A little bit about myself. I'm Moloch on Twitter. I'm 18. I'm a student from the Bay Area and I really like locks and computers. Lately I've been getting really interested in duplicating high-security keys. This is my second time going to DEF CON and my first time speaking. And if you're working on any interesting lock projects, come say hi. I'd love to hear about them.

So you've probably seen these things before. There's a good chance you even live or work in a building that has one. And these boxes contain the keys to the building. So when the firefighters show up in an emergency, they don't have to start breaking stuff to get where they need to be. They can just open the box, get the keys, and let themselves in. A low-tech way of doing this would be to just keep copies of everyone's keys in the fire station, but having a single key for an entire area saves a lot of time in an emergency.

The most popular rapid entry system is made by Knox, and the Knox box is mostly what I'll focus on today. In a lot of places, these things are required by law on commercial buildings. So you can have the best high-security locks in the world on your doors, but you still have to put your keys in this metal box so the firefighters can get in. Sometimes these things even have alarm codes in them. They make really big ones for commercial buildings and tiny ones for people's houses. Again, same idea. You put your keys in the box and the firefighters can open the box. They also make padlocks and key switches for overriding gates and even boxes with circuit breakers inside. And all of these devices take the same keys, which are held by the local fire department. Sometimes one fire department will get their own unique Knox key, and sometimes many departments will share the same system. Sometimes even an entire state will use a single Knox key throughout. So this is basically a physical back door to an entire city or even state.
Bruce Schneier referred to it as physical key escrow, and as I'm sure you all know by now, key escrow isn't really that great for security. These are pretty powerful keys, and as you can probably imagine, it's kind of bad when they fall into the wrong hands. Here's some footage from a burglary in Seattle. This guy walks up and starts messing with something on the wall, and then he comes back with someone else and enters a code into their keypad that was supposed to be reserved for the fire department. And they open the door, go in the building, and leave with some packages that they were not supposed to leave with. Seattle then spent half a million dollars to rekey their Knox boxes.

Something similar happened in Austin. Someone used a Knox key to break into a children's hospital and steal $31,000. Austin then spent $300,000 to rekey their Knox boxes and one and a half million to make sure it never happened again. They also didn't know how many Knox boxes they had in their city, but they thought it was around 6,000.

Also, Knox's website seems to be claiming that only the fire departments have these keys. They've got some videos on their website where people say things like, "only the fire department has access to that box" or "only we have a key to open it." And I'm just not sure if that's 100% accurate. I mean, the Phoenix fire department somehow managed to lose 850 of these keys. And they didn't even notice until they counted them after hearing about the burglaries in Seattle. So, who knows where they are?

People can also get in a lot of trouble for refusing to install these things. There was an article last year about a butcher from Pennsylvania who didn't want to install a Knox box because he didn't like the idea of giving strangers access to his keys. The city threatened to put him in jail for 30 days, fine him $1,000 and condemn his building as a fire hazard. So, if people are going to be forced to use these, I think they have a right to know what's inside of them.
A couple of years ago, I got in touch with Knox to ask about the locks they were using and they pretty much told me to pound sand. They did not want to talk to me at all. So, Knox boxes almost exclusively use Medeco's 72 series cam locks. Older ones use the Biaxial and newer ones use the M3. These are really cool locks that work a little bit differently than what most people are used to. I don't really have time to go into exactly how they work, but basically the cuts on the key can have different angles as well as depths. With a normal key, the only thing that really matters is how deep the cuts are. But with Medecos, the angle of the cuts is also important. The key rotates the pins as well as lifting them up. So, if you look at a Medeco key from the top down, you can see that some of the cuts have been twisted one way and some have been twisted the other. They also don't have any driver pins. This is what the key pins look like and I think it's a very clever design. These things are physically very tough and the lock is super hard to pick. It's rated by UL to withstand many different types of attacks for 30 minutes. I only know a handful of people who can pick these things, but unfortunately, I don't think they offer enough protection against unauthorized replication of keys.

Knox is pretty serious about key control. The keys are supposed to be kept inside these electronic boxes, which I'm sure are completely unhackable. They're also connected to radio and Wi-Fi sometimes, which is great, but the firefighter has to enter a PIN in order to remove the key and it keeps track of when that happens. So these keys are pretty well protected, but even if someone has physical access to a key for just a few seconds, they can still gain a lot of useful information about it. Someone could make measurements of it by taking a clay impression or by using a key decoder or just a photograph. You don't even need a good photo.
In 2008, some students at UC San Diego showed that they were able to copy a key that was photographed from around 200 feet away, and sometimes it's not even necessary to take your own photo. After about 10 minutes of searching on YouTube, I found several videos of people showing off Knox keys. It's probably not good that these keys are being posted to the internet. A key is pretty much just a metal password. Anyone who can read it can copy it.

That being said, it's not always easy to replicate a Medeco key. You wouldn't just be able to get one copied at the hardware store because they use special restricted key blanks and only certain people are allowed to make copies, but these keys are just chunks of metal and with the right tools, any chunk of metal can be reproduced. If you already have the blank, you can make the cuts on certain key machines or even just by hand with a metal file, but getting restricted key blanks can be kind of tricky. There are plenty of ways to make key blanks though. For example, modifying another similar blank until it fits into the lock, and there have been some attacks presented at DEF CON before. In some situations, you can make a key blank out of a thin piece of metal or plastic like a credit card. This will work if the keyway is wide open but not so much on the more paracentric keyways.

If you want to make a better blank, milling is a pretty good way to go. CNC is good. There are also mills built specifically for duplicating key blanks, but they are very expensive and have some drawbacks. If you don't have access to one, a good 3D printer will work too. Cheap FDM printers are usually precise enough to duplicate something like a house key pretty easily, but with higher security locks, sometimes you need more precision to make a reliable key. SLA printers are really good for this and Shapeways has some extremely precise materials. Shapeways is a service that will 3D print things for you.
You just upload your file, choose your printer, pay a couple bucks and they mail it to you. I've tested most of their materials and I like their MJF process the best. So I've been wondering how hard it would be to print one of these keys from scratch. It turns out it's really not that difficult. The printing is pretty easy, but the real fun begins when you start trying to model the key. Obviously, I don't have access to the original key to begin with and I can't easily get a hold of one. I mean, all things considered, I think Knox is doing a pretty good job of key control. They're using patent protected keys that are slightly harder to duplicate than normal keys and the keys are kept in special boxes and obviously they won't just sell you the key, but what they will sell you is the box.

And the interesting thing is the lock in the box contains all the information necessary to reproduce the key. The lock and the key are pretty much mirror images of each other. I mean, it has to be this way because the lock has to somehow check if the key is correct. There's no encryption, no challenge response, just some pieces of metal interacting with each other, and they'll sell one to anyone who wants to put one on their building. So I bought one to check it out. It came with some cool documents which I immediately ignored and sure enough it shipped with the lock installed. These things also ship open so it's really easy to just unscrew the thing and pop the lock out. So now I have the Knox lock for my city and that means I effectively have a negative image of the Knox key for my city, and so does everyone else who has one of these boxes. If I can make a key to open my box then I would have a key to almost every commercial building in my city. I didn't really want to mess with mine so I bought some very similar locks on eBay and started trying to make a model in OpenSCAD.
It's a 3D modeling tool where you define your shape in a language similar to C, but instead of compiling into a computer program it compiles into a shape, and since it's completely parametric it's perfect for modeling things like keys. Once you have your model set up, if you want to change something it's as simple as just updating some numbers and recompiling. I'm not the first one to use it to model keys. Nirav Patel, Christian Haller and Eric Van Albert have done that before, but I wanted to try making my own tool that suited my needs a little bit better.

So one of the first challenges I ran into was modeling the keyway. Sometimes Medeco will remove a lot of metal from the face of the plug and this makes it kind of hard to get a good image of the keyway. Like if I try to scan or photograph it, the warding is really hard to see because it doesn't start until about a few millimeters back from the face. But a quick and dirty way around that is to just slice the plug in half and look at a cross section of it. You can just cut it with a hacksaw or something. It doesn't really matter if it leaves a nasty rough edge because you can just lap the face until it's perfectly even, and then if you polish it and put it down on a flatbed scanner you should get a pretty crisp image of the keyway.

The next thing to consider is that this cross section is not perfectly circular. We're taking a cross section of a cylinder, and if the face we're scanning is not absolutely parallel with the front and back of the plug, the picture we'll get will be slightly elliptical. This is pretty easy to correct for though. I made a program that just transforms the ellipse back into a perfect circle. And then once we have the image we can bring it into Inkscape, trace it, and we have our profile. And then if we extrude that profile we have a blank. Then also, if you didn't thin the profile down at all when you traced it, it probably won't quite fit into the lock.
Maybe it wasn't traced properly or the image wasn't completely accurate or the printer wasn't calibrated properly. So I recommend thinning the blank down a little bit to give it some room. You could just try to eyeball it, but I made a program that lets you print a bunch of keys all stuck together like this and it smoothly changes the parameters from one side to the other. So you can start it out thick on one side and have it get thinner towards the other and then just snap them apart to see which one works the best.

And then to model the cuts we can just take the pins out and measure them. The key pins are kind of hard to measure because they all have the same height. So I recommend making a 3D printed measurement tool. I'll open source mine when I'm done with it, and you don't have to be super precise when measuring the pins because you can just compare your measurement to the closest one published by Medeco. Also, the only difference between a Biaxial key and an M3 key is this groove that's been cut out of it so the key can interact with the M3 slider element. This element is protected under patent, but it would be trivially easy to print a key with a similar cutout. This element does give the key some legal protection against duplication, but it provides almost zero technical protection, and people have attacked this element at DEF CON before. It was shown to be very secure as long as the attacker doesn't have access to a paperclip or something similar.

So after some tweaking and trial and error I was able to make a working Medeco key. Here's the... ... is sticking out and it won't go in unless the correct key is in the lock. And here it is with the correct key. It's a little... So that really wasn't all that hard. The process would be exactly the same to produce the Knox key to my city. This means anyone who has access to one of these locks and a good 3D printer could produce one of these keys.
Also, if someone really wanted to get a hold of one of these locks they wouldn't even need to buy one. When these things are properly installed they're really tough to remove if you don't have the key. Like, good luck getting that thing off. But they're not always properly installed. Here's a Knox box on a chain link fence. So anyone with some wire cutters could take that thing. Let's see. It would also probably be pretty easy to take one of the padlocks if someone had some bolt cutters or lock picks. It would be pretty hard to pick the Knox padlock, but what about that other lock? What if someone just left one open? That lock is available to anyone who has access to a wrench or a pair of pliers. I took this photo about eight months ago and it's still like this today.

I'm also releasing the program I made for this. It's on GitHub right now. The repository is called Gatekeeper. It's a couple hundred lines of OpenSCAD code designed to help make keys for locks without requiring access to the original key to begin with. It's not necessarily for Medecos, but it can reproduce all of the elements of a Biaxial key. Unfortunately, I'm not releasing a version which can do this cutout for the M3 slider because that's still under patent and I'm not entirely sure if it would be that but to do that, but someone could modify this program to include that feature. So check it out if you're interested, but please don't mess with locks that aren't yours. I'm not talking about this because I want people to start breaking into buildings. I'm just trying to show that these things are a security risk. I'm also not trying to talk trash about Medeco. I think the M3 is a very nice lock. I just don't think it should be used for this application.

So how could we improve these? Knox could try switching to a different mechanical lock, but then people like me would just do the same thing to that one.
There are some keys which are a real pain in the ass to duplicate, like the Mul-T-Lock Interactive or the EVVA MCS, but you're never going to stop people from recreating chunks of metal. I think the best way to avoid this kind of attack would be to avoid key escrow altogether. I think the biggest flaw in the Knox system is that all of the locks in each area are identical. I can reverse engineer my Knox box and gain useful information about my neighbor's Knox box or the hospital down the street or the bank. Things might be more secure if we switched over to electromechanical locks, because electronics let you make it very difficult to extract secret information since you have challenge response and all that fun stuff. It took years for the DESFire EV1 chip to get broken by a differential power analysis attack, and that's a lot longer than it took me to make a Medeco key.

But the most secure way to do this would be not to store any secret information in the lock. Each lock could have its own unique credential. That way, if I reverse engineer my lock I would have no useful information about my neighbor's credential, and I think that's how it should be. And it would be much harder to do stuff like this. There's a very neat combination lock called the RKS which is like a very tiny safe lock that's dialed with a robotic key. If they used something like this, each building could have its own unique combination and they could just load them onto the key when they need to.

Knox also recently announced an electronic version of their product. Coincidentally, they released the promotional video for it last week. It's a completely electronic system kind of like the Medeco XT. I don't know how they're doing the electronics, but they say the key can hold a hundred codes. That's not very many, so it leads me to believe that they're not doing away with key escrow altogether, just making it electronic. So you're probably wondering, what if someone hacks the electronics? Wouldn't that be really bad?
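The unique-credential, challenge-response design described in this part of the talk, as an added example that is not code from the talk or from Knox or Medeco: every lock stores only a credential derived from a master secret with HKDF and bound to the lock's own ID, and it authenticates the key device with an HMAC challenge-response over a fresh nonce. Alongside it, the same code models the escrow design the talk criticizes, where every lock in a city holds the same credential, so the two can be compared directly. The master secret, the lock IDs, the HKDF salt string and the `Lock`, `KeyDevice` and `derive_lock_credential` names are all constructed assumptions of this example.

```python
"""Per-lock derived credentials versus one shared escrow credential.

Added example, not from the talk or any vendor.  Assumed design: every lock
stores only its own credential, derived from a master secret that stays in
the fire department's key-loading station, and authenticates the key device
with an HMAC challenge-response.  All secrets and IDs are constructed.
"""
import hashlib
import hmac
import os

# Constructed sample value; a real master secret would never leave a
# hardware-protected loading station, and certainly never sit in a lock.
MASTER_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def hkdf_sha256(ikm, salt, info, length=32):
    """RFC 5869 HKDF (extract, then expand) with SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_lock_credential(master, lock_id):
    """One-way derivation bound to the lock ID: a credential read out of one
    lock reveals neither the master secret nor any other lock's credential."""
    return hkdf_sha256(master, salt=b"per-lock-credential-v1", info=lock_id.encode())


def response_for(credential, lock_id, nonce):
    """The key device's answer to a challenge: HMAC over lock ID and nonce."""
    return hmac.new(credential, lock_id.encode() + nonce, hashlib.sha256).digest()


class Lock:
    """Holds exactly one credential; the master secret is never on the wall."""

    def __init__(self, lock_id, credential):
        self.lock_id = lock_id
        self.credential = credential  # what a physical tamperer could read out
        self._nonce = None

    def challenge(self):
        self._nonce = os.urandom(16)  # fresh per attempt, so replays fail
        return self._nonce

    def verify(self, response):
        if self._nonce is None:  # no outstanding challenge: nothing to verify
            return False
        expected = response_for(self.credential, self.lock_id, self._nonce)
        self._nonce = None  # each challenge is single use
        return hmac.compare_digest(expected, response)


class KeyDevice:
    """Electronic key loaded only with credentials for locks it may open."""

    def __init__(self, credentials):
        self._credentials = dict(credentials)  # lock_id -> credential

    def respond(self, lock_id, nonce):
        return response_for(self._credentials[lock_id], lock_id, nonce)


def open_with_key(lock, key_device):
    """Normal use: the department's key device answers the lock's challenge."""
    nonce = lock.challenge()
    try:
        return lock.verify(key_device.respond(lock.lock_id, nonce))
    except KeyError:  # this key was never loaded for that lock
        return False


def open_with_extracted(lock, credential):
    """Threat model from the talk: a credential pulled out of some lock is
    tried against a lock elsewhere in the city."""
    nonce = lock.challenge()
    return lock.verify(response_for(credential, lock.lock_id, nonce))


def run_scenarios():
    ids = ["bldg-001", "bldg-002", "hospital-017"]  # constructed lock IDs

    # Unique-credential design: every lock holds a different derived key.
    unique = {i: Lock(i, derive_lock_credential(MASTER_SECRET, i)) for i in ids}
    fire_key = KeyDevice({i: derive_lock_credential(MASTER_SECRET, i) for i in ids})

    # Escrow design, the electronic analogue of one mechanical key per city:
    # every lock holds the same credential.
    shared_cred = derive_lock_credential(MASTER_SECRET, "whole-city")
    shared = {i: Lock(i, shared_cred) for i in ids}

    # In each design, the lock from bldg-001 is removed and read out.
    stolen_unique = unique["bldg-001"].credential
    stolen_shared = shared["bldg-001"].credential

    return {
        "fire_key_opens_all_unique": all(open_with_key(unique[i], fire_key) for i in ids),
        "stolen_unique_opens_own": open_with_extracted(unique["bldg-001"], stolen_unique),
        "stolen_unique_opens_hospital": open_with_extracted(unique["hospital-017"], stolen_unique),
        "stolen_shared_opens_hospital": open_with_extracted(shared["hospital-017"], stolen_shared),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Running it shows the point of the passage: the department's key still opens everything it was loaded for, a credential extracted from one lock in the unique-credential design opens only that lock, and the same extraction in the shared-credential design opens the hospital down the street. The lock never learns the master secret, so there is nothing in it worth reverse engineering beyond its own credential.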
Well, don't worry. According to Knox, it cannot be hacked. They say it is a completely hack-proof system. They also say that it can't be hacked via RF or Bluetooth, which kind of makes sense given the fact that it doesn't use either of those things.

But until we do get these 100% hack-proof locks, what can building owners do to mitigate key duplication attacks? Knox does offer to sell them with a tamper alert, which is nice. It's got two buttons. One is to detect the box coming off of the wall and the other is to detect the door being opened. You hook them up to your burglar alarm so it can go off if someone messes with the box. This is a nice feature, but it's almost never hooked up. Pretty much nobody uses these things. They probably should, though. The tamper alert seems to be pretty well designed, but on the Residential 3200 model, Knox was kind enough to include a drain hole on the bottom. This allows me to just hold that button down with a bent piece of wire and defeat the tamper alert. Here's what that looks like from the inside. There's the button and I go in and grab it and I can open the door and the button stays down. And if I let go, it pops back up. Knox's website says that the tamper alert provides highest security and I really hope this isn't the best they can do.

So if you are using that switch, maybe don't get one with an exposed drain hole. Also have cameras pointed at the box. Don't rely completely on locks for your security. Get an alarm and maybe don't put your alarm code in the box. I know you're supposed to, but if your building is on fire or something, I guess it's not a huge deal if your burglar alarm goes off. And as for long-term solutions, I think we should be switching over to a system where this is just intrinsically not an issue. I'm not saying this is a huge issue, but just that we can do better going forward. If you're interested, check out the GitHub page for helpful resources and the programs I used.
Also, huge thanks to the Electronic Frontier Foundation for answering some of my questions about this. Please go donate to them and thank you for listening. I hope you found this interesting.