Master Keys (schneier.com)
173 points by mikegerwitz on Oct 15, 2012 | hide | past | favorite | 54 comments

Also, if you are interested in actual master keys, Matt Blaze's paper on the subject is a classic: http://www.crypto.com/masterkey.html

"In a recent research paper, we describe weaknesses in most master-keyed lock systems, such as those used by offices, schools, and businesses as well as by some residential facilities (particularly apartment complexes, dormitories, and condominiums). These weaknesses allow anyone with access to the key to a single lock to create easily the "master" key that opens every lock in the entire system. Creating such a key requires little skill, leaves behind no evidence, and does not entail engaging in recognizably suspicious behavior. The only materials required are a metal file and a small number of blank keys, which for many locks are readily available."

If you follow through to the story that shows a picture of the keys two things are notable: these are pretty easy keys to duplicate (especially given the nice clear photograph of them) and it was the New York Post who both broke the original story and posted a picture of the keys (face palm).

I was slightly surprised that they just look like regular keys. I was half expecting them to have special grooves, or protrusions, or magnets or something.

Nope. Just a regular key that hits a specific set of pins that are required to be there.

If you think about it, designing a lock that takes 2 completely different types of keys would be very difficult. If you don't fit the grooves that a regular key does, you don't fit. So you have to use the same blank. After that it is just the set of grooves that matters.

>designing a lock that takes 2 completely different types of keys would be very difficult

This is actually fairly common in commercial buildings. The keys have a channel running down the side (the 'grooves' you speak of). The grooves determine what kind of keyway the key can fit into. You can configure your locks so a certain groove pattern will only fit a subset of your locks, while another kind of groove will fit into all of them. Schlage for instance makes a series of keyways (A, C, D, E, F, G, H, J, K, L, M, XP etc.) that are specified to do exactly this. I always forget which, but I believe it's the L keys that will fit into most of the other keyways.

You can consult Schlage's own books to learn more: http://professional.schlage.com/pdfs/sss/Schlage_Key_Systems... (scroll to the end.)

Some of those keys look ancient! I don't see how a lock keyed to those could possibly hold up to even an amateur lockpick.

Ancient is the point - at some point after the twenties, it became less and less cost effective to have someone at the building 24/7 - and the rise of electronic security (alarms basically) provided everyone with a two-factor reassurance that the system was still secure even with distributed master keys.

As long as no-one sold them to the public ...

Ugh, the NY Post is nothing but a tabloid -- from Fox, no less.

Master keys are the very definition of "security through obscurity". As Bruce says, this is a very hard problem and one that has been reasonably solved for a long time. However, thinking that sophisticated terrorists or criminals have been unable to exploit this merely because they haven't been to eBay is naïve to the extreme.

>> Master keys are the very definition of "security through obscurity".

Not really. A key is like a physical password. Security by obscurity is "I'm betting you don't know what kind of lock/encryption I'm using." Legitimate security is "I won't give you my key/reveal my password."

Just because there's a secret doesn't mean you're Doing it Wrong. "Something you know" is a valid authentication factor.

As I see it, though, the issue is that I can walk up to your house, notice that you're using a XYZ-brand lock as I knock on the door, give you a standard door-to-door spiel, you turn me away and you forget about me before you're back on your couch.

Half an hour later I have a master key to your house because I Googled "XYZ master key" and filed the appropriate key blank to match. How do you combat that?

That's the security-by-obscurity argument - once the information on "XYZ master key" is available, your house is compromised and you can't fix it by rekeying, only by replacing all XYZ-brand locks with a different brand.

Security through obscurity is, ultimately, betting your system on something you can't ever change.

A key that you give out to thousands of people and cannot be changed afterwards ceases to be a key and becomes an intrinsic part of the system.

With a real key, when a leak like this happens, you invalidate the leaked key and issue a new one. In this particular case, they're basically stuck hoping that nobody does anything nefarious with this key.

The mere existence of a physical key does not make it security through obscurity. It's the fact that the same physical key is distributed to thousands of people with no good way to control them all or compensate for a leak that makes it security through obscurity.

> The mere existence of a physical key does not make it security through obscurity. It's the fact that the same physical key is distributed to thousands of people with no good way to control them all or compensate for a leak that makes it security through obscurity.

Semantic nitpick, but how does that make this security through obscurity? S.T.O. is not betting your system on something you can't ever change, it's betting your system on hoping the attacker won't guess how the lock works. I think we should be careful not to use inappropriate labels, as this dilutes the language and makes it more difficult to communicate.

My point is that if you set up a master key in the fashion described, such that thousands of people have access to it and it's basically impossible to change, that key becomes part of the system, rather than being a separate key. It becomes part of "how the lock works".

To quote Kerckhoffs's principle, which Wikipedia leads me to believe is the basis of the whole concept of security through obscurity:

"Its key must be communicable and retainable without the help of written notes, and changeable or modifiable at the will of the correspondents"

Despite the name, this master key is not a "key" in the cryptographic sense. Any system intended to provide security without a key is necessarily relying on security through obscurity.

It's a different sort of "security through obscurity". We all know that many locks (elevators, etc) have a master key -- we see the receptacles every time we ride in such an elevator. The obscure part is not that there IS a master key, but rather its shape.

A master key is the same as a backdoor known to few. Whether you're using a key that fits the lock, or know that 'Joshua' is the superuser's login, it's still a "secret" which only provides protection while it's actually secret. I think it still counts as STO.

Not meaning to start any kind of semantic flame war, but I'm still not convinced.

> Whether you're using a key that fits the lock, or know that 'Joshua' is the superuser's login, it's still a "secret" which only provides protection while it's actually secret.

But isn't the same true about passwords? Aren't passwords secrets providing protection only when they remain unknown?

The problem here lies, IMO, not with secrecy but with the password/key distribution and protection. I could imagine a situation similar to described in the article if an administrator gave server's root password to half of the company staff, hoping that no one leaks it.

No. Obscurity is not the only, or even any, of the protection that keys, master or otherwise, provide. Regardless of whether the attacker knows of the existence of the master key or not, they still need a key.

A master key represents a reduction of security (by bypassing depth of security and putting more eggs in one locked basket). Both are security trade-offs for convenience.

I was wondering about the same thing regarding those TSA locks.

My fancy new luggage comes with combination locks and in addition with one of those TSA locks.

The thing is, how many different lock combinations are there? (My guess: less than a dozen.) How widely must the master keys be distributed? Well, in multiple instances to every airport in the US and then some. How long until a bunch of dodgy luggage handlers own a set of those locks?

While the consideration of not having to break your luggage is nice, the implementation seems not very secure to begin with (yeah, I know: neither are luggage locks, but still).

That's depressing.

Especially the part about how you can just bust open the zipper on a locked bag anyways.

That's an excellent starting point to explain why we shouldn't accept encryption that has backdoors.

I basically use luggage padlocks as an over-the-top way of making sure the zipper doesn't come undone accidentally. Of course, I could achieve the same thing with a paperclip.

I assume the lock industry will be added to the list of industries that will lobby like hell against 3D printer technology. I'm putting the over/under on a 3D model of these keys showing up on the Net at about a day.

Key-making machines are already widespread and much cheaper than 3D printers.

Equally, a set of metalworking files and key blanks/brass stock are much cheaper than key-making machines.

Michael Brady, commenting on the original article, said it best.

"Master keys are a convenience, not a security measure."

Like a smart terrorist/activist/pranker couldn't learn how to pick locks.

I feel like if this were to be replaced by a digital solution it would be essential that multiple vendors would be used. There was a big vulnerability that occurred with hotel locks that seems like it would have been mitigated by multiple vendors. http://www.schneier.com/blog/archives/2012/08/hotel_door_loc...

Given when such keys need to be used, a digital solution would also need to work in emergencies such as flooding, fire, and partial destruction (door and lock internals fine, outer lock and door severely damaged).

I imagine that it's easier just to stick with the good old master keys.

I've long believed that most locks are not there to stop professionals, they're just there to stop the opportunist.

If you're at peace with this then there's little advantage spending an extremely large amount of money putting in place a sub-standard digital solution.

The existing system is good enough.

I've heard it before: "Locks are there to keep honest people honest."

The lock on your front door won't stop someone breaking into your house. Or rather: your lock likely isn't the weakest point when it comes to keeping people out.

However, with the master keys it's not just about getting into places where you shouldn't be able to go, it's also about more or less locking a whole place down by disabling elevators. I can imagine you could put something a bit more complex to disable something which already requires electronics to function.

Yeah, I guess master key usage is just a little too broad. Opening doors doesn't seem like a huge issue, but I would at least require a supplementary password entry for crucial functionality like disabling elevators.

And in those life and death situations that emergency workers are involved in... would you accept the loss of a life because the emergency worker couldn't get hold of the password in time to save someone?

As I said... it's good enough.

A second layer of protection for critical features that could cost lives is always a good idea. Have to balance authorized people using them with preventing unauthorized people from causing chaos, maybe a standardized pass code that changed once a month and all rescue workers received. If for instance 3d printers become household items and the key pattern is widely distributed online it could end up being a big problem.

Yeah, the question is really which potential harm is larger: unauthorized access, or the possible failure of authorized access? Then you need to ensure the system is more likely to fail in the less dangerous direction.

Sounds like physical keys do that.

Do most locks really need to work in emergencies?

My house has no master key, after all. If the fire department needs to get inside, they will break the door down. That is the universal master key for any situation, and my understanding is that fire departments are well equipped for this.

Why not simply not have a master key, with the understanding that the door will be destroyed in the event of an emergency?

sometimes master keys operate things like elevators and control panels

I wonder if that could be solved with a similar sort of design. Instead of a lock with a master key, how about a "break in case of fire" cover on the elevators? You could still have a lock and building-specific keys for non-emergency uses.

Targets for vandalism and other shenaniganery.

How often have you heard of someone picking the lock to a knox box or an elevator control panel? (Probably not very)

How often have you heard of someone hitting the alarm or screwing around with the emergency options? (Probably more)

Well, unlike standard fire alarms, these don't need to be easy to break into. Since they're for use by the fire department in an emergency, you can assume that whoever uses them will have access to axes and a willingness to use them.

I think that this article represents the need for digital locks. So far, no one has disrupted this space and there is a HUGE market. Think of everyone who lives in an apartment/house in the world. Now take only 1% of 1% of 1% and that's going to be a very large number of people who would sign up.

> take only 1% of 1% of 1%

1. Why? I mean, I get that it's a very small fraction, but if you're considering a scenario where you only get a very small fraction of the market, why should that very small fraction be more plausible than, say, 1% of that?

2. OK, so the population of the world is about 7 billion, and 1% of 1% of 1% of that is 7,000. That's not actually so very enormous, especially as you're not going to get a lot of recurring business. (Unless you're envisaging that people pay on a subscription basis for the continued use of the locks on their home, in which case I think 0% of 0% of 0% is a better guess for the likely market penetration.)

A lot of houses in South Korea have electronic locks. We got locked out on Christmas eve because the batteries didn't work properly in the cold.

> "I think that this article represents the need for digital locks."

I disagree. We are talking about keys to critical infrastructure - fire doors, elevator overrides, utility areas of subway systems.

These are all resources that need to be accessible in a power outage or disaster situation. I do not want our firemen to be locked out of where they need to go because some digital lock lost power.

There is a reason in traditional engineering emergency overrides and shutoffs are mechanically implemented and don't go through a computer.

Digital lock with built in dynamo (pull down lever?) to generate the miniscule power required to operate it?

Some horrifying disaster happens in New York, the subway tunnels are flooded. Fire crews need access to a locked/gated area, but your dynamo'ed electronic door lock is completely kaput.

The whole point of this critical infrastructure is that it be accessible in an emergency and have as few failure modes as possible. A mechanical lock has very few failure modes short of changing the laws of physics.

Fire crews have bolt cutters to handle the common case of a door with a small lock of any sort.

How reliable is that?

I know this is uncharitable, but after reading your post, I immediately envisaged a future where locks are web controlled, and the security of people's front doors relies on a shiny Web 2.0 site not having an XSS or CSRF somewhere. Uh oh.

That said, I would be really interested to see a shot at something new in this area.

Most of the current companies follow the OEM -> reseller model. Their customer is actually building and access maintenance companies, not the end user.

I'm not in favor of it, but it's worth noting that the lock on all of our front doors right now is not terribly hard to pick. When the SWAT team wants in, they dispense with the lock altogether by just battering through the door. I suppose if that wasn't fast enough for you, you could blast your way in. The lock-picking technique would not work on correct code--but producing proven correct code is very expensive and unpleasant, so not likely to happen. And you'd still be susceptible to the other two options.

My point is that security is not primarily a technical problem--or at least, there isn't a 100% technical solution, and probably never will be. In practice we benefit a lot from looking innocuous and having neighbors that know us and like us. The main thing keeping people out of your home isn't the lock, it's the inconvenience and unpleasantness of what would most likely happen if they were caught.

I completely agree with you; especially in terms of "security" being a social construct.

However, if it's possible to anonymously unlock a door using the Internet, that door will most definitely be unlocked once a few people catch on. If such a problem were widespread enough, people would write software to scan the Internet, unlock doors and post the GPS co-ordinates to a twitter feed. This is a direct and unfortunate corollary of the "Greater Internet Fuckwad Theory". A small subset of people would go around "doordriving", or "dooring". Now the idea is stuck in my head.

You're right that correct code can't be "picked" per se - but it's not just about correct code. It's easy to underestimate the number of moving parts required in real world electronic access control systems and how they interact with the computing and physical environments they're installed in. The full system includes the manufacturer, their networks / personnel / procedures, the building, network cabling, management station, the management network, management policies and procedures, peripheral controllers, peripheral bus, peripheral electronics, the physical doodads and mechanisms, the "card to reader" interface and finally the cards themselves.

I personally find the threats against current electronic locking deployments to be pretty interesting. I'm by no means an expert or anything but I had to learn a little bit about it for my job. I'm going to deliberately ignore the SWAT method of e.g. attacking the doorframe if the lock is too hard ;) Or the ceiling and floor tiles, or asking nicely for the key, or dressing up as a fire inspector and asking for the key, or setting off a fire alarm and so on etc. Also, I'm going to focus on the systems I know a bit about, which are corporate office building systems (not e.g. hotels, which are different, or high security systems).

Consider e.g. a standard HID based access control system. You have an awful VB/MS-JET (last time I used it :) card / zone / user / rule GUI on the management station. That thing needs to be secured - and you would be surprised in practice how many organisations put the management station straight on their internal network, as a domain member server even. Multi-tenanted buildings tend to have better security on the management computers -- since they're air-gapped from any of the tenant corporate networks ;) They usually live in a maintenance room (locked by a conventional lock, for obvious reasons) down near the ground floor. In the multi-tenant case the management station will often have a modem plus PC anywhere installed.

If you can log on to the management computer (e.g. by compromising the domain or dialling in to it if it's standalone), the access management system itself asks for a password. You can pull the usernames directly from the underlying access database. You don't normally need to crack passwords. What you do to gain access is choose the name of the installer company as the login, and use that for the password too ;) IAPT (I am a pentester), and so far it's worked every time. Finding building access control management stations is filed in my notes under sections "fun post exploitation activities" and "amusing screenshot fodder".

But going down a level: In practice there is a lot more code running in these systems which I haven't personally looked at in depth. The fittings (e.g. door opener thingy, access card reader widget) are "dumb", and they communicate to peripheral controllers. As I understand it, the management station downloads the various settings and rules and card IDs into the peripheral controller, so that everything still works when the management computer is down. As I understand it, this communication is plaintext (the name of the bus protocol escapes me right now). If you gain access to any of that wiring (host -> peripheral controller or peripheral controller -> peripheral) it's game over. However there's another possibility I've never seen anyone mention, which is that (I suppose) you might be able to Van Eck the comms over that bus too.

I think it is a setting you can choose (a hardware option on the fittings?) for whether you want things to fail open or closed in the event that the power goes out.

Going down another level, the "dumb" peripherals really do have code running on them -- they're just "dumb" in the same way that a "dumb terminal" is dumb. If a reader is designed and installed properly we shouldn't be able to glitch it or just plug into an access port, but that still leaves the air interface. The standard HID systems are just doing plaintext RFID and can fairly trivially be cloned by something like a proxmark. It gets a bit worse though with the plaintext systems. The IDs in the standard HID cards are usually formatted as a facility code, followed by a (sequentially allocated) user ID. So if you get the ID of one card -- even if that card has been cancelled -- you can brute force your way to a valid card fairly quickly.

There are encrypted systems (doing things properly) which have been out for a while, but they are still not nearly as common as they should be. Things can still go wrong if that's done poorly (e.g. Mifare classic) but as I understand it the new systems are fairly secure.

Finally, electronic locking mechanisms are still subject to manufacturing tolerances and obvious implementation blunders - meet the new problems, just like the old problems. There are lots of electronic door mechanisms out there which are vulnerable to nothing more complex than a good shove. This is common with both the mag plates and the latches. They also have unique hardware problems. We had a really amusing "bug" in our office where our actuator was wired up in parallel with other actuators by a lazy installer. So even though we were supposed to be in a separately secured section of the building (different access group + pin required for entry), people with access to other areas could still open the door by teaming up -- one person swipes on low security door, wait for the click, and other pushes on the high security door. Sigh.

In a roundabout way, I hope this explains a little bit of my skepticism when I picture an electronic locking company with a groovy kickstarter video (here at lockify, we've reimagined locking things!) and a shiny web 2.0 front end.
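The "facility code followed by a sequentially allocated user ID" point a few paragraphs up is easiest to see with the bits in front of you. The following is an added example, not code from the thread or from any vendor: it encodes and decodes the common 26-bit "H10301" Wiegand layout (even parity over the first 12 data bits, 8-bit facility code, 16-bit card number, odd parity over the last 12 data bits) and then, from one observed card value, lists the neighbouring card numbers an attacker with a cloner would try first. The facility code and card numbers used are constructed sample values, and the layout is the widely documented one, not a claim about any particular installation.

```python
# Added example (not from the HN thread): 26-bit HID Prox / H10301 layout.
# Bit order is transmission order, first wire bit = most significant bit of
# the 26-bit integer:
#   bit 0        even parity over bits 1..12
#   bits 1..8    facility code (8 bits)
#   bits 9..24   card number (16 bits, usually handed out sequentially)
#   bit 25       odd parity over bits 13..24

def _popcount(x: int) -> int:
    return bin(x).count("1")

def encode_h10301(facility: int, card: int) -> int:
    """Return the 26-bit Wiegand value for a facility code and card number."""
    if not (0 <= facility < 256 and 0 <= card < 65536):
        raise ValueError("facility must fit in 8 bits, card in 16 bits")
    payload = (facility << 16) | card          # the 24 data bits
    left = (payload >> 12) & 0xFFF             # data bits 1..12
    right = payload & 0xFFF                    # data bits 13..24
    even_p = _popcount(left) & 1               # set so that left+bit has even weight
    odd_p = 1 - (_popcount(right) & 1)         # set so that right+bit has odd weight
    return (even_p << 25) | (payload << 1) | odd_p

def decode_h10301(value: int) -> tuple:
    """Split a 26-bit value into (facility, card); raise on bad parity."""
    if value < 0 or value >> 26:
        raise ValueError("not a 26-bit value")
    even_p = (value >> 25) & 1
    payload = (value >> 1) & 0xFFFFFF
    odd_p = value & 1
    left = (payload >> 12) & 0xFFF
    right = payload & 0xFFF
    if even_p != (_popcount(left) & 1):
        raise ValueError("even parity mismatch")
    if odd_p != 1 - (_popcount(right) & 1):
        raise ValueError("odd parity mismatch")
    return payload >> 16, payload & 0xFFFF

def candidate_cards(observed: int, spread: int) -> list:
    """Given one captured 26-bit value (a cancelled card is fine), return the
    encoded values for the same facility and the `spread` card numbers on
    either side of it. With sequential allocation these are the likeliest
    live cards, so the search is tiny compared with 2**26 blind guesses."""
    facility, card = decode_h10301(observed)
    lo = max(0, card - spread)
    hi = min(0xFFFF, card + spread)
    return [encode_h10301(facility, c) for c in range(lo, hi + 1) if c != card]

def search_space(observed: int, spread: int) -> dict:
    """Compare the blind 26-bit space, the per-facility space once the
    facility code is known, and the window a cloner would actually try."""
    facility, _ = decode_h10301(observed)
    return {
        "blind_26_bit": 1 << 26,
        "same_facility": 1 << 16,
        "window": len(candidate_cards(observed, spread)),
        "facility": facility,
    }

if __name__ == "__main__":
    # Constructed sample: facility 123, card 45678 (not real credentials).
    sniffed = encode_h10301(123, 45678)
    print("captured value:", format(sniffed, "026b"))
    print("decodes to    :", decode_h10301(sniffed))
    for v in candidate_cards(sniffed, 3):
        print("try", format(v, "026b"), "->", decode_h10301(v))
    print(search_space(sniffed, 3))
```

The parity bits are the only "integrity" in the format; they catch a bad read, not a forger, since anyone who knows the layout recomputes them. That is the difference between this and the encrypted credential systems mentioned in the next paragraph, where the secret is a key in the card rather than the layout of the bits.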

> an electronic locking company with a groovy kickstarter video (here at lockify, we've reimagined locking things!) and a shiny web 2.0 front end.

I'm surprised no one's brought Lockitron [1] into this discussion.

[1] http://news.ycombinator.com/item?id=4602679

Oh wow, there is one! Actually, looks like a great idea.

In my opinion the best technical hack in that product is designing it to fit over a deadbolt. That does an end-run over the OEM problem of needing distributors or partners to install and manage it, while providing a failsafe for when power or wifi isn't working. It also accounts for various denial of service conditions. It's not more secure than your existing lock in a physical sense, but it's cool that you can log door entries.

Would be an interesting product to perform a security review on.

There are digital locks, e.g. unlocked using RFID tokens. Carrying around a token is not much more convenient than carrying around a physical key, although it does come with other benefits (e.g. easier revocation). Using something like NFC and unlocking a door using your phone would be nice, but on the other hand I don't want to be locked out just because my phone ran out of power.

Anyway, it's not a trivial modification, i.e. just replacing the lock, because the digital lock needs power to process the key and unlock the door. As long as that's necessary, the initial investment and the increased complexity make the benefits moot to me personally. If you have some sort of door knob action maybe you could harness that to generate a small amount of power sufficient to unlock the door?

What if there is a power outage? You say battery? What if the battery fails? And you would still have the problem of keeping thousands of batteries and electronics running, those fail too. In the end you are adding complexity to the system, so physical locks still have advantages.
