. DEF CON 21. August 3, 2013 dlaw, ervanalb, robj (DEF CON 21) .... Master key extrapolation is easy. Keyle
Key Decoding and Duplication Attacks for the Schlage Primus High-Security Lock David Lawrence
Eric Van Albert
Robert Johnson
[email protected] DEF CON 21
August 3, 2013
dlaw, ervanalb, robj (DEF CON 21)
Attacking the Schlage Primus
August 3, 2013
1 / 31
Standard pin-tumbler locks
Photo credit: user pbroks13 on Wikimedia Commons. Licensed under GFDL or CC-BY-SA-3.0.
Vulnerabilities 1
Key duplication: get copies made in any hardware store.
2
Manipulation: susceptible to picking, impressioning, etc.
dlaw, ervanalb, robj (DEF CON 21)
Attacking the Schlage Primus
August 3, 2013
2 / 31
The Schlage Primus Based on a pin-tumbler lock, but with a second independent locking mechanism.
Manipulation is possible but extremely difficult. Some people can pick these in under a minute. Most people cannot. We will focus on key duplication and the implications thereof. dlaw, ervanalb, robj (DEF CON 21)
Attacking the Schlage Primus
August 3, 2013
3 / 31
1
Reverse-engineering the Primus
2
3D modeling Primus keys
3
Fabricating Primus keys
4
What it all means
dlaw, ervanalb, robj (DEF CON 21)
Attacking the Schlage Primus
August 3, 2013
4 / 31
1
Reverse-engineering the Primus
2
3D modeling Primus keys
3
Fabricating Primus keys
4
What it all means
dlaw, ervanalb, robj (DEF CON 21)
Attacking the Schlage Primus
August 3, 2013
5 / 31
Security through patents
dlaw, ervanalb, robj (DEF CON 21)
Attacking the Schlage Primus
August 3, 2013
6 / 31
Look up the patent. . .
dlaw, ervanalb, robj (DEF CON 21)
Attacking the Schlage Primus
August 3, 2013
7 / 31
Primus service manual
w3.securitytechnologies.com/IRSTDocs/Manual/108482.pdf (and many other online sources)
dlaw, ervanalb, robj (DEF CON 21)
Attacking the Schlage Primus
August 3, 2013
8 / 31
P A T . N O . 4, 756, 177
PRI MUS
DO NO T DU P L IC AT E
Sidebar operation
Finger pins must be lifted to the correct height. Finger pins must be rotated to the correct angle.
dlaw, ervanalb, robj (DEF CON 21)
Attacking the Schlage Primus
August 3, 2013
9 / 31
Disassembly Fill in any missing details by obtaining a lock and taking it apart.
Photo credit: user datagram on lockwiki.com. Licensed under CC-BY-3.0.
dlaw, ervanalb, robj (DEF CON 21)
Attacking the Schlage Primus
August 3, 2013
10 / 31
1
Reverse-engineering the Primus
2
3D modeling Primus keys
3
Fabricating Primus keys
4
What it all means
dlaw, ervanalb, robj (DEF CON 21)
Attacking the Schlage Primus
August 3, 2013
11 / 31
Top bitting specifications 1.012" .8558"
MACS =7 Increment: Progression: Blade Width: Depth Tolerance: Spacing Tolerance:
.6996" .5434" .3872" .231"
100°
.031"
1
dlaw, ervanalb, robj (DEF CON 21)
2
3
4
5
Attacking the Schlage Primus
6
.015” Two Step .343” +.002”-0” ±.001”
0 1 2 3 4 5 6 7 8 9
August 3, 2013
.335” .320” .305” .290” .275” .260” .245” .230” .215” .200”
12 / 31
Side bitting specifications Scan 10 keys on flatbed scanner, 1200 dpi, and extract parameters. Index 1 2 3 4 5 6
Position Shallow left Deep left Shallow center Deep center Shallow right Deep right
1 2
dlaw, ervanalb, robj (DEF CON 21)
3 4
Height from bottom 0.048 inches 0.024 inches 0.060 inches 0.036 inches 0.048 inches 0.024 inches
5
6
1
3
24
5
1
6
2
3
4
5 6
Attacking the Schlage Primus
1
3
24
Horizontal offset 0.032 inches left 0.032 inches left None None 0.032 inches right 0.032 inches right
5
1
6
2
3 4
5
6
August 3, 2013
13 / 31
Modeling the side bitting
Design requirements 1
Minimum slope: finger pin must settle to the bottom of its valley.
2
Maximum slope: key must go in and out smoothly.
3
Radiused bottom: matches the radius of a finger pin.
dlaw, ervanalb, robj (DEF CON 21)
Attacking the Schlage Primus
August 3, 2013
14 / 31
Key cross-section One shape fits in all Primus locks. Dictated by physical constraints.
LP
EFP
FP
P
P
P
P
P
Attacking the Schlage Primus
R I MU
R I MU
S
EP
R I MU
S
R I MU
S
dlaw, ervanalb, robj (DEF CON 21)
CEP
JP
S
CP
R I MU
S
R I MU
S
P
HP
FGP
August 3, 2013
15 / 31
Modeling the key in OpenSCAD Programming language that compiles to 3D models. First use to model keys was by Nirav Patel in 2011. Full implementation of Primus key is a few hundred lines of code. // top_code is a list of 6 integers. // side_code is a list of 5 integers. // If control = true, a LFIC removal key will be created. module key(top_code, side_code, control = false) { bow(); difference() { envelope(); bitting(top_code, control); sidebar(side_code); } } dlaw, ervanalb, robj (DEF CON 21)
Attacking the Schlage Primus
August 3, 2013
16 / 31
The result key([4,9,5,8,8,7], [6,2,3,6,6]);
dlaw, ervanalb, robj (DEF CON 21)
Attacking the Schlage Primus
August 3, 2013
17 / 31
1
Reverse-engineering the Primus
2
3D modeling Primus keys
3
Fabricating Primus keys
4
What it all means
dlaw, ervanalb, robj (DEF CON 21)
Attacking the Schlage Primus
August 3, 2013
18 / 31
Hand machining
Materials needed: Hardware store key blank ($1) Dremel-type rotary tool ($80) Calipers ($20)
Cut, measure, and repeat ad nauseum.
Rob can crank one out in less than an hour.
dlaw, ervanalb, robj (DEF CON 21)
Attacking the Schlage Primus
August 3, 2013
19 / 31
dlaw, ervanalb, robj (DEF CON 21)
Attacking the Schlage Primus
August 3, 2013
20 / 31
dlaw, ervanalb, robj (DEF CON 21)
Attacking the Schlage Primus
August 3, 2013
21 / 31
dlaw, ervanalb, robj (DEF CON 21)
Attacking the Schlage Primus
August 3, 2013
22 / 31
dlaw, ervanalb, robj (DEF CON 21)
Attacking the Schlage Primus
August 3, 2013
23 / 31
Computer-controlled milling This is what the Schlage factory does. High setup cost (hundreds of dollars): not practical for outsourced one-off jobs. Keep an eye on low-cost precision micromills.
dlaw, ervanalb, robj (DEF CON 21)
Attacking the Schlage Primus
August 3, 2013
24 / 31
3D printing This is the game changing technology.
(From bottom to top, picture shows low resolution plastic, high resolution plastic, and titanium.) dlaw, ervanalb, robj (DEF CON 21)
Attacking the Schlage Primus
August 3, 2013
25 / 31
3D printing results 1
shapeways.com “frosted ultra detail” I I I
2
shapeways.com “white, strong, and flexible” I I I
3
$5 setup fee plus $2 per key. Very good precision. Insufficient strength to retract a latch. $2 setup fee plus $1 per key. Acceptable precision (operation is less smooth, but it works). Strong enough to operate most locks.
i.materialise.com “titanium” I I I
$150 per key (ouch!). Very good precision. Very good strength (similar to that of a brass key).
Expect to see prices decrease even more in the near future.
dlaw, ervanalb, robj (DEF CON 21)
Attacking the Schlage Primus
August 3, 2013
26 / 31
1
Reverse-engineering the Primus
2
3D modeling Primus keys
3
Fabricating Primus keys
4
What it all means
dlaw, ervanalb, robj (DEF CON 21)
Attacking the Schlage Primus
August 3, 2013
27 / 31
Primus-specific results
Key decoding is easy. Key duplication is easy. Master key extrapolation is easy. Keyless manipulation is still hard.
Our recommendations Primus should not be used for high-security applications. Existing Primus installations should reevaluate their security needs.
dlaw, ervanalb, robj (DEF CON 21)
Attacking the Schlage Primus
August 3, 2013
28 / 31
General implications This is an industry-wide problem. Key duplication will become much more accessible. Physical security will depend on information security. Patent protection will become less useful.
Figure: A 3D printed car key, by Ryan Weaving, and a 3D printed disc detainer key, by Nirav Patel.
dlaw, ervanalb, robj (DEF CON 21)
Attacking the Schlage Primus
August 3, 2013
29 / 31
Audience projects Contribute 3D models of other keys. (Medeco, anyone?) Integrate 3D models with existing image-to-key decoding software. Start a website for the exchange of 3D models of interesting keys.
Figure: New York City “master keys”. What will happen once 3D models of these become available? dlaw, ervanalb, robj (DEF CON 21)
Attacking the Schlage Primus
August 3, 2013
30 / 31
Questions?
dlaw, ervanalb, robj (DEF CON 21)
Attacking the Schlage Primus
August 3, 2013
31 / 31
![Android weblogin: Google's Skeleton Key - Def Con [PDF]](https://m.moam.info/img/260x300/android-weblogin-googles-skeleton-key-def-con-pdf_64bdf3aa098a9ee53a8b45a3.jpg)
