[Infowarrior] - MIT Students Release Program To 3D-Print High Security Keys
Richard Forno
rforno at infowarrior.org
Mon Aug 5 11:59:13 CDT 2013
8/03/2013 @ 12:36PM |31,362 views
MIT Students Release Program To 3D-Print High Security Keys
http://www.forbes.com/sites/andygreenberg/2013/08/03/mit-students-release-program-to-3d-print-high-security-keys/print/
When lock maker Schlage imprinted the words “do not duplicate” across the top of the keys for their high-security Primus locks, they meant to create another barrier to reproducing a piece of metal that’s already beyond the abilities of the average hardware store keymaker. One group of hackers, of course, took it instead as a direct challenge.
At the Def Con hacker conference Saturday, MIT students David Lawrence and Eric Van Albert plan to release a piece of code that will allow anyone to create a 3D-printable software model of any Primus key, despite the company’s attempts to prevent the duplication of those carefully-controlled shapes. With just a flatbed scanner and their software tool, they were able to produce precise models that they uploaded to the 3D-printing services Shapeways and i.Materialise, who mailed them working copies of the keys in materials ranging from nylon to titanium.
“In the past if you wanted a Primus key, you had to go through Schlage. Now you just need the information contained in the key, and somewhere to 3D-print it,” says 21-year old Van Albert. “You can take a high security ‘non-duplicatable’ key and basically take it to a virtual hardware store to get it copied,” adds 20-year-old Lawrence.
Schlage’s Primus models are advertised for use in high-security applications: The company’s marketing materials include references to the locks’ use in government facilities, healthcare settings, and detention centers. That security stems in part from Primus’s unique model, which includes two tracks of teeth–one on the top of the key and another on the side, each of which correspond to a separate set of pins in the lock. Even Marc Weber Tobias, one of the world’s most well-known lockpicking experts, has written that he uses Primus locks in his home and for secure evidence storage in his legal practice.
Lawrence’s and Van Albert’s software tool, to be clear, doesn’t let its users open any random door secured by one of those locks. It merely enables anyone to copy a key they couldn’t easily copy before. But the two students in MIT’s electrical engineering program point out that there are ways to copy a key without ever possessing it. Other researchers like those behind the Sneakey project have shown that keys can be effectively replicated from photos, even ones taken from hundreds of feet away. And by studying Schlage’s manuals and patents, Lawrence and Van Albert learned to decipher the two distinct codes in the keys–one set of six numbers cut into the top of the key and another set of five in its sidecut–that can be programmed into their modeling software and precisely reproduced.
“All you need is a friend that works there, or to take a picture of their key, or even a picture of the key hanging off their belt,” says Lawrence. “Pirating keys is becoming like pirating movies. Someone still has to get the information in the first place, but then everyone can get a copy.”
Once a key has been photographed or scanned, 3D-printing through online services is relatively cheap. The MIT students, who say they didn’t try printing the keys themselves on home 3D printers, used Shapeways to print working keys in nylon for less than $5 each, though a more durable titanium copy from i.Materialise.com cost them $150.
I reached out to Schlage, but haven’t yet heard back from the company. Despite their focus on Primus locks, Lawrence and Van Albert argue that the security implications of 3D-printed keys aren’t limited to any one lock maker. “Our message is that you can do this for any high-security key,” says Lawrence. “It didn’t take that much work. In the future there will be models available online for almost any kind of key you’re looking for.”
Lawrence and Van Albert point to the case of a photo of a set of New York City fire elevator master keys, which allow access to many electrical panels, elevator controls and subway gates around the city, that was published by the New York Post last fall. Though the Post‘s story meant to warn about the possibility of those keys, which are distributed to electricians and firemen, falling into the wrong hands, its detailed image actually made it possible for anyone to model and 3D-print or mill the keys themselves. The Post quickly realized their mistake and took down their photo of the keys from its website, but not before it had already spread widely around the Internet. (I admittedly made a similar mistake myself last year when I posted a picture of a high-security handcuff key.)
“There’s no way of getting the cat back in the bag when you can print a New York city fire elevator key,” says Lawrence. “Those files won’t go away.”
Lawrence and Van Albert aren’t the first to try 3D printing keys. In 2011, Apple engineer Nirav Patel created a program that allowed anyone to encode their key’s measurements into a 3D-printable model, though Patel’s software only dealt with normal keys that can already be duplicated by any hardware store.
At the HOPE hacker conference in New York last year, a German lockpicking expert known as “Ray” showed that he could 3D-print and laser cut working keys for high-security handcuffs. Those keys are often highly restricted but designed to be identical, so that any police officer can open cuffs locked by another officer. That makes them especially vulnerable to being reproduced by anyone who wants to hide a copy of the tiny keys somewhere on their body, ready to pull out and use to free themselves.
As for Schlage’s 3D printing problem, Lawrence and Van Albert don’t offer any easy fix. They argue the the whole notion of non-duplicatable keys may be an anachronism in the age of 3D printing, and that high-security institutions should move to electronic locks that use unique cryptographic keys that are far harder to copy. “If we show that mechanical locks are vulnerable to key duplication just by having a handful of numbers you can download off the internet, hopefully they ‘ll be phased out more quickly,” says Van Albert.
“Either that,” adds Lawrence, “or make 3D printers illegal.”
---
Just because i'm near the punchbowl doesn't mean I'm also drinking from it.
More information about the Infowarrior
mailing list