3D printed bump keys make short work of high-security locks

High-end locks rely on their unique key-shapes to prevent "bumping" (opening a lock by inserting a key-blank and hitting it with a hammer, causing the pins to fly up), but you can make a template for a bump key by photographing the keyhole and modelling it in software.

Jos Weyers and Christian Holler presented their work on 3D printed bump keys at NYC's Hackers on Planet Earth last month, as an existence proof of the insufficiency of relying on proprietary shapes to defend a lock. The locks they attacked were successfully opened with keys printed in nylon, of the sort you can order from service bureaux like I.Materialize and Shapeways. Weyers and Holler have produced an app called "Photobump" that turns images of keyholes into print-ready 3D bump-key shapefiles.

A photo of a keyhole alone isn’t quite enough to print one of Weyers’ or Holler’s bump keys. They also need information about the position of each pin in a target lock. But Holler says that information easily is found in widely available key-cutting software. Weyers says he can derive it even more easily by sticking any thin tool into the keyhole, feeling for the pins, and marking their depth to measure how deep in the lock’s cylinder the pins are located...

Weyers and Holler aren’t trying to teach thieves and spies a new trick for breaking into high-security facilities; instead, they want to warn lockmakers about the possibility of 3-D printable bump keys so they might defend against it. Although Holler will discuss the technique at the Lockcon lockpicking conference in Sneek, the Netherlands, next month, he doesn’t plan to release the Photobump software publicly. He’s also working with police in his native Germany to analyze whether printed bump keys leave any forensic evidence behind.

These 3-D Printed Skeleton Keys Can Pick High-Security Locks in Seconds [Andy Greenberg/Wired]

Notable Replies

  1. cegev says:

    It's not necessarily fair to say that this method works on "high-security locks." There are a number of high-security lock systems that are either very difficult to bump, or intrinsically impossible to bump, like Protecs.

    The larger threat of 3D printing and precise computerized machining, however, is that key control becomes far more difficult. It no longer matters if only one company can make the key for your lock: anyone else with temporary access to your key can just print one. Outside of unusual things like EVVA MCS, I'm not sure how this can be prevented.

  2. jerwin says:

    In general if anybody untrusted has access to a key for any length of time the key needs to be considered compromised.

    You should probably amend this to

    In general, if anybody untrusted has a photograph of a lock's keyway for any length of time, the lock, and any other lock using the same general type of keyway, needs to be considered compromised.

  3. Or, more broadly: Keyed locks are a deterrent, but should never be considered as absolutely secure. And most things that are locked can be accessed by methods that do not require defeating the lock directly.

  4. Nothing is secure given enough time and a determined attacker.

Continue the discussion bbs.boingboing.net

3 more replies