But then that might not be as secure as you want. You could go farther and have this sectional keyway thing. So A is one keyway. We could put any key in that lock. B, we could put only keys that have a ward on that little bottom right portion and so on and so forth. But then if you take a D key, again, you could fit into everything above this. Whoa. And so it's just this idea that if I know or I can figure out all the sectional keyways in the system, I can make myself a D key. And then I can have it work for all of those. And I can make D key blanks to impression all of those. And I can make D key blanks to bump all of those and do all these other things we've been talking about. So in Europe, it's kind of crazy how many keys they have because they have all these competing countries and companies. It's a lot different than the U.S. where we can count all of the major lock manufacturers on one hand, on half of my hand. I'll let you guess which half. But what they've done is that locksmiths there have needed, required to get so sophisticated because when you want to duplicate keys for people, you can't have 200 key blanks for this and hope that you have the right one. So what they did is they'll go through these systems, figure out what key blank fits the most number, and then they'll get a lot of that. And then whatever else they can't get, they'll make 10 or 20 of those. 
And then you have 200 of D. And then if somebody really wants these other stuff, then maybe you can make a form. And again, we could do this with the easy entry. We could just mill the key. You could do it if you have a mill at home or a CNC kind of thing. A mill at home. I have a mill at home. I mean some people do, yeah. It's a good crowd for them. Yeah, a lot of you people would have a mill at home. And that's just... So here's just an example. So that would be the D in the B keyway. So maybe you don't have the key blank. Maybe getting a key blank is very hard. You know, maybe it's one of these restricted locks where it's really hard to get just a direct key blank. Well, what if we could just get the wrong key and we could somehow modify that? Well, getting the wrong key is really easy because we could just buy the same lock and then we'd have a... You know, it'd be a similar key, but the cut pattern would be wrong. So from that, what can we do? Well, we'll just go through it again. All you. Really? No, that's all you. Oh, okay. Okay, so the basic way to master key a lock, a pin lock. I know how it works. Better talk about it. Sure it does, sure it does. So the way it works is that in the traditional system we have a top pin and a bottom pin, and there's only one point where those can split and the inner piece can rotate, right? What if we put a very small pin between them? Now we can raise it to both of those positions. You know, we can have the green pin up to the shear line and we can have the green pin above the shear line, you know, and then we can open the lock that way. And so by adding these pins and different pin stacks, we can make master keys. And then the different master keys have different cuts to raise these differently to determine your level of access. So here's just some examples of how it works. Here's just the normal lock. Here's maybe, you know, one type of key. Here's a different type of key. 
And again, we can have, you know, the first green pin be above and all the rest be below and that key would work. So the more master pins you add, the more key codes in the system work. So you reduce your number of, you know, keys that don't work. And so it could be problematic if you have a very complex system where you get to the point where just almost any key will work. And so, and this works perfectly. The Kwikset SmartKey has 243 possible key codes because the bitting is just really bad. It's not master keyed, but there's only 243 keys. And if you use a subset of that, a 32 set, you could probably open the vast majority of them. You might have to force it a little bit, but again, we found out they're quite easy to force. And again, so just different stuff. And so that would be that. Why don't you talk about decoding? Oh, that's the part I needed you to talk about. Really? Yeah, no, I could have talked about everything you just talked about. Yeah, well, apparently, chemical. All right, yeah, I know. So what if you're in a system that's master keyed and you don't have the master key? How can you get the master key? Now, again, this is all for fun and research and profit. Don't pick a lock you don't own or have permission to pick or open with keys and so on and so forth. So what if you wanted to figure this out? You had to as part of your job. Well, we could take a blank. We could cut it similar, but we'll leave one cut really high and we'll see if that works. And then we'll file that cut down one cut depth. And again, we could use the key gauge or direct measurement to make sure we're cutting down one depth at a time. And we'll just cut that down one by one until we get another key that works. And then we figured out, okay, that back pin stack has the master key at this position. So these two keys for that back pin will work. And then you can go through this, you know, doing all of these depths and figure out the full master key system. That's really simple. 
I should have known that. Geez. And if you have access to enough keys in the system, if you haven't access to enough keys in the system, you can look at the patterns of cuts because, you know, there's different systems for master keying so that you increase security and reduce the chance of a user key being able to be modified into a master key. So they'll have this thing where, okay, a four cut can only be in this spot and it can't be on a user key. It could just never be. So if you have access to enough keys, you could just look at, you know, you can sort through them and find the patterns and try and decode master keys, or even not the master key, but like higher level keys. Looking at people's keys at parties is one of my favorite things to do in the world. And just kind of giving them a quick overview of the security in their lives. The big one is occasionally if people, you know, I can figure out that people know each other because I will see two keys that are obviously in the same master system. They're like, oh, you know Kenny or they're like, oh, it's magic tricks. It's awesome. It's my favorite thing. Okay. How many of you know how key bumping works? Okay. I'm going to teach you that a lot of you actually don't at the end of this, though. Because it doesn't actually work how we all say it works, but go ahead. Go ahead. Apparently. So everybody says that it's this Newton's cradle effect, right? And we have a bunch of slides to that point. Those are good slides. They're great slides, and we're going to show them anyway. And then at the end, I'm going to tell you why they're wrong. So you take a key. It can even be a usable key. I may have one on my key ring that I can pass around. Fabulous. And you cut it down to its, and we should have a picture of, oh, okay, so this is just showing the Newton's cradle thing again. Basically, it's a transference of energy. 
When you have this special key, it sits down in the bottom of the keyway just touching each of the bottom of the key pins. You strike the bow of the key, the part you hold in your hands with, like, the back of a screwdriver or something, and there are bump hammers. We'll have a picture of those in a minute. The energy transfers into the bow of the key, into the blade of the key, into the key pins, which then transfers into the driver pins, which then dissipate their energy on the springs above the lock. And I should have put these in a slightly different order. This is what the bump key is going to look like made from a user key. I'm passing around two bump keys that will probably work on the majority of your doors. One's a Kwikset, one's a Schlage, and there's a very, very good chance you all have that on your doors. Unless you've got the new SmartKey. The SmartKey, and then I'll just bring a screwdriver. Okay, so, yes, so that's the theory, is that there's this big separation, and I think we have, yeah, that's going to take a while on my poor little computer. It's a huge, huge gif. It's loading. We have technology. Why did I have to load that one so long? That's embarrassing. Boom, this is the theory, and then those driver pins in theory dissipate their energy on the springs and come back, and in that moment that they're separated, there's a big gap where the shear line is supposed to be, and you can just turn the bump key in the lock. So, again, we talked about all about key blanks and how to get this. Now, obviously, theoretically you need every key in the world to have 100% efficiency, but in the U.S. we only really sell two locks. Now, all of these locks can be opened with those two keys. Maybe one more, maybe a master, because there's no master in there. But we don't sell a lot of locks and a lot of keyways, especially for residential loot. Diversity in America is pretty weak. Yeah. Diversity, always better. 
But really importantly, it doesn't work this way. This isn't how it works, and all of you can, when you hear some other idiot yapping about this and telling you how it works, you can say, haha, idiot, no, this isn't how it works. The amount of energy you're putting into the bow of that key is far more than the small brass parts can handle. In fact, the people at Master Lock and D-Team actually took some great high-speed photography of this phenomenon, because the first generation of bump-proof pins and things like that all failed miserably because they were all working off of the theory, and none of them had done the due diligence to actually watch how the attack happened. Holy crass. Sorry. Oh, sorry. Huge bug, huge creepy bug. Yeah! Nice work. Okay, anyway. So in reality, what's happening is that they're ricocheting. Each pin, each keypin, driver pin combo will ricochet against each other two to three times per strike. So what you're really doing is just creating chaos inside that lock and then finding a path through it. It still works. It still works great. But until you know how something actually works, you're not going to be able to build a solution to it. End of my rant. Okay. So again, okay, thank you. 100% efficiency. Even if you have a crazy, you know, rare keyway you never underestimate your attackers. And again, a tool is used to bump them. No big deal. Just a piece of rubber on another piece of rubber. Yeah, cool. Yeah, let's roll through this one. Okay, so these two are going to roll together. This is the Schlage Everest. This has a small pin on the bottom side of the plug that actually fits into a small hole in the housing. It's called a keypin, or a checkpin, sidepin. Sidepin, checkpin. Those two are right. The other one, wrong. 
And so this is fantastic because now you can't actually, you know, you put your tension wrench in, you apply your tension, you go through and you pick and either nothing happens because you can't actually apply appropriate tension with that one blocking you, or maybe you set some things but nothing turns anyway, because once again, that's still blocking you. This is with the key inserted. It pulls that checkpin back into the plug of the lock and now you can rotate fully. And the key has a little extra ledge here, and that's what raises it. That's a good point. That lower part there is so that you can't modify the key to be one of their next line of keys, which we'll talk about in a second. However, you can make a tension wrench out of the bottom of one of these keys. They're all raised to the same. The side pins are all identical and the cuts on the keys are all identical. So you could just file a key in half to be able to defeat the pin and you also have a tension wrench with which to pick it. So obviously you still have to pick the pins in the lock but this defeats half, you know, about half I'd say, because that's also part of the locking mechanism. And so I guess you just put that in there. Okay, so I feel a little bit ashamed to continue with the meme of the con but Schlage is continuing to do it wrong. So there, the regional sidebar attacks. So you have your check pins, that's super simple. All of those check pins are exactly the same. But now you have crazy high security stuff that are still working sidebars. You have the ASSA Twin Combi, great lock. Schlage Primus, the Fichet 480, on and on and on and on. All of these locks have sidebars and there's a, you can see in this key, the normal Schlage and you see those cuts on the actual blade itself facing you. Those are operating small finger pins which set a sidebar in the lock and I have some photos of that in a second. 
So the problem with Schlage though is that their primary locking mechanism is very weak and the secondary locking mechanism of the sidebar is regionally coded. What this means is that there's a national level. So if you go into your locksmith and you buy it from somebody over in California and you both happen to buy the national level, well you actually both have the exact same sidebar. It's just the primary locking mechanism that's different. The primary locking mechanism is super simple. They'll get down to regional and then most importantly and this is why the Schlage Primus should never be used for institutional security every lock in your building, every lock in your campus. If you work at a hospital, if you work at a large tech campus, if you work at a school, anything like that, if it's Schlage Primus and you have access to one valid key, you can use the sidebar once again just like a tension wrench to attack all of the other ones. So I asked some friends to take some pictures of me. This morning I was just going to talk about the talk but then I decided I would go for it. It turns out that these are the photos that I transferred. So this is me this morning with a Dremel as you can see and then here's another one that I transferred. These are my friends in the front row who actually were taking the photos but I grabbed the wrong ones and I'm really sorry but freak show was a blast. So this is the correct key inserted and you can see that the finger pins, you see how it's very even across there. I should have put one with the wrong key in. That even facing out key pin is what we're trying to produce. Here it is cut down. You have the exact same thing and you have plenty of room to work and I was terrified to try to pick this on stage because once again, I've never actually tried this attack. I just know that it's possible. So this morning I figured I would go for it at like 8 a.m. So while he was talking about the master key stuff, I did pick it on stage. 
I know that you can call bullshit on that so. I think he should do it again. But because we only have the five more minutes I do want us to be able to continue on. He's going to pick, he's going to talk. Oh, my last thing. Schlage LFIC system. So there's the Best small format interchangeable core. Schlage, large format interchangeable core. Best, it's for convenience but it makes it super secure. It's really hard to pick. It's really frustrating for us to try to pick them. Great little pin tumbler locks. Schlage comes along and says we need something for convenience as well. You can remove the core of your cylinder with your normal user key and you can add a dollop of solder on it because the master key for that lock, the control key that will pull the core out so you can slap a new one in and rekey it really quickly. It's just cut on what they call a 6.5 control blank. So you add a dollop of solder to your, thank you very much. You add a dollop of solder to your key and you can pull your core out and inspect your core. Being able to directly inspect a master key system on your lock, great knowledge. Okay, and then there's other stuff. There was the EVVA 3KS earlier that had a profile bar and what a profile bar is it's basically a solid bar in the lock and when you try and tension, turn the lock that profile bar pushes into the key and if that, the pattern of cuts whatever it is, in this case it's these dimples along the keyblade, if that's not the same, the profile bar cannot go all the way into the lock and it doesn't clear the plug to be able to rotate. So what's the problem here? Can't we just take a Dremel and just cut all of that off so that there's nothing there and there's never a problem with it? Yes. And it works on this lock. It works on the EVVA 3KS. Open! I don't pick high security. This is awesome. You can all do this. This works on a lot of different locks because these are all passive components. 
They're not active like the sidebar where we need to set them right. I'm sorry. Anyways, so what have we learned? That having locks is great, but we need to consider the security of how we store our keys, how we manufacture our keys and how we disseminate knowledge and information about our keys. Personally, I think it all should be public to force people to build better key systems. Yeah. But, you know, some companies just don't like to do that and a lot of companies just want to do it their way and we'll be happy to keep giving talks about how they're doing it wrong. Yeah. So just resources. Thank you all so much. I got some stuff up at openlocksport.com. He's got amazing pages. Lockwiki. Lockpicking forensics. He's doing work that nobody else is doing in the country right now. It's amazing. Yeah. Non-destructive entry mag, ndemag.com. And I've designed my own line of lockpicks. I'm running a Kickstarter to fund it. If you want lockpicks designed by a guy who's got a black badge right here for picking locks Kickstarter.com slash project slash Schuyler or you can just search Locksport on there because it's the only project. Thank you everybody. Thank you!