Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security Technology

MIT Students Release Code To 3D-Print High Security Keys 207

Sparrowvsrevolution writes "At the Def Con hacker conference Saturday, MIT students David Lawrence and Eric Van Albert released a piece of code that will allow anyone to create a 3D-printable software model of any Schlage Primus key, despite Schlage's attempts to prevent the duplication of the restricted keys. With just a flatbed scanner and their software tool, they were able to produce precise models of Primus keys that they uploaded to the 3D-printing services Shapeways and i.Materialise, who mailed them working copies of the keys in materials ranging from nylon to titanium. Primus high-security locks are used in government facilities, healthcare settings, and detention centers, and their keys are coded with two distinct sets of teeth, one on top and one on the side. That, along with a message that reads 'do not duplicate' printed on the top of every key, has made them difficult to copy by normal means. With Lawrence and Van Albert's software, anyone can now scan or take a long-distance photo of any Primus key and recreate it for as little as $5."
This discussion has been archived. No new comments can be posted.

MIT Students Release Code To 3D-Print High Security Keys

Comments Filter:
  • "Do Not Duplicate" (Score:5, Interesting)

    by DexterIsADog ( 2954149 ) on Monday August 05, 2013 @08:33AM (#44476335)
    Really? That makes them difficult to duplicate? On which planet?
    • "Do Not Duplicate". Really? That makes them difficult to duplicate? On which planet?

      I assume that message was intended for the owner of the key.

  • How quaint (Score:5, Insightful)

    by msobkow ( 48369 ) on Monday August 05, 2013 @08:34AM (#44476347) Homepage Journal

    I'd hardly call any industry that uses a physical key "high security" in an age of individually-revokable key card technologies.

    How secure can a facility be when the loss of one key means that everyone's keys have to be replaced in order to recode the lock?

    • You just tell everybody who has to come in for a key replacement who it was who lost their key, then turn your back and whistle innocently. Cuts the loss rate significantly.

      • Re:How quaint (Score:5, Insightful)

        by Anonymous Coward on Monday August 05, 2013 @08:56AM (#44476561)

        Thus ensuring that people who lose keys wait as long as possible before reporting it, in order to avoid retribution. Now you've lowered your loss rate *and* your security at the same time. :)

        • Re:How quaint (Score:4, Insightful)

          by fuzzyfuzzyfungus ( 1223518 ) on Monday August 05, 2013 @09:04AM (#44476615) Journal

          Exactly! People love Objective Metrics (especially ones made of numbers, because numbers are super scientific) that are easy to measure; because they allow even the laziest among them to experience the warm, comforting, embrace of Knowledge. They hate, and thus tend to ignore, fuzzy metrics that are difficult or impossible to quantify (like 'security') because those are a morass of nescience and harrowing epistemic uncertainty.

          By doing exactly the wrong thing, and encouraging blatantly insecure behavior (you also likely create a culture of casual key-sharing and letting just anybody who 'lost their key' in), you drive the metric that people are looking at through the floor (demonstrating your Epic Competence), and shove all the risk under the rug of the metric that everybody avoids looking at and politely doesn't mention!

          • by dkf ( 304284 )

            By doing exactly the wrong thing, and encouraging blatantly insecure behavior, you drive the metric that people are looking at through the floor (demonstrating your Epic Competence), and shove all the risk under the rug of the metric that everybody avoids looking at and politely doesn't mention!

            Wait, are we talking about the banking system here?

    • Keys have the advantage that they do not require electricity to run.

      • We use low-security locks at my employer. Electronic. The fastening is electromagnetic.

        Why? Because there are children around, which means that in the event of a fire we need to be able to evacuate very quickly. A fire that could potentially burn through power cables before setting off the alarms. The electromagnet locks are failsafe - if the power fails, the locks unlock. There's also a physical power cut button (The 'break glass' type) on one side of most of the doors.

        • Re:How quaint (Score:4, Informative)

          by msauve ( 701917 ) on Monday August 05, 2013 @09:42AM (#44477007)
          I worked in an office with electromagnetic latches. Used a badge reader to get in. A motion sensor would let you out. If you forgot your badge, flipping a sheet or two of paper through the gap between the doors would trigger the motion sensor and let you in.
          • Similar trick on ours. The doors also have those flip-up-and-down levers on the inside edges that allow for one side to be locked shut. We've no actual use for them, they are just part of the 'stanard' door that the builders purchased and installed. The children soon worked out that if you flip the lever down, the bolt comes out the top of the door and stops it closing. Which means the magnet can't make contact with the locking plate. So now there is a crew that always flips the bolts when they come through

          • One of my old work places had fancy glass doors with a touch bar to get out, badge swipe to get in. We used to keep a paperclip in the planter box by the door outside to stick through the gap and touch the bar with. It always opened.
    • I'd hardly call any industry that uses a physical key "high security" in an age of individually-revokable key card technologies.

      How secure can a facility be when the loss of one key means that everyone's keys have to be replaced in order to recode the lock?

      Remember that electronic locks can have various vulnerabilities too.

      • I'd hardly call any industry that uses a physical key "high security" in an age of individually-revokable key card technologies.

        Remember that electronic locks can have various vulnerabilities too.

        That's why I'm going to put in a voice-activated lock system. You have to know the secret word, which I've cleverly stuck inside the Welcome Notice printed over the door.
        Just don't throw things into the pond while working out the right word.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      I'd hardly call any industry that uses a physical key "high security" in an age of individually-revokable key card technologies.

      How secure can a facility be when the loss of one key means that everyone's keys have to be replaced in order to recode the lock?

      The data on key cards can be replicated as well. Heck, even the new "e-passports" gaining popularity with governments around the world have been cloned in the past.

      Also, even locks that use key cards have mechanical elements. The bits can be secure as can be, but there may be physical ways to bypass the system.

      AFAIK, the only physical keying system that has not been hacked is Abloy's (non-Cliq) Protec. Short of drilling out the cylinder I don't think anyone has been able to get in without having a key. Or a

      • Re:How quaint (Score:4, Informative)

        by mlts ( 1038732 ) * on Monday August 05, 2013 @09:33AM (#44476901)

        Last time I read, the locksport guys have managed to get it open in 10-12 hours. The Protec is about ten years old, and Abloy has put out the Protec2 with minor changes recently which, AFAIK, has not been opened.

        I'd probably say the Protec2 + CLIQ is probably the best out there. It isn't 100%, (as the 2009 DEFCON got them back to the drawing board to deal with the vibration and magnet attacks and made a rev using a disk that turns as opposed to a pin that retracts), but it is as good as it gets for this department.

        Of course, there is one step up from there -- going with Kaba-Mas X-10 combo locks on the doors as a backup. However, for almost any task, the Protec2+Cliq is probably the best of breed we have right now.

    • Re:How quaint (Score:5, Informative)

      by mlts ( 1038732 ) * on Monday August 05, 2013 @09:19AM (#44476765)

      I have been at several places where the key card system goes toes up and will not allow anyone in. The controller on a lot of HID systems is an XP box, and computers can fail, locking everyone out.

      You have to have a high security mechanical override somehow. A lot of places use Best locks (which are 6-7 pins, have spool/mushroom tumblers, and unique keyways.) Others tend to go with Medeco3.

      If you want resistance to 3D printers, there are already three methods which work well. The first is what is on Mul-T-Locks and Abloy PROTEC2 locks, and that is an active pin on the side of the key.

      The second is a method like the Evva MCS, and having magnets embedded in the key. Duplicating this is a lot harder than just 3D printing a replacement, one would have to know where all eight magnets are facing and precisely align them. Not impossible, but not trivial.

      Finally, there is the "CLIQ" technology that is going through multiple revisions. This combines a high security mechanical key with an electronic chip and tiny rotating pin powered from a battery on the key. Since each cylinder keeps the authorized keys in memory, there is no one central point of failure. The CLIQ system has gotten better over the years since it was opened at a previous DEFCON. First it was a pin that would retract, but that was changed to a small disk that rotates to allow the key to turn.

      Nothing is perfect, but Assa-Abloy's CLIQ system is getting decently secure to be used as a backup cylinder with a card access system.

      • Re: (Score:2, Interesting)

        by Anonymous Coward

        Overcoming 3D printers is simple.

        Make the key a box channel with the pins inside of it. Not a U-channel, a full box channel. No angle of visibility from the outside can image the functional workings of the key. And likely, an inner channel impression would not give you a good reading either.

        Making new ones would be a bitch, but, hey, I bet 3D printing could help with that. Generate pin shapes based on a GUID, and you're golden.

        • Filling the box channel with 2 part silicone rubber mix, then chasing it will produce a high precision casting negative of the channel, which can then be easily scanned. (and being rubber, easily extracted from the box channel)

          Many software packages permit boolean remove operations, which would allow them to position the 3d scanned rubber impression onto a blank channel way, then boolean remove the negative to get the positive impressions again in the digital model.

          Then it's 3D print time.

      • "Nothing is perfect"

        That's the problem here. Geeks seem to think there is such a thing as perfect security, they delude themselves in to thinking that if people just weren't so lazy, so stupid, so whatever that we could have perfect security. Now with computers that is at least a theoretical possibility. It can't happen really, but in theory one could make a perfectly secure computer system.

        Well that can't happen in reality. There is -no- perfect security in the physical world. It is just about trying to ma

    • You don't have to replace all the keys.
      If you're concerned, you replace one pin stack in xhe locks that key opens. You don't issue everyone identical keys. My key opens my office and the back door, only. The back door lock has a stack of pins that work as a bitmask, so many keys can open it and you can add or remove keys without necessarily affecting the others.

      In re systems that use physical keys - key cards and key fobs are physical keys too. Key cards store their bit pattern in iron powder. "Regular"
    • High security facilities don't use those keys anymore, nearly all Fortune 500 companies use them for office doors (looking at mine right here).

      Just ask our agency buddies: it's all about spin-locks, electronics and CCTV for locks.

  • I don't think so. A long distance photo is not going to give enough detail. You'll need a high resolution photo of the key.
    • by fuzzyfuzzyfungus ( 1223518 ) on Monday August 05, 2013 @08:41AM (#44476407) Journal

      I don't think so. A long distance photo is not going to give enough detail. You'll need a high resolution photo of the key.

      Wacky Fun! [ucsd.edu]. That paper appears to deal with a less sophisticated key; but demonstrated successful attacks at 195 feet, with comparatively cheap apparatus.

      • Since there is a company that duplicates keys from pictures [keysduplicated.com] you can try it for yourself.
        • I've made keys for a simple Master brand lock using a Xerox copy of the key (yes, it was made on a Xerox machine). And yes, the cloned key worked.

          Here at work we have these weird keys that don't have teeth - they have variable diameter and depth partial spheres cut out of the sides. Heard the last locksmith mumbling something about having to send them off to some place in Germany that still has dwarves working by the light of a lava flow from a volcano to get them duplicated... will be sending this articl

        • It wouldn't entirely surprise me if keys duplicated from pictures are actually better than the ones duplicated with your basic hardware-store cloning machine. Those are neat, fast, and work; using the template key to control the height of the blank above a cut-off wheel; but some amount of analog-copy-degradation can happen, especially if the original key isn't in fantastic shape or the operator is sloppy.

          If you are working from an image, you can't use that strategy, so actually computing the bitting codes

    • Long distance and high resolution are not mutually exclusive. A high-power camera-ready telescope will let you get both.

      • Not really. Unless somebody is holding the key incredibly still, and you're using an incredibly fast shutters speed and you know exactly where to point the camera.

        Even a 200mm lens, which isn't going to be getting you a good view from far away, is going to have serious issues picking up sufficient detail on the key to make a duplicate.

        • Unless somebody is holding the key incredibly still

          Like when they're lining it up to insert into the keyhole. What keys will need in the future is an opaque covering that slides down the shaft of the key as it's inserted into the lock, preventing the teeth from being seen.

          • Good luck with that. In order to get a shot like that, you'd have to have the camera directly on the wall, and you'd have to do that without the person noticing, and you'd have to have enough light.

            Just saying, the likelihood of this working out, is pretty small, and you'd likely be caught by somebody that thinks it's suspicious to be taking photos of people in such a fashion.

        • by afidel ( 530433 )

          A 200mm lens is hardly exotic or expensive, I have an 18-200mm and a 150-500mm, with the 500mm I can shoot shots of birds at 200 yards that will capture individual lines on the feathers which are much smaller than the features on a key.

          • Only if they're holding the key still, and good luck doing that without anybody noticing. You're also presumably using a tripod to take those photos.

            I've been a photographer for years, and if you're seriously suggesting that this is in some fashion realistic, I seriously doubt that you know anything about photography.

            And yes a 200mm lens isn't rare, but getting one that could plausibly do this is quite expensive. And even then, you're talking about an F2.8 brick that everybody is going to notice. Even then,

    • Or multiple low-resolution photos.

    • I don't think it matters, since if you can't get a high-res image of the key, you could just bump it open [youtube.com].

    • by tibit ( 1762298 ) on Monday August 05, 2013 @10:00AM (#44477227)

      Whenever you'll be playing with a 12 inch or larger telescope, do yourself a favor and point it onto a terrestrial target a few hundred feet away. I've seen terrestrial pictures being taken through a 20" telescope and all I can tell you is that with clear air it's feels like taking your point and shoot and teleporting it a mile away. Never mind that if you don't care about giving yourself away, you can also flash-illuminate your target through the same optical assembly. I have to dig up some of the portraits my colleague took with his girlfriend standing about 1100 m. away on a winter night, with heavily overcast sky and no moon, with through-the-lens flash. It really looks as if you've been standing right there, except that of course the aberrations typical for closeup pictures are nowhere to be seen. As far as portraits go, a telescope gives you IMHO the best 2D reproduction to be had. I'm sure it'd be just as great at extracting the geometry of a key, since you get as close to axonometric projection as you can get.

  • Low-tech solution (Score:4, Interesting)

    by Conspiracy_Of_Doves ( 236787 ) on Monday August 05, 2013 @08:35AM (#44476357)

    Make the keys so that there are sheaths around them, which can bend away on a spring when you need to use the key, or the key can come out of the end of the sheath. Or some other way to hide the tooth pattern when the key isn't being used.

    • Already been done: http://www.youtube.com/watch?v=l_d1ZgzmSok [youtube.com]

      If you only want to get in or out, then no door/lock combination can stop you. It's just a question of force.

      Doing it without detection. or detection sufficiently later, is another question however.

      • by quetwo ( 1203948 )

        +1.

        One of my friend's old warehouses had a wicked lock, plus card access, air-lock, etc. It wasn't in the best part of town.

        Either way, their building caught on fire (HVAC unit burned up). It took the fire-marshall about 20 seconds to get through their reinforced door, and another 15 seconds to get through the rest of their security. If people want in, they will get in. It is all a matter of how much attention you generate for yourself, and how long you want to prolong people knowing you were there.

        Watc

    • by mlts ( 1038732 ) *

      Some English prison locks do this, because part of their design is to make the key and keyway as hard to eyeball as possible (so prisoners can't carve one out of soap or whatnot.)

    • Make the keys so that there are sheaths around them, which can bend away on a spring when you need to use the key, or the key can come out of the end of the sheath. Or some other way to hide the tooth pattern when the key isn't being used.

      A foreskin for keys...?

  • by dbitter1 ( 411864 ) <slashdot@@@carnivores-r...us> on Monday August 05, 2013 @09:09AM (#44476653)

    Former locksmith here. The Primus (and nearly all of the other high security keys) are simply relying on patent protection to keep people from duplicating the keys. Any locksmith worth his/her salt already has key machines that could reproduce them onto a chunk of brass (worst case) or just onto a normal key blank.

    If you want to see something that would impress me, look at a German company - DOM - that has a design that includes a floating ball bearing in the key, which is integral to making the lock work. If they could make THAT with a printer, I'd be impressed.

    One model:
    http://www.dom-sicherheitstechnik.com/DOM-ix-Saturn.667.0.html [dom-sicher...echnik.com]

    • I've noticed that with the shoddy and fragile construction endemic in North American residences, it's not worth putting a fancy lock on things. You can kick the door in with one kick from a polio victim. Or with just a bit more force you can punch down the drywall and fake facade.
      • The purpose of the locks is to make it noisier to get into the house, and to signal legal intent. If you are expecting crooks in your neighborhood to be good at picking ordinary locks and actually use the skill, then upgrading your locks might get them caught in the act.

        Probably not though

    • by mlts ( 1038732 ) *

      That mechanism is used in Mul-T-Locks and Abloy locks (the Mul-T-locks use it as a patent, the Abloy locks use it for a way for the user to know the key is all the way inserted.)

      What I wouldn't be surprised in seeing is something similar to Ace round locks, except with the bitting inside the barrel. Of course, we then are back to the age old Bic pen way of opening those, but I'm sure there is a way to help with that (especially if a tumbler or two slid on an axial path somehow.) This would require someone

    • I mean, there was nothing in the key which looked that difficult to duplicate, contrary to those key as you showed. Or even the round key , which have pins on all direction , not only 2 axis but on 8 axis or more (I dunno if you know what type I mean, when you look along the axis they look like a star with 8 ray and along the axis the pins at at random position and random angle). I never found a locksmith which had the way to duplicate those despite wanting a second set of key. (maybe I should have asked
  • by NotSanguine ( 1917456 ) on Monday August 05, 2013 @09:09AM (#44476659) Journal

    have 24 hour surveillance and use "man traps" [wikipedia.org] which require multiple access keys, electronic or otherwise.

  • A lock will only ever serve to keep an honest man honest.

  • by Sperbels ( 1008585 ) on Monday August 05, 2013 @09:35AM (#44476911)
    Can some explain to me why the only stories about 3D printing that make the news are ridiculously paranoid? Anyone can print out a secret key. Anyone can print out shitty plastic gun. What's next? Anyone can print out a bat'leth? Anyone can print out a plastic pressure cooker and make a plastic bomb? Anyone can print out plastic kiddie porn? Not one story discussing the incredible potential? Like, machines printing out copies of itself? Or the effects on a society and economy where any product can be downloaded and printed? None of that interesting stuff? Just the fear and paranoia stuff?
    • by mlts ( 1038732 ) *

      It is a new technology, and the first thing that happens are the fearmongers coming out. Next come the regulators because they want to enforce the status quo.

      Same old thing, we had this with computers, we had this with the Internet. I wouldn't be surprised if there is a law or international treaty that gets passed forcing all 3D printer makers to have a DRM stack, or only allow signed files to be printed on the machines (with people having to send all stuff they want printed to a third party for "approval

    • by msobkow ( 48369 )

      Everyone can imagine the benefits.

      But only the paranoid can fear the sky falling on their old business models and security through obscurity.

    • You can 3D print a spatula. Nothing says "I love you" like the gift of a 3D printed spatula.
      • by jfengel ( 409917 )

        Maybe this sounds weird, but this is actually a key question for me about 3D printing. Material matters at least as much as shape.

        I cook a fair bit, and I know what I like in a spatula. I have several different kinds of spatula on hand for different purposes. They need the right amount of flexibility for the job. Some are very thin and stiff (but not brittle); others are thick and flexible. Some need to tolerate high heat; some need to be soft enough to avoid scratching Teflon.

        That's just for spatulas, a pr

  • I for one would like to know when i can 3d print a buggy whip.

  • ....I do not think Les Claypool appreciates this.

  • In USA, you 3d print a custom key after months of work. In Soviet Russia, you just use a sledge hammer.

  • Not as convenient, but it's not as if this is new. I have easy access to a CNC mill. Pretty sure I can make any key that a key cutter can create, given the original (or very good pictures with something for size reference) and a small chunk of billet.
    • Yes, but even in the very best/most efficient case, it will take more than $5 of machine time to create. It's the same argument with guns - anyone can make one with a basic set of shop machines. The key (if you'll excuse the pun) to 3D printers is that it's a trivial process which can be accomplished for very low cost. The barriers to entry are significantly reduced, and will only get lower as the cost of printers comes down.

      • If programs can be sufficiently complex so as to create the program for the 3d printer to print the key with
        If you have to create the 3d printer program, well that's not any easier than creating the CAD drawing for the CNC machine. I can build a CNC mini-mill for 1500 dollars, so they are cost competitive (in relation to this topic) with the 3d printers also. Side bonus: steel key is much more resilient than plastic.
        • WTF, slashdot ate the top paragraph, sorry, let me try that again.

          If a program can be sufficiently complex so as to create the program for the 3d printer to print the key with less than 5 dollars of effort, they could just as easily create tool paths for a CNC mill.

          If you have to create the 3d printer program, well that's not any easier than creating the CAD drawing for the CNC machine. I can build a CNC mini-mill for 1500 dollars, so they are cost competitive (in relation to this topic) with the 3d pr

    • You can also duplicate most modern firearms (if you don't have a needed tool, you can make that too), and your work can be as good or superior.

      http://www.cncguns.com/downloads.html [cncguns.com]

A committee takes root and grows, it flowers, wilts and dies, scattering the seed from which other committees will bloom. -- Parkinson

Working...