Working Medeco high-security keys can be whittled out of plastic

Researchers at DefCon in Vegas have demonstrated that they can make "high security" Medeco key-blanks out of the plastic used in credit-cards, and then whittle them into working keys by referring to low-resolution photos of original keys.

"Basically, we've destroyed Medeco's key control, because we can make (plastic keys) for any of their M3 locks and a lot of their Biaxial locks, which is their last generation of locks," says Tobias, who authored the book Open in Thirty Seconds, with Bluzmanis.
The researchers demonstrated the technique using a Medeco mortise cylinder that Threat Level purchased in California before leaving for Las Vegas. After buying the lock, Threat Level scanned the key and e-mailed the image to the researchers, who then created several plastic keys. When Threat Level arrived in Las Vegas with the lock, it took about six seconds to open the lock using a plastic key.
"It's keys by e-mail," says Tobias. "It's key-mail."...
The Medeco M3 key does have an extra feature to secure the lock -- a step protrusion on the side of the key that's designed to move a slider inside the lock. But last year at DefCon, Tobias and his colleagues showed how they could simply insert the end of a bent paper clip into a Medeco high-security lock to push back the slider, rendering the slider ineffective as a security layer. Once that is done, they're then able to insert the plastic key in this new attack, to lift and rotate the pins.

Researchers Crack Medeco High-Security Locks With Plastic Keys

(Image: Dave Bullock (eecue)/Wired.com)

I write books. My latest is a YA science fiction novel called Homeland (it's the sequel to Little Brother). More books: Rapture of the Nerds (a novel, with Charlie Stross); With a Little Help (short stories); and The Great Big Beautiful Tomorrow (novella and nonfic). I speak all over the place and I tweet and tumble, too.

MORE: Gadgets • Happy Mutants • maker

More at Boing Boing

Eurovision 2013: An American in London

The technology that links taxonomy and Star Trek

Nores

Is there anything here that isn’t true of all key locks? And hasn’t been true of all key locks since the very first one was invented?

i.e. if you know exactly what the key looks like, you can make another one. Okay, until comparatively recently you couldn’t have made one out of a credit card. I guess that counts as a patentable innovation these days.
Anonymous

I am a bonded, registered Master Locksmith. Attended Medeco University (that’s what they call the training course) There is only ONE DOCUMENTED instance of anyone EVER picking a Medeco cylinder. The gentleman was a retired New York Police dectective. He only did it once…..Medeco invited him to the factory, where he was unable to pick the lock, again. Someone said they could make a key from PLASTIC??? Not gonna happen, folks. MAYBE some of the older keyways, (Sky & Air) and that is a big maybe. Those are keyblanks that the federal patent has expired on. The upgraded Keyways are sold to lawful Locksmiths, who are required by law, to register EACH key system….The owner cannot even get a key copied unless he or she has picture ID, and each key is logged into a signature card. The number of keys made is carefully tracked. Medeco can, and often does, ask for verification of keyblank usage from the licensed Locksmith. Even when the Locksmith makes an error with a keyblank, the key is logged into the system, and destroyed. The key information is stored in a safe, as are the Keyblanks. I realize that anyone on here can make claims, but the reality of it is, that most claims are just that….claims. Perhaps if a person had a milling machine…..and IF that person could obtain the right blank (Medeco has several series of keyblanks, all patented)and could read all of the half cuts and double cuts at the correct angles and spacing, well, you get the idea. Not trying to bust anyones balloon, just being as honest as I know how.
- Chris S
  
  @Anon#44;
  
  “Perhaps if a person had a milling machine…..and IF that person could obtain the right blank”
  
  Who needs a blank if I have the original key for the lock?
  
  Check out
  http://i.materialise.com/
  http://www.shapeways.com/
  http://www.ponoko.com/
  
  Nothing special about these, just the first three I could find that print 3D shapes in stainless steel.
  
  They might be nice guys for you, and block key-like objects – but there are already home 3D printers, although they won’t do the same range of materials yet. Either way – the biggest challenge is getting an accurate model of the key – but that can be worked on ahead of time, in private.
  
  Also – I don’t think I need to make the whole shape out of metal. I can likely position the pins with a plastic copy of the cuts, bonded to a torque wrench that gives me the oomph to turn the cylinder. So the home printer will likely give me a solution anyway.
  
  As a Master Locksmith, I hope you’re ahead of the curve and looking at newer locking systems for your clients who may eventually want something better than to be secured with a key that anyone can copy.
Takuan

Medeco locks are EXPENSIVE. People buy them under the impressions they offer superior security.
mdhatter

I sorta figure Takuan is so zen he has no petty material ‘things’ worth locking up, so of course he could keep an eye on them himself.
takeshi

Tak –

Just thought you’d like to know, BoingBoing is #5 in Google results for “human guard.”

That may be enough to establish a new sense of meaning, in my estimation. But another use of the phrase might be: “a human-shaped guard fitted to a giant electric razor.” Like a Flowbee, only scarier.
Takuan

speciesist. Now be quiet and set up the bomb.
buddy66

He’s one of the tippling monks. Gotta keep an eye on the bottle.
arkizzle

Or a tentacle. Leaving several hundred more tentacles free to tipple, eviscerate and constrict, amongst other things beyond the ken of man.
Dave Bullock (eecue)

I think one of the main issues is that medeco locks have always been thought of as the most secure locks in the US. Clearly they have serious issues. Most attacks come from the inside. If you can copy a key the system epic fails.
President of Calendars

People who are saying this isn’t a big deal should read the original article at Wired, as it explains this better than the excerpt does, but essentially what it comes down to is that Medeco has used patents and other legal stuff to make it so that only specific locksmiths, licensed by Medeco themselves, have access to the blank keys used for Medeco locks. This, along with their having been considered unpickable until last year’s Defcon, was a main selling point: even if someone who is supposed to have a key should turn out to be untrustworthy, they couldn’t duplicate that key, quit their job, and then break in. Until now.
Anonymous

I’m pretty sure Takuan is a mom.
- Antinous
  
  I’m pretty sure Takuan is a mom.
  
  I’ve heard him referred to as a ‘mother’ before, but not as a mom.
dingolishious

I bet you could get a good image by xray
Nores

So Medeco has based its business model on the claim that they can make an object into some kind of special shape such that nobody else can form matter into that shape?

Seriously, WTF? A key is just a piece of inert matter. The only thing that differentiates it from a cheese grater is that it’s been formed into a very particular shape that matches the pattern of tumblers inside the lock. How can it be impossible to form another piece of inert matter into that shape once you know the details of the shape in question? Honestly, am I missing something?
minTphresh

takuan is a NOUN! with tentacles. (some vestigial)
RJ

Medecos exist mainly to help with key control. The locks are beatable, but it isn’t really worth most office workers’ time to mess with all that, or to find a specific dealer who will copy their keys without recording it.
mdhatter

O, Ryleh?
mdhatter

VISA – It’s everywhere you want to be.
trafnar

You can duplicate almost any key that you have access to, by making a mold of it, or using a 3d scanner, or just by eye/comparison.

Medeco keys are harder to duplicate, but if you are familiar with how they work it’s easy to imagine how it wouldn’t take THAT much work to duplicate one yourself.

In addition to superior key control, medeco locks offer increased defense against picking.
strathmeyer

“To be clear, this doesn’t allow them access to a lock which they didn’t originally have access to the key (or detailed picture of the key).”

These keys are extra expensive because they’re supposed to be unduplicatable.
Oren Beck

Security is inherently a balance between unbreakable, usable , and cost effective. Pick any 2 was the joke.
This time the joke is unfunny yet true. And stacking factors inherently runs head on against usable or cost effective.

Witness the automotive “transponder keys” Nice in concept yet fails on cost AND usability. A key BLANK priced at over $50 is far from cost effective to many people. Then when you add dealer mechanical cutting plus transponder coding? Closer to $150 for some cars if not more.

WE just could reproduce the corridor of doors Maxwell Smart went thru.
Anonymous

M3 Has “for” and “aft” cuts. thesere are angles cuts at the dept of every cut. Unlike regular keys medeco keys has angle cuts whre pins drop and spin at same time. did they do those “for” and “aft” cuts also ?
i wish they have given some info about that

Jon from NYC – champion LS-
Takuan

nothing cheaper than a human guard
Takuan

think they’ll do the honest thing and thank them for pointing out this serious fault?
mdhatter

“nothing cheaper than a human guard”

Yeah, having an ‘inside guy’ pays dividends.
Takuan

I was talking about keeping your own eye on things you care about
mdhatter

I assumed you meant ‘hire a guard’. The best heist movies always have an inside guy.
Not a Doktor

Why is it as a vegas resident, events are given bigger coverage AFTER they happen?

I scan the papers and yet they expect me to goto these things ex posto facto.
trafnar

I don’t know if I’d really call this ‘cracking the lock’. More like cracking the key control system.

To be clear, this doesn’t allow them access to a lock which they didn’t originally have access to the key (or detailed picture of the key).
Anonymous

“There are some locks that hackers can’t open. For everything else, there’s MasterCard.”
Simon Bradshaw

When I worked at a secure government site, locks for filing cabinets (the ones that didn’t have combination locks) used odd keys that had two sets of teeth at a 120 degree angle, precisely so that it would be harder to make a replacement or get one cut.

Of course, once we have RepRaps, weird-shaped keys won’t be a problem.
Cory Doctorow

Simon@4: Medeco tried something like this and were pwned by a paper-clip: “last year at DefCon, Tobias and his colleagues showed how they could simply insert the end of a bent paper clip into a Medeco high-security lock to push back the slider, rendering the slider ineffective as a security layer.”
HarshLanguage

#3 – It’s more accurate to say that it requires just enough access to a key to get a good-enough-to-replicate digital image of its profile. A cameraphone photo of the key might be enough for all we know, and that’s certainly a much lower hurdle to clear. If an intruder is motivated enough, getting a quick, surreptitious snap of someone’s keys probably isn’t that daunting.

Like most security measures, most physical keys just aren’t that secure against a determined intruder, for any number of reasons.
jackbird

#7, Not for a Medeco key.
takeshi

Yeah, ’cause, you know, when I hear “human guard” I immediately think: “myself, keeping an eye on my own belongings.”

That said, they’ve finally found a legitimate use for credit cards.
Anonymous

>>My hardware store can do the same thing….
>>Not for a Medeco key.

Which is sometimes the only reason for using Medeco. I once lived in an apartment where the front door to the building had a Medeco lock. It was a big plate-glass door, making the pickability of the lock completely irrelevant. They just wanted to keep the tenants from duplicating the keys.
Takuan

bah! illiterates! I’ll be taking your stuff while you’re in remedial classes!
Takuan

http://www.toool.nl/index-eng.php
Kevin

There’s usually a “The hackers are coming! The hackers are coming!” article in the local papers about week before Blackhat/DEFCON. Hard to miss, lots of paranoia about social engineering and people stealing grass from the lawn at Ceaser’s.

#2 Writes

Why is it as a vegas resident, events are given bigger coverage AFTER they happen?

For Vegas, I check the convention and events calendar websites for when I plan to be in town, to see if anything interesting is going on, or to reschedule if my visit coincides with some huge optometrist convention or something.

I scan the papers and yet they expect me to goto these things ex posto facto.

This is a common problem with newspapers, some acknowledge the issue, and are planning to “fix” it, give local events much more advance coverage rather than only after-the-fact.
jheiss

Housemates of mine in college used to make keys for Medeco locks out of some more generic key blank (Yale I think, something that was thin enough to fit in a Medeco key path). The material just needs to be stiff enough and thick enough that you can file in the twists for the pins. Doesn’t surprise me too much that credit card plastic fits the bill.

I suppose it’s interesting that they were able to duplicate a Medeco from a picture, but I imagine it’s not too hard to measure the pin heights from the picture, and determine whether each pin is twisted left, right or center. The twists are pretty easy to see on a real Medeco key.

As others have said Medecos aren’t impenetrable, no lock is. They just up the barrier, since you can’t realistically pick them and duplicating the key requires some extra effort.
Takuan

http://www.zdnetasia.com/news/security/0,39044215,62044472,00.htm
Oren Beck

It would be trivial to increase the torque required for latch actuation. Set it way beyond what any conceivable plastic could transmit and this hack’s expired! Left for reader research is keys with ohmic contact devices. Which also could devalue this hack.

It’s arguably good practice to use self restraint in applying skills. YES we should ethically feed back a valid risk so it can be managed. Exploiting it for unwarranted personal gain is ethically bankrupt.

Locks are of primary utility to keep honest people thinking that their property is secure.
Takuan

they done anything about bump keys yet?
Jeff

It’s good when someone will point out a flaw in the weakness of a system. Sometimes. It’s not like everyone who uses those locks is going to run out and change them. Sometimes telling people how easy it is to copy something is a two-edged sword.