I'm David Lawrence. Unfortunately Rob couldn't be with us today, but he contributed a lot to this project. So we're just two MIT students. We don't really have any more credentials than that. It's playing with locks as a hobby for us, as I imagine it is with a lot of you guys. If you want to contact us, locks, L-O-C-K-S at MIT.edu. And I hope you enjoy this talk. We're going to talk about the Schlage Primus lock. How many of you guys were just here for Marc's talk? Marc and Toby. Fantastic.

The first part I'm going to talk about is how pin tumbler locks work. So I guess we can do more of a quiz than an informational session here. So when you have a pin tumbler lock, you have a plug and you have a body and you have a bunch of pin stacks constraining them together. Now, if you insert the correct key, you raise all of the pin stacks up to the interface between the plug and the body, which allows the plug to turn. Now, what's that interface called? Shear line. Wonderful. And so we have a video here. You want to do this? Sure. This is a cutaway lock so you can see the pins inside of it. You see that? Now, as you insert the key, you can watch the pins move up and down. When it's not inserted all the way, you can see there's a split that's above the shear line. And so the bottom pin is blocking the plug from turning. If you insert it all the way, then all of the splits line up and you can turn the plug. Everybody see that? Great.

Now, these locks are vulnerable to a lot of different things. One thing, as Marc and Toby talked about, is key duplication. You can take these keys to any old hardware store and they will copy them for you. Now, another attack that you can perform on these locks is manipulation attacks. This includes picking and impressioning, and inserting long wires in the keyway to get at the tailpiece. Now, I'll go over those quickly since Marc and Toby didn't talk about them a lot. Picking is where you exploit the mechanical defects in the lock.
By applying torque to the plug, you can cause all the pin stacks to bind. Now, in a perfect lock, they would all bind at the same time and at that point you'd be screwed. But because the holes are slightly misaligned, when you put torque on the plug, only one of them is going to bind. And if you use a pick to then raise that pin up to the shear line, then it will set. The plug will turn a very small amount and it will trap the top pin up and the bottom pin down, and then you don't have to worry about it anymore. And you can repeat that for every pin until the lock is open. Impressioning, I'm not going to go into great detail on that because I'm not very good at it. It involves taking a blank key, wiggling it up and down a lot and using the torque and binding action to produce marks on the key. And then you can file down those positions until you end up with a working key.

So, pin tumbler locks are a necessary background for the Schlage Primus because if you look on the top of the Schlage Primus key, there is a standard pin tumbler top bitting. The Schlage Primus just adds a second independent locking mechanism, which is this little squiggly line at the bottom of the key. And we're going to call that the side bitting. And now, an important part about the Primus key is that you can completely separate these two things. In fact, we've cut a couple keys in half so that we can play with just the sidebar or just the top bitting. Now, you can see here is a sidebar only. And then here, here's a full key. It's actually a blank key with just the side milling on it. Now, you can pick these locks. Can anybody in the audience pick a Primus lock? Has anybody done it before? One guy in the back. Well, I salute you. You're much more skilled than I am. We cannot pick Primus locks. I know I have one friend who can do it. He's very good at it. But we have to resort to more primitive methods of opening these. Now, so what we're going to do is we're going to not look at keyless entry.
We're going to look at key duplication attacks. So this is basically using information that, you know, you gather somehow about the key and producing a working key to the lock. There's a lot of things in place to restrict this. For instance, the way you actually get these keys from Schlage is you have to send them your proof that you are who you say you are and that you are entitled to get these keys. And what they will send you is they will send you a blank key. Now, this key is blank in the sense that it doesn't have any top bitting on it. But it does have a sidebar. Schlage claims that they are the only ones who can produce this sidebar. And they go through great extents and charge you a lot of money to get sidebars.

And so in order to attack this lock, we go through four steps. First, we need to figure out how exactly this side milling works and how it actuates the parts in the lock. We're then going to create a 3D model of the Primus key, which is, you know, of course, the first step in any good manufacturing process. Then we're going to look at several different ways of fabricating keys, both additive and subtractive processes. And the implications of this for Primus and high security locks and pretty much mechanical locks everywhere.

All right. So we'll start out with reverse engineering the Primus. And now we're calling it reverse engineering, but there is nothing difficult about this. There's no great amount of intelligence required. So start out with a Primus key, as if you don't know anything else about the lock. And what does it say on it? Primus, do not duplicate. Actually, we may have to end a little early now. So thank you all for coming. But then the third line of the key is quite interesting. It's a U.S. patent number. Now, I'm guessing Schlage thinks that the patent makes the key more secure. They can use it to pursue a legal action against anyone that's so foolish as to try duplicating these. But actually, U.S. patent filings are public.
So you look it up and you get... This is one of about 20 pages of technical drawings and documents explaining exactly how it works. So you can see that on this key there are the usual six cuts on the top of the key. There are five additional cuts on the side of the key. And there's the second independent mechanism in the side of the lock which is actuated by those five cuts on the side. And we'll take a closer look at that soon. So you read through this patent and you get a basic idea of how it operates. But there's a lot more information that's easily accessible. So suppose you do a Google search for Primus Service Manual. Well, there you are. They have it up on their website. And if we look inside there, there are some fantastic technical drawings that they've provided to us.

So here you can see how that side mechanism is actuated. There's an L-shaped pin called a finger pin which rides up and down in those grooves on the side of the key. And that meshes into this sidebar, very similar to the sidebar in the previous talk if you were in here. And when those finger pins are lined up properly with the sidebar, as you can see in the drawings at right, the sidebar can retract and the cylinder can open. And if those finger pins are not aligned correctly, they will block the sidebar and that will prevent the lock from opening. So the finger pins have got to be lifted to the correct height and rotated to the correct angle. They have two degrees of freedom. So let's take a look. Here is a cutaway lock and a sidebar. So you can see in there the finger pins, you'll see them moving and you can see they're going to be misaligned until the key is all the way in and then suddenly all five of them will be lined up. So can you maybe rotate it back and forth a little just to get the right angle of light on them? So they're all lined up when the key is all the way in and not in any other circumstance. And if the wrong sidebar is used, then of course they won't line up.
Do you want to show this one? Not yet. So that's basically it for the operation of this lock. If there are any missing details, you can of course take one apart and look. But it turns out that the awesome folks at Lockwiki already did that and put up the pictures. Thank you, Datagram. So all you have to do is look around for Schlage Primus photos and you can see exactly how this sidebar works. It's got little notches in it and there are bumps on the finger pins that fit into those notches exactly as long as the bump is in the right spot. So this is the lock, and Schlage believes that because of the sidebar, it's quite secure, resistant to duplication and manipulation attacks, and they're almost right.

So the next thing we'll take a look at is 3D modeling Primus keys. So that is, now that you have an idea of how it works, figuring out the exact dimensions that are needed in order to align those finger pins and the pins on the top as well as to make a key that will fit into the lock. So we'll start out with the top cuts because that's the easy part. This is a page from the service manual. This is backwards compatible with non-Primus Schlage locks so none of this is a secret at all, and this is all the information you need for the top of the key. The side of the key is a bit more interesting because Schlage tells you that there are six positions for each cut. They can be left, center or right and high or low. So what we did to figure out the dimensions for this, not using any special tools, we just put some keys on a flatbed scanner, ran them through at 1200 DPI and extracted the parameters. And we got nice results. Here they are. Now you know. And you can also see here a picture from the service manual showing how those different positions actually map onto a key. So this is the sidebar that would be called 62426: deep right, deep left, deep center, deep left, deep right. And that's about it for the side bitting.
There are a couple of other things we have to take care of in order to make a key that can be used. We have a minimum slope on the ramps leading down to each cut because these pins have the freedom to rotate. That's got to be steep enough that they'll actually slide down to the bottom of the cut. Otherwise the friction will keep it misaligned. There's also a maximum slope there because if the ramp is too steep, the finger pins will get hung up and the key won't be able to go in and out. So because there's this rotating pin, you have to balance out these two factors. And there's only a fairly narrow range of slopes that work. And finally the bottom of that cut has just got to be radiused to match the curvature of a finger pin in the lock. So we went through and figured out those parameters as well. And that's it for the dimensions you need for all of the control surfaces of the lock. With this you can put all of the top pins in the right place, all of the finger pins in the right place, and then it's open.

Of course the last piece is we do need a key cross-section that will fit in the lock. Now conveniently Schlage has this LP keyway which fits in all of their standard Primus locks. And if we just remove a bit more material from that, it fits in their restricted keyways as well. And we speculate that the reason this is possible is that this sidebar mechanism imposes such severe constraints on the key, in that the key has got to have this, I'll show you, where's the real one? There's got to be a big hole in the side of the key so that the finger pins can ride on those grooves. There's got to be a sidebar, there's got to be material here for the side cuts. There's very little flexibility to remove additional material around the sidebar. So in that respect the sidebar is actually making it less secure than a regular lock where there could be a very complicated warding blocking a key.
And once we have that key cross-section, the last thing to do is to put all these pieces together into a 3D model. And to do that we used a really cool program called OpenSCAD. Now OpenSCAD is a programming language with a C-like syntax that actually compiles to 3D models. It was first used to model keys by a guy named Nirav Patel. It was in 2011, so we saw that and thought it was really cool and went ahead and implemented the Primus key. It was only a few hundred lines of code, not a lot of work, considering the purported security of this lock. Here's an example of what it looks like. This is our top level function called key which is taking the top code and side code as arguments and it's calling out to a bunch of different functions that are going to draw the top of the key and the side of the key and subtract out all of the bumps that need to be subtracted out. And this is what you get. You call the function key and you get a 3D model of a working Primus key. And now in order to make this useful, we'll tell you about a bunch of different methods that you can use to easily and cheaply fabricate these.

Yeah, so 3D models are great for eye candy, but it's useless if you can't actually make it. Now, back when we, has anybody filed keys by hand, show of hands? You know, it's not too hard, you just take a file, you work at it for a while, it takes, you know, a steady hand, a pair of calipers, and a little bit of your time. Now, we thought that hand machining a Primus key would be impossible. Until one day our friend Rob sends us an email with a key that he cut by hand opening a Primus lock. And we're like, wow, how did you do this? Well, he used very complicated tools, actually, he used a Dremel, a pair of calipers, and a hardware store key blank. That's the only material cost, is a stock Schlage blank.
And he basically, you know, scribed onto the key with the calipers all of the dimensions from our 3D model, and then went at it with a Dremel for about an hour, and stuck it in the lock and it worked. And he's done this a few times now to the point where you hand him the 11 numbers describing the key, and in 45 minutes he'll hand you a key that'll open the lock. It's fantastic. Now, here's some photos of the process. You can see the stock Schlage key blank doesn't fit in the Primus keyway, because they add a few additional wards to prevent you from breaking the finger pin mechanism. So, you thin down the key a little using the Dremel. You can see some of the complicated tools we have in our key duplication lab, such as calipers and the Dremel. It also happens that our key duplication lab doubles as our kitchen table. So once the key is thinned down enough to fit in the Primus keyway, you can start cutting the valleys for the finger pins to settle into. Here we've cut two of them, and you basically scribe onto, like I said, scribe onto the key with the calipers, Dremel, you know, scribe some more, measure, repeat ad nauseam. Here it is with almost all the cuts completed, just sort of polishing it up, and then you stick it in the lock and it opens.

And we have that to show you now. So, here is the hardware store key blank. This one, I think, was 25 cents, because we got it online. Here is the result. Can you get that? Yeah, there's the part we Dremel'd out. Here's the stock blank from the Schlage factory, you can see the bitting there. Compare that to ours. And let's put it in the lock. Here's the stock key blank opening the lock. So that works fine. Here's our key opening the lock. So that's it, you can Dremel it. So if you've had a couple too many cups of coffee, and you don't have a steady enough hand to Dremel this, of course, the next logical step is to try a CNC machine.
This is how the Schlage factory makes their keys: they start with a key with too much material and they put it in a high speed mill, and they mill out the sidebar using computer numerical control. If you are interested in outsourcing this job to a machine shop, if you want to try to produce a Primus key yourself, you'll find the setup cost is enormous, simply because you have to, there's a lot of work involved in fixturing the key, and a lot of common milling machines don't have the spindle speeds necessary to operate the small tool diameters you need. And so a better tool than a large, knee-style mill is probably a desktop micro mill, and these are slowly percolating through the market. Keep an eye out for ones in the near future that'll run you probably $1,000 or a little less. The one shown here is the Othermill by Otherlab, which, according to the specs, would be capable of milling down a stock Schlage key blank into a Primus key. This one's not out yet. It's a funded Kickstarter project.

But the most exciting thing that we tried was 3D printing, and that's sort of a new space because it's only recently that 3D printers have hit the levels of precision necessary to open a high security lock. So we took that 3D model and just sent it to our favorite 3D printing websites, Shapeways.com and i.materialise. We got keys back in three different materials here. We tried two different plastic processes and titanium, which was pretty cool. And, well, it turns out that they all worked. So we're going to show you that now. So the first material we tried was the Shapeways process called Frosted Ultra Detail because we thought we want to get as much precision as we can here. And this is a stereolithography process, UV cured. It's very expensive. There's a $5 setup cost and then it's going to run you $2 per key. How much does it cost to get regular keys duplicated at the hardware store? $3? And we found the precision was excellent.
Excellent on the key that came back. We measured it. It was great. The issue with this material was that it's not that strong. It was plenty strong to, you know, attack the sidebar and turn the cylinder. But when it comes to actually pulling back a latch or freeing the hasp on a rusty padlock, we'd be worried that it would break off. But there are a lot of things that don't require that, like figuring out whether you have the correct key for a lock or removing the cylinder from an interchangeable core system. So let's take a look at this key here. That's what it looks like. We don't put the bumps between the cuts because they're useless and they just add friction. There it is, going into a Primus lock and it's open, real smooth.

So the next thing we tried was a different Shapeways process. This one is called White, Strong and Flexible. And this is laser-sintered nylon. This one was actually cheaper. It was only $3 total. The issue here was the precision. This is not a very high resolution process but it turns out it's enough. And when we got the key back, it's a little less smooth going into the lock. Sometimes you've got to give it a jiggle. But it works and it was strong enough to operate most locks because it's a more elastic material. So we can take a look at that. See if you can see the sidebar there, it's a little bit hard. Yeah, there's a sidebar, it's just hiding. It's a little bit harder to insert into the lock. But once it's in, it opens fine and it's quite strong. Oh, by the way, we brought an old failed attempt here. This was for a key that didn't open anything but just to give you an idea of how brittle the first one was. There, that's it. So you don't want that happening in a lot of cases where you might be using a plastic key. And then the third thing we tried, sort of just to geek out, was this titanium process which sounded amazing. We're gonna deposit titanium powder and fuse it together with a laser. And that turned out awesome.
The downside is that it ran us $150 for one key. But, you wanna show that? It is an amazing looking thing. We measured it and it was more precise than my calipers so I can't actually tell you how good it is. But it's certainly within the... It's better than the Schlage factory, most likely. Yeah, so here it is. We can go into the lock and no problem. And this stuff is super strong. So there it is, 3D printing three different ways. And I suspect there are many more ways that you could get this. A lot of these outfits are just starting to do lost wax casting where they actually have 3D printers that print in wax and then maybe they'll even give you a key out of brass. So we have no reason to suspect that any of these other processes wouldn't work just as well. And we also expect to see these prices drop quite soon because the two laser-sintered processes, which is the white one and titanium, are both currently covered by patents. So there's a royalty fee that's part of each of these costs and those patents expire in 2014. And historically speaking, when the FDM patents expired those prices went down, I don't know, 25, 30%. So... And we started seeing things like MakerBot. So it's gonna be exciting. Maybe we'll even get down to a one or $2 key here.

So finally, let's take a look at what this means. So first for Primus locks, key decoding is easy. We know all of these dimensions now. All you're gonna need is a key, or else a picture of a key, or else a good look at a key if you've got a sense of how deep those cuts are. But it's not gonna be hard, especially for decoding that sidebar which is the high security part, because there's only six possibilities for each cut and they look quite different. And of course that means that key duplication is going to be easy because once you've decoded your key you're going to need the OpenSCAD code that we're releasing and a few dollars to send off to Shapeways and that's it.
You've got your copy of the key, probably even easier than going to the hardware store because you can do it from home. So one thing that this means is that master key extrapolation is easy. There's a standard attack that can be executed on regular pin tumbler locks in which you start with your known change key and a couple of key blanks and you can use them to test out one pin at a time to find where the master cut is. Well, in a master system the sidebar is the same on every key because that's just built into the key blanks. And now that we have the ability to produce blanks with that sidebar you can execute the same attack and this is effectively just a regular pin tumbler lock. Have you guys seen the Matt Blaze paper on that? Show of hands? Yeah. It's a great paper. Google Matt Blaze rights amplification in master key systems.

But keyless manipulation is still hard. These things are still a real pain to pick and so we're just looking at starting with some source of the information contained in a key. Although note that that's not gonna be too hard to come by. There's been other work in decoding keys from photographs. There's a team at Berkeley, I believe, with a project called Sneakey which may have been at one of these conferences a few years ago. They successfully decoded a regular pin tumbler key from a guy sitting at a table in the street from the roof of a four story building across the street with a telephoto lens. So if you see anyone walking around with their keys hanging from their belt you could probably get a copy of one of those. All right, so we're gonna have to recommend that you probably don't wanna use a Primus lock for high security stuff, and if you're using Primus locks already definitely consider what it means if anyone at all can go duplicate a key. I mean, it's not new that you could duplicate a key. You could get a machinist to do this before, but what's new is now anyone can do it.
There's no barrier in terms of knowledge needed, no cost barrier, anyone who feels like it. But the interesting thing is this methodology is not really specific to Primus locks. There's no specific weakness in the Primus that we're exploiting here. Any physical lock with a physical key can be modeled and printed. So it's an industry wide problem that's probably gonna start cropping up now because 3D printing is really just starting to have these precisions. Key duplication will be much more accessible. It'll be sort of like the scene right now for pirating movies. It still takes one person who can go and decrypt the Blu-ray disc or go take their video camera into a theater, but as soon as they've done it the entire internet can download the movie. So now it's gonna take one person to go ahead and model a key and the entire world can go and download and print them off. So I think we'll find those people to make the models. And so physical security is gonna start depending on information security. We're breaking into physical systems here by writing code for a key. I think that's pretty cool.

And patent protection, I think that's gonna become a lot less of a useful buzzword for the lock companies because they can use the patents to threaten legal action against people who are making physical reproductions of their patented key design. I don't think they'll be able to go after people who are merely releasing 3D models of the keys because that's effectively the same information that's contained in the patent filing. So they could go after each individual person that is known to have printed one of these keys, but I don't think they'll be able to do anything to stop the distribution of these models even on a patented key system. Though we're not lawyers, so you should probably talk to Marc Tobias if you want more information. We picked Primus here because its patents expired in 2007 and lawyers can make your day suck even if you didn't do anything. So.
So here's some other keys that have been 3D printed. Now this is a space that's really just starting to develop and this is all recent work, but you can 3D print a car key. This is for a Mini Cooper. Of course this does nothing about the chip in the key, so this fellow had to keep the real key nearby to drive the car, but it works for the physical section. Disc detainer key, used commonly in bike locks and some other stuff. People have 3D printed handcuff keys. So the field is wide open. Anything that's just a physical lock, you can model it, put that model up on Thingiverse or wherever it is will be distributing key models and people can print it out.

So we have some audience projects here that would be really cool if someone else wanted to do. We'd like to see 3D models of other keys here in OpenSCAD because it's not that hard. Especially Medeco, which a lot of people think is the highest security of the high security locks. If you've ever looked at Marc Tobias's book about Medeco, he's actually published most of the dimensions that you'll need already. Probably could crank out a model of that in a day if you wanted. It would be neat to integrate these 3D models with existing image-to-key decoding software to make that process fully automatic, and especially for regular residential keys that should be fairly straightforward. Maybe there's a market for an Android app, iPhone app, take a picture of your key, get a new key in the mail. Really? Take a picture of it and keep it off. And it would be neat to have a place to go to exchange these 3D models. The Pirate Bay for keys.

And well, here's some food for thought. If you're from the New York area you may have heard about these a few months ago. There's a lot of people that got sort of upset because a retired locksmith was selling this set of five keys on eBay. The New York Post published the story, called them the master keys to New York.
And these are keys that are used by law enforcement personnel, fire departments in New York City, and they operate things like the fire overrides in elevators and the keys to electrical circuit breaker boxes and other cool things. And people were starting to get sort of upset that a single set of these keys had leaked out. But what's gonna happen when someone makes the 3D models for these keys? These have got to be in hundreds of different buildings. There's no way to change these locks. And the interesting thing is this picture here published by the New York Post has probably got enough resolution. And you could go ahead and do it right now. And also one of the major voting machine manufacturers uses the same key on all of their voting machines and I believe they at one point put a picture of this key on their website. But even if not, I mean, how long will it be until a single one of those keys leaks out there? Someone models it, $2, you can buy a voting machine key to play with. So if 3D printing keeps picking up, we don't see how this isn't gonna be just a major, major change in the field of physical locks.

So I think that's about all we have here. We have a couple of people to thank. Do you have the? Yeah, sure. We have, of course, like I said, a lot of people worked on this, but it would be silly to have all six of us up here. So I'd like to thank Gabe, Vicki, and Brian for helping out with the decoding. Of course, Rob, who couldn't be here. But also Vincent, who was the person doing the manufacturing here with the Dremel and the photos we showed. And of course, Schlage as a company for publishing all of their fantastic drawings. And the MIT Locksport community for getting us interested in this in the first place. Thank you very much. So yeah.