Working Medeco high-security keys can be whittled out of plastic

Discuss

45 Responses to “Working Medeco high-security keys can be whittled out of plastic”

  1. Nores says:

    Is there anything here that isn’t true of all key locks? And hasn’t been true of all key locks since the very first one was invented?

    i.e. if you know exactly what the key looks like, you can make another one. Okay, until comparatively recently you couldn’t have made one out of a credit card. I guess that counts as a patentable innovation these days.

  2. Anonymous says:

    I am a bonded, registered Master Locksmith. Attended Medeco University (that’s what they call the training course) There is only ONE DOCUMENTED instance of anyone EVER picking a Medeco cylinder. The gentleman was a retired New York Police dectective. He only did it once…..Medeco invited him to the factory, where he was unable to pick the lock, again. Someone said they could make a key from PLASTIC??? Not gonna happen, folks. MAYBE some of the older keyways, (Sky & Air) and that is a big maybe. Those are keyblanks that the federal patent has expired on. The upgraded Keyways are sold to lawful Locksmiths, who are required by law, to register EACH key system….The owner cannot even get a key copied unless he or she has picture ID, and each key is logged into a signature card. The number of keys made is carefully tracked. Medeco can, and often does, ask for verification of keyblank usage from the licensed Locksmith. Even when the Locksmith makes an error with a keyblank, the key is logged into the system, and destroyed. The key information is stored in a safe, as are the Keyblanks. I realize that anyone on here can make claims, but the reality of it is, that most claims are just that….claims. Perhaps if a person had a milling machine…..and IF that person could obtain the right blank (Medeco has several series of keyblanks, all patented)and could read all of the half cuts and double cuts at the correct angles and spacing, well, you get the idea. Not trying to bust anyones balloon, just being as honest as I know how.

    • Chris S says:

      @Anon#44;

      “Perhaps if a person had a milling machine…..and IF that person could obtain the right blank”

      Who needs a blank if I have the original key for the lock?

      Check out
      http://i.materialise.com/
      http://www.shapeways.com/
      http://www.ponoko.com/

      Nothing special about these, just the first three I could find that print 3D shapes in stainless steel.

      They might be nice guys for you, and block key-like objects – but there are already home 3D printers, although they won’t do the same range of materials yet. Either way – the biggest challenge is getting an accurate model of the key – but that can be worked on ahead of time, in private.

      Also – I don’t think I need to make the whole shape out of metal. I can likely position the pins with a plastic copy of the cuts, bonded to a torque wrench that gives me the oomph to turn the cylinder. So the home printer will likely give me a solution anyway.

      As a Master Locksmith, I hope you’re ahead of the curve and looking at newer locking systems for your clients who may eventually want something better than to be secured with a key that anyone can copy.

  3. Takuan says:

    Medeco locks are EXPENSIVE. People buy them under the impressions they offer superior security.

  4. mdhatter says:

    I sorta figure Takuan is so zen he has no petty material ‘things’ worth locking up, so of course he could keep an eye on them himself.

  5. takeshi says:

    Tak –

    Just thought you’d like to know, BoingBoing is #5 in Google results for “human guard.”

    That may be enough to establish a new sense of meaning, in my estimation. But another use of the phrase might be: “a human-shaped guard fitted to a giant electric razor.” Like a Flowbee, only scarier.

  6. Takuan says:

    speciesist. Now be quiet and set up the bomb.

  7. buddy66 says:

    He’s one of the tippling monks. Gotta keep an eye on the bottle.

  8. arkizzle says:

    Or a tentacle. Leaving several hundred more tentacles free to tipple, eviscerate and constrict, amongst other things beyond the ken of man.

  9. Dave Bullock (eecue) says:

    I think one of the main issues is that medeco locks have always been thought of as the most secure locks in the US. Clearly they have serious issues. Most attacks come from the inside. If you can copy a key the system epic fails.

  10. President of Calendars says:

    People who are saying this isn’t a big deal should read the original article at Wired, as it explains this better than the excerpt does, but essentially what it comes down to is that Medeco has used patents and other legal stuff to make it so that only specific locksmiths, licensed by Medeco themselves, have access to the blank keys used for Medeco locks. This, along with their having been considered unpickable until last year’s Defcon, was a main selling point: even if someone who is supposed to have a key should turn out to be untrustworthy, they couldn’t duplicate that key, quit their job, and then break in. Until now.

  11. Anonymous says:

    I’m pretty sure Takuan is a mom.

    • Antinous says:

      I’m pretty sure Takuan is a mom.

      I’ve heard him referred to as a ‘mother’ before, but not as a mom.

  12. dingolishious says:

    I bet you could get a good image by xray

  13. Nores says:

    So Medeco has based its business model on the claim that they can make an object into some kind of special shape such that nobody else can form matter into that shape?

    Seriously, WTF? A key is just a piece of inert matter. The only thing that differentiates it from a cheese grater is that it’s been formed into a very particular shape that matches the pattern of tumblers inside the lock. How can it be impossible to form another piece of inert matter into that shape once you know the details of the shape in question? Honestly, am I missing something?

  14. minTphresh says:

    takuan is a NOUN! with tentacles. (some vestigial)

  15. RJ says:

    Medecos exist mainly to help with key control. The locks are beatable, but it isn’t really worth most office workers’ time to mess with all that, or to find a specific dealer who will copy their keys without recording it.

  16. mdhatter says:

    O, Ryleh?

  17. mdhatter says:

    VISA – It’s everywhere you want to be.

  18. trafnar says:

    You can duplicate almost any key that you have access to, by making a mold of it, or using a 3d scanner, or just by eye/comparison.

    Medeco keys are harder to duplicate, but if you are familiar with how they work it’s easy to imagine how it wouldn’t take THAT much work to duplicate one yourself.

    In addition to superior key control, medeco locks offer increased defense against picking.

  19. strathmeyer says:

    “To be clear, this doesn’t allow them access to a lock which they didn’t originally have access to the key (or detailed picture of the key).”

    These keys are extra expensive because they’re supposed to be unduplicatable.

  20. Oren Beck says:

    Security is inherently a balance between unbreakable, usable , and cost effective. Pick any 2 was the joke.
    This time the joke is unfunny yet true. And stacking factors inherently runs head on against usable or cost effective.

    Witness the automotive “transponder keys” Nice in concept yet fails on cost AND usability. A key BLANK priced at over $50 is far from cost effective to many people. Then when you add dealer mechanical cutting plus transponder coding? Closer to $150 for some cars if not more.

    WE just could reproduce the corridor of doors Maxwell Smart went thru.

  21. Anonymous says:

    M3 Has “for” and “aft” cuts. thesere are angles cuts at the dept of every cut. Unlike regular keys medeco keys has angle cuts whre pins drop and spin at same time. did they do those “for” and “aft” cuts also ?
    i wish they have given some info about that

    Jon from NYC – champion LS-

  22. Takuan says:

    nothing cheaper than a human guard

  23. Takuan says:

    think they’ll do the honest thing and thank them for pointing out this serious fault?

  24. mdhatter says:

    “nothing cheaper than a human guard”

    Yeah, having an ‘inside guy’ pays dividends.

  25. Takuan says:

    I was talking about keeping your own eye on things you care about

  26. mdhatter says:

    I assumed you meant ‘hire a guard’. The best heist movies always have an inside guy.

  27. Not a Doktor says:

    Why is it as a vegas resident, events are given bigger coverage AFTER they happen?

    I scan the papers and yet they expect me to goto these things ex posto facto.

  28. trafnar says:

    I don’t know if I’d really call this ‘cracking the lock’. More like cracking the key control system.

    To be clear, this doesn’t allow them access to a lock which they didn’t originally have access to the key (or detailed picture of the key).

  29. Anonymous says:

    “There are some locks that hackers can’t open. For everything else, there’s MasterCard.”

  30. Simon Bradshaw says:

    When I worked at a secure government site, locks for filing cabinets (the ones that didn’t have combination locks) used odd keys that had two sets of teeth at a 120 degree angle, precisely so that it would be harder to make a replacement or get one cut.

    Of course, once we have RepRaps, weird-shaped keys won’t be a problem.

  31. Cory Doctorow says:

    Simon@4: Medeco tried something like this and were pwned by a paper-clip: “last year at DefCon, Tobias and his colleagues showed how they could simply insert the end of a bent paper clip into a Medeco high-security lock to push back the slider, rendering the slider ineffective as a security layer.”

  32. HarshLanguage says:

    #3 – It’s more accurate to say that it requires just enough access to a key to get a good-enough-to-replicate digital image of its profile. A cameraphone photo of the key might be enough for all we know, and that’s certainly a much lower hurdle to clear. If an intruder is motivated enough, getting a quick, surreptitious snap of someone’s keys probably isn’t that daunting.

    Like most security measures, most physical keys just aren’t that secure against a determined intruder, for any number of reasons.

  33. jackbird says:

    #7, Not for a Medeco key.

  34. takeshi says:

    Yeah, ’cause, you know, when I hear “human guard” I immediately think: “myself, keeping an eye on my own belongings.”

    That said, they’ve finally found a legitimate use for credit cards.

  35. Anonymous says:

    >>My hardware store can do the same thing….
    >>Not for a Medeco key.

    Which is sometimes the only reason for using Medeco. I once lived in an apartment where the front door to the building had a Medeco lock. It was a big plate-glass door, making the pickability of the lock completely irrelevant. They just wanted to keep the tenants from duplicating the keys.

  36. Takuan says:

    bah! illiterates! I’ll be taking your stuff while you’re in remedial classes!

  37. Kevin says:

    There’s usually a “The hackers are coming! The hackers are coming!” article in the local papers about week before Blackhat/DEFCON. Hard to miss, lots of paranoia about social engineering and people stealing grass from the lawn at Ceaser’s.

    #2 Writes

    Why is it as a vegas resident, events are given bigger coverage AFTER they happen?

    For Vegas, I check the convention and events calendar websites for when I plan to be in town, to see if anything interesting is going on, or to reschedule if my visit coincides with some huge optometrist convention or something.

    I scan the papers and yet they expect me to goto these things ex posto facto.

    This is a common problem with newspapers, some acknowledge the issue, and are planning to “fix” it, give local events much more advance coverage rather than only after-the-fact.

  38. jheiss says:

    Housemates of mine in college used to make keys for Medeco locks out of some more generic key blank (Yale I think, something that was thin enough to fit in a Medeco key path). The material just needs to be stiff enough and thick enough that you can file in the twists for the pins. Doesn’t surprise me too much that credit card plastic fits the bill.

    I suppose it’s interesting that they were able to duplicate a Medeco from a picture, but I imagine it’s not too hard to measure the pin heights from the picture, and determine whether each pin is twisted left, right or center. The twists are pretty easy to see on a real Medeco key.

    As others have said Medecos aren’t impenetrable, no lock is. They just up the barrier, since you can’t realistically pick them and duplicating the key requires some extra effort.

  39. Oren Beck says:

    It would be trivial to increase the torque required for latch actuation. Set it way beyond what any conceivable plastic could transmit and this hack’s expired! Left for reader research is keys with ohmic contact devices. Which also could devalue this hack.

    It’s arguably good practice to use self restraint in applying skills. YES we should ethically feed back a valid risk so it can be managed. Exploiting it for unwarranted personal gain is ethically bankrupt.

    Locks are of primary utility to keep honest people thinking that their property is secure.

  40. Takuan says:

    they done anything about bump keys yet?

  41. Jeff says:

    It’s good when someone will point out a flaw in the weakness of a system. Sometimes. It’s not like everyone who uses those locks is going to run out and change them. Sometimes telling people how easy it is to copy something is a two-edged sword.

Leave a Reply