Slashdot Mirror


AT&T Identifies Widespread Security Hole - In Locks

__roo writes "The New York Times has an article [free registration required] about a researcher at AT&T Labs Research who has discovered a little-known vulnerability in many locks that lets a person create a copy of the master key for an entire building by starting with any key from that building, and it requires little more than a file and a few key blanks."

24 of 462 comments

  1. news? by electrick · · Score: 4, Interesting

    Lock picking kits and exploits have been available for a very long time, out of the back of magazines (Soldier of Fortune, most notably) and there have even been text files about it. Why does it take a computer security expert to make us nerds consider "real life" attacks a possibility?

    --
    "You sir, have just crossed my happy line..."
  2. Why does this not sound easy to me? by Inda · · Score: 1, Interesting

    Every time I go to the cobblers to have a key cut I normally end up taking it back. The fresh key is cut on a professional key cutting machine by someone who has probably cut thousands of them - I still end up taking it back because it doesn't work in the lock. I've also worked on the bench in an engineering company and am trained to use a file - detailed filing is not like filing your nails or removing huge burrs from machined metal.

    Load of bollocks I say.

    --
    This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
  3. Nice article... by pVoid · · Score: 4, Interesting
    His company recommends to architects and builders that they take steps like those recommended by Mr. Blaze, measures that make it more difficult to cut extra keys -- like using systems that are protected by patents because their key blanks are somewhat harder to buy [...]

    I find it interesting seeing that security by obfuscation is a prevalent concept throughout mankind's realm. I guess it is nurtured by the ostrich-sticking-head-in-sand effect of thinking something doesn't exist if we're not aware of it.

    It also makes me laugh how newspapers always skew stuff for sensationalism: now terrorists are one step closer to the US. They are pounding on the gates! WATCH OUT!!!. I think this security hole is mostly going to be used by 16 year old K-Mart workers.

    Anyways, very nice article in the end, and hats off to AT&T for having 'brass hats'.

  4. Fundamental problem with any master key system by wowbagger · · Score: 5, Interesting

    Any system that has a "master key" to allow access - be it a physical lock on a door, a backdoor to a program, a key-escrow system, whatever, allows this kind of attack - get the master key, game over.

    I had to design an encryption system to manage software options in a piece of gear I designed. I thought about having a "back-door" to enable options on any unit, the better to test software. I quickly abandoned that idea - let the master key get out, and it's game over. Sure, it may make my life slightly more difficult as a developer, but it also means that no one, not even me, can cheat the system.

    When I had to write the system up for export permission, I described it in detail - algorithm, file formats, I even had to include the source code for the relevant sections. I suppose you could get that information with a FOIA request. Knock yourself out - if you don't have the private key of the keypair, you won't be able to create the options file.

    Say it with me, kids - "master keys and back doors are BAD - JUST SAY NO!"
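The signed-options design wowbagger describes above, as an added example (not the poster's code): the vendor signs an options file with a private key that never leaves the vendor, and the unit holds only the public key, so nothing on the unit can mint a file. Ed25519, the JSON layout and the serial-number binding are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Options is the feature set an options file enables for one unit.
// Binding the unit's serial into the signed bytes stops a file issued
// for one unit from being replayed on another (assumed field, not on the page).
type Options struct {
	Serial   string   `json:"serial"`
	Features []string `json:"features"`
}

// OptionsFile is what ships to the unit: the options plus a signature
// over their JSON encoding.
type OptionsFile struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

// Issue runs at the vendor, the only place the private key exists.
func Issue(priv ed25519.PrivateKey, opts Options) (OptionsFile, error) {
	payload, err := json.Marshal(opts)
	if err != nil {
		return OptionsFile{}, err
	}
	return OptionsFile{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify runs on the unit, which holds only the public key. It accepts the
// file only if the signature is valid and the payload names this unit's serial.
// Publishing this code (or the algorithm) gives an attacker nothing without priv.
func Verify(pub ed25519.PublicKey, serial string, f OptionsFile) (Options, error) {
	if !ed25519.Verify(pub, f.Payload, f.Signature) {
		return Options{}, errors.New("options file: bad signature")
	}
	var opts Options
	if err := json.Unmarshal(f.Payload, &opts); err != nil {
		return Options{}, err
	}
	if opts.Serial != serial {
		return Options{}, fmt.Errorf("options file: issued for %q, not %q", opts.Serial, serial)
	}
	return opts, nil
}

// Demo issues a file for one unit, then presents it unmodified, with an
// edited payload (a feature added without re-signing), and to a different unit.
func Demo() (okUnit, tamperedRejected, wrongUnitRejected bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	f, err := Issue(priv, Options{Serial: "SN-0001", Features: []string{"wideband"}})
	if err != nil {
		return
	}
	_, e1 := Verify(pub, "SN-0001", f)
	okUnit = e1 == nil

	t := f // copy; the edited payload no longer matches the signature
	t.Payload = []byte(`{"serial":"SN-0001","features":["wideband","encryption"]}`)
	_, e2 := Verify(pub, "SN-0001", t)
	tamperedRejected = e2 != nil

	_, e3 := Verify(pub, "SN-0002", f)
	wrongUnitRejected = e3 != nil
	return
}

func main() {
	fmt.Println(Demo())
}
```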

  5. my master key to the entire university campus by dmoen · · Score: 4, Interesting
    This technique was discovered by a grad student at a certain Canadian university back in the late seventies. As a result, when I was a student in the eighties, I and several of my friends had a master key that opened pretty near every door on campus. We had a lot of fun exploring the steam tunnels and dodging security guards.

    The funny thing is, the lock system was not designed to have a single master key. Instead, there was supposed to be a different master key for each building. The campus wide master key was an "emergent property" of the similarities between the various building master keys. Only students possessed this master key :-)

    I still have the key, but it's not so useful any more, as they've changed many of the locks.

    Doug Moen

    --
    I have written a truly remarkable program which this sig is too small to contain.
    1. Re:my master key to the entire university campus by Skapare · · Score: 2, Interesting

      It's possible to make a lock system with hundreds of thousands (in a 6 or 7 pin system) of "change keys" and a thousand or so "sub master keys" in one or two levels of hierarchy, and still have a "grand master" for the whole system. It may be that the campus was designed exactly that way to ensure that no "change key" could accidentally be a valid key (possibly even a "sub master") of another building. They simply would not create an actual "grand master key". But that wouldn't have prevented deriving its code since it would be part of the design. The only way to have really avoided a grand master would have been to use a whole different blank for each building, and that might have been ruled out as too costly to stock blanks in whatever department was making the keys.

      --
      now we need to go OSS in diesel cars
  6. MIT Guide to Lockpicking by Malc · · Score: 3, Interesting

    Does anybody remember the MIT Guide to Lockpicking (PostScript file??) that was readily available on the internet in the past? We downloaded it back in '94 and friend used it to make some lock picks by filing down some nails. Let me tell you, some fun was had on campus with the practical jokes that followed ;)

  7. Too little concern for physical security.... by cybergibbons · · Score: 4, Interesting

    Ok, there are a lot of replies here that seem to be saying that physical security, especially regarding locks, is not that important. You would be surprised.

    Let's look at places that have master keyed systems:

    • Schools
    • Universities
    • Office blocks
    • Residential blocks
    • Shopping centres
    • Airports
    • Entertainment complexes
    • Etc.

    So, it shouldn't be taken lightly that many master key systems are vulnerable to attack.

    You can talk about your electronic lock systems all day, but most (at least in the UK) have a normal lock as part of them, with the electronic system for convenience and being able to tell who is where and when. If they don't have a normal lock in them, then they quite often have fire crash bars on the other side.

    I haven't had a chance to read the paper yet, as the crypto.com site is slashdotted, as is the mirror I found. However, a lot of master key systems have vulnerabilities. For example:

    Some keys have ridges down the sides. Sub master keys only differ from master keys in that they have these ridges, preventing them from being used in other parts of the building. File off the ridges, and off you go.

    Get two or more keys from a mastered building. Notice similarities and differences. It is often very easy to deduce the master key from this, because often the mastering works by pins having several splits in them.

    These are extremely simple ways of finding masters. There is of course the fact that keys are often badly controlled, and unlike passwords, are not easy to change from a central location.

    Security through obscurity is often a method used with locks. And it works reasonably well. I would say that lock picking is a far rarer skill than being able to use a computer well.

    Some of the more recent lock systems (Assa, Schlage etc.) are very hard to copy, sometimes involving three separate mechanisms in the lock which all need to work. This is if you can obtain blanks. Some even involve small magnets. They are hard, if not impossible to pick as well.

    More worrying, however, is the lack of physical strength in most doors. If you aren't afraid of leaving traces, opening most doors by force is remarkably easy. Yale locks (front door latches) often only take one kick to open. Even mortice locks are often badly installed and not that strong. Even if the lock holds up, the door, most of the time, won't hold up to a crowbar, or in desperate situations, an electric saw of any kind.

    So, although I am sure that the technique presented in the paper has been around for years, it's going public big time now. We're going to have to welcome the script kiddies who practise on the real world soon.

  8. I have a solution... by ActiveSX · · Score: 2, Interesting
  9. I wonder if restricted keyways help by swb · · Score: 4, Interesting

    When I replaced the locks on my house, the lock company advertised a series of locks with a restricted keyway, which meant according to the locksmith that their company was the only one in the region where you could get key blanks, cylinders or other hardware associated with this series of locks.

    I ran into this phenomenon in college; I tried to make a copy of my girlfriend's dorm room key at several hardware stores. I actually milled off and polished the head of the key where the "DO NOT COPY" and "UNIVERSITY AABBCC" info was on it so it looked like an ordinary key.

    The last place I went to the guy looked at me and laughed and said, "Nice job, but it's a university key -- the blanks and hardware are sold directly to the University key shop. Even if I wanted to, I couldn't make a copy of it, I have no blanks that will work."

    Anyway, the technique described here requires a bunch of blank keys, which if you can't get or are extremely hard to get makes you wonder if this technique would work in places that employ limited keyway hardware.

    1. Re:I wonder if restricted keyways help by swb · · Score: 2, Interesting

      Some blanks you can order off the internet, but I'd be kind of surprised if restricted keyway hardware was available off the internet that easily -- there's a lot at stake for the company that makes the parts -- the security they're supposedly selling, as well as the business relationship with their vendors.

  10. Fix for future locks? by Baron_Yam · · Score: 2, Interesting

    How about having a double-sided lock, where the regular keys move tumblers on the top, but the master key moves tumblers on the bottom - and rigging it so either set of tumblers can release the lock?

    Then the unique keys need not have any relation to the master key at all, thus returning the security level of these devices back to where most people thought it already was.

    -Baron Yam
  11. I did this 30 years ago in college by Skapare · · Score: 4, Interesting

    This is not an unknown technique. I did this 30 years ago in college. And I only made adaptations to the technique described in a book on locksmithing which was checked out of the college library. I just didn't have any blanks to work with so I made do with one lost key I found. The campus used a type of blank not sold to the public.

    A grand master keying system is based on 5 to 8, but usually 6, tumblers, with typically 10 levels or codes for each tumbler. A simple master system will have at least 2 tumblers with double cuts (but the doubles cannot be cut too close). A more complex system with a level of submastering will have 4 tumblers double cut. A grand master system with potentially two or more levels of submastering will have all the tumblers double cut.

    Presuming it is a grand master system (and very large numbers of change keys generally are made this way even if no grand master key is produced), then you can presume that each position on the key is different between your key and the grand master. And not only is it different, but you can also rule out the level which is one above or below what your key has (the tumbler piece would be prone to pivot and jam, instead of slide, if cut too close). And even two levels apart is often avoided because a tumbler piece of that length can jam, although they insert a ball if the tumbler width is the same as 2 levels in that position (or 3 in some systems).

    So for a typical 6 tumbler 10 level system, you can rule out 3 levels (or 2 if your key is at the highest or lowest) at each position, and the levels 2 above and below are less likely (try them last).

    From your key, you can figure out about where all the levels are. Any additional keys (and I had one, and since this is a non-destructive step, I could also look at a friend's keys) can help. Now with the one spare key I had (extras help a little), you begin the step to find the master levels.

    When a key position is ground just a little bit too high, usually about 1/4 of a level interval, it can still engage the tumbler cuts, but it will be rough when doing so. The same thing happens when it's low, but that's not helpful, so make the cut a little high. Even if the other positions are wrong this can be done, but if they are right it's easier. Putting a bit of solder on the position to raise it really helps because now you can see an indentation formed due to the pressure. Attempting to turn the key in the lock will try to work in those positions just a bit off, but will leave a mark on the key, especially if the metal is soft like solder. If there is no indent, you didn't get the right level, so try another at that position.

    Repeat for all positions. If you are good you can even work all positions in parallel and accomplish this in just minutes. Once you have a level for every position which is at a different height than your own key, you probably have the grand master. If your key was really a submaster, this could trip you up. But they generally try to avoid giving out submaster keys to students.

    There are two other ways to do this.

    You can remove the lock and pull the tumblers and measure them. Be very careful because when you tap out the slide to expose the tumblers, do so one at a time because there's always a spring on top to keep the tumblers under pressure. Of course don't lose the parts, and don't lose the order the tumbler pieces come out. Now you can simply see what levels for each position make up the grand master.

    Another method is to figure out all the levels and their distances. The micrometer caliper helps here. Write down the levels for your key. The next step is to examine other keys of other students. Of course they will think you're trying to make a copy of their key, but if they're your friends and you can trust them, you can reveal your real plan. Write down the levels for their key as well. This now lets you rule out some more levels at each position which the master cannot be. With enough keys you can narrow down just what the grand master key is.

    If all the keys you examine are part of the same submaster system, you'll notice that 2 or 3 or maybe 4 positions are just the same on all keys. The grand master will be different there, but if you just cut your new master key at those levels anyway, while you won't have a grand master, you will end up with a submaster which can be used on all the locks in the area (usually a building or so) that the examined keys came from.

    A combination of having a few change keys (yours and a few friends' keys) to rule out more levels in some positions, and working with the first method to find the master levels, can speed things up for you.

    Like I said before, I didn't actually invent these methods; I read them from a locksmithing book. I merely adapted the solder techniques to make things a little easier. Real locksmiths can do it without solder.

    --
    now we need to go OSS in diesel cars
  12. Re:This is clearly illegal! by Hentai · · Score: 2, Interesting

    The key/lock system. The height of each notch on the key is an analog value, as is the depth of the pin on the associated tumbler. However, at the moment of (attempted) unlocking, the lock acts as an ADC (analog-to-digital converter), converting each notch on the key into either a '1' (match) or '0' (no match). Thus, it could be argued by a sufficiently expensive lawyer that the actual process of opening the lock is digital by nature, and thus falls under the DMCA.

    --
    -Hentai [in vita non pacem est]
  13. Re:Overstating the risk? by Reziac · · Score: 3, Interesting

    Here's where social engineering comes into play. If you're caught with lockpicking tools, you were obviously up to no good. But if you're caught with a key (and most people wouldn't know a master key from an individual key), it looks like you have every right to enter. After all, why else would you possess the key in the first place?

    "But officer, this IS my office -- I have the key right here!!"

    --
    ~REZ~ #43301. Who'd fake being me anyway?
  14. Re:Overstating the risk? by Rich0 · · Score: 2, Interesting

    And tell me how lock picking won't get you to anywhere in a building?

    Keep in mind that lock-picking looks suspicious and takes time at every door. This technique could be used by an insider to expand their access in a much less suspicious manner (by playing with their own office lock, for instance). It sounds like there are only 40 or 50 possible attempts to try (try, file, try, file, etc...). If that is the case, then you bring in 5 blanks to work, try them all, take them home, and do the same the next day after appropriate filing - you'd have the master in two weeks.

    Also - once you have the master you have instant access to EVERY lock. Picking only opens a single lock, with some effort expended. If you want to sneak around you would want to be able to just walk through a building at will looking like you belong there.

    I think this would be a technique used in corporate espionage. An agent would get a job as a janitor or some low-level job, and then get a master key to the building. They could show up in inconspicuous clothing during a different shift away from their normal work area and just waltz through the building looking like they belong. You couldn't do that with a lockpick during regular hours.

  15. I did it without the blanks by Skapare · · Score: 2, Interesting

    For one thing, building up solder in each position makes it a lot easier to see the indentations. But the real reason this works is that if you apply a back and forth motion as your attempt to turn the key, the indentations can be made even if the other positions are not cut properly at all. So this can be done with one key, and it doesn't even have to be a blank (but it does get modified in the process, so if you can get a blank, that's better).

    --
    now we need to go OSS in diesel cars
  16. Workaround the workaround by MickLinux · · Score: 2, Interesting

    Just offhand:

    (1) cut 6 identical keys to the original
    (2) In one slot, cut as far down as possible, and drill a hole in that location, where you can put a mobile pin on a spring and a wire.
    (3) drill a hole along the base, as well, and run the wire through.
    (4) Now pull on the wire to find the alternate height. No filing required [prework necessary].
    Just write down the numbers you get
    (5) Go home and cut new key.

    Also: to get around the lack of a blank: playdoh; wax; metal; plaster; small metal casting. Or digital camera; ruler; grinder; piece of small metal.

    I don't take much comfort in those workarounds.

    At this point, I think that digital locks with varying codes might be a tad more secure. For example, to get the day's code, the admin takes his phone number [or street address, though a random memorized number is best], adds the date to each digit and the time on the lockbox to the last 4 digits, and that's the code. Before he gets up to go in, he figures out what it will be, in his head. Of course, if he forgets entirely, he can take a blowtorch, melt the plexiglass, and let the secretary out. Then call in work crews to replace the plexiglass, and stay there, meanwhile, memorizing the *new* number, and keeping an eye out for ninjas rappelling down from the roof.

    Or he can write the code on his desk, the front of his pocket protector, or whatever.

    Or how about this? Specialized beeper tied to lockbox, on continuous recharge. Beeper takes incoming code, checks it against security code, checks source phone number against President's code -- and authorizes computerized lockbox to open upon access key, within the next 1 minute.

    Now, to go in, you pull out your cell phone, call the company president -- he pulls out his video cell phone, calls a video cell phone watching the hall; makes sure that it's you, and then calls the beeper, enters the code [encrypted, of course], and authorizes you to go in.

    Of course, I'm not a cryptologist. I'll bet a cryptologist could find a dozen ways to break my idea apart. After all, the more complex a system is, the more flaws it has (doesn't it?)

    --
    Correct Horse Battery Staple: 72 bits of entropy. Enter "Correct H" into google. When it generates the phrase, that's
  17. Re:Overstating the risk? by MrEd · · Score: 2, Interesting

    29 dead. (In other words, about 1% of the September 11th attacks.)

    Or, for a less familiar frame of reference, 0.9% of the number of Afghan civilians directly killed by US bombs, not counting starvation deaths due to halted foreign aid caravans during the bombing.

    --
    Wah!

  18. Nothing new, totally obvious. by jridley · · Score: 2, Interesting

    This is totally obvious. Anyone who knows how a master key system works can do this and probably already has. I did it myself in college; it took a copy of my dorm key and a chainsaw sharpening file, both picked up from the hardware store for about $2, and about 90 minutes of fooling around, and I had a master key to the dorm.

    The dorm management did discover it eventually. I didn't use it for anything but a little urban exploration, but I think I let a few too many people back into their rooms after their roommates locked them out and the RA wasn't around, and it became common knowledge that I had the key.

    They asked how I found out how to make master keys, but didn't seem to be too convinced when I just said "Well, it's obvious, isn't it? Just think for a minute and anyone could figure it out." Probably the wrong thing to say to someone who was probably a humanities major.

    My knowledge came exclusively from the Junior Worldbook Encyclopedia entry on how locks work, plus about 2 minutes of thinking about it.

  19. this works for car doors too! by Anonymous Coward · · Score: 1, Interesting

    My roommate in college lost the key to unlock the doors on his car. We took it to the local keyshop and they were able to make a working key without the original key in about 5 minutes.

    All he did was put the proper blank in, holding it with a pair of lockjaw pliers, wiggled it a bit to turn it, then used a hand file to trim the key down. A couple more fine-tuning filings and it worked just fine. Charge: ten bucks.

    Opened my eyes a bit about how "secure" locks really are.

    I didn't think about using it other than on a car till I saw this article.

  20. Re:HOW TO DO IT by gr8_phk · · Score: 4, Interesting
    I had a friend in high school who carried a set of masters for every type of lock he could find. I seem to recall he'd use a flame (match) to scorch the blank before he put it in a lock. The soot scrapes off easier than the key scratches :-) I never did understand his full method, so thanks for the insight. BTW, that was about 15 years ago.

    Locksmithing is a closely guarded profession. They have more secrets too, but they'll be mad enough at this guy and the NYT for letting the cat out of the bag on this one.

  21. Re:Is this a joke? by Rick.C · · Score: 1, Interesting

    When I was in college back in the sixties, I did this with the dorm room keys. Just compare two or three different room keys to determine the common cuts. In our case, the master cuts were higher than the single-lock cuts. That's where some high-tin-content solder comes in - fill in the master cut with solder, file it down and file it thin. The high tin content makes it hard enough to stand up to two semesters of use.

    Of course, once word gets out that you and a couple buddies have master keys, anything that turns up missing from anyone's room will be your fault. You've been warned.

    At the end of the school year, break the solder off with pliers and sand the area with fine sandpaper to remove all traces of solder.

    But before you trash your master key, be sure to unlock your RA's room and fill it floor-to-ceiling with wadded up newspaper. He'll laugh - oh, how he'll laugh!

    Rick.C

    --
    You were 80% angel, 10% demon. The rest was hard to explain. - Over The Rhine
    "Math in a song is good."-Linford
  22. Damn by Cylix · · Score: 2, Interesting

    This isn't exactly news...

    I've known about the flaw in the master key system for a long long time.

    Actually, in many circumstances you can get by the mechanism by continually retrying and wiggling your key until the fit hits.

    It's not guaranteed, but it's a little better than using a file.

    --
    "You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra