 Hello everyone and welcome to my DefCon talk all about locks and keying systems and how to hack them There's gonna be a lot of math and problem-solving involved in what we're talking about today So those of you who like that sort of thing I think we're going to really like this talk for those of you who don't like that as much I'll be releasing a number of software applications that will do all the hard work for you This is all about decoding locks despite the very verbose title So taking all the information available and creating a key for a lock or we didn't otherwise have one Is a fairly long talk So if you're watching this on YouTube after I'll put a comment below with links to times in the video So you can skip to the parts of the talk that happened to interest you I will just mention that this feels incredibly weird The energy is so low compared to giving a main or a talk on the main stage at DefCon So I will do my absolute best to stay engaged and keep you awake and to stay awake myself But the good news here is that this talk involves a lot of software demos and me going through the software Releasing that would have been absolutely terrifying to do on the main stage at DefCon So what you get out of that is the speaker who is going to be a lot less stressed out and making a lot fewer mistakes So take a look at your key ring and see the keys on there and see how much you understand about what they are Beyond just shapes of metal and how they interact with the lock And that's what we're going to be talking about all through today The way we're going to attack that is looking at how locks and keys work and the introduction to the tools I'm releasing to analyze them. We'll look at the economics and practicality of brute-forcing all possible keys and reading the pins In a lock to get information from that We'll improve on impressioning by implying the extra information that we have and we'll look at key-like systems and locked Disassembly to get information We'll then formally introduce information theory and see how it applies to mechanical locks and keys We'll introduce master keying systems and drive master keys for multiple low-level keys and perform other great Samplification attacks to create a master key where we didn't have one before We'll look at a couple special cases like construction keying IC cores and high security secondary systems like medico and multi lock And finally we'll talk about what the blue team can do to remediate from these attacks All of the software that I'm releasing as a part of this talk can be found at these links here Both a version that you can try writing your web browser as well as the source down below So before we jump into the new content, we'll give a very brief overview of how locks work for those who might not be familiar So we have a key and it enters the lock and interfaces with a number of pins We have key pins close to the pink the key and driver pins higher up And if they all line up with the top of this plug, it will allow the plug to turn What do I mean by that? Well, let's take a look at a 3d model for what this is representing so here is a familiar lock and this inner Insert called the plug when all those pins line up it allows it to turn so if we look at The cross section of it here when those pins line up as I showed in the two-dimensional diagram That's what then allows that to happen and if any of those pins are not at the right height So we have a driver pin Into the plug or a key pin up into the driver up into the housing Then that will not allow it to turn and the lock remains locked Within the plug we have holes for the key pins to go into and those holes don't go all the way down So that's what stops the pins from falling right out of the lock And so in this cross section we see here This is where the key enters and then this is where the pins are and that's what we're representing in our two-dimensional facsimile that we have here so the key goes in it raises the pins to the right height the lock opens if some of these pins are or these Key cuts are too high or too low Then it will not open because we have a driver pin or a key pin in the way And we can see these shear lines are now binding the lock does not open It's worth noting that the positions in the key are all discrete so we can have a set number of intervals for depths that these positions can take on and That is defined by what type of lock it is as well as the position of the pins Of course is defined by what type of lock it is so you can play around with this software yourself to understand what that top profile of a key actually means in In terms of what key code it creates so this is an example of what a Corporate a plug cut in half actually looks like so you can see where the pins go and where the key goes in here a Key itself is just mechanically encoded information So I showed how we can change the code to different heights Key codes are a number that represents that so this is a Schlage key. We read it from shoulder to tip So in pin one we have from zero down to nine So this is an eight cut and we can get seven et cetera So here's a two we have zero one two and from that we can get the full bidding code of eight seven five two seven and that makes sense when we look at the Profile of this key deep shallower shallower very shallow and back to deep again The thickness of the key from the base to the point of this cut here is given by this chart for the Schlage system So an eight cuts is going to be 215 thousandths of an inch from these two positions Here's another example. We can see so five two eight six four We can see it makes about sense There's five in the middle a two is high up eight is low cut and then it's increasing from there One thing we need to be aware of is the maximum adjacent cut specification We can't have a very shallow cut beside a very deep cut or in one case It's going to be too steep and we can't put the key in or get it out or in another case We're going to start impinging on the neighboring cuts So if you look at how a key is actually originated So we can see in this lower left corner here this cutter wheel that's taking bites out of the key And so we're moving it along to predefined positions along the key And then cutting down to predefined depths into the key in this case We're cutting it to the bidding code one two three four five So here we are on the fifth position cutting it down to a five down We can see that the way that cutter wheel cuts into the pins actually creates a sloped angle and so Here's an example of one key where we have a code zero four zero three seven So that's again from shoulder to tip If we wanted to bring pin two down so that it matches not this shear line But this upper one we can start cutting the four down and it works down to a five down to a six is fine But now these shallow Slope sides around it are getting very close to the neighbors And in fact we put it down to a seven those neighbors are now lowered by that So that's a bit of a problem for us It means that we cannot have a zero cut next to a seven cut zero next to six is okay But not seven so that's our maximum adjacent cut specification is six Likewise, we can't have a one next to a seven or next to an eight, but it can be next to a seven So the difference there is six. That's okay because it's the maximum um, and that's a property of Almost all pins humber locks and that's going to limit what our key space is as well Here's a chart of the most common max that we see so most of them are seven They have in the case of Schlage sergeants Yale and Weiser They have 10 different depths that are allowable. So it's seven. That's fairly permissive Quickset only has six so that means that our max is a little bit less at four Now that we understand max we can start to look at the key spaces so the total number of differs or number of possible keys that exist on a system and Naively, it's the number of depths to the power of the number of spaces So for a Schlage key there are 10 depths to the power of five or six spaces for five or six pins Is a hundred thousand or a million and for medico it's six depths to the power of five or six So seven or 46,000 So we can calculate that fairly easily here a Schlage system with five pins and 10 depths We have a hundred thousand possibilities And six pins is going to be a million And if it's a medical lock with six pins six steps, that's 46,000 and that's six to the power of six We can also add in our max here. So let's say that this is a quicksat key with five pins and six depths We can now scroll down and add some rules to this system to limit what our key space would be So we start with seven thousand We find under max and add a max of four for it being a quicksat system And that now limits it to 63 oh six And we can see that the number of possible differs is less with cuts very shallow and very deep So this number here 941 means that 941 total differs have a zero cut in pin one That's smaller than the number that can have a one cut in pin one Because a zero cut can go up to four. That's within max, but it can't go all the way to a five That would be too much of a difference. That would be a max violation This one here can go to anything because it's close enough to everything that it will not violate max To take this to the extreme We can reduce max down to one And so we now see the impact that has we're down to only 340 possible keys and if By some decoding that we'll talk about going for we know that say the shear line and pin one is a three We now see the pin two can only be A two three or four anything else is too far from it. It's a max violation and that extends outwards So that is severely limiting now the number of possible keys that are in our key space And we'll look at how to drive these rules throughout the rest of this talk In this case, we're down to 74 possible keys in our space And so it's enumerating all of those key codes here So these are the bidding codes we could cut a key to these and try them and it might work in this lock We can take a brief look at keys versus passwords in terms of the brute force ability of them So the cost to try a password is very close to zero not quite negligible And the case of a key is quite expensive We have to pay for the blank and cutting the key and our time to actually go and physically try it That's all quite expensive and time consuming Keys can be or passwords can be an unlimited length and complexity Keys are severely limited in both lengths and length and complexity due to the mechanical nature of them And a password if it gets compromised, it's easy to change and a key is very costly and time consuming So what this means is with mechanical keys things are harder for both the red team and the blue team It's harder to brute force and try a whole bunch of combinations, but if a Vulnerability is discovered by the red team. It's a lot harder for the blue team to actually mitigate it and work against that To try a brute force attack economically If we look at just the cost of the blank and we assume that if we own a code cutting machine the marginal cost of cutting a new A new key on it is just your time So keys are not particularly expensive in that case between 13 cents and three dollars And if you don't you would have to use a locksmith who might do it for three to ten possibly more for high security keys So for instance if we can reduce the key space of a given lock down to a thousand possible keys Using the software that I showed you in applying rules that we're going to learn about soon We might be able to try all of those one thousand keys for $450 if we own a core code machine if the blanks are 45 cents each If we have to go to a locksmith to get to get them cut then he might charge four dollars each for four thousand dollars And at that price we're better off just buying our own code machine What's important about this though is that if whatever is being protected within that room is worth less than four thousand dollars It now becomes an economical attack to actually brute force all of these possible keys in the key space One really good example of a lock where this is not just possible, but Imminently feasible is the sergeant and green leaf environmental padlock It's a very well bit built beefy padlock meant for highly punishing outdoor environments And there's very few small parts inside as well It's a disc container lock So it looks a bit different than the keys we've looked at so far, but we can analyze it exactly the same It has three different discs and the key can be cut to either 180 degrees as we see in the middle here 135 or 90 degrees so three discs and three different positions that each one can be cut to Let's put that into our key space software so get rid of those rules And this is a disc detainer one based with Three discs and three possible depths each And we see 27 is our total key space that is everything that that sergeant and green leaf environmental can possibly take on And that's three to the third power that makes sense and we see them all enumerated here It's a little bit more complicated than that because If we insert this key and we turn it and open that lock One design feature is that they want it to be key retaining. We can't pull the key out if the lock is open If this were say cut 180 180 180 that would be possible to do and we don't want that Um, so we actually want to remove all of these key combinations that would not be key retaining That we can pull that key out of the lock for So 1 1 1 is no good 1 1 2 is no good because 2 is lower than 1 so it has to go up at least once So 1 2 1 is good 1 3 1 is good 1 3 2 is but 1 3 3 is not because it doesn't go back up at least once throughout it So we can add a rule for that under max and stuff. We can add a rule for key retaining and that's going to reduce those That key space to remove Differs that are not going to be key retaining in this particular case And so we can see now that there's More with a deeper cut in disc one and a shallower cut in disc three And that's because if it steps down from 1 2 to 3 That's not going to be key retaining So we could create all 17 of these possible keys And that might make sense because it'll work on all sergeant and green leaf environmental box If we have say a budget limitation, we don't want to pay for 17 blanks, which would be Um, we've put 41 here. It would actually be a bit more because these blanks are worth more But this is just in order of magnitude calculation You can click down here and click brute force save blanks where it'll run a little algorithm to try to optimize for you Cutting one blank and then filing it down. So 1 2 1 files 1 3 1 to 1 3 2 etc And that way we can test out the entire key space in as few blanks as possible This particular algorithm here to find the optimal solution turns out to be an NP complete problem It ends up being reducible to would be set cover problem But we have a somewhat sub optimal greedy algorithm that I've implemented here that empirically I found is good enough For getting us a decent algorithm of saving ourselves some blanks So in this case it goes from 41 Dollars to get all 17 blanks down to just 12 since we only need five blanks now So that's the sergeant green leaf environmental padlock. It's a very good padlock for what it's designed for It's not really designed for security of the key space Um, and that's okay. It was used For a number of years back before people knew this and so it sort of benefited from security via security But for that reason this particular lock is not used for high security applications anymore So let's shift gears a little bit and look at locks where we can try the entire key space not by Reducing possible differs but by trying multiple at once So this is the quicksets smart key lock It's smart key so to speak because it has this hole you can insert a special tool to rekey the lock without ever taking it apart Kind of a cool design. Unfortunately. It's manufactured with extremely loose tolerances And what that allows is us to actually try half heights So normally if you have a one cut in a particular pin, um position That will work if the pin is a one or a two will work for two What this lets you do is cut it to one and a half and that will work for both a one and a two um So by allowing us to do that we can reduce it down to 200 and some odd possibilities. So let's Simulate that in our key space software here So quick set locks what has five pins and six depths and then six to the five is 7700 as we looked at before When we have to try all of one through six When half heights work though it turns into three to the five Because we can use 1.5 3.5 and 5.5 to try everything from one to six And so we can see here that trying out all of these half height keys to exhaust the entire key space would cost about 500 dollars to make all of them and There actually exist Commercial sets you can buy that cost on that order as well Um to try all of these different options So that is something that's out there for the quick set keys. Um the quick set smart key in particular and that Is something that usually wouldn't be your go-to attack methodology because the quick set smart key by virtue of those um loose tolerances is easy to pick but if you wanted to use Use it to say determine the key for one lock and then you could get in very quickly in future or if you uh Had multiple locks that you know are all key to like once you figure out the key for one It's going to work for the rest. That's something that you can do Let's examine for a few minutes Why this actually works and why locks sometimes accept keys that are cut incorrectly? So in this particular case, we have a set of probability distributions. So this is the one cut two three four to six um for a quick set lock and we can notice that This is where it's supposed to be what it's supposed to be cut at And if we're a little bit above that or below that the probability falls off relatively slowly So that if we go exactly between two cuts It still has a very high chance of actually working on either the lower or the upper This distribution here a fairly normal looking one Um exists because the quick set smart key lock is a type of wafer tumbler So wafers are symmetric in what they'll actually accept and it's also one with very bad tolerances If we pump that down a little bit We start to get it accepting less and less and so a lower probability of actually having a key that's cut halfway in between work and We can also look at what happens with a pin tumbler lock in particular When we have pins involved it becomes a much faster fall off When the key is cut too high and the reason for that is because if we look at what a pin tumbler lock looks like on the inside If that pin is too high it's going to stick out above this core here And when it sticks out above that core It is now physically blocked by the housing It needs to Stick up into this and so we cannot turn that core at all If it's more than one or two thousand eleven inch too high So both the fall off on the probability distribution is significantly Faster as well as the amount too high it can be before it starts falling off Is also significantly lower. Whoops that was the wrong slider there um, and so we get a probability distribution that looks something a lot more Like this for a pin tumbler lock. So this would be a quick set probability distribution for accepting a one cut Key so if it's a little bit too high it falls off quickly if it's a bit low It works out okay, and then two through six as well um In the case of a slag We have 10 cuts and they're much more closely spaced together So now we have even though it's a pin tumbler lock, which generally has better tolerances now we have um A much higher probability of it working if we are somewhat between these two positions As that slag lock gets worn out that increases as well significantly. So a very worn out pin tumbler lock um Will now accept even if it's a full height below it'll still let it work a lot easier The way that that actually happens is if we look at a lock here and we cut one height too low We can see that as that key jiggles and moves in and out of the lock a little bit It only has to bump this driver pin up a tiny bit for it to actually get launched into housing and allow this key to turn And so that's something that does not have this hard mechanical constraint of housing It just has to bump up a bit and that's why if a key is cut too low for a pin tumbler lock It's a lot more permissive for what it will actually allow So for a very worn slag lock these are very close together and so being close together means that uh the Probability distributions overlap by a lot as well as it's quite wide in a worn lock We get it to be somewhat Permissive as well for what it will accept So that's lock tolerances. That's sort of an interesting aside there This particular mathematical model that we've derived is uh from both theoretical and then empirical confirmation That this is actually how Locks behave when the keys are slightly too high and too low And this is of course an n-dimensional distribution where there are n pins So what I was showing here is a slight simplification of that So 243 keys is is possible to brute force but not practical in many situations So what can we do to actually reduce that key space even further? One thing we can possibly do is get a photograph of that key So oftentimes you see security guards and users leaving keys lying out on the desk in the public view This is one of the most egregious cases of these key watchers with transparent windows Behind a publicly accessible desk with the facility's keys visible and photographable through that And of course people like to wear keys on their belt as well and that can be photographed as well If you can get a good enough photograph You can superimpose these depth and spacing lines and determine directly from the photo what that key cone is And this is something that I've got another talk coming in the next year or so About all about how to do this and how to work with poor quality photographs And releasing software to do this as well, but that's not this talk What happens though if that photograph is Not great quality and how can we use other information to help to do what it is? So here's an example of a vehicle key that's left on a desk photographed at a distance of about 10 feet We can try zooming in but that doesn't do much for us. This is incredibly grainy There is not a whole lot that we can tell from it. So what can we do? So let's first recognize that this is a Ford vehicle key And by looking it up we can find that it is Eight positions by five possible depths And it is a wafer tumbler lock And of course half lights will visit in a few minutes about this. We will come back to that But we have naively now 390,000 possible key differs for this particular key Based on the photo, we can't get a whole lot, but we can get something from it So we can go on over to our photos tab here And add a rule basically looking at that picture and saying well We know that one pin is a little bit high cop one is low and see if we can narrow it down a little bit from there So we have eight pins here We can see in the middle These two this is number four and five are lining up with The top blank height So this four and five we can be relatively confident even from this poor quality picture is a one cut And then six seven eight is beyond that six is fairly deep It looks to be a three or deeper But it's not the deepest because we have one that's deeper here So this is a three or a four And then beyond that it's fairly shallow. It might be a one It might be a two. It's likely not a three or anything deeper than that So we can start adding those rules in So four and five are both one cuts Six is fairly deep, but not the deepest And then seven and eight are fairly high cuts, but we don't know Exactly what popping back to our picture and looking at the first few pins We see one two and three kind of make this bite pattern here So this pin two is fairly deep We don't know if it's the absolute deepest, but it's say a three four or five And then pin three. Well, we know it's not the shallowest. We know it's not the deepest That's about all we can tell and pin one. Well, we know it's fairly shallow So we can Add that here as well. So pin two is quite deep at three four or five pin three We know it's not the shallowest or the deepest And pin one is quite shallow And we can add that rule here And we now get this 390,000 possibilities reduced to 216 That's pretty good But that's still a lot to try The other thing that we can look at doing Is recognizing that this system is actually on what's called code books So this particular type of ford key Is one of only a few Different differs that will be manufactured not all 390,000 possible ones And that's just done to make keying The locks up easier at the factory effectively So we can add a rule for that as well under code books. This is a ford fleet Keying system and by adding that we now see that there's only one key That's actually in the code books that follows these rules that we determined And that's the 0151x And so Getting a better picture if we're able to come back and get one We would see that it is indeed an 0151x that we were photographing And we can see now from this much better picture. We can read off the code So we have a two cut here. It's slightly below the blank Followed by a very deep. This is a 4 or a 5 12 by 3 1 1 3 2 2 And so we can see from looking at At it here that that is indeed what we found For this particular key. So that is a combination of both the Photograph limitations that we found as well as knowing that it must be in the code books So if you remove this rule, we can see that the code books actually only have 1,700 possibilities. So that gives us a lot of narrowing down of what that particular key can be And in pin eight it can never be a one depth because It starts to taper off at the tip of the key there. So one will not physically fit on that key So that's sort of a cool example of combining code books with Photographs to determine what a key's final code is We can also combine it with these half heights that we talked about before So if half heights are available for this particular type of key If cutting it halfway between a one and a two will work for both a one and a two We can see the effect that would have and that would reduce it from 1700 possibilities To 460 that would try out all possible locks that would be manufactured based on these code books And for many vehicle locks because they're wafer tumblers. They have relatively loose tolerances That is actually the case. You have both code books and half heights will work And so you have many of what's called tryout key sets for vehicle locks Which is a number of keys that will try out Most or all of the code book keys that are possible That will let you then determine what key is used in a particular vehicle or a particular fleet of vehicles Auto jigglers are sort of the next stage down from that And so they are not keys at all. They allow you to move them up and down and angle them And sort of do some fuzzing to try even more combinations quickly And the high quality auto jigglers were somewhat intelligently designed to be effectively These tryout key sets except adding that degree of freedom for up down in out tilt tilt So that we have rather than just rather than 80 or 400 We have only 10 of them that can work on many many automotive locks and not manufacturers specific either And of course further down that continuum is raking which works in a similar way So what happens if we don't have a key to photograph or other information like that? Well, but then we can decode by looking at the lock itself So here's sort of a funny example where the keypin is visible in its entirety through the front of the lock And so from this we can tell the length of the keypin and therefore the depth of the first cut on that key We can look deeper in the lock using this device here, which is called a lock scope So it's like the autoscopes that are used to look into your ear At the doctor's office and they shine light through the back of this lock And we can see then every pin through it with a little magnifier that's inside of it So this is cool. We can't tell a whole lot from this wouldn't it be nice if just by looking at the bottom of the pins We could actually tell how long they were in terms of their total length Well enter colored painting kits I kid you not and they are colored. I kid you not by length So by seeing the color of the pins that we actually look at in this lock scope We can tell how long our keypins are and therefore the key code So that last picture was a locksmith's re keying version This is for an end user and we see colored pins as well. It makes it a little bit easier to use But you can read the pins from that So here's an example of looking down a sergeant lock with that lock scope And we can see there's gold green gold green gold It's a little hard to see at the end, but that's a purple pin at the very end Looking at the sergeant chart. We can see that a gold bottom pin must be a 147 or 0 Which is what sergeant calls its 10 depth green is three Six nine and purple is two five eight So based on that we can actually go ahead and severely limit what the key could possibly be For this particular system This is a sergeant system and has six pins and ten depths And we use one base numbering And we'll go ahead and under photos we can add that particular rule And so we tell it that it is a sergeant system and that we have gold green gold green gold Purple and that reduces our key space from a million down to 1728 It's worth noting incidentally that half height is not going to help this year even if this lock accepts it Which it doesn't Because half height would not be able to try both of two accommodations three apart And so we get 1728 as well with just a slightly squished chart there So this is not bad. It's a lot better than a million But we need to do a bit better than that to get a single working key One thing we can notice is that if this pin one is a zero Then pin two cannot be a nine. That would be a max violation So sergeant has a max of seven. We can go ahead and add that on in there And so now we've reduced to 1166. That's getting a little bit better What else can we do? Well remember looking at this lock. We have this shear line visible And so that tells us that this is a zero cut In this particular position. So a very high cut A very high cut depth on that key We can go further and use a lock pick to lift up that first pin and look at the second to see if we can see something similar And we don't but so here's the lock pick in there But on the third pin we do we can see A shear line at that same position telling us that that third pin is also a one cut And we can continue backwards through the lock seeing that there are not any visible shear lines beyond that So how does that apply to? The lock that we have here Well, we can go to known shear lines and we know that pin one has a one as a shear line pin three has a one We can add that rule and now that severely limits our key space down to 44 Moreover because we looked all the way back. We know that pin five does not have a shear line at one So it's only possibilities are four seven and ten So we can put that Into there And now we're down to 32 different keys. This is something that's very brute forcible It's easy to make 32 and try it that'll cost us about 10 dollars and take three minutes to try 32 keys out Not bad, but we can do better than that And the way we can do better than that is impressioning in particular with this extra information that's available to us Before we talk about how to impression this particular lock with extra information Let's talk a little bit about how impressioning works in general So we put the key in Uh, we put a blank key in so this is cut all zero-bitted the highest possible cuts And when we turn the key, there's a couple pins that bind that don't let the lock turn If we turn it really really hard Then those pins are going to bind Really really hard And if we then wiggle the key in and out up and down a little bit Those pins that are binding really hard are going to leave a mark on the key that we can then look at So if we impression this one of these pins that's binding is going to leave a mark Can we take the key out and look at that mark and see it's in position two So cut two is not a zero cut because if it were if that were a shear line Then the pin would not have bound wouldn't have left that mark So we cut it down put the key in and impression again And we take it out and we see now there's no more mark on pin two But there's one on pin four which tells us that pin four is binding It's not a zero we cut it down and we repeat the process And so pin four is still leaving an impression mark So we file it down one more time Impression it take it out pin four still leaving an impression mark file it down one more time Take it out impression it and now we see that pin five is the only one binding So pin four has stopped leaving an impression mark and pin five is now So we know it's not a zero cut we file it down And then we're going to repeat that process Filing until when we try to impression and it's the the right code the lock is just going to open So that's what impressioning works in general starting from a blank and ending with any particular lock Or with a key for that particular lock one piece of software that's i'm releasing A modification to this is a little game that you can try so you put it in and you could make the lock visible Or not as you see fit impression it and take the key back out again And then you can sort of practice your impressioning that way until you eventually get the key for it So that's something you might enjoy, but let's look at how that applies to this particular system here If we wanted to impression this lock So let's start by creating a lock here We don't actually need to start with a blank because if we look at our key space A one one one etc. Cannot possibly be the code the highest cut our code can be is one three one three four two And in our impressioning tab it tells us that so that's what we actually want to start By cutting our key to one three one three four two And we put it into the lock Now this lock to give it a couple examples for what our Actual code is inside the lock might be a one six one three four eight So that's what the key is we're ultimately searching for but of course we don't know that yet So we're going to impression this key and take it out and we see that position two is binding So position two is not actually the correct cut And so what we'll do is scroll on up and say that pin two Is not at depth three It's not at depth three because it was cut to depth three and it's leaving an impression mark So we'll add that rule that's telling us to try a six next And we know what six is going to work because it's the only position left the pin two can be So our impression mark should show up somewhere else. So we're going to file our key down to a six depth put it in And impression it and take it out again and we now see that pin five is binding and pin five is now leaving a mark so We can scroll on up and tell it that pin five which was cut to a two has um Sorry, not pin five my apologies pin six the last pin So pin six that was cut to a two has no shear line there because it leaves an impression mark And so we'll add that rule to the system no shear line there And it tells us the next try out is one six one three four five because five is the next value that pin six can take on So we try that pin six we'll cut it down from a two to a five and we'll put it in An impression is and when we take it out we'll see this impression mark left on pin six So we know that pin six is not a five depth either And so we'll tell it that no shear line at depth five And so it tells us to try an eight now And we can see that this has to be what pin six is so if this doesn't work we've done something wrong So we'll file it down To an eight and we'll put our key in and we'll hit impression And this time the lock opens because we found the correct code So as we can see one six one three four eight This was done in only three impressioning steps Whereas it would have taken 19 to get down to this particular code Using impressioning with no other information just going down one at a time at a time So very very powerful tool that will let us Decode locks with the impressioning technique. So let's look at another arrangement that can be useful to us Which is key to like systems So password reuse is generally accepted to be a poor form Key reuse is common and called key to like and see in many cases So there's a whole big old list here many of them If you're interested in this I encourage you to check out how we're paying in dv at all That's amazing talk. Uh, this key is your key. This key is my key at hope 11 And it touches on a whole bunch of these and what they do Here's a couple that I've discovered that uh wasn't mentioned in that talk that I think are interesting So one is construction cores So if you ever see an interchangeable core that's got a color on it black red or green That's usually a construction core. It's just used when the building's under construction It gets swapped out once it's done. These are all key to like So if you find say a green vest or a black slag You can look up what the code is and cut cut a key for that without doing any more decoding Traffic controller boxes are like that as well This little upper box is for emergency services to manually control the light And those keys are universal across north america and then this lower keyhole is for maintaining the system And there's only a couple of those different keys that are used across north america Here's a great example of a bunch of key to like systems. So we have an enter phone box here This is a mirror comb box. So opening it up to service the box This is a mirror comb 549 key and that's universal for all of these mirror comb boxes It's also got a postal key here so that the post worker can open the box or can Open the door and get in and deliver your mail This box beside it is a little key box that the power company uses to get in Because presumably this particular facility will have a customer owned transformer vault somewhere within side We also see these two Building owned keys. We don't know what they're for but lots of ways to get through this door Three of which are key to like systems Here's an example of a postal lock box This one is a abloy postal lock. So in canada our postal service uses abloy very very good choice It's somewhat negated by this door king lock here, which is not only a poor tolerance wafer lock But it's also key to like and these door king keys any of them will open it If it's not something that we already know what the key is for the key to like system We can determine what that key is by disassembling the lock and then once we get the key for one lock It's going to work for all of them if they're key alike So to do that we Need to get the lock out somehow So once the door is open you can unscrew the retaining screw and then unscrew the lock at which point We can take off the tail piece And get these pins to shear line somehow either shimming through the back or picking And then we can look at what the pins are on the inside of it. So in this particular case We have a lock we can see how long these pins are And that particular pattern that the pins make if we invert it So it's upside down that's going to give us what the key looks like And so we can see we put the key in and it doesn't need work And we can figure out what exactly that key is going to look like from the lock If you don't want to have to shim through the back, you can also take off this brass plate, which is an awful task to do but it does work And if you want to have a bit more time to do this decoding and disassembly One thing you can do as well is replace it temporarily at least With a lock that looks like this and that's going to work no matter what key enters the lock So anyone that tries to get in Is not going to be blocked and no one's going to be the wiser while you have the lock out for disassembly Medicals are very nice to us. They have these nice set screws at the top And so we can pull that out and dump the pin stack and so we can see in this pin stack here We have a key pin. We can read both the angle And the depth of it from that this one happens to have some master wafers So it's not key to like and we'll talk about how to handle that later, but we can see A 25 000 of an inch one wafer and a 50 000 two wafer in this case We only needed to needed to remove these first two pin stacks because We got some information about the lock already and the first two pin stacks are the only things that we needed more information about And of course because of these set screws, we don't have to worry about this awful brass piece or shimming it etc If you're interested in this sort of thing, I strongly recommend you check out mall looks amazing talk Please do not duplicate attacking the knocks blocks from defcon 26 It's all about doing attacks like this taking locks apart and looking at the knocks block systems Which is key to like across many jurisdictions in north america so that's key to like systems what we can do with that is um Start to analyze everything that we've looked at so far and figure out How to formalize it and how to determine what the best next step is and we can do that by looking at information theory So you've likely heard of the concept of the entropy of the password before We'll talk a bit about what exactly that means so information is stuff we know and entropy is stuff We don't know So in the case of a stoplight it's either red or green and that is information That's in the case of red or green one bit of information because it's zero or one that's ignoring yellow Um when it's a random variable that's something we don't know and so that's entropy And so a key or a password has entropy because we do not know it and we're trying to determine it to get into that particular lock So how do we measure the entropy? So it's in bits so a coin flip is zero or one So it has one bit of entropy a random number from zero to 255 has eight bits since eight bits going to code number zero to 255 A random number one to ten has three point three two bits Well, how do we have? Fractional number of bits well, we can think of it like the following We have three random numbers one to ten That is a three-digit number and so that can be encoded with one to a thousand or zero to 999 and that fits very well into 10 bits which can encode zero to 10 23 So two to the 10 minus one um So 10 bits will easily encode zero to 999 with not a whole lot left over And so 10 bits divided by three because we're storing three random numbers inside of it Is 3.33 which is very close to that 3.32 figure if we Extend the number that we're storing so instead of three random numbers We try to store six or nine or a thousand as that tends to infinity. This number tends to three point three two um This is mathematically represented with a log so the entropy of a piece of information can be thought of as the number of bits it takes to write it down Or write down a number from zero to um The total value that that information can possibly be And so that would be the log base two of that number So the number of bits of entropy which is represented by the greek letter eta or eta in modern greek For a random variable with n outcomes is just log base two of n So a fair coin flip has two possible outcomes log base two of two Is that should not say two bits that is a typo one bit A random number from zero to two hundred and fifty five is log base two of 256 because zero is not counted here. So Or is counted here. So that's 256 possible options, which is eight bits A random number one to ten is log base two of ten, which is 3.322 what we looked at before So a couple examples of entropy within keys That is the number of bits in the piece of information So the key to the password once we do have that information So an eight character ascii password. So that's eight bytes times eight bits per byte is 256 bits of entropy This many of you will be screaming at your monitor is wrong because Some characters are more likely than others. Some characters are not used at all in most passwords and Of course dictionary attacks exist. So certain passwords are more common than others And so that does reduce the entropy. We'll look at why in a little bit For a 10-digit passcode three characters long assuming all combinations are equally likely. We have 9.97 bits, which makes sense a thousand combinations is a little bit shy of 1024, which would be exactly 10 bits an eva mcs So that's the magnetic coding system key. It has four rotors and eight positions each for each rotor So that's eight to the power of four 4,096 or 12 bits exactly of entropy and a Schlage 5 pin system has five to the power of 10 or 100,000 combinations log 2 of 100,000 is 16.6 bits So that's a couple of Examples of how much entropy is in a system In the software that we have here it gives you that At the start and at the end of the rules that you've applied So in this particular case if we look at a Schlage system Five pins with 10 possible depths. So 100,000 and then we have 16.6 Right there and you can play around with that to see what happens as you change the number of depths and pins So if there are n possibilities and all possibilities are equally likely then the entropy is given by log 2 of n But if some possibilities are more likely than others entropy goes down So in a dictionary based attack on passwords because they follow these dictionaries It is easier to guess that there's less entropy in those passwords And so in the example of keys We see many key systems avoiding very deep cuts because that makes the key more prone to breaking Um And there's other ways that you can do keys to make it harder to pick And so that does slightly reduce the amount of entropy present in your key The fact that certain differs are less probable than others So to look at a very simple example here We have a master key that we've decoded as either a 14767 or a 94767 So looking at these two options naively we have or we could say there might be a 5050 chance of each of these two options And so sense there's two is a zero or a one. This is one bit of entropy. We can expand this calculation a little bit Um by looking at the individual probability So there's a probability of 0.5 of it being 14767 and 0.5 of 9 So we have minus 0.5 log 2 of 0.5 That's the probability of the first one Then the exact same thing because the probability of the second is the same And we do a little bit of arithmetic using our log rules and we find that simplifies to log base two of two or one bit The question is though are these equitable and so if this were a non master key then it might be But knowing that this is a master key. There's a couple of cues we can take So here's our 14767. This is very typical of what master keys very frequently look like When we take this down to a nine, there's a number of problems with it. One is it has a very deep cut in pin one This is prone to breaking off in the lock and it generally want to avoid keys breaking off in locks But especially master keys Um because if that gets stuck in there and a bad actor is able to get it out That's a problem for you. The other thing that happens here is this is now a very low cut key And for reasons we'll talk about shortly having a low cut master key is something you want to avoid So it's highly unlikely that this 94767 would be the code that the locksmith chose to be the master key So we can assess perhaps a 95 chance that it's this one cut and a 5 chance that it's this nine cut And crunching those numbers we have 0.95. So we're probably times log 2 of 0.95 Plus 0.05 times log 2 of 0.05 and we find our entropy is now 0.2 bits 0.3 grounding. So that is significantly lower owing to this high difference in probabilities between these two options In the extreme case so we can sort of intuitively understand this if one option is certain and the other option is impossible Well, that's zero bits of entropy because there's nothing unknown in this case so in general The the entropy where the probabilities are not equal is going to be the sum of each probability times the log 2 of each probability and then minus that Because log of a number less than one is going to be a negative Um, and so this definition is there's a fairly beautiful derivation of it That I won't go into now for obvious reasons, but I encourage you to look it up so we can now extend this concept and Do a little bit more useful with it by looking at joint and conditional entropy and mutual information For different rules in terms of which ones are giving us more and less information So let's just get rid of this lock to start. So what we'll do here is consider A very simple system with only three pins And only two possible depths for each and so we can see that this has three bits of entropy in it And that makes sense. We have a zero or a one zero one zero one three times over So that's three bits and we've enumerated all of the eight possible options here And of course long base two of eight is three so that also makes a lot of sense So let's say that we have say a photograph of the key or something But that photograph only shows us pin one and that tells us that pin one is a zero So that now tells us well pin one is a zero We don't know anything about pin two or pin three That gives us one bit of information it makes sense And we're now down to two bits of conditional entropy that's conditional on this rule being the case here And then we get another photo and it's a bit better It shows the pin one's a zero and pin two is a zero And so now we've limited pin one and pin two to zero zero And so we have one bit of entropy left because this rule has given us two um And if we have a third Photograph say that shows that pin three is limited to zero, but we can't see pin one or pin two Now we have the final key because we know that they're all zero zero So this is fairly simplistic and fairly obvious I assume but we can analyze it in terms of the information content provided in each of these three rules So looking at intuitively rule one gave us one bit of information rule two gives us two and rule three gives us one as well as rule two shares one bit with rule one In terms of the conditional entropy given by rule one relative to rule two So given everything that rule two gives us rule one gives us nothing extra Given everything that rule one gives us rule two gives us one bit extra And they share one bit comments both of them and rule three of course shares nothing with the other two So we can analyze this Automatically with the software here by clicking calculate conditional entropy is down below And let's compare rules one and two just to start and we see exactly what I mentioned there So rule one within this circle. We see it gives us one bit And rule two within its circle gives us two bits One bit is shared with rule one and one bit is on its own And so that one on its own is of course position two where this is the only one that tells us anything about pin two Um, and then the total information given by both is the sum of what's in here So that's the joint entropy reduction, which is two bits Comparing rule one and rule three we see that they both give us one bit And there's nothing shared between them which makes sense. We have pin one pin three nothing shared And we can compare all of them And so we see now that within these we have a total of Three bits given and for the system that started out as three bits that will reduce us to a final key And those three bits one of which is shared between rules one and two Um, one of which is just given by rule two One of which is just given by rule three And then there's nothing say that's shared by all three of them or that's just given by rule one, etc Um, so this is a fairly useful way of analyzing the rules that we've determined that limit the system And determining which one is most useful to us and are we sharing a lot of information If we are that indicates that we're not being particularly efficient with What work we're doing to find out this information to put into this system? Ideally the less shared information the more total information we're actually going to get Out of all of the rules in this particular system So that is um conditional entropy mutual information by the way is the term that we use to uh To talk about the information that is well mutual between Two different random variables or in this case two different rules that impose a constraint on the system So in the case that we looked at before with this 0151 x key we have the um conditional entropy given by the code book is a lot Almost nine bits which makes sense for going from three hundred ninety thousand to uh, 1700 possibilities And given by the photo is a fair bit as well because we were able to determine Um some severe limitations on many of the pins that exist And there's not a lot of shared information and the result of that is between these two rules They give us all of the entropy that existed in that particular key Um, there's a good reason that they don't share a lot of information and that's because Well, what is the uncertainty that exists in a photo? Well, the uncertainty is you know, is this a two or a three? You know, it's it's one position off In the case of a code book what they do with code books is very different They're not going to make a code that's off by just one cut and one pin from another item in the code book They're all going to be wildly different if you're reducing 390,000 possible differs into 1700 in the code book So because they're wildly different the information given to us by the code book Is Very very different the information given by the photo. There's not a lot of overlap and as a result there The these two rules put together are very useful to give us a lot of information about this system So we've talked about loads of techniques to determine the key for a lock when we don't have a key at all How about if we have a key for some lock on some master system? And we want to turn it into a grand master key that's going to work for all of those locks to understand how to do that Let's look a little bit at how mastering works in general Any lock on a master system is going to accept multiple keys And it does that by having more than one shear lines and at least some of the pins So in this case, we have two shear lines in every pin stack One of these shear lines in each pin stack is for the change key and one is going to be for the master key So there's two different shear lines And a different one is always going to be used one for change and one for master Master key actually is necessary in the context of multiple locks So in here we have Alice's lock and her key a one and it's going to work in her lock And we're also going to have a sub master mka that will work in her lock and a grand master But bob can't put his key in her lock. It's not going to work It binds in pin three and charlie's is completely off. It's also not going to work So that's what works in alice's lock and bob's lock Alice's key is going to or is not going to work because it's not the right key. It's just a change key But bob's key, of course will charlie's key won't And the master mka will because bob is on the a system. He's a two And the grand master is going to work as well In charlie's lock. He's on the b system. So mka is not going to work Alice's key, of course and bob's key are both also not going to work charlie's key will of course And the grand master will as well So what we have is a two level hierarchy system where we have a master key mka That works for alice's and bob's lock which are on the a system But not for charlie's which is on the b system and a grand master key that works for all of them The way that this happens is the grand master key uses the grand master shear lines in all positions on all locks The mka uses the grand master shear lines in just these last three positions But not the first two. So that way you can tell is this on the a system And all a system locks start with three one. So alice's key does as does bob's key it starts with three one and therefore mka, which also starts with three one is going to work on bob's lock If we try mka in charlie's lock It's going to work on the last three pins because mka is at the master level On these three pins notice that it shares the last three pins with the grand master key But it is not going to work in charlie's lock because mka is not the master depth in these first two pins We need the grand master key for that So we have a multi level mastering system that allows Um, certain master keys to open only some locks the individual keys only open their own and a top level master key That opens everything So that is an example of a three level system. This is two level with just a master and change keys below it This is what we just looked at. So a grand master key under which we have mka And there would be hypothetically an mkb as well and then change keys under that So here's alice and bob and charlie is somewhere over here We can have Higher levels and this requires splitting up the pins more in the way that we showed you Or using secondary locking elements So looking at our sergeant lock again It had um this visible shear line here and above it is this red pin A red driver pin is only used for key pin four five six. We see this as zero So we know that it's actually a master pin So we can start to determine what the other shear line is In this particular sergeant lock and once we know what both shear lines are We can then start to determine which one is going to be the master and reducing the master key from that When we lift up the first two pins and see that the shear or the um The master wafer on pin three is gold. We can do the same thing and determine that The second shear line is going to match one of three four or eight plus the one that we know is in there already If we have a lock on a master system and a key for that lock We can use that key to actually disassemble the lock and it's a whole lot easier because we can use the key to open the door And to then unscrew the lock from an open door We can also put the key in and use it to remove the core from the lock And then we can look at the pins and see what they actually say So to look at a demo in this case We have our mastered system and our change key here and the mastered Pin depths that we find are two eight two four, etc. And we get this for reading these pins here If we put that Into our analysis software two eight two four three five, etc We find that now the master key can take on one of each of these two positions in The lock And so there's five bits of entropy which makes sense. There's two positions in five pins And that gives us 32 possible keys that could work as the master key for this locking system We can of course create all 32 and try them We can create Only some 10 and then file them down until we've tried all 32 of these but we can do better than that because We have the change key code and we know that it's a change key Two four five three one And so we know that whichever shear lines That change key interacts with when it's using the lock is not going to be the master shear lines therefore The other shear lines will be the master So if we take eight two three, uh, sorry if we take the change key two four five three one And we put that into our analysis software. So known change key two four five Three one it's going to remove two four five three and one from the possible Depths that this Master key could be and it's going to leave us with the other remaining one in each pin stack which will be A single master key left eight two three nine nine And in fact that is what we find as the master key in this particular system So that's pretty neat Given just a Key for a master lock and access to the lock itself. We can actually derive the master key entirely from that The other thing we can do if we don't want to disassemble locks is we can combine information From a number of these low-level change keys and use that to determine what the master key could possibly be in a system So let's say we have a Schlage system So five pins and ten depths each and Schlage is zero base numbering The master key in this system could be any one of a hundred thousand possibilities If we know what one change key is let's say it's two six three five zero And we go ahead and add that as a rule We now have Instead of ten to the five we have nine to the five so a little better but not great What we do see though is that In a Schlage system remember I talked about how If we have a pin that's one too low or a little bit too high The lock might still accept it for a very worn out lock And that would be a bad thing for a lock to accidentally accept a key That's not a master key as if it were So what Schlage does to avoid that is uses what's called the two step system every Position that any key in this system will take And pin one is going to be even pin two will be even pin three will be odd etc So we're always skipping every other Depth to make sure that we don't have anything that's too close and is going to create problems With keys operating locks. They're not supposed to So what that means we turn on the two step system here is it severely limits our key space Now pin one must be even so zero two four six eight But it can't be a two because that's what our change key is And we do that for the rest of the pins and we get 10 24 possibilities. So four to the power of five We can get another change key And so this is going to be two step as well, of course So that's let's say six four One three two so if we have another person conspiring to get in on this plan to derive the master key And now we have only three possibilities each and if two more people sign on So four two seven nine six And we've eliminated even more of the possibilities And finally eight six three one eight And we've now got it down to only four possible master keys So we could absolutely just make these four and try them out and hope that one is going to work Well, we know one's going to work, but we can do better than that We know that pin one is a zero cut Pin two is a zero or an eight, but an eight is a max violation. It's too far from pin one, which is zero So we know it's zero as well And now if you look at pin three, it could be a five or a nine But a nine now is too far from a zero which we know pin two is So in fact the master key is going to be zero zero five seven four And if we add this max rule of seven, we find that that's the case So by combining these multiple change keys, we've been able to derive the master key Without taking a log apart just by using the information on those change keys From an information theory perspective We can calculate these conditional entropies from the rules that we've been looking at And we see that we have a lot of shared information between them That's because each of these rules tells us that it's on the two step system Which knocks out one out of every two position in every single pin So that's a lot of information that gives us four and a half bits As well as we're knocking out an additional depth from each pin from each of these keys that we have And so that's these two bits here So between all that it gives us a lot of information that we can then use to determine What that master code actually is So we can actually derive the master key for a system using just one lock and one key for that lock without ever taking that lock apart Using a technique called writes amplification So this has been known to locksmiths for decades And it was first made known in the infosec community with the 2003 paper by matt blaze The general technique looks like this So alice has a key for her lock and of course it works in her lock And she knows that the master key whatever it is is going to operate on different shear lines than her key does So she needs to find what the other shear lines are in her lock The way she can do that Is we're looking at her key. It has a zero cut in pin three. So that's a good place to start Because we can start varying What that depth is just in pin three And if we leave everything else to say we know it's going to work So if the lock does not open it's only because of the pin three and if it does we know we found a shear line in pin three So cut zero is what her key is. So it's definitely going to work She brings it down to a cut one and we try it And it doesn't work. So she pulls it out And tries to cut two and tries it in her lock And it does work. So now alice knows that she's actually deduced the master shear line in pin three And that's because it's the other shear line that works in her lock So she can take her modified key. So alice's key And file it down To a two and try it in bob's lock And it also works because bob's lock is very close to hers on the same system bob is a two. She's a one Alice can then go and take her modified lock key So we take alice's key And we modify it from a zero down to a two And we can try it in charlie's lock and it doesn't work, which is no surprise charlie's lock is b34 It's very far from alice's And she's only found one of the master depths. So she's going to need to repeat this Her new sub master key is three one two three four She can get a new key cut that's at zero one two three four And try the zero cut to see if it might be a shear line and as it turns out it is So we now have a master depth in zero and or in pin one and pin three So now we get a key cut zero zero two three four And we try that It does not work in her lock So she pulls it out and files it down to a one to try the next position And of course it does work, which we knew because that was what her key Was originally so we take it down to a two Now we try it It doesn't work Take it down to a three Try that in her lock and it does work. So now we found the master Um depths for pin one two and three In alice's lock by finding the other shear lines We can keep going zero three two three four We're going to get a new key cut with four as the highest So zero two three Zero four and we'll put that in And she tries it it doesn't work and so she files it down to a one Tries it it doesn't work two tries doesn't work Three tries it does work But we sort of knew that that was What her key was originally so we keep going A four we try it doesn't work File it down to a five we try it and it does work So now alice has found the master depth in pins one through four using her lock And so now we have Oh three two five is our master depths and then We want to find out what the master is in pin five as well So we we put it to a zero, but that's a max violation. So we put it to a one And we try that And it does not work We put it down to a two And it does work and alice's key originally was a four So we now have a two As our master depth in pin five. So our master code should be zero three two five two Alice can try this in bob's lock as a sanity check So zero three two five two And she tries it and it does work. So that's a very good sign and then charlie's lock is the real test zero three two five two And she tries that and it works in charlie's lock as well So by sweeping all possible depths In each pin Within alice's lock and seeing if it still works on each depth Alice is able to discover what the other shear lines are in her lock by modifying her currently working key And in doing so deduce the grand master key That is going to work in every lock on this system So an additional interesting lock configuration that gives us a little bit of information is a construction keyed system So let's take a look at what that actually is In a construction lock system We have instead of one master wafer a smaller ball bearing And that acts as a master wafer while the building is under construction being used by the construction master key So it goes in and it works and that ball bearing is below the shear line And so it operates as a master wafer What happens though when Construction is done and the user comes along with the grand master key is it is a little bit higher By the width of that ball bearing than the construction master And it goes in and it lifts that ball bearing above the shear line Well, what happens then the construction core is a little bit special as well it contains A number of holes in it That are going to line up with the top of the pin stack when that core starts to get turned that ball bearing that's now In the upper pin stack is actually going to get Dropped into one of these holes at which which point it stays trapped there forever So in the lock when the new user of the building turns this key this ball bearing is going to drop out And it stays gone forever Or stays trapped in that hole at which point it's like that ball there or that shear line no longer exists So the grand master key continues to work But if the construction worker ever comes back and tries to get the construction master to work It's not going to it's going to bind in this shear line because that ball bearing is gone So there's two things we can do with this One is if a construction worker still has the construction master and wants to make it work again All he has to do is know that there was a ball bearing in pin one and its depth was four And so from six four nine four three we can get a key cut to two four nine four three so that's four higher in pin one And that is now going to match the new GMK shear line and it is going to work The second thing that we can notice is that for our new grand master key It can't be deeper than a cut six because if it is a deeper than a cut six Then the construction key that must have gone with it is four less than that Well four less than six is a ten cut and that's not possible in this particular system which goes from one to ten So we can add that to our rule set. We have 10 000 possibilities reduced to 80 000 after max And we add a construction key in rule that in pin one There was a ball bearing with thickness four And the master construction key also has to have a max of seven And it'll take the computer a few seconds to crunch that and we see that these bottom four positions cannot be that master key Because there would have been no possible construction key to make from from it The max requirement for the construction key and the grand master key with a difference of four in pin one further limits what lock Or what key differs are available to be our master key So that's one interesting type of system another is what's called interchangeable core systems So if you have ever seen locks that look like this they have a figure eight shape around them That's because that figure eight shape is actually removable And there's a little locking lug that keeps it in place, but with a special key called a control key We can remove it The way that this works Is we have Our ic core that looks something like this And when we normally operate it It's going to turn just the plug and the core stays in place But when we use the special control key it's going to turn slightly and retract this ic locking lug The way that that works is if we look at the Just the core and the ic collar we have two shear lines One is matching where the plug is and one is a little bit higher And it's going to be just for the ic collar So if our pins have a shear line all matching the plug Then the plug is going to turn But the collar will not and so this is a standard unlocking of this lock If however the pins extend up and we have a shear line across these two pins and then the upper shear line on the ic collar and then these two as well Then what happens is our interchangeable collar gets retracted and it allows us to remove this particular lock This is very interesting When we look at systems that do not have an ic collar that extends across all the pins in this case It only uses pins three and four and that creates a number of interesting properties So one of those properties Is let's make this into a medico system We can see this collar here. And so we have This lower shear line with the plug and this upper shear line for the ic collar And that's what we're going to look at when we examine how these locks work in terms of the bidding So what's powerful about how they work in terms of the bidding Um in terms of getting us information is the way many locksmiths do it up And so we'll use medico as an example Because as we'll see it creates a very restricted set of possible master keys for ic core systems in many many cases So we have our change key And we put it into the lock And it unlocks to the regular shear line And so we turn the key it unlocks regularly And our master key is completely different bits, of course completely different heights But it also unlocks to our regular shear line and the interchangeable shear line binds So that does not actually open However, when we put in our core remove key it now binds between the core and the ic collar But has a shear line at the top of the ic collar So when we turn that it's going to turn the ic collar And release it and allow us to remove that ic core and we see now That it works on this upper shear line as well as of course the lower ones have to work for the plug to turn as well What many locksmiths do in order to avoid having to have multiple shear lines in a pin stack and also avoid limitations on the mastering system Is they will have the change key or sorry the core remove key Simply be three positions higher than the master key in those two ic collar control pins It doesn't have to be done this way We could do something a little bit different. We could have our core remove key say be Something a bit lower and then have our core Control position be at an eight cut so that wouldn't be ever possible to create a key that deep But it will remove the core But many locksmiths don't do that because it requires more pins as well as it restricts your The size of your mastering system And this is true particularly for medico We see empirically about two-thirds of the time This being done with the grand master key and the core remove key just being three positions different In those two middle positions In medico that becomes incredibly powerful actually For deducing what the master key is going to be so In a 12 cut medico key So medico can have two cuts double cuts in some positions or all of them to create a high level master key And we'll talk a little bit more later about what that specifically means But because these double cuts are so wide the max is very small It's a two between a double cut and a double cut And so that already that max of two severely limits what a medico system can take on So a medico system would have six depths usually six pins And it has a max of only two And so that reduces us from 46 000 down to only 70 7300 possible combinations But what the ic core does is significantly more restrictive Because if we want to make The ic control key three higher than the master key that means that the master key can't be a one two or three in pins three and four And so we'll add that rule there as well And the master control key has to adhere to max in addition So we'll see the effect that that has when we add this rule and it'll take a second to compute And so what we see is These three positions cannot be held by pins three or four in the master system So the master is forced down to four five and six In addition pin two can't be a one because that's a max violation the master must be four or lower So it can't go up three the max is two pins six Or pin two and pin five can't be a six step because that would be a max violation for the interchangeable core control key If our grand master key is the deepest it's a six cut That means our ic core is three higher or a three cut And we can't have a six beside a three in our interchangeable core master key So that significantly reduces the key space available in these types of medical systems Right now it's down to seven hundred and eighty four It gets even more restrictive than that for the following reason It's generally a good idea to have our master key use at least one pin in the highest physician And that way we can make sure that none of our change keys will be able to be filed down into a master key We could have one a bit lower, but that's then going to restrict how large our master system can grow While adhering to that rule If we look at the limitations imposed by this particular system We'll see that there's only two places that that one cut can go Pin one or pin six So if we add a requirement That one pin must be high cut and it'll take a minute to compute that as well We're going to see that we're now down to 159 possible master keys That is a significant limitation and that's given Very little information about our medical system. It's given that we have a Large facility so we can assume that they were planning for potentially needing to expand To a master key this double cut in all positions And we see at least one interchangeable core somewhere on that system And that's it Knowing those two things We can infer that with about a two-thirds probability Our master key is going to be limited to one of these 159 It gets even less than that because It usually makes sense to put your one depth in pin one and that way the key is nice and sturdy It's not going to break. We don't want to put a very deep cut in pin one or that grand master key Is liable to break off And so when we add That particular requirement It then is only 84 differs that follow through in pin one and we can see max restricts this incredibly tightly So there's the 84 possible situations that could exist If locksmiths do what a lot of them do when designing medical systems, which is follow these constraints It limits the key space significantly now. They don't need to they don't need to use a pin at the highest one They could put it in pin six instead And of course they could do up their ic system so that it doesn't require their master key to be low in pins three and four Um, but most locksmiths don't really think about the key space reduction that they are creating In terms of brute forcing this master key when they're designing that system And so that's why this is something that's so common to see A couple other things that we can note about this particular system is that If we have A master key or even a change key. So just this change key Now all we need to do is vary and do right simplification on These two middle pins to determine what the core move key is. So in this case Pin three is a five and so if we add three to it Goes to four three two and now we've hit the ic control line And then pin four we can vary in either direction to try to hit the ic control line for it as well So you only actually have to vary one pin to go from our Change key to an operable control key. It's just going to be for this lock But what it lets us do is remove the ic core and then we can take it apart and disassemble the lock Then we'll let us derive the master key from that Other types of locks have a similar situation. So schlegg and um, Yale control keys use a slightly different technology They have a special seventh pin in the back Where if the key is a bit longer in the case of schlegg it has this special nose on it sticking out It's going to actually actually that seventh pin Which will pull in this little retaining lug and when it does that you can then remove the core So if you have an operable key for this particular lock All you need to do is copy that key onto a slightly longer blank that contains this little nose on it And you can use that key to remove the core at which point you can then disassemble it and deduce the master key So let's look at some right simplification attacks in some special secondary locking systems So we'll start with multi lock, which has got a nice pin-in-pin system that we can attack using all the other techniques That we've talked about in this talk But it also has side pins they're used for mastering And effectively these side pins are going to fit into these side dimples drilled into the key And in this case, we have a correct key the side dimples are all there So the side pins are able to fit into it. We can turn the key and they don't impede rotation of the plug When an incorrect key is inserted there are no dimples And so the side pins are forced out into the plug and that's actually going to stop us from rotating that key This is used for mastering So we have in this case a key that's got four of the five holes drilled. This is this correct lock So these four pins are present and the key is able to turn For a lock that is not supposed to be able to open There'll be a pin populated here as well And this lack of a hole prevents that pin from moving out of the housing And it will stop the key from turning This is of course a trivial thing to amplify. We just drill an additional hole And now all of the Mastering that's done with these side pins has been defeated This key will work in anything regardless of the side pins And then we just have to use the other techniques to rates amplify the top cuts as well So that's a very simple Right simplification attack you can do something very very similar by filing metal off of sectional keyways So sometimes mastering is done by having a keyway That will not enter the keyway of some other lock. It's not supposed to open or a key that won't But then we have a master blank that's going to enter both of these locks because it's got metal missing from it Um, and so all we need to do to rate simplify there is take our key that works on one of the Low-level keyways and just copy that bidding code onto our all section blank At which point it's going to then enter all of these locks and we'll be able to open them as well With medical biaxial, we see something quite similar So medical biaxial has potential for double cuts And what we can have is in a particular pin position the pin has got this Beveled edge to it so it goes to one side or another It can bevel towards the shoulder of the key and be a four cut or towards the tip of the key and be an aft cut In a master key, that's got double cuts Regardless of whether the lock that we're in has a four pin or an aft pin It's going to interact with that key properly and open it up And medical uses this for mastering as well So a lower level key or a lower level master might be missing one of these cuts We can very easily right-samplify that if we have some mid-level master So here's mka. It's got five single cuts and a double cut in pin six And then we have any old key on the b system And so what we see for instance is this pin six That is a double cut pin five. We have an aft and it's a right cut In this key on the b system in pin five We have a four and it's a left cut So what we can do is take a left cut and add it to the four position On our mka at these same master depths And that's actually going to amplify this key into a full gmk That's going to work on all locks even if it has an aft pin in that position Sorry a four pin in that position And so we do that for all other positions where the four aft of our b key differs from our mka And we've effectively now amplified the power of our mka key to be A full gmk using the information of these angles that we see On this key here So now that we understand how the basics of medico biaxial works We can add a few tools to our arsenal to decode non-mastered medical systems So if we start with a six pin medico system if it's non-mastered it's going to follow medico's code books And so the depths are going to follow those code books give the computer a second to compute And what we see immediately is that pin one two five and six will never be a one In a non-mastered system at least for this all your version of code books that we're going to be looking at today Which is true for just about every medico system created before 2008 So immediately we see that if we wanted to impression this lock and you can impression medico locks We'd start with two two one one two two and as we went through impressioning this We would end up skipping a whole bunch increasingly so as we get closer and closer to the final key Um, so the code book sells with that and of course if we have a photo that's close, but isn't quite um Enough to get the exact bidding combining that with code books is usually enough to determine what the depths are medico also has angles though And the angles also have code books So if we add that the code books must follow medico's non-mastered angle books We see that right away Some of them are given already. So if we happen to have a pin three in the aft position, it's going to be a right cut This can be useful now that we have this if we know Whether a particular lock is a four or an aft in each position How do we tell that? Well, here's a little device that we designed That does exactly that. So here's one version where you take a blank You cut a little notch into the six aft position And then you stick it into the lock and it will clunk clunk clunk all the way along as each pin fits into it Based on how far it clunks if it aligns with these lines for the fours or not You can tell which is for an aft. Here's another design that can be cut down from any key not just a blank We have a little Tip at the end with a notch in it again in the six aft position and we can clunk clunk clunk it along and Make some marker marks on the key and then decode it afterwards and determine whether this means for an aft in each of these positions So for instance if we know that we have Um a lock in front of us and we've decoded the four and aft And if we find it to be let's say aft four aft four four aft And that particular case what actually happens is We completely get the angle sidebar code figured out for us I'm just going to remove the depths because they kill the compute time for now Um If we aren't so lucky, this is the only case of fours and afts where that happens Let's say we get a four here and an aft there. So now we have a number of possibilities We can help to decode what those angles are based on an innovation that Mark Webber Tobias and Tobias Bluzmanis came out with a number of years ago Which is medico bump keys which takes advantage of flaws in their angle code books Um, but these bump keys there's a set of four of them And if we can get one of them to work once on this lock Then we can use that to create a key that will work very easily forever more by Identifying well one of these bump keys worked And that's going to go ahead and Figure out what those remaining unknown angles are based on the fact that that particular version of the bump key happened to work If say even that isn't enough for us. So in this case pin six It could be a q which is a rate cut or a b which is a center cut Rate is 20 degree angle and center is zero and another thing that the device has found out is that Like I mentioned before with some blocks being able to accept half height cuts in the heights It'll accept half angle cuts So I can make a key at 10 degrees halfway between center and rate And that will actually operate this lock So a number of techniques that we can use to decode medico systems So we've covered a lot of techniques for how to use various sources of information to come down to a bidding code So a number that represents what the key should be cut to what depth that should be But how do we take that and turn that into an actual usable key? Well, we could start with the key blank and file it down ourselves manually That's a perfectly valid way of doing it. We can also use a machine if we happen to own a key Key machine, but many of us don't And we could also try using a locksmith. So the general procedure for that is to identify the blank It's often printed right on it. So wr5 for this weiser or y1 for this Yale Uh determine the bidding code that you want using the techniques we talked about and go to a locksmith So not a hardware store or a 7-11 and ask if they can cut a key by code if they say yes Give them the blank name and the code such as a Schlage sc1 with bidding code 0 4 2 8 5 And they will usually cut it for you for the duplicating rate If they happen to say that key is restricted, I can't cut you that Check out the talk that myself and my brother Bobby gave last year entitled duplicating restricted mechanical keys at Defcon 27 We'll talk a little bit about defenses, which is a huge field and could be a talk on its own But the most salient points there is avoid very large mastering systems If the only reason you have building a and building b master together is so that the superintendent can carry one gmk Instead of two that's really not worth the added risk for that added convenience You also don't want to master high security and low security facilities on one system So I've seen cases where a nuclear facility was mastered together with public washrooms The access control of those public washrooms is significantly less and information from those locks can be used to infiltrate the nuclear facility That's absolutely something that you want to be separating in your mastering system Which a missing lock is as bad as a missing gmk So if a lock goes missing and it can't be accounted for you need to consider the possibility that someone has Disassembled and decoded it and made the key You can consider alternatives to the two-step system and other various systems that we've talked about that can be exploited Um specific to those attacks. This is somewhat dependent on whether it's actually in your threat model This is not in the threat model for the majority of applications You can use a restricted keying system that won't stop a determined attacker Attacker, but it can slow them down and it can drive the cost up and potentially deter them from uh From carrying out the attack in certain cases and your facility ultimately should be secure even if an attacker has the gmk So you want to use secondary? security systems such as guards and alarms and a proper detection and response mechanism All that a mechanical lock does is keep honest people honest and there's loads of ways past it both keying and Forcible entry and all sorts of other methods that def con is all about And use interchangeable core or electronic components or something to make re keying easier if that becomes necessary You want to have a response plan in place for if the unthinkable happens and your gmk or a key to a particular important area gets compromised If you see something like this so a lock goes missing and you're not sure how that happens You want to take that seriously and for heaven's sakes? Don't do this So thank you very much Um, I encourage you to go try it here all the links to the applications that i'm releasing try them out for yourself And see what you can discover with them. I'd like to extend an enormous thank you to josh karen jenny and bobby for their help In getting this talk prepared in particular to jenny. She absolutely saved the day with editing this video at the last minute And i'd be happy to take your questions. Thank you very much