Hey everybody, nice to see you all. I was out here last year talking about the culture of locksport and some of what had been going on up until that point. This talk today is, in a lot of ways, a year in the life, a one-year recap of what's been going on. But there have been a lot of exciting developments, and I think we have a lot of good things to talk about. So, the name of the talk: How to Make Friends and Influence Lock Manufacturers. I'm Schuyler Towne. This is Jon King right here. Wrestling is my name. Maybe not. This is Schuyler; my name is Jon King. You're going to hear a little bit more about me later. I haven't slept in 48 hours and I'm a little intoxicated. Out of curiosity, last night and this morning, who had a drunken conversation with me? Anybody? Excellent. About 10 minutes ago.

All right, so, how to make friends and influence lock manufacturers. "The lock and key: the distinguished device of civilization and enlightenment." Or, at the very least, that nice quote makes you feel really important if you're a lock picker. All right, I am a Toool member. That's The Open Organization Of Lockpickers. I was actually a co-founder of the United States chapter of that. I've since stepped down from the board, but I remain a very active member and love that organization. I'm also involved with NDE Magazine. That's Non-Destructive Entry Magazine. I realize I forgot to put the website on here. I'm the executive editor. That's NDEMAGMAG.com. This is the DEF CON preview cover. I'm trying to tell people that's Liv Tyler. It's not going over. Anyway, this will be coming out later on today. Check the website and check it out. It's got a lot of information about the upcoming contests that are going to be going on all weekend long.

All right, let's talk. I'm going to quickly go over what we're going to cover here today. The talk is in four parts, basically. We're going to talk about the Robo-Key System at the top.
It's an incredible new lock that was very much developed within the locksport community. They relied heavily on input from the community and are well traveled in it as well. So we're going to talk a little bit about that company and the lock that they built. We're also going to talk about Kwikset, a company that you wouldn't usually talk about in the course of a high security lock discussion, or whatever the case may be. But they dramatically reinvented their product line, and we're going to talk about the reasons behind that, the process they went through, and a little bit about what's going on with the new generation. Again, a lot of this is tied into a direct response to the locksport community. We're also going to be talking about the Abus Plus system. This is a disc detainer system. There is a near-comical flaw in it, which was just sort of a forest-for-the-trees thing that a lock picker came up with. He tracked down a way to decode it very consistently. The company themselves completely changed the design of it, and we're going to talk about the challenge they issued him after that. We'll cover the whole thing. And of course, Medeco. This is where Jon will be talking. The magazine, NDE Magazine, worked together with the company and Jon in order to release the exploit via the magazine in our last issue. Jon did quite a bit of work with them, and he's going to cover all the bases on that and do a demo for you right on stage, opening up a Medeco M3, their newest generation.

All right, now in the previous slides, the ones that you'll have on the CD or on the website or whatever the case may be, there's going to be a super secret announcement. I'll tell you right now that announcement was going to be about a grant program for high security lock research. The fact of the matter is the magazine is not organized enough at this time to go forward with that, so that's going to be delayed, perhaps until another con. So there's your announcement.
Sorry, it's a disappointment. You ruined the surprise. All right. First of all, I want to cover the making-friends portion of this. This is fairly fast. All I really have to say about making friends is don't be a jerk, and tell people if you see something they're wearing that looks nice. It works really, really well. But as far as making friends and communicating with lock manufacturers, Barry Wels, who's in the audience here today, actually wrote a wonderful piece for the magazine in our last issue that's kind of a simple roadmap to carrying out responsible disclosure. I'm just going to cover his bullet points and talk a little bit about each one of those. I think it serves as a really convenient guide to folks who are going to be involving themselves in this field at any level.

First of all, be professional. Approach them professionally. Approach the company with proper language. No leet speak or anything like this. Present yourself in a respectable manner and you're more likely to be respected. Be honest. If you have something theoretical that you haven't actually managed to accomplish yourself, don't tell them that you've broken their lock, that everything is defeated. Be very clear about what it is that you've done with their product, which transitions into being thorough. Be very distinct about what locks you attacked, how many locks there were, exactly the method by which you did it, et cetera, et cetera. Make sure that you cover all of your bases. You're going to have to be very detail-oriented when you approach a manufacturer. You want to have the whole package put together for them. Be very clear with them as well about your intentions behind this. What is it that you want them to do about this? Do you want them to disclose it? Do you want the product fixed? Whatever the case may be. Be very clear with your initial intention when you're walking in. You do not want to be misrepresented or misunderstood.
Don't ask for money. This is one that's almost a personal thing. There's been a lot of debate about this. We personally believe that once you involve money, that's when things go wrong, especially if you come to a manufacturer and, for example, they offer to pay you. Right there, things can go wrong. For example, shut-up money. The public should know about this kind of thing, we think. It's just not worth it. That's an arena that you don't want to tango in. Tango. There is a very thin line between consulting and extortion. You have to be careful how you walk it. It's thin to the point where they can pin you with that. You need to take very good care of yourself when you're approaching this.

Be prepared. Barry outlined an extraordinary system by which he approaches new locks when they need to be reviewed. He receives ten of them. He takes eight of those and sets two aside. We'll do those later. Of the eight, he disassembles several of them and attacks the rest, refining as he goes. He refines his attack. By disassembling it, you're able to see what it is they've changed to defeat the previous iteration of your attack, so that you can update it and attack another small subset of those cylinders. Once you've done that, and this is very important, the two that you've set aside are for when they come calling, when they visit you or when you have to visit them, so that you have a sealed cylinder that they have put into your hands, which you can open for them by the same methods, showing that your attack works across the board. It works universally. Also, the purpose of asking for so many locks and taking them apart is that you don't want the company pulling a fast one on you. Basically, you're challenging their product and their design. You don't want them to implement features that are not standard to try to trip you up whenever you're opening these locks. Absolutely. And finally, do not sign non-disclosure agreements.
These will remove your ability to report on the situation independently. They will tie you to that company, and they will keep you from being able to pursue disclosure beyond your interaction with that company. You need to remain an independent agent, and there are people who can support you in this. You know, there is The Open Organization Of Lockpickers. Barry has made it clear that he's comfortable being contacted via the magazine. Of course, anybody at NDE, anybody at Toool US, et cetera, et cetera. There's a fantastic community out there who can support you through this. So, don't sign the NDAs. Remain an independent agent when you're working on this.

All right, so with the roadmap of disclosure covered, we're going to get into the meat of the talk. So, this is the Robo-Key System. This should be the first time many of you have seen this. This is a really nice quote from John: "It's easy to love your own baby, but we wanted to get this out into the community. We figured they wouldn't be shy about telling us what was wrong with it." It's absolutely true. So, a little bit of background on the company: John and Bob Laughlin. John was a telecommunications engineer; when that bubble burst, he got together with his father, Bob, who was a retired lock engineer. The two of them got together, and his father had previously formed a company called Stanton Concepts with his brother, Tom. This was a couple of decades ago, I guess, but they revived the brand and started working together. As for the inspiration behind the lock and behind their renewed interest in the security field, they both have a healthy interest in security to begin with. As I said, Bob was a retired lock engineer. He and a couple of folks bought out a company in Connecticut that was producing the Tough Lock. I don't know if any of you have ever heard of it.
They had a huge contract with UPS in Manhattan and brought their theft rate down from, well, I shouldn't quote numbers I'm not 100% on, but they greatly reduced it. So, they realized that the world was dramatically more interested in security than it ever had been before. Not to throw the buzzword out there, but post-9/11, there were a lot of things being looked at that had not been looked at before. A lot of things that had long gone unscrutinized in security that people were now very interested in. They saw an opportunity to build a business up around those interests. The big question they had when beginning work on the RKS was: how can we secure containers that have to change hands multiple times, with multiple potentially authorized users that have to get into those containers, and survive the conditions that those sorts of shipping containers have to go through out at sea?

So, let's talk about the basic operation. The lock has a disc detainer appearance. It looks like, but does not function like, an Abloy cylinder. It has flies on each one of the discs, just like a safe lock does. This is a small protrusion of metal that picks up each disc in turn, like a combo lock. You turn it around three times. Each individual disc picks up the one after it, and the one after it, and then you turn them backward to leave them behind, and back again to leave the next one behind. This operates the same way, but there are six or seven discs in a cylinder, and they're extraordinarily small as well. They're able to fit into the form factor of a normal Abloy cylinder. The thing with having this simple mechanical device is that it's an extraordinarily rugged solution for the environmental conditions. By having the mechanical end of this lock separated from the electronic end, which we'll talk about in a moment, it allows it to travel safely without damaging any electronic component that might otherwise be carried on a different solution to this problem. So, the automatic dialer.
This is the electronic portion of it. The operator of the lock does not need to know the combination. They simply have to be a valid user of this automated device. And I'm very sorry, I should address this right now: I do not have pictures of this at the moment. There will be some in the magazine, and I'll be providing some to DEF CON afterwards. There are plenty of pictures for the rest of the locks later on. My apologies about that. Negligent on my part. But we'll continue. There are various potential forms of authentication to use with the automatic dialer. Anywhere from just a standard password, to RFID solutions, to an embedded dialer in a cell phone. You literally just need a small motor that can turn clockwise and counterclockwise, and from that point on the whole process is authentication. So you can build these very compactly, very small. And the solution goes all the way down to simply a matched pair: one dialer matches one lock. The range of possibilities is fantastic. There's also a manual dialer. If there is some sort of catastrophic electronic failure, you are able to use a manual dialer, authenticate yourself in some other manner to the owner of the cylinder or to another authorized user who can get you the actual dialed code for it, and input that. It takes a little bit of tactile dexterity, but they have a very nice dialer and you can accomplish it. So, that's the basic concept.

First introduction. This is a fantastic story that Bob Laughlin told me recently. He met Han Fey via eBay. Han Fey is one of the preeminent lock collectors in the world, also a member of Toool and a very nice guy who's sitting in the second row. He bought a lock off of Han and began talking with him. So, this is fine. They're both wonderful collectors. They traded stories back and forth, traded locks back and forth, and in late 2005, Bob happened to be traveling to Holland on an unrelated trip. He got hold of Han and said, you know, why don't you come up?
My wife and I are going to be in town. Let's meet. Let's have lunch, whatever the case may be. And as Bob tells the story, Han said, I can't. I'm a thousand kilometers away, or I'm a hundred kilometers away. I wouldn't be able to come in. But as it turned out, Toool had planned a meeting the night that they were in town. So when Bob and his wife arrived, they got a phone call up to the room and Han said, I'm here in the lobby. It was very whirlwind, and Han's a very energetic guy to begin with. But in particular, Han invited him out to the Toool meeting, which is at a sports complex a little bit outside of town. And when the two of them arrived, there was a large construction site. Now, Bob Laughlin is going on 80 years old. Han looked around and said, well, it wasn't like this before. There was a large fence in front of them, about six feet tall. And Han started digging around, looking for a hole in the bottom of the fence. He found an area at the bottom of the fence that he was able to pull up, and he invited Bob to crawl under it. Again, Bob is going on 80 years old. So Bob, good sport that he is, gets down on the ground and he starts kind of shimmying under. And again, as Bob tells the story, Han put a foot right on his butt and shoved him right under. So Bob popped out the other side, and there they were in the middle of the construction site, picking around in the dark trying to get at the sports complex. So they get all the way through that, to what is now probably a seven- or eight-foot fence. And Han kind of looks back, looks over at the fence, puts a foot up on something in the dark and vaults himself over. And Bob, one more time, going on 80 years old, standing behind the fence looking at Han, and out of more faith than Han probably deserved at that moment, he put his foot out into the dark, found the same spot that Han had, and vaulted himself over the fence, landing on a dumpster.
So, getting off of the dumpster, he notices there's a little guard station out in front of this complex. And the guard is noticing what's going on. The guard starts to walk out of his little door, and Han walks right in the little door, right past the guard. The guard says, well, that's not the way to get in. And Han says, oh, and just walks right inside with Bob following behind him. So that was the introduction of the RKS to the locksport community. Bob said that he felt like he had been hazed, and got out the other side all right.

So, after their meeting there, Barry taught Bob to pick a lock for the first time. He had a wonderful time. The RKS was passed around, and one of the first prototypes was looked at there. And John Laughlin, his son, was invited to the Dutch Open. So, at the Dutch Open, John told me on the phone, he said, the people were very generous with their knowledge, and that's both honest and a little bit tongue-in-cheek. The number of attacks that were thrown at this thing. He had a whole talk, which the gross majority of the conference attended, and they threw around ideas as openly and wantonly as they could. There was a wonderful panel on any viable attack, and on any viable application of the lock to matching technology or security solutions as well. From there, John attended Loa with Han and Barry as well. They were able to showcase the RKS and the other products from the company. Things went fairly well, and they actually got an article in the National Locksmith about the RKS out of that. So a little bit of attention was starting to gather around the lock. However, while they're actively seeking a licensing deal for the mechanical lock itself, they very much wanted things to move forward with the automatic dialer, to get the product out into, if not the marketplace, then the community, where they had already found quite a bit of camaraderie and tête-à-tête. Money. They wanted to get the ball rolling while they were seeking a deal.
So they have a microcontroller in this auto dialer. It's a PIC microcontroller. They're working on the software behind it right now. We're going to have some more details about that in a couple of weeks as they become available to us. But for the dialer itself, they're providing all of the source code, and they're providing developer kits which include a lock, the current version of the dialer, and again all of the code backing it. What they want is for people to take their automatic dialer, or build their own automatic dialer that could interface with their cylinder, and add whatever functionality you see fit to it. They are aiming to get the total package, the lock and the dialer kit, out for about $300. And again, what they want to see: they're mechanical engineers, and they said to me, we're mechanical engineers, we've taken this as far as we can take it right now. We've hit land's edge. We think we have a great product. We think that any number of emerging technologies can be applied to the electronic end of this product. We want to see what people can do with it. So they're opening it up to the community at large. You can have access to the microcontroller. You can have access to the dialer without need for a license. You can build a tool to interface with their lock. It's a little bit reminiscent of a video game platform. They've built a platform, and now they want to see third-party developers developing for it. And they would love to hear from you. John has always kept in touch with the folks in the locksport community. I've been on the phone with them frequently lately. Other people have before me. I've been able to chat with people and see what's going on. This is the email address. If any of you are interested in the project, or if you just want to know more about it, feel free to contact him.
As I said, in a couple of weeks we'll have the full issue of NDE out with many more details, many beautiful pictures, and the details of the software backing it. That is the RKS.

Kwikset SmartKey. Kwikset, I think, is a manufacturer you all know. They're one of the cheapest. You can walk into Home Depot and buy their lock. Put it on your door. They aim themselves at the suburban housing market. Yes. Has anybody here picked a Kwikset? Okay. Very good. Good call. Kwikset. This is a good quote, and it leads into the first part here. There's an article in the Wall Street Journal from back in 2006, and I was reading it again and I noticed this quote: "At least one lock maker says the hobbyists can help companies," and that turned out to be Walt Strader from Kwikset. So I ask you, how blind were we as a community? Walt Strader told the Wall Street Journal that he had heard of bumping via the locksport groups, via the information that was getting out there because of the work of Toool and so on, et cetera, et cetera. He told them this in 2006, and in the same article he talked about how they were creating a solution to this. They were taking this seriously and creating a solution. And in the year and a half that I had that article tacked above my desk at work, partially because my face is on the front page of it, in that year and a half I had only ever read to the part about Schlage, where Schlage says that they would prefer that we keep the industry secrets in the room, just like the magicians' community. Something to that effect. And that's something that's always kind of riled me, or whatever the case may be. But I had always stopped reading just before Walt Strader said, we're coming up with a solution, and we noticed it because of the locksport groups.

So SmartKey launches. This lock is 100% bump-proof. It does not have a separation of two pins. They took their entire product line and changed it. They removed the pin tumbler mechanism from their product.
And again, this is an enormous manufacturer, and while there is fervor about bumping and scare pieces on local news and things to that effect, nobody else has really gone this route. Nobody else has completely changed their product line to address this. There was no public outcry, no large enough public outcry, to force this company to do this. So they were moving ahead of the curve. The SmartKey is re-keyable. This is not the U-Change concept. A lot of people say this has been around forever: U-Change had it. That lock was awful, and it's off the market now. And the U-Change was not a particularly good lock. The SmartKey, however, works on a very different principle. We're going to talk about how it works in just a little bit here. They had a very subdued marketing campaign. They certainly marketed their new product, their Smart line. They also have a biometric end of this as well. No particular comment on that. But in their very first packaging there was no mention of it being bump-proof. I talked to Walt and I asked him why this was. They said they didn't want to repeat the mistake of other manufacturers. They didn't want to come out calling their product bump-proof if there was some mystical way that it could be bumped. They wanted to get it into the hands of the locksport community, or various people here, and see what damage could be done against it before they were willing to put their name on the line for that. There's a very rigorous testing process, and actually a very interesting one, that we'll talk about as well.

So how does it work? I'm going to describe some pieces of it to you and show you how they all integrate together. Try to keep the pieces in your head for when I get to the fourth slide. So this is the sidebar assembly housing, and you can see that the sidebar there fits into that top section. You can see how it's cut out there. The serrated wafers are in the bottom right. The sidebar itself will interact with where it's marked "sidebar gate."
So those will be facing in towards that housing. And each of those serrated wafers is going to lock into the pins that the key affects. You'll see that very clearly in the fourth slide, but keep in your mind the way these will be integrated, and you can see right here with them actually installed in that sidebar assembly housing. So again, each of those serrations, one on each wafer, is going to catch one of the key pins. And that's just the sidebar from the other side, so you can see how it fits in. So this is the actual plug assembly. The driver pins are installed and the sidebar is not on yet. When the sidebar is placed on, you can see how the key actually lifts each of those pins to a slightly different height. Each one of those little teeth on the pins themselves, those are what fit into those serrated grooves on the wafer. And by lifting them to the different heights, it lifts them so that the sidebar in the back, here we go, so that the sidebar in the back is able to press in. Hold on one second. I just want to show you that first slide one more time. So again, see the sidebar gate? When these are all lifted up to the proper heights, that gate lines up all the way across so that there's a long channel that the sidebar can drop into. So that's how the key operates normally, but the re-keying feature is particularly interesting. The spring on the bottom here: there's a small metal tool that, when the key is in the open position, you can slide in, and it will push the sidebar offline. It will actually shove it back the length of where that spring is. At that point, you're able to remove the key because the pins are no longer interacting with the serrations. When you put the new key in, it will lift the pins up to different heights, unique to the new key.
When you allow the sidebar to slide back onto it, the sidebar has locked each of the wafers in place, and each of the pins will line up with a new serration on each one of the wafers, giving you a new key combination. So that's how they're re-keyable. It's a very interesting solution to the problem. And they're instantly re-keyable by the home user. We hear from locksmiths that occasionally people screw this up one way or another, and locksmiths are still seeing them every now and then, but for the most part they seem to be doing pretty well.

I mentioned that they had a rigorous procedure, so I'll talk about that. So first of all, we saw it at the 2006 Dutch Open. We didn't have the name of the manufacturer at that time. We simply saw a prototype of it. Word got around fairly quickly who in particular it was. There we go: prototype from an unnamed company. Arthur Meister, as I remember it, was the first person to open it, and it took him, I don't know, a little under 20 minutes, I think, the first time. He continued to work with it and got dramatically better with it. But we all got the chance to sort of see it, and see it pulled apart, that early. So already they were putting it in the hands of people who could bring it to the locksport community. And it was providing a definite challenge to people there. It was obviously not going to be bumpable. We could just see that from the manufacture of it. And people picking it were certainly getting through it, but it was providing a real challenge to people. Yes. Did he really? No. Oh, wow. Yeah, absolutely. For any of you who didn't hear that, I didn't realize this actually. I was fairly new to the field at the time. Arthur Meister was kind of a big guy. And apparently he managed to force the sidebar. He managed to actually damage the lock in order to destructively open it. Which I didn't realize. Yes. Really? So the pins themselves are actually bent out of shape, the teeth. Yeah, the teeth that interact with it, yes.
Yeah, they were actually completely bent out of shape, and Han was able to investigate it afterwards. That's excellent. So they took that, and I can't believe I didn't know this. This is amazing. So they took it then and they redesigned it before it actually went into full production. And it's interesting. It dovetails nicely with something they're doing in the new generation as well. So, that's very interesting. I just learned something as well. It's a good talk.

So they also took it to Japan. And lock testing in Japan is very interesting. There's a very different culture of entry in Japan to begin with. Now, I have this from a couple of sources. If people are lying to me, you can let me know after in the Q&A. But here's how I understand it. In Japan, the thieves still have that sense of extraordinary politeness. And they do not want to damage anything as they illegally enter your home. So, where in America one of the bigger concerns is somebody throwing a brick through your window, in Japan there are actually people actively, surreptitiously defeating the locking mechanisms on people's houses. Yes. You have to respect that on a technical level. So they have a very interesting method of testing, which actually reminds me quite a bit of some lock-picking competitions that we have here. They will take some accomplished lock pickers, I assume either locksmiths or people professionally working with the testing organization, or whatever the case may be. And they'll have a panel of them who will each receive the lock, and they'll begin picking the lock. And they will try to pick it in five minutes. And if they can't get it open in five minutes, they reduce the field a little bit to the people who seem to be the best of that group. And that smaller field will try to accomplish it in 10 minutes. And if they can't accomplish it, they reduce the field again to, I think, maybe about four of the most accomplished people. And those people are given 15 minutes to pick the lock.
And this is the way in which you get your rating for how resistant your lock is to surreptitious entry. Well, they passed the 15-minute attacks with flying colors in Japan. The lock withstood the surreptitious attacks of the pickers in Japan even at the 15-minute mark. And again, most people that I've talked to in our community who get the locks for the first time, we usually see times of around 20 minutes, maybe a little bit less, when they first start working with them. Again, people get better with them. You know, you continue to practice. Of course, you improve your times on every lock. But first time in hand, we're looking at 15, 20 minutes.

So, the SmartKey 2. This is a new generation. This is... Yes. So once again they've updated the materials for destructive entry concerns. More destructive entry concerns came out after the lock hit production, a lot of them from around the locksport community itself. And Black & Decker took that information and updated some of the physical materials they're actually using in the lock. We're getting the details of all of that, once again, for the upcoming issue of the magazine. So we'll have a whole display of exactly what changes they made along the way. What we know is that they're addressing destructive entry concerns that grew out of the community, attacks that were theorized by folks in the locksport community. Once again, this is a similarly subdued rollout to the first generation. As a matter of fact, they're out right now. If you go today and you buy a lock that's been put on the shelf in the last month, you're buying the new generation of this that's been updated. They simply started rolling out the updated version and getting it immediately out on the shelves to their vendors. So, as far as SmartKey is concerned, as far as Kwikset is concerned, and the Black & Decker Corporation also owns Weiser up in Canada, who also have their own version of the SmartKey, what does the future hold?
Well, first of all, there are Black & Decker employees who are actively keeping an eye on the locksport community. They have people in their organization who read the blogs, who check out the forums, who are actively accepting submissions of attacks on their locks. And to my knowledge, I'm continuing to come up in this field, but to my knowledge they're the first American manufacturer that has taken that dramatic a proactive stance, actively keeping an eye on what developments are coming out of our community. This is great for them because, A, it led to some of the current advances in the lock and, B, it provides them additional free feedback, just constantly, from a group of people who obviously look at their product in a different way than they would. So lastly, they seem to be still excited for future collaboration. Walt in particular is working on an article with us for the magazine, and is very interested to see what new attacks are coming out. Right now in particular, and this has been sort of developing over the last couple of weeks and the last month or so, there seems to be a very specific decoding attack on the lock. The details are a little bit fuzzy at the moment, but some people seem to be having limited success with it. A little bit of it is still theoretical, but when that information hits the company, we'll be very interested to see what they do with it. Doing good. This one's really clever. This one's fun. Here. Secretary.

So, the Abus Plus system. Jaakko Fagerlund is, we call him, everybody's favorite Finn. He's a really goofy guy and a really nice guy. Thank you. And as he said in this quote here, "I suppose that nobody thought you could actually look behind the discs." So the Abus is a disc detainer system, much like an Abloy. It has a small series of discs, and we'll show you individual pictures of the discs in just a moment. So, a little bit of background on the exploit.
There's a guy in the community named Zeke, and he actually provided all of the pictures for us, and the diagrams of the Kwikset as well. He's a wonderful member of the community and has been kind of an inspiration to a lot of us, particularly on the American side of things. So everyone seems to have missed this flaw. It was very forest-for-the-trees, to the point where a gentleman named Michael out of Germany was actually participating in this contest that Zeke held, which was inviting everyone to write sort of high-security articles to benefit Lockpicking 101's advanced section, to kind of drum up some more interest in that back end. And Michael took this lock and he did a breakdown of it, and he explained how it worked and talked about maybe some theoretical picking of it, or whatever the case may be. But he didn't see what this flaw was, and I know I'm doing a lot of dramatic building up to it, but you'll see just how obvious it probably should have been. So Jaakko created a proof of concept for this and he submitted it to the contest and won. In fact, he tied for the win with somebody else, but yes, it was very well received in the community.

So here's how it works. All right, you can all see that fairly clearly. Do you see the four on the left-hand side of it? That's actually stamped into the disc, and that four is the code for that disc. Now you see where we're going. So now, that's not a big deal; there's another disc that's placed over it. However, when you turn that disc to 90 degrees, as you do when operating this lock, that four continues to be revealed. I don't know how clear it is for you there, but you can still see the gross majority of that four, and again, it's stamped into the disc. So he took a little bit of Blu-Tack and he put it on the end of a tool that he had built, inserted it through his lock, turned it 90 degrees, pulled it back like so, and he got a very nice, I know it's hard to see at this distance in his lighting, but he gets a very clear impression of the actual
number, and simply writes that number down, and he has that disc decoded. He knows what that is. He can get a key cut once he gets all of the discs decoded in that manner. So yes, this is a high-security lock that, as long as you stick something tacky in it, will tell you exactly how to cut the key, with numbers. And at least the key control on this lock isn't particularly great. After trying this method out myself and refining it a little bit, we'll talk about it here.

The goal of the simplification: we wanted to build the simplest version of Jaakko's tool that we possibly could. We wanted it to be as inexpensive as we possibly could as well. We wanted to prove that this exploit could be carried out by someone with very little money, very little time and very little experience. So, the tool that we constructed: we took the advice of a couple of fellow lock pickers and we filed down the head of a nail, just a large-head nail. We filed down the head of it, and we filed down the shaft of it, and then on the back side of it, so that it would fit into the keyway, we filed it down on the back side of it. We tried a bunch of different things, but nothing was really working. What finally worked really, really well was white glue. If you allow it to settle and get no longer tacky but still slightly malleable, you get that nice film over it, if any of you have ever put glue on your fingers. I used to do that all the time. So yes, and there was a big problem with the glue, I thought I had a bullet about it, there was a big problem with the glue in that it would wick up the shaft, and when the glue would wick up the shaft and dry that way, you couldn't really get an impression of it at all. It wasn't working whatsoever. So once, Josh Nekrep, who's the president of Locksport International, he said that we should just drill out a little bit of a hollow in each side of the head of the nail, and that way the glue would settle itself into that little bit of a hollow and there would be a nice layer just sitting right
at the top, and that worked beautifully. We were able to get nice, clear impressions. So that was the concept.

Alerting ABUS. The first contact came via an LP101 member named MH on LP101. He works on the magazine as well; his name is Michael Hübler, wonderful guy out of Germany, and he contacted ABUS directly. So the initial response was probably from their customer support. It was very polite but very non-committal, saying things to the effect of, you know, nobody has opened this without use of a proper key before, you know, they're very high security, showing the company line. And considering what they were saying, Jaakko made a PDF of this with the proof of concept. When that made its way through, they got an immediate response, and the response was: there's a brief silence and then they updated their entire current line of production. So MH got back something saying, you know, we're sending this off to our R&D department, we'll have them look at it, thank you so much for submitting this. And there's a brief pause, and Jaakko and everybody just kind of thought, well, that's probably the end of it, nothing's really going to happen. And then they got the message saying, we're changing everything. So now inside of their locks they have both stamped and not-stamped discs. The reason they have a mixed production is fairly straightforward: you don't want to remove that much stock. They have a lot of money invested, with bits of money to begin with. So by mixing up the production, it defeats this attack to begin with, and they're able to move forward with the mixed stock. So, very interestingly, they then sent Jaakko a new lock of the mixed production, and in that lock, as I said, there were some stamped, some not stamped, and they said to him, if you open this we will send you the keys for it. Please cut... pardon me, pardon me. So yes, Jaakko could only get the keys if he was able to decode it, if he was able to uncover the bitting and send to them what the exact bitting was.

So, Jaakko's Abus Plus pick. There was a brief silence.
Jaakko himself had no machining training whatsoever. He didn't have any tools to accomplish this, so until his birthday, the mini lathe from his father, he didn't do anything on this. He really wasn't able to move forward making a pick. He had ideas for it, he had great ideas for it, he had plans for it, but nothing was happening. So a lot of his work has been community funded. There have been people who have donated mini milling attachments for the lathe, there have been people who donated a knurling attachment, and there are people who are now, today, actively purchasing the tools that he's made from him so that he can fund his next trip out to the Dutch Open and talk about everything that he's done. So he did successfully pick the challenge lock, and we have a little bit of video of it that I'm going to show here in a moment, but here it is opened.

And I want to readdress one thing that I was saying about the key control. When we had the small prototype, the nail and the glue and all of that sort of stuff, after getting the code for it, we sent off to a bike lock seller, one online, and they had a very simple form where you would input your name and you would tell them how you wanted to pay. You could pay by check, money order, credit card, whatever you wanted to do, and then you would put in the bitting of the key and they would cut it for you and send it off to you. So just to be cheeky, I had it sent to an Emmanuel Goldstein at a different address, and it came, and it worked beautifully in the lock. And the handle was additionally subpar, so with that being subpar, you need the lock itself to be better security.

So I'm going to show a little video. John, in just a moment here, is going to be speaking about his work with Medeco, and it's a great story, and ongoing as well. You guys are wondering, why is this guy sitting over here so quiet? I'm just waiting. All right, I'm going to do this double time. In the actual time it takes him, just about three minutes. So how you pick the disc-detainer lock
is you insert the tool into the lock and you're actually manipulating each disc in turn. When he first picked it, it took him just over three minutes that time as well, and it took him three passes through the lock. So he goes through each of the discs, and when he was doing it the first time he was trying to decode at the same time, crossing out each of the numbers that didn't make sense. He would put the pick in, and if it was obvious that couldn't be the possible position, he'd keep a little chart and he'd mark it off. He was very meticulous about the way in which he went about decoding it. As he picks here, disc-detainer locks are considered very difficult to pick for beginning lock pickers to begin with, particularly because we tend not to have access to the tools for it, although there are some manufacturers that sell tools for different brands, and additionally just because the way in which they operate is so unique to us. And yet the technology has been around for more than a hundred years. The Abloy company, who right now have likely the highest security lock on the planet in the Abloy Protec, it's a disc-detainer-based system as well, and fantastic. Yes, Abloy basically works like a safe lock except that there's no dial. Sorry. Yeah, incredible work. And then he tries to get his pick out of it for a while. He gets it out, don't worry. I'm sorry, you were saying though? Abloy basically works like a safe lock, except there's no dial. All the wheels are set by angled cuts on a key, so you have to somehow get in there and manipulate those, and that's exactly what... Aha. My pleasure to reintroduce John King.

Hey everybody, this portion of the talk is going to be about Medeco and my experience with them. My name is John King. I'm currently working for the United States Navy, active duty. Thankfully I got to take leave and come out here to DEF CON, as well as HOPE earlier. I've been a locksport hobbyist for about three years now. I started off on the easy locks, just like all of you, and now I focus mostly on
the high-security stuff, because I find it just so much fun. I've been a security geek for a long, long time. I started off with the same thing as most of you, security exploits, network attacks, things like that, and I moved on to locks. What I'm not doing: I'm not speaking on behalf of the Navy. Although I am a sailor, what I say here does not represent their views or anything like that. Yeah, sailors don't curse. I'm also not speaking on behalf of Medeco. Although I've had in-depth conversations with them, my memory is not perfect and I'm not a representative of their company, so if I say something... take over the grand assault. Let's see. Okay, why did I go after Medeco? For a long, long time I saw them as the holy grail of pin tumbler locks. I think a lot of people still do. They have a frightening reputation. There was a time when if somebody said they opened a Medeco, it was met with a lot of skepticism, you know, okay, you did it once, can you do it again, that sort of thing. A lot of YouTube comments: oh my god, fake. The whole trick with Medeco is that the pins must both lift up like a regular lock, and they also have to rotate to the proper angles. There were lots of attempts by the community to develop tools and techniques to open these locks. The one that sticks out in my head is one by a guy named locknewbie21, and he's not a newbie at all. He developed a raking tool that a lot of people consistently open Medecos with, but I'm not a fan of raking. I go for the more methodical approach.

Okay, I'm going to attempt to demonstrate in one slide how Medeco works. There it is. All right, you guys see the key? Yeah, the cuts on that key are angled. It's not like your normal house key; you see they're kind of skewed to the left and to the right, and what that does is it rotates the pins. There's a pin on the right over there, on the side of it; that little chisel tip fits into those cuts, and when it does, it rotates the pin to the angle it sets it to. Now, remember I said that they have to lift and rotate. There's a
portion of this lock that isn't shown; it's the rest of it, the outer shell. So imagine the rest of the lock working like a normal one, but the part that really gives Medeco the security is the rotations and the sidebar. The top plug up there is one that is not rotated properly. The third pin from the front, it's the one that shows up the best, it's kind of skewed over to the right, that groove. What's happening is that there's a bar that has to drop into those slots. There's one tooth on that bar for every single pin. Once you align all of those pins to the proper rotation, those grooves will line up with teeth on the sidebar, and it can retract and the plug can turn. The plug on the bottom over there, the bottom right, has all the grooves lined up. That has the proper key inserted, so you can see that bar with those teeth on it can just drop right in, and the plug can turn and the lock will open.

I found some problems when I started looking at it. The first one is open grooves. This is the most obvious: those grooves alongside the pins go all the way through to the bottom, and this means that we have a way to manipulate the rotation. That's been the big thing, is how you control the rotation of little cylindrical pins, and everybody's been trying to do it, and recently, anyway, this seems to be the first time somebody's figured this out. If you take a bent piece of wire you can hook in there, and by pushing and pulling you can control the rotation of the pin. The thing is, you still don't know where to rotate it to. You have control, but you don't know what rotation to set them to, and that's where the other problem comes in: even spacing. This really is a built-in design. I don't want to call it a flaw, because I can't think of another way to do it. I'm not an engineer, though. You'll notice in this open Medeco lock all of these grooves are evenly spaced to meet up with those teeth on the sidebar. This spacing has not changed since 1969, when the first edition of Medeco came out. It's 0.17 inches
between each one of those grooves. This does not change by bitting. So now we know where the grooves need to go, and we have a way to control them. So how do we leverage this to actually open the locks? That is the question. I started from humble beginnings. What I wanted to do was hook in all the grooves at once and kind of do a little wiggle, and, magic, it opens. That wasn't realistic. It turns out it's really hard to hook into six grooves at once with little tiny pieces of wire, so that's why I tried these designs. Did not work at all. So then I said, maybe I'll simplify and try one pin at a time to get used to it, and work up to doing all at once. But it turned out there was a better way. You can actually rotate Medeco pins and open one of the locks with a tool like this, a bent piece of wire, and it works all right, but it's a pain. So, that second problem I found, with the even spacing, knowing where to position those grooves. This is just to show you how the tool started out. I'll explain a little bit more about how the tool itself works; I just want you to see kind of the evolution here. I started off with these scales printed on paper. I used chisels to stamp them into the brass. You know, there's a lot of poor silver soldering here, and then I found JB Weld, and it was glorious. It turns out that JB Weld plus the ghetto lathe, I hope you guys can see that, I'm not a machinist, but I do have access to a power drill and clamps. Thank you. So what I did was I took my power drill, I clamped it to my desk and shoved a piece of brass tubing in it and stabilized it as much as possible. This is not a good way to cut scales. I get about one in five of them right, which is why production is so slow for those of you who are waiting for tools. But it does work, and what I do is I angle a hacksaw blade off of my desk into the spinning brass, always wearing safety goggles, and I watch it and hope it doesn't wobble off, you know, and eventually you end up with a good scale. And this is what happens
whenever all this comes together: you end up with these nice, pretty-looking tools. This is one that I made to have a replaceable tip. Let's see, can you go back? Yeah, previous, there we go. Dammit. Let's see, you can't see it. What's holding that wire in the middle is an X-Acto knife handle, which, it turns out, works really well for holding bits of wire, and then I use JB Weld again and I fix it in place so it doesn't move. Okay, this one had a replaceable tip, so the idea was if the wire bent or broke you could replace it without having to bug me to make you a new tool. That one's out of aluminum, looks like, and that other one's got a stainless steel jacket. Every time I make one of these I try to experiment and do something new.

This is the point in the talk where I'm trying to demonstrate this. I'm going to attempt to open the Medeco M3. It's the latest generation of this lock. I'm going to be fair, in the interest of full disclosure, and admit that I have opened this lock many times, but it's still a Medeco, and it shouldn't be able to be opened in this manner. So I'm going to give it a shot, and Schuyler is going to provide some witty commentary.

If we can get the camera in on John, excellent. All right, we were looking forward to a desktop camera or a tabletop camera, but we probably should have checked in again recently. What are you looking for there, buddy? I'm just going to try to find the key here. John loses keys. It's not usually a problem. We got a hold of Doug Farr, who was acting as the Non-Destructive Entry magazine's editor-in-chief at that time, who was helping the magazine get back on its feet, and John got a hold of him wanting to publish an article about this. All right, here we go. I can't do this, you're really loud. He's going to be first, he says. Anyhow, so John came to us wanting to publish an article, he came to Doug wanting to publish an article, and there was a lot of interest in it. Doug and all of us at the magazine were obviously very excited to do it. However, Peter Field,
the head of research and development at Medeco, had attended the 2007 Dutch Open, and myself and another member of the magazine, John Norton, were able to attend that. And he gave this talk where, the very first thing he said when he introduced himself was, "In case no one has done it yet, I want to welcome all of you to our industry." And he approached his time there at the conference with completely open arms, talking to us. He gave a four-hour talk that ended up running to almost five hours about the engineering and the design of locks throughout history, with a lot of very specific examples. Seemed like a very open guy and very interested to communicate with all of us. So when it came across my desk, I said, let's try to get a hold of Peter. So via Han Fey, he put us back in contact with Peter, and then we began our conversation with him. So I wrapped up... oh jeez, this is getting awkward. John actually, just a couple of weeks ago, was doing this on stage at HOPE, and, well, I don't know, he did it there, so I don't think he was any better rested; he was partying all through HOPE as well. But our interactions with Peter were pretty good so far. Peter came right on down. Do you have this in the rest of your talk? Should I stop talking?
No, no, you can go right ahead. Give me... stalling for time. So when we first got a hold of Peter, his first request was, can you hold the article until we can actually see this in person, until we can evaluate it? So that's exactly what we did. We hinted that we had something coming up, and Peter drove to John's apartment, and I drove down from Boston, and we were both driving to Virginia. Peter, however, lived in Virginia. I had a longer drive, but anyway. So we sat around and we talked for several hours, again went over any number of very interesting things in lock engineering, and particularly the different exploits taken against Medeco over the years and how they have iteratively responded to each one of those, a couple of really interesting attacks that he reviewed with us. So from there we had a hard deadline. We had a hard publication deadline that we wanted to put the magazine out for, so we said, what do you want? Can we publish at this point? When can we expose this? Peter came in saying the production line, and John will talk about the new pins that they're installing in the locks, but as far as the publication deadline was concerned, we had to get something out very soon. So Peter wrote a letter, an open letter to the community, talking about the process that we were going through. We weren't ready to reveal yet, we weren't ready to talk about the actual exploit yet, but he provided to the magazine, which was important to me because the magazine is my baby and I really wanted to have something interesting out there, he provided a letter talking about the work that we were doing with Medeco, talking a little bit about John, and provided us the quote that we started the piece off with, which is, "Who is John King and what is he doing with our locks?" What are you doing with their locks?
Not opening them at DEF CON. Yes, we'll see, we'll see. When Peter came out it was a really good time. We talked for hours about locks, exploits, responsible disclosure, all that good stuff. What we eventually agreed on was that they should re-implement a system called ARX, attack resistance extended. It was a pin type that was introduced back in '94, but it wasn't standardized. There was a government tool that works on a similar basis to mine, and the pins that protected against it were not available to the general public for the most part. It wasn't advertised, because it wasn't a perceived threat. In fact, they had actually stopped production of them and they were working out of back stock for many years. Nothing like a little pressure. But I'm going to pass it back over to John. But as I was just saying, they had actually stopped production on the pins altogether, and it was one of the reasons we had to wait on the article, because they literally had to get the machines up and running again. They had to get the parts in to get the machines operating, as they were producing these pins. They had a large back stock which they had been working out of for private batches for a while. And as I said, pass it back over to John. Thank you, Schuyler. This tool is not ridiculously easy to use. Fake, that's F-A-E-K, this is spelling on that. Can we get it back to the laptop?
I don't know if that is under our control. We're back, excellent. Let's see what the rest of it covers. Some of the people that helped me out: lockpicking101.com. I don't want to pitch individual forums, because this is a big community, we're spread out quite a bit, but I have to acknowledge LP101. This is basically from day one, from those little rake comb tools that I produced. I started posting the results of what I had done on there and asking for feedback, you know, what do you guys think, bouncing ideas around, all the way through to the finished product and beyond. They've been covering this, and everyone's really excited about it. Jaakko's work with Abus was also directly via LP101, his contact there. I had mentioned it before, but it's good to re-note in this context. This community is the reason why I was able to contact Medeco and the reason why the locks are being fixed. Like I said, ARX standard, I'm going to have a slide up in a minute, is being implemented as standard across the lock so that this tool is no longer effective, which is a very good thing. There's nothing better than seeing my tool being made not able to use. Like Schuyler said, Doug Farr was instrumental in getting us in contact with Han Fey, who got us in contact with Peter Field. Mitch Kaeper provided support in the form of many Medeco locks. Him and several others in the community provided me with lots of practice material to see how universal is this: does this work in Originals, does this work in Biaxials, does this work in M3? And the answer to all those questions is absolutely yes. If I left anyone out, I apologize.

As Schuyler said, we wanted to get a manufacturer reaction from Medeco. Peter Field came out, and this is not an ARX pin, although it's on the slide. This is a closed-groove Original pin. We sometimes call them an ARX predecessor. This technique was figured out back in the '70s. This is not new, and at the time Medeco closed off the grooves after doing some legal and
financial wrangling with that company. They put them out of business, basically, but at the same time they closed up the grooves. Great, there's a little wire in there and the tool is no longer effective. That one only probed; it wasn't actually able to rotate the pins, it just kind of probed up so you could decode the angle, so you could cut a key, or in this case assemble a key from parts. For some reason, in 1985 when they came out with Biaxial, they opened the grooves back up, and what we believe this is due to is cost. They had bought up all the tools off the market, mostly. This was really not seen as a threat anymore, especially since the tool that was on the market, it didn't fit the keyway, it was simple little things, but the concept was still solid. So they opened the grooves back up because it was cheaper to produce and there wasn't as much of a threat in their eyes. To be clear about the old tool, it was built using a makeup key, a makeup key that you would insert into the lock in small chunks. That key, however, was actually Medeco keys, so what brought them down legally was the fact that it was an infringement case, because they were actually using a physical Medeco product, branded and protected, in order to sell their product. And by the time they were shut down, Biaxial hadn't come out yet, so when Biaxial came out and there were fore and aft positions as well, it became slightly more complex, and the old tool, the current version of the old tool, was no longer effective, so they moved on. Now, had I known all this, and that the patent existed, I probably could have saved myself a lot of time. I figured this thing out, like, you know, you can see I started from a very strange perspective, this comb-like attack, you know, and then I kind of worked it in the other direction. You know, I wish I had seen it. You know, after I made the tool and it worked, I started looking around to see if anybody else had figured it out. You know, I was, maybe I'll patent the thing, you know, and then I found
out somebody beat me to it. Well, and again, just to give John his due, John's tool specifically aids in the picking of the locks. It actually allows you to have an effective hand tool for attacking the locks. The old ones just decoded it; you'd have to walk away and get your key cut. The other difference is those required, I'm not going to say sophisticated machining. Mine requires $10 and a trip to Ace Hardware. Terrible drill lathe.

This is kind of my little bit about the future. Just because we're breaking Medeco all over the place, Medeco is really getting slammed this year especially, due to my stuff and Marc Tobias, he's giving a talk right after this about some of the stuff him and Toby Bluzmanis have done with Medeco. Just because we've broken this thing is not a reason to stop. I think we should keep going. You know, they say Abloy Protec, FNCS, all these locks are these goliaths that are never going to be picked. Bullshit. I think that we need to keep going no matter what. If somebody says you can't do it, then do it, and don't stop until you find a way.

Disclosure. This is kind of tying in. When we find something really exciting, my first thought is, let's put it on the internet. You know, I want to talk to you about this. All that we ask is that you think before you disclose. It could be something significant that could affect public safety, not just on corny, but it could affect a lot of people in ways that you're not thinking about. You know, to us it seems like these locks are like toys almost. You know, we don't think about the real security implications when we're messing with them. I don't, anyway. You know, it's a puzzle. Also, don't get wrapped up, and have fun. There's a lot of politics associated with this, disclosure and networking, and, you know, am I irritating this person, am I pissing off this guy, how does the manufacturer feel. If you have a good sense of humor and you just have fun with it, it's a lot easier. Let's see, what do we got next? Final thoughts?
Those are my final thoughts. Do you have some final thoughts? Yeah, those are kind of my final thoughts. Well, I'll give Schuyler's talk. True, right? Help, I'm running low. He does not need another beer right now. Thank you. Us lock pickers, we consider ourselves fairly creative people, but nothing compared to some of the people in this room, at this conference. There's a lot of really creative people walking around here, and sometimes all it takes is a new perspective to solve one of these problems, even though these are mechanical. Most of us here are dealing with the digital world. I mean, we're hackers, and that's what it's about. Would you like to? We, as John said, we're starting to get our feet in the door with various manufacturers. The name of the talk is making friends and influencing lock manufacturers. We're starting to get our foot in the door in various places. We're meeting a lot of people, finding out that a lot of people know each other, maybe some people don't. We're a hub for a lot of really amazing lock pickers, meeting a lot of really interesting dominant whatever companies, and the communities are starting to merge as well, the hacker and the lock picking communities. I mean, look at DEF CON, of course. The lock picking village now has two rooms; there are five contests this year for lock picking. We, you know, thank you for embracing us. It's been fantastic. So as our communities merge, there's one very important thing that needs to be remembered, and that is that physical security disclosure is different than digital security disclosure, and I'm going to elaborate on that a little bit. Before they want to help, in digital security there is typically a distributed network by which to distribute a patch or a fix to whatever the problem may be. The internet exists. If you have any thoughts, feel free to chime in. Yeah, absolutely, no, no worries. So there's an immediate, distributed way to get to your customers and fix your install base. With locks it's dramatically harder to fix your install base. When
Medeco told us that they were going to try and implement this within two months and get it all off the line and running, that sounded pretty good. These are physical changes to their entire lineup, and we thought it was reasonable for two months, maybe a month, maybe three months. The window of time that we should allow them to fix these problems I think should be a lot larger than what we give software vendors, because again it takes quite a lot of legwork, literally person-to-person work, in order to get everything out the door. Specifically with Medeco, they were able to get the fix into every new lock coming off the line, but from there they had to move down to their locksmiths who are distributing their product, try to get the part into their hands. They have the new part on the market. Go ahead. If you guys are related in any way to a physical security facility, I would recommend you contact your local Medeco dealer, if you have Medeco on your doors, and start asking about an ARX pin kit. This information has not quite reached the dealers with the enthusiasm that we think it should. If you guys bug them enough, it's going to get out there, and it has to. They're available right now. I believe the part number is K-5004, but you can go to ndemag.com; issue number four has that part number, some more details about how the tool works and what we ran into. So, as you were saying, with that deep an install base, and we're noticing that companies in this, physical security companies in this age, don't seem to have built the infrastructure needed to disseminate this sort of information. What we've noticed in dealing with Medeco is that there seem to be a lot of things that are very discretely one person's responsibility or one department's responsibility, and the intercommunication, from our outsider perspective, seems to be off. As John was saying, the new pin kits haven't been, the information that they exist, while it's now in the new catalog, whatever the case may be, the need for them and the
reason these new pin kits are expensive also true your locksmith is not going to upgrade your pins they're not going to upgrade your locks they're not going to upgrade your security unless you demand it and given that we are talking about this in public with medico's blessing I think it would be a good idea to upgrade your locks now if you have them just a thought and again this is another one of the big distinctions between physical security and digital security so with your physical security solution you as the end user are dependent on your vendor to update that fix and if your vendor doesn't want to spend the money individually on their end to get the part in that you need if they are simply ignorant of what the problem is or willfully ignorant of whatever the case may be you do not have the opportunity to patch your own system conversely if a patch is released on the internet you are able to make the decision for yourself that you want to update your system with it whether or not you personally want to apply it to your own computer and another important distinction while the security of personal information is extraordinarily important and there are a lot of dangers inherent in that information getting loose the security of the physical person is exactly what we are dealing with when we are talking about physical security it allows somebody into your house to mingle with your family when they are not invited the stakes are simply higher this is the only barrier of entry between them physically and you in many many many cases yes I just want to add a note to that a lot of these new exploits as far as like the safety of your family why not with these specifically residentially and as far as small business is concerned there is admittedly little chance that the criminals are going to use techniques like this because they do take practice and it is easier to kick down the door or put a rock through the window whatever the case may be the people that really need to 
be worried about this are ones that have facilities that are at a high risk have high value information and things like that but remember in the end this is about people and property as opposed to data so keeping that in mind if you want to help you can get ahold of me it's Skyler at NDEMag.com and if there is anybody else in particular that you want to talk to that we talked about during the talk I can put you directly in touch with them I have a couple of final thoughts after this even though this slide is called final thoughts but people to think and that sort of thing I would encourage any questions that you have for either of us yes sir the blank brass stock I get it from Ace Hardware there is a display that you can find at most of them called K&S Metals they stock all kinds of different sizes of brass, aluminum and stainless steel tubing you can also find it at hobby shops I find that Hobby Town USA tends to carry that stock if you're interested the wire being used is a 0.02 inch diameter and that's also available under the name Music Wire and if any of you are interested in recreating any of the tools that we talked about today the Avis tool or John's tool plans for them are available online you'll particularly find them around LP101 I don't know I think you guys generally encourage people to go out and make the tools yeah whenever I found this and found out that somebody else already did it it kind of discouraged me it discouraged me but at the same time it was almost like a liberating thing I ended up giving the design to the locksport community that happened back in I think December that's how long this thing has been sitting waiting to be publicly released it's been sitting in the back corners of LP101 for that many months Hope was when I first talked about it and this is the second time I encourage anyone this simple little brass tool that can open these locks and improve it I'm not the most brilliant engineer out there there are people in this room 
that I'm sure can figure out a better way why did he do it this way I could do it this easier we're already seeing that on the forums there's a member named Ramunda that's been making these things experimentally out of big pens I think he wants to do the same process we did with the Avis to simplify it to the simplest, cheapest version he can make he was the one who gave us the suggestion for the nail head he's a pretty cool guy specifically about my tool if you guys have any questions about how to produce it how it works, any of that I'm probably going to be in the lock picking village for the next three days straight and I'll try to be sober but just feel free to approach me and ask anything even though I've been talking about this stupid tool for a few months I still have talked to people about it anyone else? yes sir yeah the trick with ARX is maybe several security features where do you want to go to? go back to the although it's not an ARX I wish I had a picture in there I know that's a beautiful picture but how do you get to see I had a picture of a pile of ARX pens no it's not I had a picture of a pile of ARX pens and I had a caption that said why isn't this shit standard you know and now it is again this is not an ARX pen this is an old school medical original pen but you can see that groove that the sidebar teeth drop into it doesn't go all the way through the pen it stops on that tip because it stops you can't get the wire in there it's not out of room it's wedged against the side of the plug wall there now we have Mike's article on ARX in issue 4 you keep talking I'm going to pull it up yeah pull up the article ARX there's another thing about ARX it's not just the closed grooves it's a whole system that was designed to make decoding and picking as difficult as possible it was really targeted for our government facilities as opposed to the average consumer and that's why we haven't seen anything about it until now the only reason we knew ARX existed was 
because we found one PDF file one document from like 93 that said it was coming out that was all the information we had they do all kinds of cool things like rings here we go we've got some images here these were drawn up by a member named Safety Off Safety Off did these in 3D these are some examples of ARX pins you can see it's not just the closed grooves you got some rings and what not the ARX pins actually solve more than just this one attack they defeat a very interesting sonic attack as well which is talked about in issue 4 in some detail there's all kinds of crazy experimental government techniques about weighing the pin stacks and looking for density and what not one that I noticed on the other one I don't see one here the true groove was closed off but there was a false groove they're meant to trick you whenever you're trying to rotate these pins on the one with the rings there's a false groove right there what I've found on some of these is that that false groove does go all the way through to the bottom of the pins now the issue with that is that all you have to do is make the wires smaller and you can hook into it but instead of the marks on the tool so that you're aligning the bar you do the opposite you misalign them because you know the false gate is not right and it takes a .005 inch diameter guitar string to get into that little groove and I'm going to be honest I haven't been this work completely yet but we have been able to hook into and control rotation so it's not over and an important note here at the bottom of the article the micro milled pins the ones with just that little piece taken out of the center so that it's just large enough for the sidebar they can't be used in the master keyed bin stacks and that's I mean the fact is medico is typically an institutional sort of lock that you need master keyed they call micro milled ones closed off at the top and bottom if those pins could be used and somehow compatible with master key systems it 
would solve a whole lot of stuff coming out right now but the fact is people still want to be able to put one key in and then put another key in and they both work I thought I might show a picture of the RKS now that I got a couple pictures so these were in the last issue of the magazine I should have simply implied them to this so this is the RKS that we talked about earlier you can see each of the discs inside and the sidebar on the top this is their manual dialer that they use for it really nice piece of, really nice dialer and these are each of the individual wheels that I'd like to point out you see the two brass wheels stacked on top of each other the one in the back okay so I kind of want to jump up there and point at it there's a small screw that's right here hey that's Andy small screw that's right here and a small screw that's right here those are the flies that we were talking about earlier each of those can be removed from their position installed in any other position along the rim of that disc and once you've done that you've re-keyed the lock so you're given, it's an extraordinarily versatile mechanical end to that lock so yeah there we go basically the way that I describe it to people it's like, how many discs is it is it seven or nine it's six with this fat one back here six so six or seven it's like a safe with six or seven numbers in the combination that fits in your doorknob and you don't have to remember the numbers so it's really ingenious that they thought of this and I hope they go a long way and we'll be able to break them and they'll fix them any other questions yes as a matter of fact no in particular it's extraordinarily hard any sort of feeling via manipulation on the RKS first of all you would have to get your hands on a dialer which should be restricted to authorized use even if you are able to the dialer itself has a tactile click every single time you move it and feeling anything through that that wall of sound and feeling is 
extraordinarily difficult and that's just kind of where it starts and you could of course build your own dialer for whatever the case may be there are false gates carved into each one of the discs the false gates will muck up your ability to feel where the true gate is of course when you're manipulating it or if you can physically manipulate it it will hamper your ability to set it into the proper gate to release the lock yes also in regard to traditional safe cracking how about manipulation like a group 2 safe lock for example that whole technique is based on measuring contact points on a cam wheel as you line up more gates the nose of the cam will drop further and further and it will make the contact region smaller and smaller and smaller in this it's a direct drive there's no cam wheel in there there's no nose on a lever that drops in it's if you want to compare it to something it's almost like a bad comparison of master lock in that you can't manipulate a master lock like you would a normal group 2 safe lock which is not to say that they're secure but with the addition of false gates it's a different process and if you or any of you have an idea for how to manipulate these locks open please do because we want to know about it yes and please contact us there's another very cool safe attack that was first demonstrated to me at the Dutch Open you take a palm sander you put it up against the face of the wheel you vibrate it for a while and if the bar is sitting at the top and if there's a big gate cut out of each of the wheels like there is in a safe eventually those wheels will sort of shift themselves and line up so that the lightest part is facing up of course so there will be a big gap the barrel drop right in you can open the safe up that works on some cheap safes that's a problem that's been solved in the wild but at the Dutch Open as well somebody grabbed John's lock they grabbed a palm sander and they started going at it and we saw movement now it was 
movement these are extraordinarily light discs the the difference between weight on either side is very very minimal but and again there are 6 or 7 discs on each one so the possibility of this working the probability of this actually working in the field on a shipping container out on a boat is very very unlikely that said his addition of the false gates stymies the attack from the get go it sets off the balance of the wheels and it gives it something else to catch into as it's being shaken around and this is a good thing whenever we talk about you know I found an exploit for this lock we don't think the question should be oh can you open one in front of us like it shouldn't be like a proof of demonstration sort of a thing if you can prove the theory of sound and the thing will work there should be no reason to open 10 of them or in my case 3 of them in front of a medical representative if you can demonstrate that what you have is sound that should be enough for them to at least look into it and make design improvements if they can and I think that was the case with the false gates here just because the palm standard didn't open the lock doesn't mean that it was meaningless it was the beginning and eventually somebody might be able to leverage it and as such they addressed it despite it being fairly improbable that said an embedded lock company and your approach to them you know you should still cowboy up and open the thing if you're going to approach an embedded lock company because the costs there are significant for them anybody else? 
sweet, alright I just got a couple of final things to say and we'll be done ahead of schedule because I'm not good at timing my talks that's alright I'll let you get a beer I'd like to very specifically thank, oh hey Abus is going to thank this whole time here we go, I want to thank Zeke 79, he's the guy who provided the pictures for the quick set, he's the guy who ran the high security contest that led to some of the developments with Abus and he's just an incredible member of the community who continues to do amazing work, he's been a little bit out of commission for a while but he's coming back strong Rae Mundo and Digital Blue these are the guys who helped me in particular simplify Jaco's attack and in general just fantastic people in the community, great Ed Mike Baruch and MBI, he is in the audience today he's waving he's the managing editor for NDE and does incredible work getting that out the door he also provided me with pinned up medicos he has the ability to pin medical locks which really helped in a lot of testing in the process of my tool and I'd like to thank him for that Lockpicology.com have been gracious in providing us room to discuss articles that are in the magazine some wonderful people over there and LP101 is just the hub of all things lock sport and great work for us forget this John King guy John King is fantastic Peter Field, that's not supposed to be plural he was great and wonderfully gracious to work with and looking forward to many future conversations Walt Strater over at Kwikset when I saw that quote in the Walt Street Journal I rushed around calling every single person I could at Black and Decker Home and Hardware I left messages on so many random people's phones just desperately trying to get a hold of them he called me the next day and talked to me for two hours talked to me all about the work that they were doing and we're putting together a fantastic article on that and really excited to work with him John Lachlan of course of the 
RKS provided us a great deal of information for this presentation for the article and it was just a good friend and his father Bob I should have mentioned here as well Bob Lachlan also you want to talk about Jacob who has been a staple in the community LP101 and also if you guys haven't seen it there's an LP101 IRC channel it's on Slashnet it's Pound LP101 there's a lot of separation of material on the website and the forums about what you can and can't talk about and I don't want to say that the channel disobeys that but it's a lot looser and you can generally meet some very very creative people with new experimental stuff coming out it's official with quotes and Jacob was one of those he's always in that channel whenever he finds new things with Abloy or Abus he's always on there posting them so we kind of bounce ideas over each other but the fact that he discovered this thing that you can take a piece of white glue and stamp the num wrap the back of a disc and you can find what the code is as he said the IRC channel is shockingly the hub of a great deal of work that's going on in this community and some amazing high security advancements and Abus of course just an absolute class act as a company and incredible to work with as they as they approached Yaco and fixed that problem for locksport for locksport thank you all very much