
Hacker Opens High Security Handcuffs With 3D-Printed And Laser-Cut Keys - thebigdeluge
http://www.forbes.com/sites/andygreenberg/2012/07/16/hacker-opens-high-security-handcuffs-with-3d-printed-and-laser-cut-keys/
======
nl
The situation with keys is actually worse than Forbes makes out.

Apparently they don't realize that (most) keys can now be copied from a
photograph, from up to 195 feet away[1]. I realize that these "high security
keys" are probably harder to duplicate than a normal key - but how many
security officers know they should be keeping the keys _out of sight_ as well
as physically secure?

[1] <http://hackaday.com/2009/09/22/photographic-key-duplication/>

~~~
loceng
Time for fingerprint entry to become popular - at least until cloning specific
body parts becomes a home-kit..

~~~
Simucal
Mythbusters was able to defeat several fingerprint identification systems
quite easily.

At first their attempts were pretty elaborate. They lifted a fingerprint from
a glass a person had held and then used an acidic solution to etch that
pattern onto a mold. This mold then opened all of the high-end thumbprint
readers they had.

However, if I remember correctly, they then went low-tech and simply used a
photocopy of the thumbprint which also opened several devices.

~~~
sophacles
I think it is good to remember that security is situational. So unless a
prisoner is holding a copy of every officer/guard/transfer agent's finger
prints, they won't be able to undo the lock while in most detention situations
(the only ones I can come up with are fairly contrived, or require the
prisoner to escape in cuffs, making the point moot). Basically, if the
arresting officer puts the cuffs on the detainee, and scans in his fingerprint
as the "unlock with this fingerprint" option, it becomes very difficult for
the detainee to get a copy of that print in a form that will work, and then
use it, unlike an accessible hidden key known to work with $model-of-handcuff.

Of course that says nothing about _other_ ways to defeat the cuffs, which
would probably become the prime area of research at that point. (why attack
the locking mechanism if there are easier to defeat weaknesses).

~~~
sbov
According to the article, that's not how handcuffs need to work.

Handcuffs are designed so that one officer can put them on and another can
take them off. If that weren't the case this situation of being able to print
1 key for all handcuffs wouldn't exist - they would simply make unique keys
per handcuff.

~~~
sophacles
Fair enough, although, I think a procedure change and a "transfer authority"
function could easily cover this. The transfer function would basically be:
original cuffer presses the transfer button, swipes his print, the receiver
then swipes his print, and the transfer is done.

However, in a broader view, yeah, there are probably better ways than
fingerprints handle keys once electronic locking mechanisms are introduced.
Probably something akin to a 2-factor cryptographic mechanism.

~~~
pavel_lishin
Easy nitpick, what if one of the officers gets sick, gets injured, or just
plain forgets and goes home?

~~~
sophacles
Good question. I don't know, but perhaps an override key. However now that the
physical key isn't an open secret, and needed by everyone, they would be
easier to secure. And small batches would have a specific key for that batch,
but not for all cuffs, making it even harder for the detainee to have the
right duplicate on hand.

I feel though that my larger point is getting lost in this thread. It was/is:

Just because a security technology doesn't work for reason $x in situation $y,
that doesn't mean that the weaknesses also apply to situation $z.

------
ldayley
Interesting story. My larger concern is that incumbent businesses and
political interests will use this type of story to spread FUD that enables
them to enact fear-based regulation before the benefits of cheap 3D printing
can be realized by the general population. One simply has to look at piracy
concerns and asanine infosec and privacy regulations for previous examples.

~~~
m0nty
Just wait until you can download a handgun. Just wait until someone attaches
explosives to a DIY drone and sends it into a shopping mall. Just wait until
someone hacks the firmware on your self-driving car. It's going to get ugly.

~~~
Bakkot
Re "download a handgun", that debate is already happening:

[http://boingboing.net/2011/09/20/3d-printed-ar-15-parts-
chal...](http://boingboing.net/2011/09/20/3d-printed-ar-15-parts-challenge-
firearm-regulation.html)

~~~
m0nty
I suppose it's more effective still, given small-scale production, to upgrade
components on existing fire-arms rather than try to manufacture one from
scratch.

------
dsr_
Handcuff locks are identically keyed so that any police officer can open them.

But it's rare that you need such compatibility; instead, "anyone in the
department" is a fine size.

Handcuff manufacturers cheaped out. If they offered keys made per department,
the keyspace would go from approximately 5 to tens of thousands. That won't
stop someone from duplicating a key, but it will change the cost proposition
for mass-duplication.

Plastic ties don't have the key issue, but they are vulnerable to a
knowledgeable (semi-) brute-force attack.

~~~
Hoff
In large-scale and homogenous departments, yes, that might sometimes work.

Through what is known as mutual aid, it is routine for various smaller police
agencies to interoperate with other law enforcement agencies; with county,
state and federal agencies with direct jurisdiction, and police departments
from neighboring municipalities through mutual aid.

Finding a half-dozen police agencies at various calls is not uncommon.

This isn't only a factor with small departments, either. In some areas within
cities with large established police departments, there can be a dozen law
enforcement agencies with direct jurisdiction for a particular location and/or
event.

And yes, this can be why officers at large events are often issued plastic
cuffs. No keys.

Paralleling the problem that would arise with using multiple different cuff
keys, simple radio communications among the various police and municipal
agencies can be an issue. Everything from the frequencies and bands and
encoding to the individual radio codes used by officers can lead to confusion.

When the ____hits the fan, a police officer needs equipment that works
reliably, and the officer doesn't want to even have to think about using the
equipment, nor about different cuff keys, radio protocols or codes.

~~~
shabble
There was a usenix paper I recall from last year: _Why (special agent) Johnny
(still) Can't Encrypt_ [1], which I think includes some of the issues of
trying to run these sorts of ad-hoc radio networks securely.

[1] <http://www.crypto.com/blog/p25/>

------
egypturnash
"Even so, Ray says he won’t post CAD models of the Bonowi or Clejuso models
online, given that those keys are harder to obtain and providing blueprints
for their reproduction could in fact reduce their real-world security. "

But in the very same article, there's a _lovely_ photo of the Bonowi key next
to a more readily-available Chubb key[1].

And I suspect most of the kinds of people with access to laser cutters and 3D
printers have heard that it's pretty easy to dupe a key from a photo. Googling
for "duplicate key from photo" brings up any number of articles that outline
the techniques.

I can only assume that the Chubb key was provided for scale, to allow anyone
with the tools to reproduce the Bonowi as well!

[1][http://blogs-
images.forbes.com/andygreenberg/files/2012/07/S...](http://blogs-
images.forbes.com/andygreenberg/files/2012/07/Screen-
Shot-2012-07-14-at-6.14.45-PM.png)

~~~
HeyLaughingBoy
Not knowing much about keys, but knowing a bit about machining materials, I
dare say that skilled people with access to a hardware store to buy a hacksaw,
a few files and some metal could also duplicate a key without much trouble.

For all their high-tech trappings, laser cutters are still doing what humans
do by hand all the time; they just do it faster.

------
jwatte
I wonder if someone patented an actuator/microcontroller based cuff. The "key"
would contain a battery and the cuff would challenge the key for the right
password. There's lots of cryptography that could be used there, from shared
secrets to public/private signatures. If it's not patented yet, I guess this
description of the idea (that I might have thought of 364 days ago) counts as
prior art :-)

------
eumenides1
I don't understand why we are making handcuff with keys. Wouldn't it be better
to have cuffs that lock but can't be unlocked. The only way to get them off
would be to destroy them. Think zip ties that are structurally stronger.

Maybe the destruction method would be something like UV light to melt the
cuffs.

Is it so important that we have re-usable cuffs?

~~~
crusso
_Think zip ties that are structurally stronger._

Zip ties themselves are easily circumvented with a razor. If stronger, how
much stronger? Do you need heavy-duty bolt cutters to get them off?

 _UV light to melt the cuffs._

Wouldn't a UV light source then be an easily-producible key?

~~~
eumenides1
I was thinking like 3/4 to 1/2 inch tubes of solid plastic. So maybe heavy-
duty bolt cutters would be a good idea to get them off.

The crux of the idea is that only way to get the cuffs off is to break the
cuff with a specific brute force that requires a large unconcealable device.
Even with the device, you still need time/space to use it (5-10 mins).

So pretend that we would need a large UV lamp and 5 mins to melt through.

~~~
ishkur101
If the cuffs cannot be reused then costs go up. If costs go up I pay more tax
to cover this.

------
DrWhax
Old news, this has already been done at <http://har2009.org/> read more here
-> <http://blackbag.nl/?tag=har2009>

~~~
sesqu
Yes, that was mentioned in the TFA, because it was done by the same guy. Did
you not read it?

------
xbryanx
Zip ties.

