
3-D Printed Keys Can Pick High-Security Locks in Seconds - usaphp
http://www.wired.com/2014/08/3d-printed-bump-keys/?mbid=social_twitter
======
blueskin_
>skeleton key

This is the lockpicking equivalent of calling a cracker a hacker.

Also, no lock can be 'unbumpable' just because it has a restricted blank, as
by definition in those cases, if the blank can be obtained, the lock can be
bumped.

Unbumpable is generally reserved for locks that actually are, by using a
mechanism other than pin tumblers (e.g. rotating discs (e.g. Abloy Protec),
magnetic encoding on the key (e.g. EVVA MCS), sliders (e.g. EVVA 3KS), or
driverless pins (e.g. BiLock)).

High security locks have for a few years been incorporating moving/active
elements into keys to avoid duplication, both now from 3D printing, but also
originally from casting a copy of the key. As it is, keys witout those can be
directly duplicated rather than even needing to bother with a bump key (unless
you wanted to open more locks than the key used to make the copy can access).

------
emhart
Jos Weyers has repeatedly brought plain sense to hyperbolic reporting. His
statement at the end is bang on:

“The sky isn’t falling, but the world changes and now people can make stuff,”
says Weyers. “Lock manufacturers know how to make a lock bump-resistant. And
they had better.”

Always very pleased to see his name pop up when this sort of thing makes news,
as he never seems to offer a quote that can be used to stoke unreasonable
fear.

------
valarauca1
I mean we've known about bump keys and lock picking for more then 50 years.
None of this is _news_. If I 3D printed a set of lock picking tools would
Wired run a story on me?

~~~
agreenberg
Author of the story here. Like I wrote, 3D printed bump keys make locks that
weren't easily bumpable in the past more easily bumpable. That's not a 50
year-old idea. Likewise, if your 3D-printed lock picking tools were more
effective than the traditional kind, than yes, I might write about them, too.

~~~
valarauca1
Changes to the keying of the key's shaft has little to do with how bumpable it
is. If its still using the same internal mechanism.

What I'm saying is, if you lock the case to your desktop shut. Dumping your
unencrypted hard drive is still possible, and easy. And fundamentally
completely unchanged. All you did was put a hurdle in front of it, not
fundamentally change the attack vector.

~~~
agreenberg
So tell me how one would have bumped an Ikon SK6 in the past.

~~~
emhart
EZ Entrie machines[0], first of all, as they've been around for a decade or so
and are purpose built to mill one-off high security blanks out of brass, so
they're significantly more effective than their plastic counterparts. They are
admittedly expensive, but when I briefly had access to one the gentleman
running it was cutting me fresh blanks for a Euro a piece. They also have
rather jaunty bows with smiley faces inscribed in them.

Additionally, people have been bumping things with just about anything that
can fit into a keyway, it doesn't particularly matter if it conforms to the
exact shape of the key, so long as it can still interact with the pins
directly. So, bent sheet metal with teeth cut into them, flexible grocery
loyalty cards, etc. have all been used by folks in the locksport community to
bump locks they didn't have proper blanks for. I can't deny the SK6 (and many
Ikon locks, they are vicious) didn't have a particularly murderous keyway, but
the possibility of carrying out a percussive attack wasn't nil.

[0] [http://www.qtactical.com/easy-entrie-key-
machine/](http://www.qtactical.com/easy-entrie-key-machine/)

~~~
teej
I think you might be missing the point. No one is saying it was impossible.
The whole point is that access, cost, and effort have gone WAY down with the
advent of 3D printing. Your comment just drives this home - before you needed
an expensive machine and a skilled operator, or a ton of time and skill to
fashion one. Now you can just pick one up off the internet for $5.

~~~
emhart
A: He implies it was previously impossible in the article with this line:

"As a result, all anyone needs to open many locks previously considered
“unbumpable” ..."

B: He asked someone to tell him how it could have been bumped prior to this
application.

C: I described, in my scenario, the purchase of a 1 Euro blank from someone
who runs the machine, which is actually /less/ than the Shapeways scenario,
which is otherwise the same - you don't purchase the equipment, you purchase
the product the equipment makes.

------
RobLach
I'm not sure what 3D printing has to do with any of this, other than that bump
key was 3D printed. That key could have just as well been CNC'd or cast or
whatever manufacturing method.

Unless they figured out this key because 3D printing allowed for rapid
iteration.

~~~
kalleboo
The difference is there's the possibility that anyone could download a blank
key 3D file off of the pirate bay and then get it printed for $5 from
Shapeways no questions asked.

Even I could do it.

I don't even know where I'd find a CNC machine. If I asked someone who has one
to make a blank key for me he'd probably tell me to fuck off or call the
police, and if I tried to use it myself I'd probably cut off my arm.

It's definitely not a revolution of any kind, it's just another step towards
lockpicking made easier and more accessible, and makes the concept of physical
locks as a lone defense weaker.

~~~
emhart
The concept of physical locks as a lone defense is a very new idea in the long
history of mechanical security.

------
Domenic_S
I briefly looked into buying high-security locks and reinforcing my door
frames when I moved into my new house. Then I realized I had two massive,
20-year-old windows on either side of the front door. In other words, a $350
lock isn't going to stop any crackheads who really want to get in.

Physical security (the real, you-can't-break-this kind) is for banks and
governments. For everything else there's video.

~~~
sirdogealot
This really hit me recently when I left the house after doing some
cryptography research.

When I "locked" the wooden door with a piece of metal that has been
photographed by probably countless cameras... I just had to laugh at myself
and wonder why I bad been programmed to do this seemingly pointless action my
entire life.

~~~
dclowd9901
I don't follow -- why are your keys being photographed by countless cameras?

~~~
DavidBradbury
Have you ever taken your keys out when you're at/leaving a store?

~~~
xorcist
No. Why would you? The casualness with which the question is put makes me
curious, but my home keys are generally something I use in the door at home,
not at the store.

~~~
Domenic_S
Those of us who use cars often keep our car keys and house keys on the same
keyring. While walking out the door of the store you pull your keys out.

~~~
xorcist
The thought hand't actually occurred to me to keep my car keys on my key ring.
They're gigantic these days. But I guess a lot of people do.

------
StavrosK
Goddamnit, bump keys aren't skeleton keys. Holy sensationalism.

------
joshvm
Keys have and always will be security through obscurity.

For most people it's not an issue. The only people that are likely to bump
your lock are really professional thieves (who are rare) or intelligence
services who'll have better equipment.

Most businesses are more than secure enough. It's far easier for a crook to
gain access via social manipulation than it is to bypass physical security
systems. As with home security, humans are always the weakest link in the
chain.

------
acd
Phones such as Google Tango should be able to copy physical keys. So should
Microsoft Kinect but that is a bit more obvious.

[https://www.google.com/atap/projecttango/#devices](https://www.google.com/atap/projecttango/#devices)

Pin codes are also not secure, subject to capture by movie cameras Google
glass and IR heat scanners picking up the key strokes.

So both keys and pin codes are not secure.

------
justaman
I previously worked for an international company that manufactures hinges for
heavy doors. I once spoke with a man who worked with locks. He said,(and I
don't recall the jargon) [keys will soon have more than one set of teeth and
the angle between the rows of teeth will be variable].

~~~
emhart
Do you remember when this was? Multiple rows of pins have been around for ...
well, since 1848 at least, but in modern locks, Kaba & Sargent (later bought
by Kaba) have been using multiple rows for many decades.

Doesn't actually prevent bumping, though! Additionally, the "angle between the
rows" is interesting in thinking what exactly he might have said. Sargent,
again, with the Keso introduced the idea of somewhat variable spacing of the
pins in the Keso.

Additionally, if we're talking angles, there was the Medeco Biaxial (often
confused for the original Medeco lock) which introduced the idea of "fore",
"center" and "aft" positioning of the cuts in the key/position of the chiseled
tips of the pins.

The former, Sargent, can still be readily bumped as even though you won't
always know if a pin will be present, you know every possible location of the
pins and can adjust accordingly. With Medeco, it's significantly harder,
though they caused themselves problems with a heavily restricted code book so
that the mere visual observation of the first two pins in the lock could give
you a very good idea of the positing of the other elements and allow you to
make a few possible bump keys to attack them. They've since fixed that
problem.

------
ianstallings
"yeah, but it's _3-D printed_ "

 _waves hands_

------
hamburg
Slightly off topic: Why don't we just use the same technology that car keys
have on door locks?

~~~
emhart
Two very different problems, though both are locks. In the case of a car you
don't always get to choose the security of the community it lives in. Its
portability, price and effective lifespan dictate different standards of
security.

In the US the average length of car ownership is at an all time high of 6
years. You can reasonably expect the locks to outlive your interest in the
vehicle. Whereas (and this is all quick googling to get to a point, so anyone
feel free to correct my figures) the average ownership of a home is 20 years.
Now, while locks can certainly survive that long, it's a good idea to replace
them once in a while.

Additionally, in the rental market where turnover is significantly higher,
there are often laws that require the regular changing of the locks from
tenant to tenant.

And - another factor - insurance standards related to security on cars are
much more robust than insurance related to security on buildings. You can
occasionally find a break for having a second lock, or deadbolt, etc. but your
returns on insurance breaks diminish completely as you invest in higher end
physical security.

All of this is to say - door locks are a commoditized after-market product
that are influenced by geography. They are made to be replaced/maintained by
the user and there will always be a thriving budget marketplace for them. Your
car locks, on the other hand, are never meant to be worked on by the user, are
rarely replaced and have almost no competitive after-market.

Hope that helps lay out some of the differences between the two.

(and I could go on. Lot of other stuff around OEM, cost of production, ability
to sell on security, etc. etc.)

~~~
hamburg
Thanks, some good points here.

------
teklulz
One could also make a bump key with a blank(ish) key, a file and 3-10 mins on
ones time...

~~~
adamtj
Of course, but the point of the article is that blanks for high security locks
used to be much harder to come by. Now, software and 3-D printers make it
easier to defeat the feature that makes them "high security". The implication
is that pretty much anybody can do it now.

I remember reading several years ago about how one can take a picture of a key
from far away and use that image to replicate the key. Back then, replicating
keys from a picture was not something just anybody could do, so it wasn't a
threat worth fretting about. Presumably 3-D printing will make that easier
too. One can even imagine an app: point your phone, press a button, and get a
key in the mail a few days later. I expect we'll see that article soon.

~~~
emhart
That app/service has existed for years, first Shloosl (now keysduplicated),
then KeyMe and I believe the proprietors frequent HN, so I expect you may see
them pop up to offer an informed opinion on this article.

[https://keysduplicated.com/](https://keysduplicated.com/)
[https://www.key.me/](https://www.key.me/)

