Making A “Unpickable” Lock

Every time manufacturers bring a new “unpickable” lock to market, amateur and professional locksmiths descend on the new product to prove them wrong. [Shane] from [Stuff Made Here] decided to try his hand at designing and building an unpickable lock, and found that particular rabbit hole to be a lot deeper than expected. (Video, embedded below.)

Most common pin tumbler locks can be picked thanks to slightly loose fits of the pins and tiny manufacturing defects. By lifting or bumping the pins while putting tension on the cylinder the pins can be made to bind one by one at the shear line. Once all the pins are bound in the correct position, it can be unlocked.

[Shane]’s design aimed to prevent the pins from being set in unlocked position one by one, by locking the all pins in whatever position they are set and preventing further manipulation when the cylinder is turned to test the combination. In theory this should prevent the person doing the picking from knowing if any of the pins were in the correct position, forcing them to take the difficult and time-consuming approach of simply trying different combinations.

[Shane] is no stranger to challenging projects, and this one was no different. Many of the parts had to be remade multiple times, even with his well-equipped home machine shop. The mechanism that holds the pins in the set position when the cylinder is rotated was especially difficult to get working reliably.  He explicitly states that this lock is purely an educational exercise, and not commercially viable due to its mechanical complexity and difficult machining.

A local locksmith was unsuccessful in picking the lock with the standard techniques, but the real test is still to come. The name [LockPickingLawyer] has probably already come to mind for many readers. [Shane] has been in contact with him and will send him a lock to test after a few more refinements, and we look forward to seeing the results! Continue reading “Making A “Unpickable” Lock”

Stealing Keys From The Sound Of The Lock

If you are smart, you wouldn’t hand your house key over to a stranger for a few minutes, right? But every time you use your key to unlock your door, you are probably broadcasting everything an attacker needs to make their own copy. Turns out it’s all in the sound of the key going into the lock.

Researchers in Singapore reported that analyzing metallic clicks as the key slides past the pins gives them the data they need to 3D print a working key. The journal published research is behind a paywall, but there is a copy on co-author [Soundarya Ramesh’s] website which outlines the algorithm used to decode the clicks of key teeth on lock pins into usable data.

The attack didn’t require special hardware. The team used audio capture from common smartphones. While pushing your phone close to the lock while the victim inserts a key might be problematic, it isn’t hard to imagine a hacked phone or smart doorbell picking up the audio for an attacker. Long-range mikes or hidden bugs are also possible.

There are practical concerns, of course. Some keys have a plateau that causes some clicks to skip, so the algorithm has to deal with that. It sounds like the final result be a small number of key possibilities and not just converge on one single key, but even if you had to carry three or four keys with you to get in, it is still a very viable vulnerability.

The next step is to find a suitable defense. We’ve heard that softening the pins might reduce the click, but we wondered if it would be as well to put something in that deliberately makes loud clicks as you insert the key to mask the softer clicks of the pins.

While a sound recording is good, sometimes a picture is even better. Of course, if you want to go old school, you can 3D print your lockpicks.

Continue reading “Stealing Keys From The Sound Of The Lock”

Son Of Rothult

We are continuously inspired by our readers which is why we share what we love, and that inspiration flows both ways. [jetpilot305] connected a Rothult unit to the Arduino IDE in response to Ripping up a Rothult. Consider us flattered. There are several factors at play here. One, the Arduino banner covers a lot of programmable hardware, and it is a powerful tool in a hardware hacker’s belt. Two, someone saw a tool they wanted to control and made it happen. Three, it’s a piece of (minimal) security hardware, but who knows where that can scale. The secure is made accessible.

The Github upload instructions are illustrated, and you know we appreciate documentation. There are a couple of tables for the controller pins and header for your convenience. You will be compiling your sketch in Arduino’s IDE, but uploading through ST-Link across some wires you will have to solder. We are in advanced territory now, but keep this inspiration train going and drop us a tip to share something you make with this miniature deadbolt.

Locks and security are our bread and butter, so enjoy some physical key appreciation and digital lock love.

The Key To This City Opens A Real Lock

There are few more satisfying moments than the first time you pick a lock. No matter that it’s a dollar-store padlock that you opened with a pick from a $10 eBay kit, the magic of something that should be secure clicking open in the palm of your hand is hard to beat. Pin tumbler locks are surprisingly simple devices, and to demonstrate this [Farmcraft 101] has produced one at 10x scale to demonstrate their operation on the bench.

The video is a delightful exercise in wood-shop voyerism, as we see him construct the various parts of the lock using his lathe and other workshop tools. A key of the size usually reserved for Freedom Of The City is made, but this one really does slide into the keyway and operate those pins. At the back is a latch mechanism, and the result is a fully-functional model that anyone should be able to use to figure out how the lock works.

Thelock itself isn’t the whole story though, because given the date he’s used it as the basis for a cracking April Fool in which he sends up the [Lock Picking Lawyer] and proceeds to demonstrate the glaring insecurities in his creation. Both videos are there for your enjoyment, below the break. And if you can’t wait to have a go at a lock or two, don’t forget you can always make your own tools using paperclips.

[Ed note: streetcleaner bristles. Thank me later.]

Continue reading “The Key To This City Opens A Real Lock”

Fail Of The Week: Padlock Purports To Provide Protection, Proves Pathetic

Anyone in the know about IoT security is likely to steer clear of a physical security product that’s got some sort of wireless control. The list of exploits for such devices is a long, sad statement on security as an afterthought, if at all. So it’s understandable if you think a Bluetooth-enabled lock is best attacked via its wireless stack.

As it turns out, the Master 5440D Bluetooth Key Safe can be defeated in a few minutes with just a screwdriver. The key safe is the type a realtor or AirBnB host would use to allow access to a property’s keys. [Bosnianbill] embarked on an inspection of the $120 unit, looking for weaknesses. When physical attacks with a hammer and spoofing the solenoids with a magnet didn’t pay off, he decided to strip off the resilient skin that Master so thoughtfully provided to prevent the box from marring the finish of a door or gate. The denuded device thus revealed its awful secret: two Phillips screws, each securing a locking shackle to the cover. Once those are loose, a little prying with a screwdriver is all that’s need to get the keys to the kingdom.

In a follow-up video posted later, [Bill] took a closer look at another key safe and found that Master had made an anemic effort to fix this vulnerability with a squirt of epoxy in each screw head. It’s weak, at best, since a tap with a hammer compresses the gunk enough to get a grip on the screw.

We really thought [Bosnianbill]’s attack would be electronic, like that time [Dave Jones] cracked a safe with an oscilloscope. Who’d have thought a screwdriver would be the best way past the wireless stack?

Continue reading “Fail Of The Week: Padlock Purports To Provide Protection, Proves Pathetic”

Pistol Safe’s Poor Design Means Biometric Sensor Bypassed In Seconds

When it comes to safes, mechanical design and physical layout are just as important as the electronic bits. If care isn’t taken, one element can undermine the other. That appears to be the case with this Amazon Basics branded biometric pistol safe. Because of the mechanical design, the fingerprint sensor can be overridden with nothing more than a thin piece of metal — no melted gummi bears and fingerprint impressions involved.

push button to reset safe fingerprint reader
Small button used to register a new fingerprint. It can be reached by inserting a thin shim in the gap between the door and the frame while the safe is closed and locked.

[LockPickingLawyer] has a reputation for exposing the lunacy of poorly-designed locks of all kinds and begins this short video (embedded below) by stating that when attempting to bypass the security of a device like this, he would normally focus on the mechanical lock. But in this case, it’s far more straightforward to simply subvert the fingerprint registration.

This is how it works: the back of the front panel (which is inside the safe) has a small button. When this button is pressed, the device will be instructed to register a new fingerprint. The security of that system depends on this button being inaccessible while the safe is closed. Unfortunately it’s placed poorly and all it takes is a thin piece of metal slid through the thin opening between the door and the rest of the safe. One press, and the (closed) safe is instructed to register and trust a new fingerprint. After that, the safe can be opened in the usual way.

It’s possible that a pistol being present in the safe might get in the way of inserting a metal shim to hit the button, but it doesn’t look like it. A metal lip in the frame, or recessing the reset button could prevent this attack. The sensor could also be instructed to reject reprogramming while the door is closed. In any case, this is a great demonstration of how design elements can affect one another, and have a security impact in the process.

As for fooling sensors in a more traditional sense, here’s a reminder that we’ve seen a 3D printer and a photo of a fingerprint used to defeat a fingerprint sensor.

Continue reading “Pistol Safe’s Poor Design Means Biometric Sensor Bypassed In Seconds”

Copying High Security Keys With OpenSCAD And Light

The ability to duplicate keys with a 3D printer is certainly nothing new, but so far we’ve only seen the technique used against relatively low hanging fruit. It’s one thing to print a key that will open a $15 Kwikset deadbolt from the hardware store or a TSA-approved “lock” that’s little more than a toy, but a high-security key is another story. The geometry of these keys is far more complex, making them too challenging to duplicate on a consumer-level printer. Or at least, you’d think so.

Inspired by previous printed keys, [Tiernan] wanted to see if the techniques could be refined for use against high security Abloy Protec locks, which are noted for their resistance to traditional physical attacks such as picking. The resulting STLs are, unsurprisingly, beyond the capabilities of your average desktop FDM printer. But with a sub-$300 USD Anycubic Photon DLP printer, it’s now possible to circumvent these highly regarded locks non-destructively.

Of course, these keys are far too intricate to duplicate from a single picture, so you’ll need to have the physical key in hand and decode it manually. [Tiernan] wisely leaves that step of the process out, so anyone looking to use this project will need to have a good working knowledge of the Abloy Protec system. Hopefully this keeps bad actors from doing anything too nefarious with this research.

Once you have the decoded values for the key you want to duplicate, you just need to provide them to the OpenSCAD library [Tiernan] has developed and print the resulting STL on your sufficiently high-resolution printer. Generally speaking, the parts produced by resin-based printing have a high tensile strength but are very brittle, so perhaps not the kind of thing you want to stick in your expensive Abloy lock. That said, there are some “Tough Resin” formulations available now which produce parts that are at least as strong as those made with thermoplastics. So while the printed keys might not be strong enough for daily use, they’ll certainly work in a pinch.