Slashdot Mirror


AT&T Identifies Widespread Security Hole - In Locks

__roo writes "The New York Times has an article [free registration required] about a researcher at AT&T Labs Research who has discovered a little-known vulnerability in many locks that lets a person create a copy of the master key for an entire building by starting with any key from that building, and it requires little more than a file and a few key blanks."

8 of 462 comments

  1. news? by electrick · · Score: 4, Interesting

    Lock picking kits and exploits have been available for a very long time, out of the back of magazines (Soldier of Fortune, most notably) and there have even been text files about it. Why does it take a computer security expert to make us nerds consider "real life" attacks a possibility?

    --
    "You sir, have just crossed my happy line..."
  2. Nice article... by pVoid · · Score: 4, Interesting
    His company recommends to architects and builders that they take steps like those recommended by Mr. Blaze, measures that make it more difficult to cut extra keys -- like using systems that are protected by patents because their key blanks are somewhat harder to buy [...]

    I find it interesting seeing that security by obfuscation is a prevalent concept throughout mankind's realm. I guess it is nurtured by the ostrich-sticking-head-in-sand effect of thinking something doesn't exist if we're not aware of it.

    It also makes me laugh how newspapers always skew stuff for sensationalism: now terrorists are one step closer to the US. They are pounding on the gates! WATCH OUT!!! I think this security hole is mostly going to be used by 16 year old K-Mart workers.

    Anyways, very nice article in the end, and hats off to AT&T for having 'brass hats'.

  3. Fundamental problem with any master key system by wowbagger · · Score: 5, Interesting

    Any system that has a "master key" to allow access - be it a physical lock on a door, a backdoor to a program, a key-escrow system, whatever, allows this kind of attack - get the master key, game over.

    I had to design an encryption system to manage software options in a piece of gear I designed. I thought about having a "back-door" to enable options on any unit, the better to test software. I quickly abandoned that idea - let the master key get out, and it's game over. Sure, it may make my life slightly more difficult as a developer, but it also means that no one, not even me, can cheat the system.

    When I had to write the system up for export permission, I described it in detail - algorithm, file formats, I even had to include the source code for the relevant sections. I suppose you could get that information with a FOIA request. Knock yourself out - if you don't have the private key of the keypair, you won't be able to create the options file.

    Say it with me, kids - "master keys and back doors are BAD - JUST SAY NO!"

  4. my master key to the entire university campus by dmoen · · Score: 4, Interesting
    This technique was discovered by a grad student at a certain Canadian university back in the late seventies. As a result, when I was a student in the eighties, I and several of my friends had a master key that opened pretty near every door on campus. We had a lot of fun exploring the steam tunnels and dodging security guards.

    The funny thing is, the lock system was not designed to have a single master key. Instead, there was supposed to be a different master key for each building. The campus wide master key was an "emergent property" of the similarities between the various building master keys. Only students possessed this master key :-)

    I still have the key, but it's not so useful any more, as they've changed many of the locks.

    Doug Moen

    --
    I have written a truly remarkable program which this sig is too small to contain.
  5. Too little concern for physical security.... by cybergibbons · · Score: 4, Interesting

    Ok, there are a lot of replies here that seem to be saying that physical security, especially regarding locks, is not that important. You would be surprised.

    Let's look at places that have master keyed systems:

    • Schools
    • Universities
    • Office blocks
    • Residential blocks
    • Shopping centres
    • Airports
    • Entertainment complexes
    • Etc.

    So, it shouldn't be taken lightly that many master key systems are vulnerable to attack.

    You can talk about your electronic lock systems all day, but most (at least in the UK) have a normal lock as part of them, with the electronic system for convenience and being able to tell who is where and when. If they don't have a normal lock in them, then they quite often have fire crash bars on the other side.

    I haven't had a chance to read the paper yet, as the crypto.com site is slashdotted, as is the mirror I found. However, a lot of master key systems have vulnerabilities. For example:

    Some keys have ridges down the sides. Sub master keys only differ from master keys in that they have these ridges, preventing them from being used in other parts of the building. File off the ridges, and off you go.

    Get two or more keys from a mastered building. Notice similarities and differences. It is often very easy to deduce the master key from this, because often the mastering works by pins having several splits in them.

    These are extremely simple ways of finding masters. There is of course the fact that keys are often badly controlled, and unlike passwords, are not easy to change from a central location.

    Security through obscurity is often a method used with locks. And it works reasonably well. I would say that lock picking is a far rarer skill than being able to use a computer well.

    Some of the more recent lock systems (Assa, Schlage etc.) are very hard to copy, sometimes involving three separate mechanisms in the lock which all need to work. This is if you can obtain blanks. Some even involve small magnets. They are hard, if not impossible to pick as well.

    More worrying, however, is the lack of physical strength in most doors. If you aren't afraid of leaving traces, opening most doors by force is remarkably easy. Yale locks (front door latches) often only take one kick to open. Even mortice locks are often badly installed and not that strong. Even if the lock holds up, the door, most of the time, won't hold up to a crowbar, or in desperate situations, an electric saw of any kind.

    So, although I am sure that the technique presented in the paper has been around for years, it's going public big time now. We're going to have to welcome the script kiddies who practise on the real world soon.

  6. I wonder if restricted keyways help by swb · · Score: 4, Interesting

    When I replaced the locks on my house, the lock company advertised a series of locks with a restricted keyway, which meant according to the locksmith that their company was the only one in the region where you could get key blanks, cylinders or other hardware associated with this series of locks.

    I ran into this phenomenon in college; I tried to make a copy of my girlfriend's dorm room key at several hardware stores. I actually milled off and polished the head of the key where the "DO NOT COPY" and "UNIVERSITY AABBCC" info was on it so it looked like an ordinary key.

    The last place I went to the guy looked at me and laughed and said, "Nice job, but it's a university key -- the blanks and hardware are sold directly to the University key shop. Even if I wanted to, I couldn't make a copy of it, I have no blanks that will work."

    Anyway, the technique described here requires a bunch of blank keys, which if you can't get or are extremely hard to get makes you wonder if this technique would work in places that employ limited keyway hardware.

  7. I did this 30 years ago in college by Skapare · · Score: 4, Interesting

    This is not an unknown technique. I did this 30 years ago in college. And I only made adaptations to the technique described in a book on locksmithing which was checked out of the college library. I just didn't have any blanks to work with so I made do with one lost key I found. The campus used a type of blank not sold to the public.

    A grand master keying system is based on 5 to 8, but usually 6, tumblers, with typically 10 levels or codes for each tumbler. A simple master system will have at least 2 tumblers with double cuts (but the doubles cannot be cut too close). A more complex system with a level of submastering will have 4 tumblers double cut. A grand master system with potentially two or more levels of submastering will have all the tumblers double cut.

    Presuming it is a grand master system (and very large numbers of change keys generally are made this way even if no grand master key is produced), then you can presume that each position on the key is different between your key and the grand master. And not only is it different, but you can also rule out the level which is one above or below what your key has (the tumbler piece would be prone to pivot and jam, instead of slide, if cut too close). And even two levels apart is often avoided because a tumbler piece of that length can jam, although they insert a ball if the tumbler width is the same as 2 levels in that position (or 3 in some systems).

    So for a typical 6 tumbler 10 level system, you can rule out 3 levels (or 2 if your key is at the highest or lowest) at each position, and the levels 2 above and below are less likely (try them last).

    From your key, you can figure out about where all the levels are. Any additional keys (and I had one, and since this is a non-destructive step, I could also look at friends' keys) can help. Now with the one spare key I had (extras help a little), you begin the step to find the master levels.

    When a key position is ground just a little bit too high, usually about 1/4 of a level interval, it can still engage the tumbler cuts, but it will be rough when doing so. The same thing happens when it's low, but that's not helpful, so make the cut a little high. Even if the other positions are wrong this can be done, but if they are right it's easier. Putting a bit of solder on the position to raise it really helps because now you can see an indentation formed due to the pressure. Attempting to turn the key in the lock will try to work in those positions just a bit off, but will leave a mark on the key, especially if the metal is soft like solder. If there is no indent, you didn't get the right level, so try another at that position.

    Repeat for all positions. If you are good you can even work all positions in parallel and accomplish this in just minutes. Once you have a level for every position which is at a different height than your own key, you probably have the grand master. If your key was really a submaster, this could trip you up. But they generally try to avoid giving out submaster keys to students.

    There are two other ways to do this.

    You can remove the lock and pull the tumblers and measure them. Be very careful because when you tap out the slide to expose the tumblers, do so one at a time because there's always a spring on top to keep the tumblers under pressure. Of course don't lose the parts, and don't lose the order the tumbler pieces come out. Now you can simply see what levels for each position make up the grand master.

    Another method is to figure out all the levels and their distances. The micrometer caliper helps here. Write down the levels for your key. The next step is to examine other keys of other students. Of course they will think you're trying to make a copy of their key, but if they're your friends and you can trust them, you can reveal your real plan. Write down the levels for their key as well. This now lets you rule out some more levels at each position which the master cannot be. With enough keys you can narrow down just what the grand master key is.

    If all the keys you examine are part of the same submaster system, you'll notice that 2 or 3 or maybe 4 positions are just the same on all keys. The grand master will be different there, but if you just cut your new master key at those levels anyway, while you won't have a grand master, you will end up with a submaster which can be used on all the locks in the area (usually a building or so) that the examined keys came from.

    A combination of having a few change keys (yours and a few friends' keys) to rule out more levels in some positions, and working with the first method to find the master levels, can speed things up for you.

    Like I said before, I didn't actually invent these methods; I read them from a locksmithing book. I merely adapted the solder techniques to make things a little easier. Real locksmiths can do it without solder.

    --
    now we need to go OSS in diesel cars
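The two recovery methods described in this thread, the one-blank-per-position probing attack from the article (comment 7's solder-and-indent version is the hand-tool form of it) and the "compare several change keys" inference from comments 5 and 7, as an added simulation. This is example code written for this page, not code from the article, from AT&T or from any commenter. The lock model is an assumption of the example: each pin stack has one shear depth (unmastered) or two (change cut plus master cut), and a key turns the plug when every position matches a shear depth. The bittings are constructed sample values, and the "no master cut within one level of a change cut" rule used for pruning is taken from comment 7 and exposed as the `gap` parameter so it can be widened or switched off.

```python
"""Simulation of master-key recovery against a pin-tumbler master-key system.

Assumed model (not a statement about any particular real lock): POSITIONS pin
stacks, DEPTHS possible cut depths per stack. A mastered stack has two shear
depths (change cut and master cut); an unmastered stack has one. A key opens
the lock when its cut at every position equals one of that stack's shear depths.
"""
from math import prod

POSITIONS = 6   # comment 7: "5 to 8, but usually 6, tumblers"
DEPTHS = 10     # comment 7: "typically 10 levels or codes for each tumbler"


class MasteredLock:
    """A lock pinned for one change key and one master key (sample values)."""

    def __init__(self, change_bitting, master_bitting):
        assert len(change_bitting) == len(master_bitting) == POSITIONS
        # Shear depths per chamber: {change, master}; a single value if unmastered.
        self.shear = [{c, m} for c, m in zip(change_bitting, master_bitting)]

    def opens(self, key):
        """The oracle the attacker has: does this bitting turn the plug?"""
        return len(key) == POSITIONS and all(k in s for k, s in zip(key, self.shear))


def oracle_attack(lock, change_key):
    """Probing attack using one lock and one legitimate change key.

    For each position p, take a fresh blank cut like the change key everywhere
    except at p and try the other depths at p (on a real blank you can only
    remove metal, so you file progressively deeper: shallowest depth first).
    Every other position already sits at the change shear, so the test key
    turns exactly when depth d hits the master shear at p.
    Cost: at most DEPTHS - 1 probes per position, (DEPTHS - 1) * POSITIONS total.
    """
    master = list(change_key)
    probes = 0
    for p in range(POSITIONS):
        for d in range(DEPTHS):
            if d == change_key[p]:
                continue            # the change shear, already known
            test = list(change_key)
            test[p] = d
            probes += 1
            if lock.opens(test):
                master[p] = d       # second shear point found: the master cut
                break
        # If no other depth turns the plug, the stack is unmastered and the
        # master depth equals the change depth there, which is what we kept.
    return master, probes


def narrow_candidates(change_keys, gap=1):
    """Comparison method from comments 5 and 7, using several change keys.

    Per position, rule out every observed change depth and anything within
    `gap` levels of it (comment 7: a master wafer that thin tilts and jams).
    Positions where all observed keys agree are reported separately: they
    point at a submaster level rather than constraining the grand master.
    """
    candidates = []
    constant_positions = []
    for p in range(POSITIONS):
        seen = {k[p] for k in change_keys}
        if len(seen) == 1:
            constant_positions.append(p)
        excluded = {d for s in seen for d in range(s - gap, s + gap + 1)}
        candidates.append(set(range(DEPTHS)) - excluded)
    return candidates, constant_positions


def candidate_count(candidates):
    """How many complete master bittings remain consistent with the evidence."""
    return prod(len(c) for c in candidates)


if __name__ == "__main__":
    # Constructed sample bittings: every change depth differs from the master
    # depth by at least two levels, matching the spacing rule in comment 7.
    MASTER = [7, 2, 4, 1, 5, 9]
    door_a = MasteredLock([3, 5, 1, 7, 2, 6], MASTER)
    door_b = MasteredLock([0, 8, 1, 4, 7, 3], MASTER)

    found, probes = oracle_attack(door_a, [3, 5, 1, 7, 2, 6])
    print("recovered", found, "in", probes, "probes; opens door B:", door_b.opens(found))

    keys = [[3, 5, 1, 7, 2, 6], [0, 8, 1, 4, 7, 3], [5, 0, 1, 9, 0, 1]]
    cands, const = narrow_candidates(keys)
    print("candidates per position:", cands)
    print("positions identical on all keys (likely submaster level):", const)
    print("master bittings still possible:", candidate_count(cands), "of", DEPTHS ** POSITIONS)
```

The probing attack needs no more than nine tries per position here, so the sample lock gives up its master in a few dozen probes, and the recovered bitting opens the second door of the same system. The comparison method alone does not pin the master down, but three change keys shrink the search from a million bittings to a few hundred, and the positions on which every key agrees show where a submaster, rather than the grand master, sits.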
  8. Re:HOW TO DO IT by gr8_phk · · Score: 4, Interesting
    I had a friend in high school who carried a set of masters for every type of lock he could find. I seem to recall he'd use a flame (match) to scorch the blank before he put it in a lock. The soot scrapes off easier than the key scratches :-) I never did understand his full method, so thanks for the insight. BTW, that was about 15 years ago.

    Locksmithing is a closely guarded profession. They have more secrets too, but they'll be mad enough at this guy and the NYT for letting the cat out of the bag on this one.