This article is marked as 'retired'. The information here may be out of date and/or incomplete.

Matt Blaze of AT&T Labs published a research paper detailing a fundamental weakness in master-keyed lock systems: pin-tumbler systems in which each lock accepts its own individual (change) key as well as a master key that opens every lock in the set (the term has nothing to do with the Master brand of locks). The weakness allows anyone who holds one change key from the set, and has access to a lock that key opens, to fabricate a working copy of the master key with very little effort.

Exploiting it takes very little skill and leaves no evidence behind. It needs nothing more than a few blank keys and a metal file, the work can be spread out incrementally over a period of time, and in total it takes no more than a few minutes.

The security implications of this simple attack are serious, since master-keyed systems are common in government offices, schools, and businesses, as well as in residential buildings such as apartments, dormitories, and condominiums. The findings were originally provided quietly to the lock, law enforcement, and security communities, but once details started circulating in the underground, AT&T Labs decided it best to make the information public, so that institutions using master-keyed locks can become aware of the weakness and take whatever countermeasures they see fit, if any.

From the paper:

We tested our attack against a variety of medium- and large-scale institutional master keyed installations, including both educational and commercial environments. Systems tested were both relatively new and relatively old, had been both factory-keyed as well as privately rekeyed, and included locks manufactured by Arrow (SFIC), Best (SFIC), Corbin Russwin, Schlage, and Yale. For the Best SFIC, Arrow SFIC and Schlage systems, we used portable key punches and a supply of blank keys brought to the facilities tested. For the Corbin Russwin and Yale systems, we pre-cut six test keys on a general purpose code machine (based on measurements previously taken from a change key) and used a metal file at the test site to progressively cut the test keys and finally to cut the full master bitting onto a fresh blank key. […snip…] In every case, the attack yielded the top master key bitting, as expected. In general, it required only a few minutes to carry out, even when using a file to cut the keys.

Cryptology and Physical Security: Rights Amplification in Master-Keyed Mechanical Locks (PDF)
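As an added illustration (not code from the paper, from Matt Blaze, or from AT&T Labs), the following Python simulation models the attack quoted above: a lock whose pin chambers each accept either the change depth or the master depth, and an attacker who holds one change key and can try keys in the lock. The lock model, the six-pin ten-depth system and the sample bittings are constructed assumptions of this example; the position-by-position search mirrors the procedure of cutting each test key to the change bitting everywhere except one position and filing that position progressively deeper until the lock opens.

```python
"""Simulation of the rights-amplification attack on a master-keyed pin-tumbler
lock. Added illustration, not code from the paper or from AT&T Labs.

Model (an assumption of this example): each pin chamber holds a change pin
and, where the change and master bittings differ, a master wafer, so the
chamber reaches a shear line at exactly two cut depths, the change depth and
the master depth. A key opens the lock when every position is cut to one of
those two depths. Multi-level systems (sub-masters, extra wafers), MACS and
other adjacency rules, and key profiles are ignored.
"""

from dataclasses import dataclass
from typing import Sequence, Tuple

DEPTHS = 10  # distinct cut depths in the system; 0 is the shallowest cut


@dataclass(frozen=True)
class MasterKeyedLock:
    change: Tuple[int, ...]  # bitting of this lock's own (change) key
    master: Tuple[int, ...]  # bitting of the top master key; unknown to the attacker

    def opens(self, key: Sequence[int]) -> bool:
        """The only oracle the attacker has: does this key turn the lock?"""
        if len(key) != len(self.change):
            return False
        return all(k in (c, m) for k, c, m in zip(key, self.change, self.master))


def recover_master(lock: MasterKeyedLock, change_key: Sequence[int]) -> Tuple[Tuple[int, ...], int]:
    """Recover the top master bitting from one change key and a lock it opens.

    For each position, the test key keeps the change bitting in every other
    position (those chambers already sit at the change shear line) and is
    'filed' progressively deeper at the test position only. The lock then
    opens exactly when the test cut matches the change depth (already known)
    or the master depth. Returns (master_bitting, number_of_trials).
    """
    change_key = tuple(change_key)
    master = list(change_key)
    trials = 0
    for pos in range(len(change_key)):
        found = None
        for depth in range(DEPTHS):  # shallow to deep: a file only removes metal
            if depth == change_key[pos]:
                continue  # opens trivially and says nothing about the master
            test_key = list(change_key)
            test_key[pos] = depth
            trials += 1
            if lock.opens(test_key):
                found = depth
                break
        # No other depth opened: this chamber has no master wafer, so the
        # master and change keys share this cut.
        master[pos] = change_key[pos] if found is None else found
    return tuple(master), trials


def worst_case_trials(positions: int, depths: int = DEPTHS) -> int:
    """Upper bound on trials: every depth except the change cut, per position."""
    return positions * (depths - 1)


# Constructed sample system (not from the paper): six-pin locks, ten depths.
# Positions 0, 2 and 4 carry no master wafer; positions 1, 3 and 5 do.
TOP_MASTER = (3, 8, 2, 1, 4, 9)
LOCK_A = MasterKeyedLock(change=(3, 5, 2, 7, 4, 6), master=TOP_MASTER)
LOCK_B = MasterKeyedLock(change=(0, 2, 2, 5, 4, 3), master=TOP_MASTER)


if __name__ == "__main__":
    # The attacker holds lock A's change key and can try keys in lock A.
    recovered, trials = recover_master(LOCK_A, LOCK_A.change)
    print("recovered master:", recovered, "after", trials, "trials")
    print("worst case:", worst_case_trials(6), "trials, vs", DEPTHS ** 6, "keys by brute force")
    print("recovered key opens lock B:", LOCK_B.opens(recovered))
    print("lock A's change key opens lock B:", LOCK_B.opens(LOCK_A.change))
```

Against the sample system the search recovers the master in 46 trials, within the bound of 54 (six positions times nine alternative depths), where guessing the master outright would face a million candidate six-pin keys. The recovered bitting opens lock B, which the original change key does not: that is the rights amplification. Installations with several master levels can have more than two depths that open a chamber, a case this simulation does not model.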