Matt Blaze of AT&T Labs published an interesting research paper detailing a troubling fundamental weakness in master-keyed lock systems. These are locks where each lock accepts a unique individual key as well as a “master” key that can open any lock in the set (the weakness is not specific to Master brand locks). This weakness allows any person with access to a non-master key in the set to very easily fabricate a copy of the master key.
One needs very little skill to exploit this weakness, and it leaves behind no evidence. It can be accomplished with nothing more than a couple of blank keys and a metal file, and the attack can be carried out incrementally over a period of time, though it requires no more than a few minutes in total.
The security implications of this simple attack are very serious, since these locks are often used in government offices, schools, and businesses as well as some residential facilities such as apartments, dormitories, and condos. Originally the findings were quietly provided to the lock, law enforcement, and security communities, but since details started circulating in the underground world, AT&T Labs thought it best to make the information public, so institutions using master-keyed locks can become aware of the vulnerability and take whatever countermeasures they see fit, if any.
From the paper:
We tested our attack against a variety of medium- and large-scale institutional master keyed installations, including both educational and commercial environments. Systems tested were both relatively new and relatively old, had been both factory-keyed as well as privately rekeyed, and included locks manufactured by Arrow (SFIC), Best (SFIC), Corbin Russwin, Schlage, and Yale. For the Best SFIC, Arrow SFIC and Schlage systems, we used portable key punches and a supply of blank keys brought to the facilities tested. For the Corbin Russwin and Yale systems, we pre-cut six test keys on a general purpose code machine (based on measurements previously taken from a change key) and used a metal file at the test site to progressively cut the test keys and finally to cut the full master bitting onto a fresh blank key. [...snip...] In every case, the attack yielded the top master key bitting, as expected. In general, it required only a few minutes to carry out, even when using a file to cut the keys.
Cryptology and Physical Security: Rights Amplification in Master-Keyed Mechanical Locks (PDF)
Written by
Alan Bellows, posted on 09 September 2005. Alan is the founder, developer, designer, and managing editor of Damn Interesting, and he likes the Oxford comma.
Get a dog.
JustAnotherName said: “Get a dog.”
That will be addressed in a future article… False Sense of Security: Dogs Can be Distracted With Steaks
Or shot.
Best defense from a dog is the noise.
What about dogs with frikkin’ laser beams on their heads?
Oh man, that’d be so freakin’ AWESOME!
:P
Unless the robber has a mirror…
Don’t just get any dog, get Lassie. That bitch was the canine counterpart of MacGyver…
hippies don’t worry about this stuff.
inclination of theft is = to sick & unhappy people.
would your mom approve. some would and they ought to be sent to Saudi Arabia for punishment.
Hello bump key.
the MOB owns locksmith companies and has bad PIs on their payrolls, hands out keys to bad cops and bad judges. If you rent you’re screwed; if you own you can defend your domain while inside your home only, maybe a safe room and door chains and unkeyed dead bolts. Satellite home cams and mics plus ADT systems are a must if the problem walks in the door. Delay the trespassers and wait and call, THEN and only then can you use deadly force, and only to stop. If you wound you could end up broke and in jail yourself. BEEN there too many times to recall them all.