Pictures That Defeat Key Locks

We’re at LayerOne this weekend and one of the talks we were excited about didn’t disappoint. [Jos Weyers] presented Showing Keys in Public — What Could Possibly Go Wrong? The premise is that pictures of keys, in most cases, are as good as the keys themselves. And that pictures of keys keep getting published.

[Jos] spoke a bit about new services that offer things like 3D scanning and storage of your key for printing when you get locked out, or apps that ask you to take a picture of your key and they’ll mail you a duplicate. Obviously this isn’t the best of ideas; you’re giving away your passwords. And finding a locksmith is easier than findind a 3D printer. But it’s the media gaffs with important keys that intrigues us.

We’ve already seen the proof of concept for taking covert images to perfectly duplicate a key. But these examples are not so covert. One example is a police officer carrying around handcuff keys on a belt clip. Pose for a picture and that key design is now available to all. But news stories about compromised keys are the biggest offenders.

subway-keysA master key for the NYC Subway was compromised and available for sale. The news coverage not only shows a picture at the top of the story of a man holding up the key straight on, but this image of it on a subway map which can be used to determine scale. This key, which is still published openly on the news story linked above, opens 468 doors to the subway system and these are more than just the ones that get you onto the platform for free. We were unable to determine if these locks have been changed, but the sheer number of them has us thinking that it’s unlikely.

firemans-keysWorse, was the availability of fire-department master keys which open lock boxes outside of every building. (Correction: these are fire department keys but not the actual lock-box keys) A locksmith used to cut the original keys went out of business and sold off all their stock. These keys were being sold for $150, which is bad enough. But the news coverage showed each key on a white background, straight on, with annotations of where each type of key will work.

Other examples include video news stories about credit card skimmers installed in gas pumps — that coverage showed the key used to open the pump housing. There was also an example of speed camera control cabinet keys being shown by a reporter.

key-photo-duplication-layerone[Jos’] example of doing the right thing is to use a “prop” key for news stories. Here he is posing with a key after the talk. Unfortunately this is my own house key, but I’m the one taking pictures and I have blurred the teeth for my own security. However, I was shocked during image editing at the quality of the outline in the image — taken at 6000×4000 with no intent to make something that would serve as a source for a copy. It still came out remarkably clear.

Some locks are stronger than others, but they’re all meaningless if we’re giving away the keys.

65 thoughts on “Pictures That Defeat Key Locks

  1. A lock only keeps an honest person out.

    I have a bit of locksmith training under my belt, enough to know that you don’t need a key to open most locks. What’s the point in making a key that will only open a finite number of locks when you can make tools that will open all of them? Of course, I am not a criminal, so I have only ever picked locks for legitimate reasons (lockouts, lost keys, etc.).

    1. Well, it’s the difference between standing around picking a lock in the subway for a while and simply walking up to the door and opening it. One of the two is more likely to attract attention.

    2. I’m late to the party on this one, but a digital copy can’t be lost or damaged in the same way as a physical one.
      I could keep records of them all and print as needed.

  2. I choose for my house a “Bramah type lock”, which is (apparently) harder to open without the right key, and surely not directly reproductible with a single photo since there is always a hiden part… (and of course I avoid to show my keys in public ;-) )

      1. A lockpicker friend of mine draws the line with respect to lock-strength paranoia here: if the criminal has to leave enough traces that my friend’s insurance company has to pay out, it’s not an attack he’s worried about.

        I’m thinking the sawzall threat falls under the “not-worry” category.

      2. AS will a Hy-lift Jack (a jack found on farms that is a hydraulic bottle jack with a long length) and its faster and very quiet compared to a sawzall! just place across a door at or near lock height against both sides of the frame, 3 to 6 pumps and you are in, key type and lockset quality fade quick, most bolts and latches are an inch or less almost none exceed 2 inches. So 2 inches at most at least 3/4 inch which means the jack only has to move each side apart by 3/8 of an inch to open the door!

        1. 3 point locking makes it slightly more difficult (need to spread the door 2 ways. Though, you would probably also need to warp the frame just right since the 3rd peg goes into the floor of the house. Again if you are trying to get into a place where you can bring a large jack/sawzaw/blowtorch/explosives… then nothing short of 6 inch think steel with vault style doors will prevent you from access, which would need to include access through windows and such, bringing the extremely paranoid to living in a solid block house with 1 entrance/exit…

    1. If you own a house, that’s great, you can install whatever locks you like. But for those living in apartments they own, they are generally going to be limited in what they can install. Often fire codes require a certain sort of lock with a “fire rating approval” or whatever so you can get out in an emergency (e.g. a lock that requires you to use a key to unlock the door from the inside would be a problem). And then if you are a renter you can end up with the crappiest locks in the world on your apartment and no way to do anything about them (my current rental apartment has a round doorknob in the front door with a keyhole on the outside and a turn snib on the inside then a screen door in front of that with keyholes on both sides and a snib on the inside that wont unlock if you key-lock the door)

  3. It’s not “the news stories about compromised keys [that] are the biggest offenders”, it’s the people/organisations that allow the keys to be compromised, and/or those that fail to fix the problem after it’s published.

    1. Responsible reporting is part of it, though, and it behooves journalists to be aware of the situation. Not every layperson realizes that posting a photo of a physical key is just like writing out a door security code or password in their article.

  4. This is why I have a HID prox card system on my house and my shop.
    Should have seen the look on my new neighbors face when I gave them a key card with my email address and cell number on it.
    I told them that in case of a emergency they can use it to get in and help.
    But it will only work when it has been authorized and to use their 4 digit pin code.
    I can access the controller from my iPhone or laptop and I can activate cards , kill cards ,
    allow access with or with out a card or just a pin code. On either my front or back door.
    Each door has two electro deadbolts and a 1700 lib mag lock. The dead bolts are fail secure.
    And the card system has a battery backup that will last for 48 hrs.
    I can also remote unlock either door.

    My next-door neighbors kid didn’t think I locked my door since he has never seen me unlock it with a key.
    and the locks that are on the door are dummies.
    And my house guests get confused on how to exit.
    I have a no touch sensor plate next to each door that has exit /no touch printed on it.
    The entire system cost about $300.00 Less than a Medeco deadbolt that is a good lock but the keys are expensive and can only be duplicated by the dealer.

    My keys cost about 30c each and if one gets lost or compromised I just kill it and program a new one.

    1. And after all that work may i ask, what key system you use on your key (card)? The card id? a random number, a combination, a certificate? you know that someone who is near you with a scanner (something like a smartphone) can read your key card, duplicate it, and have all access you have?

      I would just give you the name of a product a german researcher is launching, but i forgot, it is a 5 in 1 blanc card, and completly programable, you can even program the card id (manufacturer yada yada yada). He did show us doing it on real time, and getting access to an entire building by doing this to a card from a gatekeeper.

      So again, you think you are safe? do you belive in those that created that system? or did you create the system and assume that strenght is on hiding the method to open your door and not on your key quality? because my security teacher always told that belive in a closed system is bad for a security system. Security must be in the algorithm itself, and not in a hiden weak algorithm..

    2. Sounds amazing! I always believe that if someone was really going to break into your house, nothing within the average person’s price range will keep them out completely, so why not just go for an adequate solution (not cheap but not overly expensive either) that makes the controlling of access into your space simple and secure? It’s always going to be people you know who you need to guard against after all.

      I saw a couple of articles that were really interesting, with smart systems being talked about all the time these days, thought it’ll be great to share a couple here:

      http://www.nytimes.com/2014/06/12/garden/losing-the-key.html?_r=1
      http://pages.getkisi.com/access-control/wiki/authentication/smartphones/

  5. Ha… reminds me of an old job I had. I worked at a large facility where nearly every door was keycard controlled.

    One day I realize I’m hearing a weird noise in the vault. So I make my way down the hall from my office and find both the outer and inner vault doors spazzing out. They would open about 3/4 of the way then start closing again. The safety interlock wasn’t functioning (same as elevator doors) so I timed it and ducked through the doors to access the motors and disengange the drives then I cut the power and enganged the emergency bolt from the inside for both doors.

    As I was standing there admiring my handy work I realize I was still hearing the door spazz out. The vault is five stories and the vault doors for every floor were spazzing out. After I locked them I had to use the fire corridors and doors to move between which led me to another discovery, the damn electronic locks disengage during failure. A safety measure to ensure people can get out of the building during a power failure. ::headsmack::

    The entire electronic keycard lock network went South for roughly 6 hours that day. The keycard scanners would act like they scanned your card then give a green light but it was all pointless since the doors were already unlocked anyways.

  6. This only works with wafer and pin locks and only where the angle allows symmetry matching(which requires algorithms that don’t exist) or eyeing depths, and eyeing where the lock is under surveillance and remote likely wouldn’t work out.. It also suggest matching blade and blade-length is trivial and that you can just go to the local store and buy a blank..

      1. it’d still be brute force.. micrometer discrepancies can cause keys to not work at all even with pin tumbler, and with both debts and blade.

        The lack of information for blades is one thing that’s always annoyed me about the lock picking scene.. Literally the most advance people just eyeball and trial and error.. There are thick books locksmiths sometimes have that match blades to keyholes but then there is also debt of cylinder.

        Also what’s up with ‘experts’ who show how ‘easy’ locks are in a vice with no time restriction?

  7. Guess it’s time to switch to cruciform key since one would need multiple pictures to get all 4 sides done right. And it’s near impossible for run of the mill locksmith to make duplicate so dishonest one who easily accepts bribe won’t be able to make one. Lastly, harder to pick 4 sided key lock than a standard 1 sided deadbolt lock.

    PS should the subway change all the lock to prevent unauthorized entries by those with printed keys, wouldn’t it be likely they would bill the person photographed holding the key for the big job of replacing all the locks and all the keys and the labor? A year of paycheck probably!

    1. Yes, they are standard so any cop can unlock them without worrying about “who’s cuffs” etc… and cops do play nice and return each others cuffs as they typically have huge serial numbers and logos etched on them. Jail Cell locks, if not automated from a control room and typically a “3-D” style. I don’t know the lock-smitheze for what kind of key they are, but I don’t think a single photograph would do you much good with them, as they have more than one row of teeth.

      A crowbar can get you into a lot of places without leaving a mark if you know how….

      1. There’s a subtle way to use a crowbar?

        Actually I’ve a related story. A local shop was unwise enough to leave a pair of long-handled bolt cutters in their window, for sale. The window lasted about 2 days after. Moral: Don’t put burglary tools where they’re easily stolen!

  8. So, most locks can be copied, hacked. picked, etc… We’ve know that for a while now.

    I suppose the most experienced can clever can easily bypass a dimple lock. (BTW, WTF we still using standard locks here state side? Oh well I’ll be content with 12 Gauge then.)

    I’m of the idea what about a “Negative” configurable dimple lock. Looks like a standard 2 sided dimple with normal lock teeth but you have a series of eyeglass sized neodymium magnets that could be added/reconfigured to the key AND the lock. “Negative dimples will never be engaged because you have two magnets S/S or N/N keeping the pin from falling in. Combine that with non-magnetic screws for the dimples and locks.

    Well, unless the person is carrying 20 pounds of keys, bumping or foil probably would not help unless they could somehow integrate a reed switch/hall effect at every dimple. Finally without setting your hand that has a ring and a neo magnet on the correct part of the door frame the slider won’t move either against S or N. to allow the bolt portion of the metal to the door frame.

    Now you need 2 people to try to pick the lock since you can’t squat and 1 hand is now disabled looking for the right place to put it.

    And I guess the beauty is that you don’t need an active AC or DC current to read your whatever just raw magnetism.

    -=-=- And while home alone, The ole chair in the door is the best. More modern fix? Enforced plate on the door. Enforced plate bolted to the ground. Metal pipe with a piece of re-bar inside it to drop into place.

    It won’t stop the mole men from coming up through your toilet or a tank driven through your front door but it can break the ankle of a common thug or slow 2 fake cops trying to use a pvc pipe and cement ram from getting in.

    1. Don’t even need to go that far really. It’s cheap to buy a kick stop that mounts near the door handle. Try booting the door even against a cheap kick stop and you get some nasty bruising in your ankles, better off slamming hard enough to bust the screws in the door frame.

  9. Kwikset SmartKey locks are pretty much pick proof. The original design did have a weakness where an L shaped high strength steel bar could be inserted and the lock forced. That’s been fixed. Probably just wrecks the lock without opening in the current design.

    When they were first introduced I looked up picking them and found one report by a fellow who said it took him 30 minutes to pick and he was never able to repeat it.

    Quickest way through a SmartKey lock is a BFH.

  10. I once seen a 8 pin tumbler, all security pins, with sidebar and dimple. I don’t know which brand it was, but no person you know or heard of can tell of a more secure design that only uses a key.. I’d put this second only to high-security warded designs which are on million dollar hardware and engineering art.

    The best lock I’ve seen that can be bought readily is the ASSA sidebar with security pins puck locks. It’s a padlock that you’d have to lance off unless you had a while to pick it.

  11. I remember when this happened to Diebold/Premier Election Systems voting machines, around the year 2000 US presidential election. In the section of their website describing how secure their machines were, they used a picture of a key, which turned out to be a picture of the actual service door key.

    1. or just get an alarm system with a call center link and save a lot of time and money.. Street level thieves randomly looking aren’t going to spend time reverse engineering your model of alarm to MITM and nobody has ever defeated the IR motion sensors.. I think modern systems are like 20-30 USD/Euro a month these days..

      1. Even cheaper, get signs that say you have an alarm monitored by some big name alarm company or the local alarm company. Actually having the alarm is a reactionary effort. Having the signs is proactive, and works even if no alarm system is installed. And, on a different note, with alarm systems going either IP or cellular, MITM is harder. There were only a few standards for the older ones that reported zones triggered to the alarm company via an analog telephone line.

  12. I think the best locks are magnetic key lock. They are very high-tech. No guarantee that they cant be picked but it will certainly slow a thief down. Also biometric locks are good. But if they have a backup emergency tumbler lock then it is pointless. The best deterrent just short of having actor Ving Rhames stand in your yard 7 x 24 looking ominous is to post fake ADT signs around your property (you can make them on your color printer), They never know if you are vulnerable or not so they move on to easier pickings. Dead bolts are better anti-door smashing thieves as well as doors that open out. You could put 2 x 4 across each door interior and then do like the POTUS does in Oval Office and have a hidden camouflaged door for egress and entry,

    If you have this gadget, like many in guberment have, you don’t need no 3D printer to make keys to pick locks from photos: http://klom-tools.com/wp-content/uploads/2010/10/klom_tool_elektronic_pick_gun_plus.jpeg

    What I’d like to see is a computer (or Arduino) that controls your door lock and you have it’s USB jack in keyhole. When you insert usb dongle (flash drive or thumb drive), you press a button, and the thumb drive downloads a complex unlock code the computer is looking for and then fires the unlock solenoid to the dead bolt. Actually the computer could have absolutely NO program on it at all. An executable could be on the dongle and autoplay is set. No buttons needed. No one can hack the computer as it has no software on it, it’s all on you thumb drive, The solenoid is fired off of the LPT1 or USB printer port.

      1. Didn’t mean to be so absolute with my no hacking statement. However who is going to do side channel analysis on someones computer assisted door lock? What can they glean from a computer with no software running on it? Where and how do they hide the probe antenna from victims notice ? Chipwhisperer sounds like using a sledge hammer to kill a tiny mosquito… you kill it but at what financial cost?

      2. If the computer has no software, it has no way to verify that this particular USB drive is the right one. So, anybody who buys this setup can open anybody else’s door.

        1. Oops you are right! That one got by me. OK I guess it does need some software on the computer after all. OR the computer could just have a text file (with unique psuedo-randomly assigned file name) on it with a huge pass-code i.e. tag. If the USB flash drive doesn’t match the file name and the text content then no entry. The actual lock solenoid would not fire with a binary 1 to a particular port. It would have to be a series of different ports predefined by end-user. That way a hacker shouldn’t be able to just fire the solenoid from his laptop with one simple port write command – a good job for a piece of fruit?.I think Siemens learned this hard lesson when Stuxnet was invented…

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.