Hawkeye Dank has been pretty active over the last while. That looks like we're in. I haven't seen it yet, but I'll transition us live. There it is. Alrighty. Okay, thank you everybody for coming along. This is the Q&A portion for Exploiting Key Space Vulnerabilities in the Physical World. Your main goon here is going to be pasties. This is Fallible. And thank you, Bill Graydon, for coming to join us today. Bill, could you tell us a little bit about yourself before we get started?

Yeah, absolutely. So my name is Bill, as you know. This is my second DEF CON. I actually started last year as both a main track speaker and a village lead, founding and running the Lock Bypass Village, which I'm helping out with this year as well in the online forum. In my non-hacker life, I work for a company called GGR Security, doing physical security consulting, audits, and a number of related services in that regard. So the very flashy aspect of that job that is highly applicable to the DEF CON environment is physical penetration tests, which some of these things that I talk about fit into.

Excellent. Go ahead. Yeah, we're seeing a couple of questions come in right now. We have one question about: have you ever created a bump key? Another one is your opinions on the disc-style locks. So, some general questions about different types of locks right now. You're welcome to take a stab at those, and we'll wait for a few more to come in.

So in terms of creating a bump key, I've created hundreds, possibly thousands of them. Yeah, I mean, that video that I showed at the very start of my talk with how keys actually get originated: all you have to do to make a bump key is that cutter wheel that's taking a bite out of the key at particular positions, you just take that all the way down to the bottom position and then some, and you do that across all the spaces, and that'll do it for you. So yeah, I've absolutely done that for both regular systems as well as high security ones like Medeco.

So, sort of along the lines of your talk, when you got to the point where you were narrowing it down to the last 10 or 18 keys, is it possible to make a targeted bump key that would just be more effective, dealing with all of those at once?

That is an incredible question, and the answer is absolutely yes. What a targeted bump key would look like is effectively the lowest cuts that are present in any of those keys in your narrowed-down key space. And in fact, this is something that's been known to locksmiths for decades, actually, the possibility to do something like that. So I didn't have time to talk about a lot of this in the talk, but one aspect is I talked a bit about how you want your grandmaster key to be one cut in the highest position so that none of the change keys under it can be filed down. You also, in many cases, want to have one cut in the lowest position, and the reason for that is, if there are any of your change keys that are lower than your master key in all positions, then that change key will act as a bump key that will work in every lock on that system and can possibly be jiggled around and bump those pins all up to the master shear lines. So yeah, it's a great question, and that's how you do it.

And the next question, which I kind of interrupted there, was: what are your opinions on disc-style locks? Apparently storage locations hate them because they actually have to be cut off.

Disc-detainer type locks? So I'm looking at this question now. I'm not entirely sure what it means with how they have to be cut off in terms of a storage location. Like, if someone needs their locks removed, I guess what the question is getting at is that maybe locksmiths are able to pick the other types of locks but not the disc-detainer locks. That effectively comes down to the skill level of a locksmith. I mean, disc-detainer locks can be picked just like the others; it's just that they're a much more specialized skill set to do, and they require more specialized tools to do, and the good ones are harder, you know. So if you've got an Abloy Protec on there, there's been no verified, documented picking success with those, so in that case then, yeah, cutting them off is your only option, which for an Abloy Protec is also going to be a hell of a job. So I'm not entirely sure what the question is getting at, but I think that pretty well covers it.

More than likely. So, I mean, I always enjoy when people come and give us more of the in-depth side of physical security stuff for DEF CON talks, and I appreciate you coming in and presenting that material. So as you're going through, you are explaining things from a bypass direction, at least a lot more bypass this year, right? You're not approaching things from the lock picking side. So how did you find yourself in the direction of the bypass instead of what seems to be more in vogue with the hacking community, the single pin picking?
That's a great question. So with bypass, it's the sort of thing that, in my anecdotal experience at least, there's a lot less literature out there about those particular techniques. You know, you've got a whole bunch of great talks at various conferences about them, but nothing super formalized, and there's a lot in that field that really is yet to be discovered, or potentially yet to be published, since, as I mentioned in some of my other talks with Bypass Village, lock bypassing has traditionally been the domain of criminals and of classified materials, both of which tend not to get published. And, I mean, locksmiths as well do it, but even still, the locksmithing industry is a very tight, tribal-knowledge, apprenticeship-based type of industry where they don't publish that sort of thing. And so that's, I think, a large part of why the hacker community has not gotten into it nearly as much until lately. From a personal perspective as well, I have never been a very good lock picker. I understand the theory inside and out, but I just can't do it, and that's in large part because of a fine motor disability that I have. So it's like, you know, I've got to go find something else that takes a bit more core skills, and lock bypass is part of that. And then having founded and run the Lock Bypass Village, you just jump headlong into it; you can't get out once you're running a village.

I can totally understand that. So what does your everyday carry kit look like?

Good question. I mean, I am incredibly disorganized, so to think that I have an everyday carry kit is a bit gratuitous to me. But, you know, if I'm anticipating needing to potentially get through a door, in that case I'm carrying a much larger kit than what would be everyday carry. If I'm anticipating maybe needing it but probably not, I might have a rake, my tension wrench, real simple; that's all the picking equipment. For poking the latch out of the way, like a shove knife, or for a latch bypass, what I've got on my key ring is a little wire that's just an L-shaped end of wire that I can whip out and do that on any lock that I might encounter. So I've got that, and really that's about it. I don't carry a whole lot else with me, and I find that in many cases, if you can't improvise it, it's not worth taking that particular approach in everyday situations.

So I know there's a lot of discussion in the community, at least in the lock picking community, that most of what we do for fun as locksporters isn't all that practical out in the world trying to be a locksmith, at least from what I've heard, and maybe you'll either confirm this or tear this down. But if you're faced with a lock, it's usually going to be easier to attack the mechanism that holds the door together, or get in through a window, etc.

Oh yeah, absolutely. I mean, a large part of it is sort of not just hacking but ethical hacking. If our goal is to get into a facility, we're balancing a number of objectives here: how much do we care about how long it takes us to get in, how much do we care about the damage that we do, the noise that we make, the forensic evidence that we leave behind, etc. So you kind of pick and choose your techniques based on that, and then of course there's a cost element, there's a skill element, so it's pretty multi-dimensional in that regard. And in the vast majority of practical cases, so what we see in security consulting, you're protecting against forcible entry, you're protecting against very, very basic bypasses, and that's about it, and that's what your threat model is. And so I think in some regard the focus of the hacker community on ethical hacking has done somewhat of a disservice to the blue team, because they are protecting against the wrong threat model. And so you see that a lot, with forcible entry being really downplayed in terms of its impacts on physical security.

I like that as a thought. That's really interesting, talking about training the blue team: the things that people in the outside world are going to hit you with might not be the same things that we as the hobbyists are going to hit you with. So do you have a specific example of something that is more realistic in the real world that a blue team might encounter, as far as physical security protection goes, that isn't normally tested or advocated for in these kinds of talks?

Yeah, I mean, let's take a simple example. You're a mom-and-pop shop and you want to protect your store. Many, many police departments will do a very simple free security audit for you, and they know very well what the threat model is, and so they're recommending things like bars on the windows. If you go and ask many people in the hacker community to do a security audit, they're not going to think about things like that. They're going to try to use a fancy latch or thumb-turn bypass tool on the door and say, okay, you've got to patch that up, and they might try some sort of electronic attack on your access control system. And it's like, well, sure, it's a vulnerability, but the sort of people that have the means and the motivation and the skills to perform those are not going to be breaking into their neighbor.

Right, matching the attacker to the threat model.

Yeah, yeah. We got a question: have you notified any security desks about the vulnerability of having their keys visible?

Can you say the first part again?

Have you notified them? Has it been an actionable report, or just informed them, like, hey, you've got your security keys on your ring and I can see them and that's a problem?

Oh, absolutely, yeah. I mean, it's one of the standard things we check
for with any security audit. The biggest time that we see this is with multi-unit residential. You know, if you've got a concierge desk, can we leave that lying out? And it's a really simple human factors thing, right? So you just put a little box there that they can put it in that shields it from public view, and that little box then can be self-locking, so if they have to walk away and handle something, that's not then left out there for anyone to see or take or whatnot. And we've seen some pretty egregious cases of that being breached when you don't have good human factors design in that regard.

So, okay, first off, the tool that you showed off throughout the entirety of your talk, is that already available? Is that something that other people can see and use?

Yes, it is. Yeah, so that's online at a number of links that I've posted in my talk. So you can find the source code on my GitHub (be gradient), and tinyurl.com/key-space will link you to a version that you can run right in your browser.

That's awesome. Nice to hear that. I'll put that in the Track One channel here at the end, if that's cool with everybody. So with that tool, it starts out with a pretty brute-force approach and you start adding on these layers of knowledge. There were a lot of pieces of knowledge. Is that something that you already just picked up through your experience, or is it that you aggressively compiled all this information from everyone that you knew, just to put this tool together?

It's a great question. I'd say that a lot of it is experience, just talking to people, the sort of thing that, again, that kind of tribal knowledge that exists in locksmithing communities, for instance. You know, so we're fairly good friends with a number of locksmiths, and so we chat with them about all sorts of stuff like this and get information there. And then a lot of it, when you kind of crunch the numbers and understand the mathematics behind how keying systems actually operate, at that point you can formally model them with a number of mathematical constructs, and from that these rules become a corollary of that. So a lot of it can be derived independently. And so, for instance, the right simplification attack: we derived that independently and then determined that actually this has been published about before as well, and it's been known in locksmithing communities. So it's the sort of thing that a lot of people have thought about but hasn't, until relatively recently, been published widely, and to my knowledge this is the first time that there's a computational tool for analyzing it.

That's awesome. So we've got another question: have you had any experience working with life locks at any military contractor facilities?

The answer is no. I will actually ask for clarification on what a life lock is.

I don't know either. Yeah, okay. Thank you. If you're still watching, we've got to say we're intrigued what a life lock is. I guess I'll bounce back to your tool a little bit while we're waiting to hear back from Hawkeye. I totally blanked on my question. Finally, you got it? You're good. So your talk is quite long, and thank you for that. And actually, if anybody is out there looking forward to watching this, someone was nice enough to go through and nicely index all of the timestamps on that.

Yeah, that was me.

That was you? You went through that? So, thank you for that. You mentioned some codebooks in there, and I get the impression there were some legal, possibly ethical, implications of having that information available. Could you talk to that a little bit, any solutions that you're working on to try to make that more accessible?

Absolutely, yeah. So as far as codebooks are concerned, I mean there's hundreds, well, there's thousands of them out there; there's hundreds that are common to see examples of in the wild. You know, everything from any standard key system that generally has numbers associated with it. So you might have heard of common keys like 1284X; well, that's part of a series. 151X, which we looked at in the talk, is another part of that series, and then there's 1700 others in it. C415A, so there's your National cabinet key set; there's about 600 in the A series, as well as there's a B and a C, and there's hundreds of others like that. Medeco non-master systems have codebooks as well. So this is a lot of data that's being compiled by a number of services out there, the most well known of which is InstaCode. So anyone that's looking for that information on a case-by-case basis can get a subscription to that and look up, you know, what is C415A, what's the bitting of that. You can't download the entire data set for that. We happen to have the entire data set. It's not licensed in a manner that we can then release it freely, unfortunately. So one thing that I'm trying, to make that actually happen, is to create sort of a crowdsourced platform, so people can, if they have access to that information in a way that they're not constrained by the license, upload it, and then we can create a compendium. As well, I'm going to be adding back into the app a way to import that data if you happen to have it, through whatever reason, whatever source, and you can analyze it that way. So yeah, I'm working on a workaround with that, but at the time...

Yeah, go ahead. Just spitballing, could that kind of crowdsourcing happen at a finer-grained level? Like, I have this style of key, it's got this numeric thing on it, and here's the bitting. Could that just be crowdsourced that way instead of, you know, fully wholesale uploading the book?

It
absolutely could be. That is a little bit trickier when you intersect that with doing the analysis with this software, because now it's like, if I have a photo of a key that I think is in this series, and I say I want to eliminate my keys based on only what's in that series, if I don't have a complete series, I'm going to get a wrong answer there. So it does create a bit of a challenge with that, which is why there's value in the information that the codebook you've uploaded is complete. But for someone that just wants to do a task like look up a particular indirect bitting code to get the direct one, that would absolutely be valuable for that.

So Hawkeye did get back to us: a life lock is a fail-secure combo lock. It could be spun to keep any further attempts to open from occurring.

Interesting. So is it the sort of thing where you can spin it to permanently disable the lock if something's happening?

That sounds like exactly what it is.

That's a cool concept. I haven't actually worked on any of those before. I'm interested to look it up and see if there's any fun analytics we can do with that.

So Hawkeye, if you have any examples of these that you would like to talk further about, this would be a good opportunity to send some messages over to Bill in DM, and maybe there's some interesting future research at play there. Which is actually probably a good question to go to: what is your future research? Where are you going next with this project?

That's a great question. So there's a number of dimensions of that. One dimension of that research is applying these general methodologies to combination locks. So a lot of the same thing can be used if you can get any little bit of information. I would say a safe dial: very, very skilled people can listen to the play and determine what that means. Can we use a computer to make that accessible to a wider audience? That's something that I'm currently working on, and we'll be submitting to DEF CON in future years once that's complete. Another dimension is tying it into the talk that I gave last year about keyways and the shape of the keys, and so we can combine those two and really get a good sense, from a photo, of being able to disambiguate that, and so tying those two pieces in as well.

Cool, that's awesome. Okay, Hawkeye came back to mention that he's seen them but is not able to show pics because of policy, policy discouraging that, which is probably expected. Yeah. So you will share all of your contact information so people can reach out to you, I'm assuming, and you are active in some of the other communities here. Would you tell us a little bit about the Lock Bypass Village and some of what you do over there?

Yeah, for sure. So as I mentioned, last year was our first year at DEF CON, and so we had a whole bunch of little doors, two feet tall, that had different types of hardware within them. We had a car door there, and some components from elevators, some components from Enterphone intercom systems, that people could then try and do these physical security hacks on. And, you know, we were packed right up to fire code the entire time; people really loved doing that. And so this year, of course, with Safe Mode, what we've done is taken what we could and made online games for it. So you can go online to bypassvillage.org; you can practice rewiring alarms to disable them at the comms line, you can practice using up ink to bypass combination locks, practice using shove knives to disable latches on doors, but a bunch of other stuff that we've got little mini games for. So, you know, we've done a really good village.

I crashed the village last year, and I loved what I saw. The one thing that I don't know if I just missed it or if it wasn't there: if you can add something about the magnetic door locking things, that I would love to see somebody...

Yeah, yeah, we're planning to have a whole big exhibit on that this year, and then 'Rona happened. So that'll absolutely be there for you to see next year.

I look forward to it. Was there anything that you felt like you just couldn't fit into your talk, some piece of your tool or something else that you wanted to go over that was just fascinating for you but just got the cut?

Oh my gosh, there was so much. I mean, I did the initial talk and thought, oh man, now we're at four hours, great, I can cover everything, and then I had to cut it down to three hours. So one interesting thing that those who are mathematically inclined will be interested to play around with is there's a separate related tool that will take, if you have a system of locks, you know what their shear lines are, it'll generate a relationship graph for all the different low-level keys, master keys, and the top-level grandmaster, for which key will work in which lock, and you get some really neat emergent mathematical properties from that using different mastering systems. So that's something that is up on my GitHub right now. I will send a link as soon as I can hop over to the Track One talk page; I'll send a link to an active version you could play with. So that's one of many things.

Did you use that to generate a key diagram in your talk at one point? Because there was like a grandmaster, master key tree effect.

So that one, yeah, that one was not auto-generated. The auto-generated ones are not nearly as well behaved as what I showed in the talk; I manually made that one. But, you know, what the auto-generated ones look like, one thing to consider with keying hierarchies is, if I do the mastering on pins one, two, three, four, and five, if I have a master in pins three, four, five, like an example
that I showed, that's what a typical sub-master key would look like. I could also put a master in pins one and two and then change keys in pins three, four, and five, and so now I have a master key that's going to work on selectively some locks in the A and the B and the C system and not others. And so you actually have this n-dimensional tesseract that's created from doing up master keys in that regard. And there's another type of system called a rotating constant system that creates incredibly complex relationship graphs there.

That's absolutely awesome. We are almost at time. I love the question that Panopticon just asked, though: would you consider posting the director's cut version of your talk?

Yeah, I actually gave a thought to that. I think what I'll do is break it up into bite-sized pieces and post a number of separate videos talking about the different elements that I didn't get time to discuss in the main talk. And so I just created a whole bunch of social media when this talk was accepted. Like, I should probably make a Twitter, so I made that. I made a YouTube channel as well, so that's the Bert and Liam channel that's been commenting on my talk there. That's for me and my brother, Robert and William, but Bert and Liam, that's also a valid shorthand for that. So take a look at that, and whenever I have time after all the chaos of DEF CON calms down, I'll be posting some nice videos in there.

Awesome. Well, thank you for doing our Q&A session. Thank you for doing such a fantastic talk. Hope to see you again next year.

Yep, thank you so much.

Yeah, there's plenty more that we all want to hear from you. So for anybody who would like to know more, it sounds like you can track Bill down in the Lock Bypass Village, and there's more information over there for you to learn as well. So thank you very much.

And yeah, I'll be lurking in the Q&A page for a chat for the next few minutes as well.

Perfect. Excellent. Cheers. Thank you so much.
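A toy model of the two keying rules Bill describes in the Q&A above (a targeted bump key built from the deepest cut in each position across the narrowed-down key space, and a change key that acts as a system-wide bump key when it sits at or below the master key in every position), added here as an illustration; it is not Bill's key-space tool or any code from his GitHub, and it is not part of the transcript. It assumes a numeric depth convention in which a larger number means a deeper ("lower") cut, treats "lower in all positions" as "at least as deep in every position", and every bitting in it is constructed sample data rather than a real codebook entry.

```python
"""Toy model of the bump-key and filing arguments from the Q&A above.

Added example, not Bill Graydon's key-space tool. Assumed depth
convention: each position holds an integer cut depth and a LARGER number
is a DEEPER ("lower") cut, as in the common 0 = shallowest .. 9 = deepest
numbering. All bittings below are constructed sample data.
"""
from typing import Dict, List, Sequence, Tuple

Bitting = Tuple[int, ...]


def targeted_bump_key(candidates: Sequence[Bitting]) -> Bitting:
    """Bitting carrying the deepest cut seen in each position across the
    narrowed-down key space. Such a blank sits at or below every candidate
    in every chamber, so a bump can bounce each pin stack up to whichever
    shear line the real key would use."""
    if not candidates:
        raise ValueError("empty key space")
    n = len(candidates[0])
    if any(len(c) != n for c in candidates):
        raise ValueError("candidates must have the same number of positions")
    return tuple(max(c[i] for c in candidates) for i in range(n))


def can_file_into(src: Bitting, dst: Bitting) -> bool:
    """Filing removes brass, so a cut can only get deeper: src can be filed
    into dst iff dst is at least as deep as src in every position."""
    return len(src) == len(dst) and all(d >= s for s, d in zip(src, dst))


def change_keys_filable_to_master(master: Bitting,
                                  change_keys: Sequence[Bitting]) -> List[Bitting]:
    """Change keys a holder could file down into the master. The talk's rule
    of giving the master a shallowest-possible cut somewhere prevents this."""
    return [ck for ck in change_keys
            if tuple(ck) != tuple(master) and can_file_into(ck, master)]


def change_keys_acting_as_bump_keys(master: Bitting,
                                    change_keys: Sequence[Bitting]) -> List[Bitting]:
    """Change keys at least as deep as the master in every position: each
    one already works as a bump key for every lock on the system, since
    jiggling it can lift the pins to the master shear lines. The talk's
    rule of giving the master a deepest-possible cut somewhere guards
    against this."""
    return [ck for ck in change_keys
            if tuple(ck) != tuple(master) and can_file_into(master, ck)]


def master_design_report(master: Bitting, change_keys: Sequence[Bitting],
                         depths: range = range(0, 10)) -> Dict[str, object]:
    """Apply both design rules from the talk to a master and its change keys."""
    return {
        "has_shallowest_cut": min(depths) in master,
        "has_deepest_cut": max(depths) in master,
        "filable_to_master": change_keys_filable_to_master(master, change_keys),
        "acting_as_bump_keys": change_keys_acting_as_bump_keys(master, change_keys),
    }


# Constructed sample data (not real codebook entries). Positions are 1-based
# in the comments to match how chambers are usually discussed.
MASTER: Bitting = (3, 5, 2, 7, 4, 6)
CHANGE_KEYS: List[Bitting] = [
    (3, 5, 6, 7, 8, 6),  # deeper than the master in chambers 3 and 5 only
    (3, 1, 2, 3, 4, 6),  # shallower than the master in chambers 2 and 4 only
    (3, 9, 2, 3, 4, 6),  # deeper in one chamber, shallower in another
    (7, 5, 2, 7, 4, 2),  # likewise mixed
]

if __name__ == "__main__":
    print("targeted bump key for this key space:", targeted_bump_key(CHANGE_KEYS))
    for name, value in master_design_report(MASTER, CHANGE_KEYS).items():
        print(f"{name}: {value}")
```

On the sample data, the first change key is at or below the master in every chamber and therefore acts as a bump key for the whole system, while the second can be filed into the master; the two mixed keys trigger neither rule. The same `can_file_into` predicate drives both checks, which is the point of the Q&A answer: filing and bumping are both one-way moves toward deeper cuts, so a master that holds the shallowest cut in one chamber and the deepest in another blocks both.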