We are here to hear about a little bit of physical security stuff. How many people have seen those uh those uh keys that say do not duplicate? So ooh well in that case I'm definitely not going to duplicate that. These guys apparently have a different philosophy on this. Let's give uh Billy and Bobby a great uh welcome to uh Fancy Track. Have a good time gentlemen.

Thank you. Alright so uh welcome everyone. This is Duplicating Restricted Keys. I'm Bobby and this is my brother Billy Graydon. So first I want you all to take a look at your key ring. And almost all of you are going to notice one of them looks like one of the keys that's on this uh screen here and uh so these these are some of the most common keys that you'll find in North America um and they're relatively easy to copy. So if you want to copy them uh basically you go to any locksmith, corner store and um they're going to be showing you or sorry we're going to be showing you a video if you can get that up.

So what this machine here is called is a profile cutter and essentially how it works is it has a little probe that rides along the uh the key that you want copied and then a cutter on the right side that you can see here um and that's what actually cuts the bitting in the key. Yeah so you can see there on the bottom is the probe following the key and on the top is the cutter and that's going to create the exact same profile on the duplicate. And also for nope sorry folks. There we go. Okay so just for an example of one of the simple keys that you might be able to get copied with this technique um there's just regular keys like this here which is uh one of the keys for the Titan II nuclear missiles and you'd be able to walk into any corner store with this thing and they'd cut it for you. Thankfully high security keys have come a long way since then.
And for any of you who don't have a background kind of on how a lock works um if you take a look at the bottom you can see how there's two pins essentially in each column there and the line between them is called the shear line and when the key's in there those are all lined up which allows the key to turn and when it's out at the top there you can see they're not lined up and uh that's why you need the key in there for it to actually work.

And so next we're gonna be showing you a video of you know when you bring a key in to be copied you already have that key and that's what the profile cutter uh can do to copy it. Um how do you get the first one? So this is called origination and essentially how it works is similar to the other one there's a cutting wheel there however with this one you can very very specifically move the key forwards to take out little bites of the key and that will create the bitting and so you can see there's a wheel being turned there and so that's one of two that lets you precisely move the key side to side and in and out to get those cuts right.

So again I'm gonna ask you take out your key ring um take a look on it or some of you might even recognize these immediately. These are gonna be less common but all of these that you see here are high security keys which means good luck going into any random corner store or locksmith and getting these copied uh they won't be able to do it or they won't do it for you. So we're gonna talk about how you can make that happen.

When you take a restricted key into a locksmith and the locksmith says sorry I can't cut this for you. The number one reason for that is going to be that the locksmith simply does not have the blank. So the two videos we showed before of profile cutting and code cutting or origination of a key we started with an uncut blank and we added the cuts into it um that would then operate the lock. More the most important part of a blank is what's called the keyway.
So that's the specific shape that that blank has. So the manufacturing process of a key blank is we start like image number one with a rectangular piece of metal and then we're going to mill along or mill out uh some hole or some grooves along the side of that key and you'll end up with something like image three over there and so if you look at your keys if you look at them head on you'll see a pattern similar to image three and that's going to match up with the lock similar to image five uh just for some terminology. In image two where we're cutting out the grooves along the key that's called millings and image four those pieces of metal that are put in the lock to prevent the wrong key from going in that's called warding. So uh we'll try to remind you but uh keep that terminology in mind. The purpose of this is all sorts of lock manufacturers have their own keyways and they try to make it unique amongst different lock manufacturers so you can't say take a Schlage key and stick it in a Weiser lock it won't even fit.

Let's cover our first keyway exploit. So here we have what's called a master keyway system. You're all familiar with master keys I'm sure and that uses the bitting on the top of the key. You can also do it with keyways. So we have at the top the Schlage SC1 keyway probably arguably the most common in North America. Um but you have a whole bunch in its family. So third from the left on the top we have the SC8 and those two will not fit in each other's locks. However circled in blue just below it we have the H keyway and that's a mastered keyway it's going to fit into both the SC1 and SC8 lock. So in very large facilities or poorly designed locking systems as we'll go into um you can do mastering with that. So let's say I have room A that's an SC1 key and room B that's an SC8 key same bitting on top and then the master key is that H keyway there that's going to enter both locks.
The exploit you can even do unintentionally and this is the real problem is if I take let's say I'm in room B I have a key to room B and I take that into a locksmith. Now that locksmith might not stock all of these blanks we see up here. He might say hey well at the very bottom there there's SC19 that's going to enter all these locks. So I can save some supply chain cost and just stock that and I can cut everyone's on that. So he cuts me a key a duplicate on SC19 it works perfectly fine in my lock but it's also going to work now in room A because it's a more higher level master keyway it's going to enter that. So that's the first exploit that some people can do completely unintentionally.

The main focus of this talk though is on restricted keys. So this some folks might recognize is a 3D computer model of the Medeco M3 key blank and because they're just pieces of metal you can CAD them up you can make models for them so here's one for a biaxial and here's that one that we 3D printed and this is now a functional blank we can add cuts to that and it works just fine in the lock. If you want to make it out of metal you'd be using a machine like this and this is very similar to what happens in the mass production system for all the keys that you'll have in your pocket right now. At the top you'll see that circular cutter wheel and that's what's going to mill those grooves along the key and you put it in the clamp there and mill the specific shapes out as we see here. So in diagram 2 it would be taking out that rectangle at the top and those two triangles at the bottom.

A talk about restricted keys and restricted keyways wouldn't be complete without mentioning the Easy Entrie that effectively does all of that for you. It's a complete black box or pink box as the case may be. Most people don't have access to them they're very expensive and a lot of the functionality is restricted and finally because it's a black box you don't really understand what's going on within them.
So for that reason we won't say anything more about that.

Keyway research so finding keyways that fit in locks they're not supposed to and doing various other things with that used to be a very tedious process and you ask any locksmith about this if you have a lock and you need to find the right keyway for it you're kind of looking at it oh I recognize this is close to that nope not quite take your hand file out file it away nope file in the wrong place and then you just get mad about it. We've gone and automated that process. So we've written some software that takes hundreds of different key blanks and we brought them into a digital database and we've written a little scripting language with a UI similar to MIT Scratch for those who've heard of it you might recognize those blocks on the bottom. So what they're doing is first we're drawing out the Schlage SC1 you can see in the top right there and then we're comparing the SC1 with the SC8 those are the two we talked about before on the master keyways and you can see in red where the SC8 is and the SC1 isn't and in blue where the SC1 is and the SC8 isn't those are the pieces of metal that prevents one key from entering the other's lock.

So we add a bit more functionality to it so taking the reverse of a keyway as you can see in the very top block there and so we can see that the Sargent RA and LA keyway are the same when reversed and you can tell that because it's completely purple there's no metal that's unique to one or the other. We can also compare say how much a or how thick a flat piece of metal has to be to fit into that lock. So in this case we have the Medeco 9S blank that's a biaxial blank restricted you're not supposed to be able to get them anywhere but you can get a piece of a flat metal 32 thousandths of an inch thick and that'll work just fine as we can see here.
We added binary operations in as well so to do sort of math with keyways rather than adding and subtracting them we're intersecting and taking the union of them so we have the Schlage C, E and F keyway by the way C and E are another name for SC1 and SC8 and so that's what we're seeing in the first three there. The intersection of those is the master key or master keyway that's going to enter all of those locks and so we can calculate the intersection there and the union is the lock that will accept all of those keys. So that's a much wider open keyway.

We considered how you can machine and modify these keyways. So in this case we have milling with a ball cutter so that creates a nice circular groove along the key and so for instance if we have a Best L keyway and that's what we see up at the top and we wanted to enter both an L and an M lock. Well we first start by comparing them and you notice that red there that's where the L has metal where the M doesn't so that's what's going to prevent it from entering that lock. We can go ahead and play around with where we have to mill off and if we mill off with a 32 sorry 16 inch ball cutter we can take away that red and we see that in the image on the right and that will now enter that lock. Those of you who are familiar with scripting will notice that we're using variables for that as well. So in red we have the milled Best L and we keep modifying it to be itself with some taken off on the mill.

We went one step further built in control structures, for loops, et cetera and made a Turing-complete keyway analysis language. So in this particular case we're looping through every keyway in our database and we're checking to see is that key very similar to itself upside down and if so we're going to dump it out. This is a small sample of the output when we ran that script and we got a whole bunch of keyways that that are symmetric either way. So let's apply this to actually create restricted keys.
So we see here the Medeco 1515, that's what's shown in red there and that's a restricted keyway, that's for Medeco Classic you're not supposed to be able to buy those anywhere but you can buy a Best A anywhere, most common Best keyway out there. If you look at these, this comparison here you'll see that they're the same in the bottom half of the keyway. Well what sort of key only uses the bottom half? Well bump key. So we can take that Best A and cut it to be a Medeco bump key and otherwise completely unmodified in terms of the keyway and that's going to enter that Medeco lock and function as a bump key. Going back to our comparison we see that if we need to make uh make it a full height key that's going to work as a full fledged key we just have to take a little bit off the top there. Of course you can do it with hand files. We also made a little adapter that's going to fit on our code cutting machine and uh and that will allow us to mill it out as well and this also demonstrates for you what the keyway milling process looks like.

Alright so we have our blank clamped in at the bottom there, we're starting up the wheel and then we're moving it in so that it's cutting the right depth of the groove and now we're moving the blank up slowly and that's milling out a longitudinal groove along that key. And so that being a code cutter that lets us very precisely position where along the X, Y that groove is going to be as well as how deep that groove is going to be. You can also use an end mill so this is a picture of modifying a Yale Y1 blank on a milling machine. Um this is a much more common piece of machinery than a keyway modifier a horizontal mill or a uh code cutter. Um so anyone that has access to hacker spaces, maker spaces etc. got 50 bucks for a month you can get access to one of these and they can modify your keyway for you as well. So we took one of these Best blanks and we modified it accordingly.
Um this blank that you're about to see was actually the one that was shown in that video on the HPC machine and we added the Medeco cuts to it. And it's now a functioning Medeco key cut on one of the most common blanks in the country.

We can get even stupider. So if we look at the bottom left here we see the Medeco 1515 to the far left and the Schlage E which is also SC8 right beside it. They don't look similar on first glance until you notice that they're mirror images of one another. Well we live in three dimensions not four so you can't flip a key mirror wise unfortunately. Um but what you can do is put it in backwards. So if you stick it in the back of the lock it actually fits. That gets your mirror image and we've chopped the head off of the key so you can see uh exactly how nicely it fits. That's completely unmodified. How do you fit it in the front cause usually you don't have access to the back? Well you chop the head off. And so we made these cute little key nuggets that you stick in backwards so you get the mirror image of the keyway. And of course it works. And you might say well that's that's kind of cheating. You don't have a head you can't remove the key. You can only use this once. Well if you're a criminal do you really need to use it twice? Do you really need to remove that key? So this should be considered a security vulnerability.

You don't necessarily even need the blank. So high security lock manufacturers tightly control the blanks because the blank can be used to create any key. Once it's a cut key it goes to the end user and they can lose it, sell it, whatever with it. And uh it's completely uncontrolled. So if you can get a cut key that happens to be the same keyway and possibly has other uh similar security features as the key you're trying to duplicate you can cut it down where it's higher than the key you're trying to duplicate. And where it's lower you can just add metal to bring it up.
So this one you see here it's uh a little hard to see so we have that close up in the bottom but that's actually been added some metal to with simple electrical solder. Um fits really well. You can get a good hundred uses of that out of that key before it wears down too much because solder is very soft. Um but because it's so soft it's real easy to hand file out the grooves so that it fits. As well as you can just stick in the lock a few times and the lock will uh do that machining for you.

Another interesting key we have here is the USPS arrow key. So this is what your mailman will carry to get into your mailbox um to retrieve mail etc. Some enterprising criminals in LA found a good way to copy these which that blank of course you're not supposed to be able to get anywhere. Isn't that ingenious? You can see on the left some of the uh useless trinkets that they stole from the mail but um but that's that's an example of instead of using a keyway um that isn't supposed to be for the lock using a completely different household object.

There's something else interesting about these arrow keys though and that's that if you look at it it hasn't been milled out. It's different than most of the keys you'll have in your wallet. It's been pressed out of a flat piece of metal. Here's an example of the dies excuse me. Here's an example of the dies that are used to press something like that. So we made those on the mill and you can go ahead and put a flat piece of metal in between them and press down on it and it's gonna bend that flat piece of metal into a functioning blank that can then be cut and turned into a functioning arrow key. Of course we didn't cut that because that would be extremely illegal.

That got us thinking though. What about the keys that are normally milled? Can we use this technique on those and press them um in a likewise fashion? And the answer is yes and you can go a step further. So let's think about it right?
Those milling or those pressing blocks that we made we can just use the lock for that. Because the lock has the keyway built into it it is a perfectly shaped die that can be used to press flat metal into that keyway. So we've taken a lock here in this case it's a Schlage SC1 and we're cutting it in half. In this case on a mill you can do it with a Dremel if you have more time and you get something like this. So that's what a lock looks like on the inside. Kind of cool eh? Uh but you can see how we had the top and bottom forms that can be used to press a flat piece of metal into a functioning blank. So we go ahead and do that. Put a flat piece of metal in between them. Press down hard. And now we have a blank. We can put it on the profile cutter, copy the bitting and we have a duplicated key pressed out of the lock that it's supposed to open. And of course it works. For really paracentric keyways like this, really nasty keyways, this is a heck of a lot easier than milling. So it's a good tool to have in your toolbox.

Now you might ask can you do that with uh something that's actually restricted and the answer is of course you can. So here's a Medeco lock cut in half. Two interesting differences. The yellow arrow up there you can see that anti-drill pin, different colored metal that's to prevent you from drilling into the lock or cutting it in half but apparently not. Um and the red arrows there you see those rectangular holes, that's what the sidebar enters in. So for those who know how Medeco works uh that's where the sidebar goes and that gives it its high security properties. And we use that to press a functioning Medeco restricted blank.

This is particularly concerning because if you lose a key you usually are going to go rekey your lock. If you lose a master key you have to rekey your whole facility and that's created some uh major incidents in the news because sometimes that can be a very very expensive process. Well what happens if you lose a lock?
Most of the time you don't care. Most of the time you don't even know. Um so let's say you have a padlock on one of your perimeter gates someone snips it off. Most people don't care. Well what you can do with that is if that was a criminal that took it off they can open it up look at the pin lengths and create a key that fits that lock. And you might say well that's fine because we use a restricted keyway. So so they can't make a key for that lock. Well they can go ahead and cut it in half and use the lock itself to press a blank that they can then cut with the bitting for that key and they now have a key to your facility.

In the case of a master key system it's a little bit more complicated. So you can see the right arrow pointing there to the master wafers. That's what allows both the master key to work in the lock as well as the key that's only supposed to be for that single lock. It's a little bit more complicated from there to figure out which one is the master key. But if you have a little bit of information about the system you can do it. So you've taken the lock apart you know where the shear lines are that seriously reduces your system. In this case we know it's a very large Medeco system so that lowers the difference that's allowable between adjacent cuts. We know that there's some IC cores in the system. Let's say we found a random key that works on some other single or lock in that system. We can put all that information together and come up with just two possible keys to try. And it's very easy to try the first one and if it doesn't work bring it down to the second one. We have a whole other talk about this coming soon to a conference near you. But the point is it's possible. So if you lose a lock that's on a master system you should consider that as being that you've lost that master key.

Let's talk about KeyMark. It's sort of a compromise solution by Medeco that has ostensibly restricted keyways but none of the high security Medeco angle cuts.
If you take a look at this picture here you can see that the pins in KeyMark in the KeyMark lock only go into that nice straight flat part at the top. That nasty keyway at the bottom never actually interacts with those pins. So if you want to create a KeyMark blank, of course you can press it. It's a really good lock for doing that but you don't even need to. You just need a flat piece of metal that's a little bit shorter than what the blank is supposed to be and that will operate the lock just fine.

Let's talk about Medeco's main line products. So we see here an M3 key and the M3 keyway that we've generated on our computer program to the far right there. This is the code that does it quote unquote code and that's just taking a rectangular piece of bar stock and we're milling out those rectangles in the top and the various holes or the various grooves along the edge. Here's an example of what some different M3 keyways look like. And what we've found this is purely empirical so I'm open to being shown a counter example but what we found is that for the vast majority of M3 locks the wards or the milling at the top, the milling at the very bottom doesn't change. The milling in the middle stays the exact same geometry. It just moves up and down a little bit and that's what lets Medeco create so many different M3 locks or M3 keyways. So we just went ahead and removed metal from everywhere that metal could possibly be removed from. And we now have a master M3 blank.

But it gets worse than that folks. It gets worse than that because we have this master M3 blank. We went ahead and took our database of common keyways that exist out there that you can get for 20 cents unrestricted and we looked through it and we looked to see which keyways have the least metal you have to file off to make it fit into that master M3 keyway. And this is what we found. Master Lock. Most common padlock in the country.
Most common padlock keyway in the country fits, unmodified in a Medeco M3 lock. Not quite all of them. Of the ones we tested about two thirds but that's a bit of a problem. So we took a Master Lock blank. We used an M19 which is a little bit longer than an M1 because a Medeco is a long lock. And we filed away to allow it to operate with the M3 slider. And we added the Medeco cuts to it. And we created a functioning Medeco M3 key on a Master unrestricted 19 cents M19 blank.

Let's talk about facilities that use proprietary keyways. Very high security facilities they're going to purchase a keyway that's only used on that facility. Well what can we do about that? If we can access a lock and presumably we can if we're a criminal trying to break in, we're going to go and take a photograph of that lock. And it's very easy image manipulation to then get that into a program that you can analyze. And so in this particular example we run through that same analytics. And in this case we're limiting ourselves to Medeco blanks that are available on the after market because everything before M3 is out of patent so you can. And we find Medeco 19S a very small amount that has to be filed off to make that work. Or Medeco 17S upside down. So when we're analyzing through all the different keyways out there turning it upside down effectively doubles possibilities that might work.

We also have this little nifty tool. If you have access to the key physically you stick it in here, push those metal bits in to form along the grooves of the key. And now we have what emulates the lock itself. So if we have access to that key for a brief second on a pen testing job we can push that in, get that keyway and then take it back to our shop and see which blank actually fits in there. If you don't have physical access to the key you can still get the keyway from photographing it.
So if you look at the keys in your wallet or in your pocket whatever you have on you you'll notice that at the very top of the grooves there's these artifacts that are left by the milling process. Those artifacts there tell you how deep that milling is. So the photograph on the side of the key it's hard to tell depth but that gives it to you in fact amplified. And that just comes from the fact that milling is done with a circular cutting wheel and do a little bit of math Pythagorean theorem there and it tells us that the amount it goes up beyond the end of the deepest part of the groove is related using the Pythagorean theorem to the depth of that groove.

So what can we do with that? Well in this terrible security decision here we have the master keys for a facility I will leave nameless hanging on a wall behind the public security guard's desk. It's been presented in research already that you can photograph a key and get the bitting from it. You can also photograph a key and now get the wards for one side. So we now know what one side of the keyway looks like and it's real simple at that point to do some analysis and figure out what keyway it is because for the most part one side is fairly unique.

So that's all you can do with keyways and that's for getting a blank that's restricted will not fit in a lock it's not supposed to. Let's now talk about all the other stuff that different lock manufacturers do to prevent you from duplicating their restricted keys. I'll start by mentioning that for the most part keys are just pieces of metal. We're going to try to hammer that home and so you don't need any of this fancy equipment. Just about every duplication process you could need you can do with hand files. And in fact our sister was recently in India and the first thing she said when she got back is hey guys guess how they cut keys there.
And so on the left you see that gentleman in blue sitting down and he just has some hand files and a set of blanks and the gentleman standing behind or in front of him is getting his key copied and he gets very very good at that and without whoopsies and without level of skill you can copy standard keys and just about any high security variant.

With that said let's talk about Medeco. So there's a few different variations of Medeco that exist. At the top you can see Medeco Classic in the middle there is Medeco Biaxial and at the bottom is Medeco M3. So just for background here you can see that the cuts at the bottom of those valleys there some of them are straight some of them do have angles to them and that's one of the big security features that Medeco has and one of the challenges when you would be trying to copy it. So we've already talked about filing that's one of those options. Another one is anyone with access to a hacker space you would have access to a lathe. So here we have the Medeco cutting wheel which you can buy online relatively cheap 60 bucks and we have it set up in the lathe there. We have a key set up and this can be used to cut those quite easily. And another one that you would find at a hacker space is a mill and that's pretty easy as well to do copying with. You basically clamp the blank down onto the mill and then you can rotate the head and just use a regular end mill to get those angled valleys for the cuts.

So another one that's really uh it's been documented pretty thoroughly but we'll just mention here is casting and this process is essentially you take your blank or your key that you want to copy you press it into a material that will take its form and then you would pour in something that would basically set in there and it would create a copy. So kind of a novelty here um this is a carbon fiber Medeco Biaxial that we cast. And one of the important things to note with Medeco is even with the M3 um the blank is one solid piece.
What you often see on high security keys is called an interactive element which is where you essentially have a piece inside of it that moves independently and that defeats the casting attack here uh because you can't cast something with two separate pieces inside of it that are moving freely. You can only do really one solid object and that brings us to Mul-T-Lock which is one of those where you do need to consider the interactive element.

Alright, let's talk about Mul-T-Locks. We see here the three generations of Mul-T-Lock key Classic at the top and Mul-T-Lock is what's known as a dimple key so the cuts are made on the side of the key rather than the top otherwise the operation is exactly the same setting pins uh to the right height as well as it has what's called telescoping pins. So you have an outer pin and an inner pin inside of it other than that it is um a standard pin tumbler lock. Mul-T-Lock Interactive has that little black piece um on the second pin from the left and that actually moves within the key. So that's going to push itself up and um and one of the pins is actually too short so it will push that pin up and allow it to reach the uh shear line and MT5 which is their latest generation that just changes the interactive element around slightly to maintain patent protection.

We went ahead and figured out a way to duplicate a Mul-T-Lock on a standard drill press. So you can buy these Mul-T-Lock uh cutting bits online for about twenty bucks and most many people have a drill press if not a hacker space surely will. And the first thing we do is we take the key we want to copy and we put it in our vise and we index on the cutting uh cutting head. We index where exactly that key should be placed by putting the vise at the right position. Index how deep the drill should go and you can set that once it's at the right depth so it'll only drill to that right depth. And we can go ahead and use a common drill press to copy a Mul-T-Lock key. There we go.
So we can see here that cutting head. Now that everything's been indexed we've replaced it out and swapped in a blank uh for that particular key. And there it goes. And then when it reaches the bottom stop that's as far as we know we have to drill down um because the depth is what's important here. And you can see that nice uh channel there or that nice uh hole there that will work for that outer pin. So here's the copy a little bit messy but it works.

We can get stupider than that. We can copy key by mitosis. So Mul-T-Lock you can insert it either way. And because of that it completely duplicates all locking or all important elements on the key. So we can just cut them in half and end up with two functioning Mul-T-Lock keys that have everything you need to make it work. Of course it works. And by the way um this one that we cut in half we cut on a drill press using blanks we bought on eBay.

Let's talk about Abloy. So Abloy is probably one of the most well known names in terms of high security locks. And it's for good reason. So here we're showing uh three of the main most common uh generations that they have. There's the Classic up in the top there. Uh the Protec in the middle here and the Protec two in the bottom. And something important to note is the Protec two you can see the arrow pointing to that little sort of circle there. And that's the interactive or the interactive element of Protec two and it's essentially a ball bearing that's captive in that key. So how these work um is we've already covered a lot of pin tumbler which is where you have a lock that has pins in it and the key will raise those to the right height. Similar to how you would have a shear line for that. Um instead here we have disks. And when the key is inserted into the lock it's gonna go inside of that disk stack which is in the red rectangle.
And when you rotate it depending on the notches in the side of the key it's gonna rotate those disks different amounts and if they are rotated correctly then the key will be able to open. And here you can just see similar to how you would have different length pins for uh the bitting on a pin tumbler lock that would correspond to depths on a key. Here you have disks with those notches and depending on the radius and the angle of the cuts on the uh key it'll hit it after rotating a certain amount. And those little notches on the outside at the top of each disk uh those all need to be lined up perfectly for it to open. So let's talk about the uh keyway of Abloy. So here what we're showing is a view of the uh keyway on a common Abloy blank. And you can see in the red rectangle there that's essentially all that you have in terms of actual warding that's gonna be uh restricting this. Above that those two points below and above are what contact the disks. And so what we can essentially do here is looking at that that's pretty thick in the middle right? So we can take off all of the material where Abloy has sort of accounted having that there for their warding. And what we end up with is on the right there. That's a master blank for Abloy. It has enough clearance that it can fit past any of the warding that they have. And it still has those two uh sides there that you would put the cuts on for the disks. And so for cutting this they have real fancy machines in a locksmith shop. We don't have any of those. So again go out to your hacker space or wherever. Um and all you need is just a mill here. And we have that blank mounted and just a cutter there and you can easily get the cuts working with that. And so casting we discussed before uh this would also work for Protec one because it doesn't have the interactive element. However Protec two has that so we're gonna have to think of something else. 
So in the red rectangle there that's basically one of the only important new features on Protec when it comes to what we're thinking about and it's called the disk controller. And so a close up of that here how that works is with the interactive element there's a ball bearing with a spring that you can see on the right side. And when the key is inserted all the way that ball bearing can be pressed into the key it pushes that captive bearing over which in turn pushes the blue pin you can see there. And that pin needs to be pushed outwards all the way for the lock to actually be able to rotate. So how do we defeat that? Well here we have a Protec two key up top a Protec one key down below both of them we have cut to the same bitting. And you can see it's kind of a little bit disfigured there the Protec one at the bottom and that's because we've milled out a recess that allows us to put in a pick a piece of wire really anything and it's not hard to get that interactive element to set. And again with the master blank there there's more than enough clearance to insert that pick or piece of wire to interact with that. And here's just a little piece of metal that we've made as a tool that makes it incredibly easy to get that interactive piece set. And so now we're going to show you a video this is a Protec two lock that you see and it's a Protec one key. And normally there's no chance that's going to work. Here we show just how incredibly quick it is using that pick to get that to actually work. Let's play that again that was uh uh never mind my mouse is hidden. Let's play that again that was a real quick video. And you can see we're inserting that pick in there. And that's how easy it is. It's low tolerance there's really nothing challenging about setting that interactive element. So let's talk about the symmetry of Abloy. Similar to Mul-T-Lock um Abloy if you look at that down the middle you'll realize it's entirely symmetrical. 
And in this case it's not so that you can have it uh similar to Mul-T-Lock but it's because it needs to interact with the disc on both sides or so you think. Turns out you can cut it in half just like the Mul-T-Lock that we showed. And you now have two working keys for Abloy. Now Abloy arguably I would say if I had to trust something to one lock Abloy is the company I would go with. So let's talk briefly about the two man rule I'm sure a lot of you know what this is but it's essentially for very very high security applications we're talking nuclear missiles uh similar things to that. You have to have two people to turn two separate keys. And that would initiate a launch. Now let's say you have an Abloy securing uh your two locks for the two man rule. And you only need one of those keys and two random people and they could set that off. So this is a pretty significant exploit. So one thing we haven't covered yet uh tip warding is similar to the warding on the blank of a regular key. Abloy also has warding on the tip of their key where when you insert it it can go almost all the way in but if that warding isn't correct it won't be able to go fully in and the bitting won't line up with the discs and the interactive element won't line up so it won't work. So you know this one's pretty simple um but some of them can be complex looking so you'd wonder how do we uh how do we throw it? Oh okay so we have a little bit of a snow storm here. Alright so let's use this one then. So um what you can see here basically is this disc is the tip warding disc it's at the end of the lock and when the key goes in you can see on the top left of that there's a little bit of an indent going into the key and that's their tip warding and both of these keys here were hand made by us. The left one we've followed fairly closely what the tip warding would be and you can see how it fits in nicely but you don't need to. 
That one on the right there is the master blank we created and it turns out it doesn't matter if you file off a lot more than normal it's still going to work in that lock and this is one of the keys that we created. And so then we'll briefly talk about uh these uh side-bitted keys so this is Primus and Assa and you can see those ridges along the side and those are their high security feature. In terms of copying those we have a machine hundred bucks online on eBay and it essentially has a probe that's on the right there that goes into any key that you already have and that could be any other key for the facility or even from the same locksmith that set up that facility the side bitting is usually exactly the same regardless of the key and then it's just copied onto this regular SC1 blank on the left and what you end up with is a blank for Primus and that can be applied to Assa as well. And then also we have how do you get it properly copied right? We're telling you all these ways to do it unauthorized. Um the way that you're supposed to do it is you have this card that you bring into an authorized locksmith you show it to them they'll look up that code and they'll cut it for you. Well this card you see here doesn't actually exist. We created software where you can input at the top what you want your bitting to be and it will generate an image with the code that corresponds to that and a lot of online locksmiths will accept these and all you really need is just one two and this is essentially a cut key. And here we have so here we have just the Abloy one again it's even simpler paper and there's just the codes there. Um patent that's basically what prevents regular locksmiths from normally copying it because legally they can't. Alrighty so we have about two minutes left to talk about what the blue team can do to remediate against all of this. 
Uh first off is mastered or sectional keyways they're great as an additional security feature not as the only one restricted keyways exactly the same thing great as additional not as the only security feature. If you've lost the lock you have lost the grandmaster key. Many people say well physical keys are dead herder um because of all of all of these exploits. We don't really agree with that. You need to understand your threat model. Number one most criminals aren't going to be picking that lock making duplicated keys etc. Locks, it's generally accepted in the security community, they keep honest people honest. Um and so if you're using them for that purpose it's just fine. The other thing you need to keep in mind is your security to be truly robust should be uh air tight even if someone has a master key to your facility. So here we have the basement of Toronto City Hall we hail from Toronto go Raptors and um let's say someone wants to steal the key to the city. Well they're going to go in they've got to bypass two doors this is the uh the um path we're most concerned about after bypassing the first door five seconds with the key sets off a motion sensor. Now sets the guard in motion so he's got to follow through what he has to do to get there. First he has to finish his doughnut and then travel to intercept. Meanwhile the intruder is taking some time to break through or to key through the second door travel 120 feet crack the safe etc. If he can get through that safe before your guard gets there um you you have failed security wise and your system is not robust. If you can add enough delays and sense intruders early enough you can make your system robust even if a master key is lost. And that's what you should really be aiming for 'cause locks only keep honest people honest. 
The last remediation is of course forensics um so all of these techniques leave marks on the pins, they leave slight chemical residue that can be tested for. If you suspect that something has happened to your facility, there are tests that can be done to tell what it was. So in short we have defeated a number of uh fairly well known big key types out there and um and we we just want everyone to be aware of uh the sort of exploits that are out there. Thank you very much. We welcome questions in Lock Bypass Village which we are running right after this right now. Thank you very much folks.