Patented keys have high-quality drawings in plain sight.

BSides Canberra A group of Melbourne lock-pickers have forged a creative method for popping so-called restricted locks by 3D printing keys from freely available designs found on patent sites.
The feat, demonstrated at the BSides Canberra security conference last week, is a combination of opportunistic ingenuity and lock-picking mastery, and will be warmly received by red team penetration testers and criminals alike.
Lock-picking is common within the information security industry, is a staple at hacker conventions, and is an increasingly used skill in anything-goes attempts to reach controlled areas where computers can be found.
Restricted keys are controlled by limiting manufacture to expensive specialist locksmiths who require licences and specific machinery to produce the keys.
Locks using the keys are used across enterprises to secure sensitive areas such as offices and data centres.
Now a Loop security consultant known as “Topy” and his fellow lock-pickers say restricted keys have become skeletons in the security closet.
Their plastic, 3D-printed blank keys are sufficiently strong to be used multiple times without breaking.
With such blanks in hand, a lock-picker can obtain the cylinder from a vulnerable lock, say one at the external gate of a targeted facility, to learn the master key pattern, which can then be cut into the 3D-printed restricted blank.
“The restricted keys have ‘do not copy’ stamped on them, but unfortunately it doesn’t really mean anything,” Topy told hackers.
“In Melbourne you can’t get restricted keys from locksmiths no matter how nicely you ask them … so we decided to make them ourselves.
“The shape of the keys is patented and that means you can go online and search the database for very high quality images.”
The patent drawings of the key blanks are often scalable vector images with precise measurements, which allowed Topy and his colleagues to create computer-aided designs of many restricted keys.
Cracking restricted keys enables an attack whereby a restricted lock is removed from a gate, which takes just two well-placed cuts of a rotary tool, and a replacement that accepts any key is fitted in its place. Because legitimate keys still open the substitute, the swap goes undetected.
The lock-picker can then extract the original lock’s cylinder and tap out the pins within. Each pin can be measured, and the measurements used to build the corresponding restricted master key.
Topy says master keys are used in scores of businesses, utilities, and government buildings where separate levels of physical access are required for staff with different levels of security clearance.
There are some scenarios in Australia where highly sensitive master keys can be derived from extremely vulnerable environments, but the details of those attacks are being kept under wraps until the situation can be resolved.
Topy and his colleagues developed the attack in a hired warehouse dubbed HackHouse, and are working on new methods to overcome high-security locks.
His attacks, like many other emerging information security exploits, are not needed to break into many secured areas, since businesses and individuals typically buy cheap, easily popped locks.
Lock-picking is a staple of security conferences. Hang around and you’ll see ATMs, wafer and tumbler locks, and every type of handcuff on the market picked apart.
Even rudimentary lock-picking skills sometimes aren’t needed to access secure areas, as many organisations store their master keys in key safes. But those safes are often protected only by weak combination locks that can be opened.