 Well, good morning, everyone. Welcome to DEF CON again. We're glad to see you all up this morning. And my name is Mark Tobias. This is Tobias Blues-Manus, my partner. And hopefully they'll get our audio problems dealt with and our ‑‑ hey, okay. Okay. So we got video on both screens. Right, no teleprompter, but the president is not here either. So Tobias and I work for security labs, which is in our office, and we work for a number of major lock companies in the world. We have a team that analyzes mainly high security locks with some consumer level products as well for security vulnerabilities, mainly for covert entry. So a few years ago at DEF CON, we talked about a number of different consumer level locks, but not really in detail. And as a result of that, we ended up filing a complaint with one of the standards organizations about the lock we're going to talk about today. And we figured a couple years ago by some things would occur, maybe the problems would be remedied, but they weren't. So today we're ‑‑ now the monitor went away here, but I guess we're okay. So today we're going to talk about one of the most popular consumer level mechanical cylinders in the United States. And the problems, the design problems that we found. How many of you guys have this lock on your doors? So everybody knows what this is. Okay. So this is probably in the United States. There's really two major consumer level brands in the United States. This is one of them. And they're in every DIY store, hardware store. And a lot of folks believe that these are really secure. And in many ways they are. The problem is, as we'll point out to you, in critical ways they're not. So we're going to go through ‑‑ we've done a pretty detailed slide presentation and with a lot of graphics and animation that we hope you guys enjoy to detail the problems. And we recognize that a lot of folks can't afford high‑security cylinders that are $7,500, $150 apiece. We do understand that. And I guess some locks is better than no locks on your door, but there's also a false sense of security that these kind of locks provide a higher‑level security than they do. And that's also enhanced by packaging and marketing statements by the manufacturers, especially with regard to the Builders Hardware Manufacturers Association standard. It's a consumer commercial level standard that has much more to do with endurance and durability than security. And that's the case in this lock. So quick sets are really easy to understand. Today we're going to talk about their smart key versus conventional pin tumbler locks and a number of ways that we've determined to open them very rapidly and to present some serious vulnerabilities. Now you'll notice that the lock on the left‑hand side of the screen, that's a smart key because it's got a little slot to the left of the keyway. That means that it's a reprogrammable lock. So what we're going to do is begin this morning, letting you listen to a couple pieces of audio. We called customer service repeatedly to ask them how secure their locks were as if we were going to buy some. And we wanted to set the stage because this ‑‑ either these folks aren't trained properly or they're making statements that they shouldn't be making. So either way, we thought you would enjoy the questions. These are about two minute clips each. And nothing's been edited out that was relevant. Only the chit chat between us. But these ‑‑ I tried to edit out to the relevant statement. So this first one was in June of this year with Brian. Quick set, this is Brian. Can I help you? Say a couple questions on smart key. Okay. So my only concern is, is quick set comfortable and basically debunk this, that there's no way to stick a screwdriver, you know, just a common tool, into the lock and open it. No, that would be a negative. I mean, if it was that easy to pick a quick set lock, they would be having to do recalls, okay, if this customer's got this unit, you get a call tag and have a prepaid label sent out and send that back to our quality control. There's nothing like that. It's business as usual. Is there any ‑‑ are you guys aware of being trained any tools out there that will open these or is this just all nonsense? No, without the actual key for the unit itself, no. You can't open it. Okay. So as far as ‑‑ just so I can tell my boss, as far as quick set is concerned, other than drilling these, if you don't have the key, you're not going to get in. No. And that's the bottom line. Just sticking anything foreign inside of the keyway is just going to make it that much harder to open up. Okay. So basically what you're telling me is it isn't going to happen. You can sabotage the keyway, which will ‑‑ Yeah, but ‑‑ Okay. So that was ‑‑ that was Brian. Okay. So you're starting to get the picture. So this is Satima. Oh, and sir, how can I help you? Are you tech support? Yes, ma'am. Ma'am, we're looking at buying a large amount of your smart key cylinders. And then I have some questions. Sure, go ahead. Are you technical? Yes. Okay. How about forced entry? How difficult are they? Like the old locks, you could like take a screwdriver and put a lot of pressure on it. Yeah, same thing with these. I mean, you can line up the springs. That's what the screwdriver would do, right? Force the springs to align and open the lock. With these ones, you can't even put a flat screwdriver in there. You can't. You can't, no. Because there's racks, we call them. Okay. Coming from up and down, you know, up and down direction, not just up. Okay. So this stuff on the Internet is not true. That you can take a screwdriver and open them. No, no. We were aware of that video and, you know, we found out about it. But they did something else before they showed that video. That's what it was. I believe that's what I heard, that it was, they had to do something else to the cylinder and then they recorded the video with just using a flat screwdriver and opening. That's not how it works. So if somebody walks up to a lock on one of our apartments, unless they can take that lock apart, you're telling me they can't open it without the right keys. That's correct. Right. Is there a quick way of forcing these open? No. That a burglar could do like in 30 seconds, you know, 15 seconds. No. Is there anything that you guys have been trained on or aware of? Oh, no. I don't know. Nothing like that. There's no tool that you can just put in the cylinder and pop it open. There isn't. There's no emergency key that you can, or we send you that will open it. Nothing like that. What to say with all, I mean, how long you've been with Kwikset dealing with these? Four years. Let's just take a four inch or a 16 screwdriver, which everybody has in their kitchen drawer, and you stick it in the lock and you take a pair of pliers or a vice grip and you turn it. Can you open the lock? No. What about sticking a wire through the, where the key goes in or any other way? Now don't jump ahead of yourself. No. You can't put it up a wire or anything like that. You cannot. No, you cannot. Okay, so you wouldn't worry about putting these to protect valuables, you know, to put at your house or your apartment? Not at all. Okay, so that's what the public is told if you call in and want to know if these locks are secure. So unfortunately, and I don't think there's any malice on the part of their employees, they just don't know. They have not been educated. There was plenty of stuff on the net a couple years ago that they referred to and I just don't think they know or they've been told not to say it. We don't know. So the reality is, as we can see from the show of hands, there's millions of these locks used in America, homes, apartments, businesses. They're inexpensive. The cylinders run $20 to $30, maybe $40 apiece. They have pin tumbler models and they have smart key models. They have dead bolts and they also have electronic cylinders. So it is one of the most popular locks in America. And they've been in business actually for about 60 years and again they have a very diversified product line. These are some of their distribution channels as you recognize home depots, Lowe's, Ace Hardware, lots of folks are carrying these locks. And mainly they're sold through DIY channels and DIY channels rather than the locksmiths. A lot of locksmiths actually don't care for these cylinders because it circumvents their revenue and their low quality locks. And this is a shot I think from Home Depot. And they're very, very prevalent. They've got great marketing. They're in residential and apartment facilities. So Kwikset, Weiser, Baldwin, the basics. Toby? All right. We're talking about pin tumbler locks, which is their older version and smart key. Smart key will show you the difference. In some ways it is a very clever lock. The pin tumbler locks they sell are five or six pin. The smart key is five pin. The smart key, there's some attributes that the pin tumbler locks don't have as far as security. The pin tumbler locks, if some of you guys were around several years ago, we had little 11-year-old Jenna Lynn bumping them open. Y'all remember Jenna Lynn? She's probably in college now. But she became a YouTube star. A little girl in one minute figured out how to open these locks. Whack, whack, they're open. The problem is they all have the same keyway. There's no duplication protection. There's no key control protection. These are definitely not for high security installations. They're mainly residential and apartments. So Kwikset history, as I said, they've been around about 60 years. They're very easily compromised. And the smart key actually was introduced around 2008. But probably a lot of you folks still have pin tumbler locks. You probably wouldn't know the difference unless you look at the little slot, the right-hand photograph, the little slot to the left of the keyway, that indicates Kwikset. But it's the same key that will open these locks. So here's the difference. On the left is a pin tumbler where it's a conventional lock with two pins and a spring in each chamber. On the right-hand side is smart key. It's much more complicated design, but same key will open it. Yeah. And actually... You can see also that what they share is the same key. What Kwikset did with this design is trying to use the same key for their locks. So you have one that is a pin tumbler design. And the other one that you can reprogram and supposedly be more secure, you cannot bump. You cannot pick. Pick open the lock. You can probably... Other attacks like impressioning the key. You cannot do that with Kwikset. But on the trade-off, we find ways more easy to open these Kwikset locks. Okay. So pin tumbler design, they're essentially not secure unless they're a high-security lock with a number of added-on attributes. Pin tumbler locks, essentially, in this category are easy to pick, easy to bump open, easy to impression. They're easy to mechanically bypass. They can be master keyed. And it's also fairly easy to determine what the top-level master key is. And there's limited number of combinations. And these locks are fairly low-tolerance locks. So there are many fewer keys that in the universal keys will open these locks. So the pin tumbler lock... Go ahead. Okay. So we're going to go first on how a pin tumbler cylinder works. Okay? In this case, we have a Kwikset cylinder. This is what you see from the outside. And the parts, we have a shell that is the outside portion, the plug, and the key slot where you put the key. That's what mainly more people know about the lock. So what is inside is a pin stack. You have a spring and a series of pin tumblers. And you have a shear line. That shear line is where you have to move the pin stack in order to create a clear surface. Separate those pins in order for the lock to turn. Okay? So that's the basics of a pin tumbler. You have to get that pin on shear line, depending on the height of the key, so you can unlock the cylinder. Now, that's one pin. On a regular pin tumbler, you have more than one pin. You have, in this case, five pins, different heights on the bottom pin, which is the portion that fits the key. So when you put the key, you see all the bottom pins line up with the cylinder. So that cylinder can turn if the matching pins match the key. So if you put a wrong key, what you have is some pins either extend to the block or something from the top blocking the rotation of that pin. It's a very simple design. Has been for many, many years. And most manufacturers work around this design, adding sidebars, third levels of locking devices. But it's the most common element. Are we okay? Okay. Okay. So that's what is inside on a regular pin tumbler. And we said this mark key is not a pin tumbler lock. If you look inside these very different components that will make that lock be able to reprogram the lock to any specific key and to make it more secure against bumping and peeking and some sort of impressioning with techniques. Okay. So this is what the inside of a smart key looks like and we'll blow this up in just a minute. But this is a sidebar based lock, which means that it's a different locking mechanism that keeps the plug where you stick the key into from turning. And this design actually was developed in 1978. The original design here was in over a million hotel rooms because it was the first real programmable lock. Very, very clever. And then it was improved by a company in Italy called Rialda and then Quickset took the Rialda design and modified it for the consumer market in the United States. So attributes of smart key, it's only a five pin lock and when we say pins, they're really not pins, they're sliders and there's a really big difference. Pins mechanically and physically are secure against torque and forced attack. The sliders in these locks are not quite so secure. In this lock, there's one sidebar that really provides the entire security of this lock. It's extremely pick resistant. There's an underwriters laboratory standard 437 which defines picking for commercial and high security locks. Quickset actually meets this standard. That means these cannot be picked in under ten minutes. They are very, very pick resistant and they also cannot be bumped, period because there's no pin tumblers. And so there's nothing to bump open which in a way as we refer to this lock it's one of the most secure insecure locks in America. Now, obviously those are opposite ends of the spectrum but that's what it is because from the picking standpoint from the impressioning standpoint from the bumping standpoint you're essentially not going to open them. Because that's trumped by other ways that we'll show you. The other really cool thing how many of you have smart key versus the old pin tumblers or do you know? Oh, so not that many. Well, smart key they're actually backwards compatible. Smart key you can instantly reprogram them without a locksmith. You stick the correct key into the lock turn it about 30 degrees it's a very, very clever and desirable option in the marketplace but there's a lot of security trade-offs to get there. No, definitely. We have to also understand that the space that they have to work is always the same. So to put all these different attributes in a lock it becomes very difficult task to do. Attributes that has one primary keyway everywhere which is really a problem because it's easy to make keys or duplicate keys. There is no key control. Now, they make a special deadbolt lock for master keying limited master keying for like apartment houses that we'll show you. And they think that that key cannot be duplicated easily. We'll show you how that happens. This one? We show you at the beginning how a pink tumbler lock works and this is the smart key. The first thing that you notice from the outside is that little slot on the side. That's to change the combination when you follow the right procedure. So we told you that on the inside it's totally different. This lock is based on a sidebar design. You see a pin, you see a slider next to the pin and the sidebar. And the sidebar is in purple. So when we put torque on that cylinder the sidebar tries to retract but it's blocked by that slider. So in order for that lock to open the pin has to move the slider to the right height so the sidebar can enter the groove of the slider and the lock can be open. So that's the principle of the smart key as far as the slider sidebar combination. So and the way that they can make the different with that they fit the pin to the slider with these different channels the slider is at the same position the sidebar at the same position but the pin configuration changes for the different depths from one through six. The relationship between the pin tumbler on the right hand side and the yellow slider those separate in reprogramming mode so that they index to one of the six different little teeth on the slider and then they bring it back together that's how the combination has changed in this lock. And it's the same thing it's not only one pin a slider combination we have in total for the smart key we have five pins and five sliders so the sliders are the ones that sets the combination inside the smart key cylinder so when you put the key and the key is set to that combination you see the red dot that's where the sidebar drops okay so when the sidebar drops at that combination that lock can be open and the pins just follow the combination of the key in this case we have two six three four one is the individual depth of each key so if we want to rekey the lock we have to put the working key into the lock they have a special tool that it will move a block in like a hob that house all those sliders and what happened is that the sliders separate from the pins so now we can remove the pins but the pins the sliders are at the same they're a shear line with the they're locked into position so they can't go anywhere until we stick another key in so we can put another key that key sets to the combination of the key and then we have to bring all those sliders back to engage again to the sliders the pins so we have a new key working for this lock so it's a very clever design that they have a bolt bearing to prevent also yeah okay so these are the components that okay so this shows the five pin tumblers that the key responds to lock together to make this lock work so and the two bottom pieces are the sidebars that actually stop that plug from turning and this is what the plug looks like yeah, their pins are like hallows so you can put the pins they have a cover so you see the tabs where the sliders goes and you have that hob that puts the slider together with the sidebar so can now let's talk about master key systems before we get to the attacks so in conventional master key systems and pin tumbler locks we have one key that can open many locks and there's potentially many different levels of keying because we have an extra pin in each chamber and that creates a whole bunch of different shear lines conventional locks are expensive and there's also what we call incidental master keys there's a lot of keys that will open a master key cylinder that really aren't intended and that's a problem and that's a problem well actually what happened with master key system those unintended keys they tried to use those to work in the system so it depends how the people who's doing the master key but you have more than two keys working on the system and we're going to show pretty much how a master key system works and as we pointed out many years ago conventional master key systems if they're not high security they can be also easily compromised but in a different way so we can figure out what the top level master key is in the system so remember the pin tumbler lock and then it has one pin the spring, top pin, bottom pin now we have another pin that we are that we are creating two shear lines you see right there we can split the pin and the lock opens we have one depth for that pin but it's also another shear line so we have two depths that opens in that specific chamber but again if this is not a lock is not one pin so we for this example we put another split pin we put a master that's called a master wafer and the rest we left the pins like that so we have a key that makes the shear line so that key will open the cylinder we also have a B key that can open that cylinder where the two intended keys when we are making a master key system and we have to understand also that when people say I have a master key there's no such thing that as a master key for a GM car you have to set a master key system in a pin tumbler lock when somebody said I have a master key the system is set to work with this master wafer in order to set the system to open different locks so the problem is now that we have two unintended keys key C and key B that will also open that lock and if we add more master wafer that number is going to increase it's an exponential number and in some cases depending on the person who is doing the job they can put even more master wafer and that creates many many coincidences of keys and they are not secure and it can also make the lock a lot easier to pick the other problem with Quixit for example is the keyway is so common and they have so many different individual keys that they can use probably your home key a commercial facility that has been rekeyed and has a master key system is potentially that one of your keys can open one or more of those locks so Quixit came up with what they call key control which is actually it's basically a one level master key system there's two cores in one cylinder it's actually a clever system for apartment houses where you only need one level of master keys there's two separate keyways supposedly that are secure that one won't go into the other so the apartment user the apartment tenant has one key their change key and the management has a key that will open the other core in the lock it's actually very clever no locksmith is required they instantly change your master key systems there are 46,000 theoretical combinations they're good for facilities that need a very limited kind of system so actually it's a very clever system however it's got the same security vulnerabilities as the single lock and again they can be instantly reprogrammed so and you do not have the cross key problem in the Quixit system that you have unconventional master key systems it doesn't exist so the problem is they can also be compromised in 15 seconds so security what you get is what you pay for does anybody expect a 20 to 30 dollar lock to actually be secure and that's the question and again we understand that a lot of folks can't afford high security locks but we also believe that the public has a right to understand so they can make the decision knowingly and intelligently whether they'll accept the risk so as we say there's millions of facilities that can be at risk here and there's a false sense of security as we talked about between the BHMA standard that says this is the highest grade of security for residential and the anti-picking anti-bumping so we're going to go through we've heard the tech reps at Quixit say there's no way to get into these locks if you don't have the key or you got to drill them and destroy them okay so smart key design issues the problem is with the sidebar and the sliders there's only one layer of security and our problem is these little sliders that you see they're very fragile and there's also maintenance problems mobility problems and low tolerance with the lock so we're and the real problem is we're going to show you in a minute you can apply torque to these plugs and open them so here's the attack methodology that we came up with try out keys wire through the keyway visually reading the sidebar and the slider positions torque the plug other than that they're very secure locks okay so first of all try out keys probably most of you guys aren't old enough to remember in the 60s we had 64 keys that would open all General Motors cars 64 because we split the difference we exploited the tolerance in the locks I'm talking that there's no such thing as a master key system for GMs and you say that they're try out keys you jiggle them in the keyway sometimes they would open most of the time but what you're doing is cutting the tolerance in half and the same thing in quick set so basically with six depths in a quick set most of the time we can make three depths equal six depths so here is a graphic the six steps on a quick set key one, two, three, four, five, six cuts depth increment key of one, one and a half and two three, three and a half and four, five, five and a half and six we didn't do this this is something that we test on their smart key this is an old type of attack try to split the difference between one cut and the other one because the tolerances you need tolerances for this lock to work so the next problem has always been their problem and it's called the tail piece design and this is the linkage when you insert the key into the plug the plug has to talk to the bolt or the latch to communicate the energy to withdraw or lock the bolt so with quick set this is hollow on one side it's square and it's hollow so it'll interface on both sides of the door together with the bolt so this is a huge problem so this is one of the attacks that we developed on one of their older key and knob cylinders this is a special key that we made on the bottom that if we knock out the piece at the end of the key way so there's a slot we can go right through that and open the lock so should we run it? so if you stick that in literally in five seconds the knob lock is open this is another design this is an old design and actually this is a pin tumbler lock they share the same configuration but the back was covered by like 20,000 of an inch thick of brass so we were just piercing that with an old quick set key that you can get anywhere like a piece of wire that it was bent to accommodate the this one this is on the quick set smart key and we're going to show how we can access the tail piece you tell us whether you think this is secure whether you think this is secure this attack on the tail piece quick set smart key and earlier cylinders is based on the design of the tail piece by quick set it's hollow and it's square which allows us to pierce the cap at the end of the plug and insert a wire that's been formed to catch the edges of the tail piece and turn it okay the first thing is to introduce the tool like a regular key I'm going to put tension and that tension is going to make the sidebar block the slider so I can remove the tool and the reason is I need to put the tool backwards so we can start piercing from the top that's the complicated part yeah a sharp piece of metal that's the complicated part now so you can see the back on one side and let's see this so this is a complicated part that you have to use the pliers yeah that's why I let him do it you know I always get the complicated part and now we have an opening for the wire so now we can access the tail piece that is attached to that that right here you see I'm moving the keep going because and that's it and that will open the lock so so that's it you put this on the lock there's no damage to the lock your key still works so how many of you still trust your door locks okay next one visual decoding and we didn't show this but we'll tell you you can actually take a little mirror insert it into the lock it takes a little more talent and you can read the position of each of the sliders okay here's the really good one this is as I told Toby he's been torqued off so this is torquing the plug and we actually filed a complaint with the builders hardware manufacturers association a couple years ago it was essentially ignored that we didn't think this lock should be certified as a grade one lock this is the entire security of this lock as far as we're concerned these are sliders as you saw in the diagrams the one on the left is normal the one on the right has been warped maybe it's not straight okay and this is also what happens when you stick a screwdriver into the plug of the lock again it's warped the geometry changes you know we said that the lock is going to be as secure as his weakest link and if the material is not strong enough that's the end of it we also ran some tests and we were able to torque this lock at 112 pound force inches the standard actually requires 300 but their argument was well yeah but you're either sticking a paper clip or a piece of key a broken off piece of key into the keyway there's one element that there's one element that on the cylinder that when we torque the plug we have to introduce a piece of key wire because we need to to lift that slider that is blocking through the the housing because there's three different depths depth one the depth two and the depth three that it will block the physical slider will block the rotation for that for that pin but there is a specific position and it doesn't matter which depth is set the slider the slider is going to get inside the plug so the the only prevent element preventing the cylinder for opening is the slide so here's what happens based on the slider design the six set smart key we contend so that's the smart key we just need to a specific height and we're using a piece of paper clip the sliders to a specific height we just that's also the complicated part and of course I did that part with a very short screw so this is just a standard little screwdriver we just seeded into the keyway you really don't have to bang on it this is a very small vice grip this is your door on your house you see it's already turned you can see the the plug is already turned and once is that you know those sliders bend the plug compresses so now the cylinder can go back and forth there's no now you have to put that piece there and that's the reason why they pass the test of the certification because when they test for this lock they put the screwdriver they torque and they say but the cylinder is open right now okay same problem no key control plastic keys okay this is very impressive that's a master car no that's chase sorry I didn't know so then we figured out how to the lock because we're going to run out of time so basically there's a procedure that we can take six different keys and we can figure out how to decode it those are the depths of each pin but now if we notice that sidebar it really does not engage on the false gate so we design a key that can move basically what we're going to you're going to see here in this video is that if we can remove the key from the cylinder with a specific depth that is an indication that that depth we have decoded the so I don't think we have time to run this video but these are the six keys let me just do part of this okay this is going to be decoding the control cylinder on a quick set this is the problem with our master key depth analysis keys depth probing keys for each of the six depths that we're going to probe in rapid order and determine the essentially the gate positions on each of the sliders so let's start with number six we just have to put the key in put a little bit of torque and try to remove the key if we cannot remove the key it's an indication that that thing is not set for that depth okay basically we go through and probe each of the six sliders and then once we figure out the code we generate a key for it in like ten seconds so we go pin by pin we just put the key in that position try to remove it if it can be removed we record the number that we're using and so basically Toby goes through decodes the entire lock creates a key for it so making the control key as we'll wrap this up this is their master key scheme this is the way that quick set takes the approach for the master key system this is what they call the key control it's not playing it's not playing go ahead so that cylinder has another cylinder on top so that's the scheme that they use it's two cylinders because their platform now is so small that they decided well I can have one key for a user thing is they're so close and all this attack also can be performed under their lock that we thought well this is not secure it's even more insecure because you don't see the cylinder it's on top that the cover has to turn so you can expose the other cylinder so if you torque the plug or you pierce the plug you're never going to notice something that you as a consumer should know that here's the bottom line as we'll sum up this is a very clever design lock in certain respects but it's also extremely insecure in certain respects and so there's really a trade-off and you need to understand when you spend money on locks it's an insurance policy you need to understand that you really do get what you pay for and it may look secure but that as we've shown you it doesn't mean that it is I think that wraps it up for this DEF CON this year we thank you very much for coming and we hope you enjoy this thank you