This is the lockpicking equivalent of calling a cracker a hacker.
Also, no lock can be 'unbumpable' just because it has a restricted blank, as by definition in those cases, if the blank can be obtained, the lock can be bumped.
Unbumpable is generally reserved for locks that actually are, by using a mechanism other than pin tumblers (e.g. rotating discs (e.g. Abloy Protec), magnetic encoding on the key (e.g. EVVA MCS), sliders (e.g. EVVA 3KS), or driverless pins (e.g. BiLock)).
High security locks have for a few years been incorporating moving/active elements into keys to avoid duplication, both now from 3D printing, but also originally from casting a copy of the key. As it is, keys witout those can be directly duplicated rather than even needing to bother with a bump key (unless you wanted to open more locks than the key used to make the copy can access).
Jos Weyers has repeatedly brought plain sense to hyperbolic reporting. His statement at the end is bang on:
“The sky isn’t falling, but the world changes and now people can make stuff,” says Weyers. “Lock manufacturers know how to make a lock bump-resistant. And they had better.”
Always very pleased to see his name pop up when this sort of thing makes news, as he never seems to offer a quote that can be used to stoke unreasonable fear.
I mean we've known about bump keys and lock picking for more then 50 years. None of this is news. If I 3D printed a set of lock picking tools would Wired run a story on me?
Author of the story here. Like I wrote, 3D printed bump keys make locks that weren't easily bumpable in the past more easily bumpable. That's not a 50 year-old idea. Likewise, if your 3D-printed lock picking tools were more effective than the traditional kind, than yes, I might write about them, too.
Changes to the keying of the key's shaft has little to do with how bumpable it is. If its still using the same internal mechanism.
What I'm saying is, if you lock the case to your desktop shut. Dumping your unencrypted hard drive is still possible, and easy. And fundamentally completely unchanged. All you did was put a hurdle in front of it, not fundamentally change the attack vector.
EZ Entrie machines[0], first of all, as they've been around for a decade or so and are purpose built to mill one-off high security blanks out of brass, so they're significantly more effective than their plastic counterparts. They are admittedly expensive, but when I briefly had access to one the gentleman running it was cutting me fresh blanks for a Euro a piece. They also have rather jaunty bows with smiley faces inscribed in them.
Additionally, people have been bumping things with just about anything that can fit into a keyway, it doesn't particularly matter if it conforms to the exact shape of the key, so long as it can still interact with the pins directly. So, bent sheet metal with teeth cut into them, flexible grocery loyalty cards, etc. have all been used by folks in the locksport community to bump locks they didn't have proper blanks for. I can't deny the SK6 (and many Ikon locks, they are vicious) didn't have a particularly murderous keyway, but the possibility of carrying out a percussive attack wasn't nil.
I think you might be missing the point. No one is saying it was impossible. The whole point is that access, cost, and effort have gone WAY down with the advent of 3D printing. Your comment just drives this home - before you needed an expensive machine and a skilled operator, or a ton of time and skill to fashion one. Now you can just pick one up off the internet for $5.
A: He implies it was previously impossible in the article with this line:
"As a result, all anyone needs to open many locks previously considered “unbumpable” ..."
B: He asked someone to tell him how it could have been bumped prior to this application.
C: I described, in my scenario, the purchase of a 1 Euro blank from someone who runs the machine, which is actually /less/ than the Shapeways scenario, which is otherwise the same - you don't purchase the equipment, you purchase the product the equipment makes.
How much does that Easy Entrie machine cost? I'm seeing something like $10,000. A 3D-printed bump key ordered from Shapeways costs $5, and surely works better for obscure keyways than the ad hoc stuff you're describing.
You literally asked someone to describe how they would have bumped it previously and I gave you a reasonable answer that included a scenario in which you haven't purchased the machine, but instead purchased a blank cut by the machine for LESS than what Shapeways are charging for your key.
Not to mention that you seem to be ignoring the second paragraph entirely.
And, honestly, this seems like a silly argument to be having. I actually think the boys did great work on this, and I really appreciate that you mention the possibility of forensic evidence (in the practice of which Germany is a leader) left by these keys. I just think that some people commenting on this thread are a bit frustrated by some of the hyperbole, and your insistence that there is no hyperbole is continuing to derail whatever point you are attempting to make.
To address your points: I'm not sure where to find someone with this expensive machine. I know where to find Shapeways.com pretty easily. And as I wrote above regarding your second paragraph, a precisely-printed key surely is more reliable (and easier to make) than the bent sheet metal and grocery loyalty cards.
I agree this argument is silly. Whether an Ikon SK6 lock is considered "umbumpable" and by who is pretty subjective. But this thread began with a commenter saying that none of this is news, and that it's all 50 years old. Hyperbole is indeed pretty annoying.
Hah, that's an absolutely fair point. I agree completely that this is news and certainly don't appreciate it being disregarded out of hand. We are, perhaps, in some sort of heated agreement at the end of the day :)
That is my point. Key locks have this fundamental design flaw. The difficulty of exploiting this flaw differs from lock to lock, yet the flaw still exists. Its inherited from the fundamental design of the lock.
When the flaw becomes easier to exploit its isn't so much news, it was bound to happen anyways, I mean your just wrapping iron bandages around a flaw and causing it fixed. This happens in software security all the time. The flaw still exists, just we added an abstraction above the flaw, that makes the flaw harder to exploit.
If I have access to a mill and pictures of some "high security key", sans magnets and other types of active mechanisms, I can duplicate that key.
It may be difficult, but subtractive method still works. A subtractive method is what is used when you go from blank to key.
What is new here is someone can print a plastic key. Cool. with PLA and a rubber vacuum set, I can cast any amount of iron blanks of said 'secure keys'.
Yeah, the story doesn't mention printing anything from your own $1,000 printer. Shapeways sells much higher quality 3D printing as a service, which is why these guys used it.
You can take a restricted, already cut key and rebuild it with epoxy, then grind down the epoxy and key to make a bump key. I've seen it done. The primary difference today is that you can print the key blank itself without need of an already cut key.
one of the best tricks I learnt was not to put drinks in-front of your keyboard... very important (no joke), good space is behind your keyboard or the non-mouse side.
oh, that's good then. i too learned from personal experience. funny witticisms on the internet are rendered unfunny pretty quickly after you spew cola all over your setup. smh
I'm not sure what 3D printing has to do with any of this, other than that bump key was 3D printed. That key could have just as well been CNC'd or cast or whatever manufacturing method.
Unless they figured out this key because 3D printing allowed for rapid iteration.
The difference is there's the possibility that anyone could download a blank key 3D file off of the pirate bay and then get it printed for $5 from Shapeways no questions asked.
Even I could do it.
I don't even know where I'd find a CNC machine. If I asked someone who has one to make a blank key for me he'd probably tell me to fuck off or call the police, and if I tried to use it myself I'd probably cut off my arm.
It's definitely not a revolution of any kind, it's just another step towards lockpicking made easier and more accessible, and makes the concept of physical locks as a lone defense weaker.
There were many points in the article why 3D printing makes the old technique more easily accessible.
For example:
> In this video, Holler demonstrates a 3D-printed and filed bump key for an Ikon SK6, a key that uses restricted, carefully contorted blanks that can’t even be created by many key-milling machines.
Maybe the average key milling machine can't do it, but a general-purpose mill could. And for less than the cost of a 3D printer that can make strong finely detailed parts, you could buy a decent sized CNC machining center that could make keys (or anything else) out of real actual metal. For a tenth of the cost (or about the cost of a hobby printer), you can get a manual machine and do it by hand.
I briefly looked into buying high-security locks and reinforcing my door frames when I moved into my new house. Then I realized I had two massive, 20-year-old windows on either side of the front door. In other words, a $350 lock isn't going to stop any crackheads who really want to get in.
Physical security (the real, you-can't-break-this kind) is for banks and governments. For everything else there's video.
It's true that the average random person doesn't need a lock by Abloy/EVVA/etc. just because it's (as close as possible to)unpickable, but I would always avoid bumpable locks as well as ones that are (more)vulnerable to destructive attacks, two categories which include quite a lot of 'high security' locks including UL 437 rated ones. Bumping is still rarer than breaking a window, crowbarring a weak door frame, or kicking at the spot of a weak lock, but is definitely increasing in popularity as it's significantly less obtrusive and doesn't leave visible damage that may alert passers by while the crime is still in progress.
Myself, when I am able to own my own house, I am definitely fitting upgraded (unbumpable) locks as part of basic diligence with regards to security, along with fixing any easily breakable windows.
It's also worth noting that windows can always be reinforced/refitted with laminated glass or even protective films that provide enough protection that the random opportunistic crackhead will probably give up when it doesn't break straight away so as not to get caught. Burglaries that take longer than 30 seconds or so to get in will often be aborted because of the risk of getting caught, especially when there are so many houses with no or insufficient alarms, windows that can server as an easy entry point without a motion sensor behind them, and weak locks that can easily be bumped/pulled[1].
If you have big breakable windows, always invest in a good alarm with motion and/or glass-break sensors though.
[1]Pulling/snapping is gradually becoming the new bumping - some lock designs are physically weak enough that they can be either broken inside the door or physically pulled out with hand tools. Example news article: http://www.bbc.co.uk/news/uk-england-leeds-17075027
This really hit me recently when I left the house after doing some cryptography research.
When I "locked" the wooden door with a piece of metal that has been photographed by probably countless cameras... I just had to laugh at myself and wonder why I bad been programmed to do this seemingly pointless action my entire life.
Right. That old adage about "keeping honest people honest" I think really applies. The ol' $20 Schlage deadbolt will keep the random bored teenager from wandering in. My personal feeling is that folks who are... shall we say on the edge ethically still make a distinction between wandering in somewhere freely, and literally breaking in.
It's not that pointless, it filters out a certain casual thief type quite effectively. For most people its about cost/benefit analysis, and if it's a minor pain in the ass to do something, then it won't happen.
I've researched the "why" and a couple years ago had the opportunity to discuss some of the broader ideas in the history & anthropology of locks. It was actually titled "Why do you lock your door?"
No. Why would you? The casualness with which the question is put makes me curious, but my home keys are generally something I use in the door at home, not at the store.
Keys have and always will be security through obscurity.
For most people it's not an issue. The only people that are likely to bump your lock are really professional thieves (who are rare) or intelligence services who'll have better equipment.
Most businesses are more than secure enough. It's far easier for a crook to gain access via social manipulation than it is to bypass physical security systems. As with home security, humans are always the weakest link in the chain.
I previously worked for an international company that manufactures hinges for heavy doors. I once spoke with a man who worked with locks. He said,(and I don't recall the jargon) [keys will soon have more than one set of teeth and the angle between the rows of teeth will be variable].
Do you remember when this was? Multiple rows of pins have been around for ... well, since 1848 at least, but in modern locks, Kaba & Sargent (later bought by Kaba) have been using multiple rows for many decades.
Doesn't actually prevent bumping, though! Additionally, the "angle between the rows" is interesting in thinking what exactly he might have said. Sargent, again, with the Keso introduced the idea of somewhat variable spacing of the pins in the Keso.
Additionally, if we're talking angles, there was the Medeco Biaxial (often confused for the original Medeco lock) which introduced the idea of "fore", "center" and "aft" positioning of the cuts in the key/position of the chiseled tips of the pins.
The former, Sargent, can still be readily bumped as even though you won't always know if a pin will be present, you know every possible location of the pins and can adjust accordingly. With Medeco, it's significantly harder, though they caused themselves problems with a heavily restricted code book so that the mere visual observation of the first two pins in the lock could give you a very good idea of the positing of the other elements and allow you to make a few possible bump keys to attack them. They've since fixed that problem.
Two very different problems, though both are locks. In the case of a car you don't always get to choose the security of the community it lives in. Its portability, price and effective lifespan dictate different standards of security.
In the US the average length of car ownership is at an all time high of 6 years. You can reasonably expect the locks to outlive your interest in the vehicle. Whereas (and this is all quick googling to get to a point, so anyone feel free to correct my figures) the average ownership of a home is 20 years. Now, while locks can certainly survive that long, it's a good idea to replace them once in a while.
Additionally, in the rental market where turnover is significantly higher, there are often laws that require the regular changing of the locks from tenant to tenant.
And - another factor - insurance standards related to security on cars are much more robust than insurance related to security on buildings. You can occasionally find a break for having a second lock, or deadbolt, etc. but your returns on insurance breaks diminish completely as you invest in higher end physical security.
All of this is to say - door locks are a commoditized after-market product that are influenced by geography. They are made to be replaced/maintained by the user and there will always be a thriving budget marketplace for them. Your car locks, on the other hand, are never meant to be worked on by the user, are rarely replaced and have almost no competitive after-market.
Hope that helps lay out some of the differences between the two.
(and I could go on. Lot of other stuff around OEM, cost of production, ability to sell on security, etc. etc.)
They're expensive, complicated, failure-prone and proprietary. But then again, so are some high-security door locks.
Honestly it's probably just the industry wants to keep its separate businesses which adds up to more money. People sell rfid fobs separate from their high-security keys while cars combine the two. There's no reason you couldn't take the ECU out of a Lexus, wire it up to an arduino, plug it into a wall, attach a solenoid to a door lock and weld the lock cylinder of the car into a door handle. Since modern Lexus keys act as RFIDs when their batteries die it should be mostly fail proof.
Or just use a better lock. Pin-tumbler locks are just awful and inexcusable. We have know that they are bad and had better options for more than 5 decades. Yet for some strange reason they have managed to maintain their market dominance in the US. Every year they add new mitigation features that generally either don't actually work, or if they work, they just make picking it a tiny bit harder. If you want your front door not to be easily pickable, just get Abloy Protec or a similar lock for it.
Of course, the reason for this is that criminals largely don't pick locks.
Of course, but the point of the article is that blanks for high security locks used to be much harder to come by. Now, software and 3-D printers make it easier to defeat the feature that makes them "high security". The implication is that pretty much anybody can do it now.
I remember reading several years ago about how one can take a picture of a key from far away and use that image to replicate the key. Back then, replicating keys from a picture was not something just anybody could do, so it wasn't a threat worth fretting about. Presumably 3-D printing will make that easier too. One can even imagine an app: point your phone, press a button, and get a key in the mail a few days later. I expect we'll see that article soon.
That app/service has existed for years, first Shloosl (now keysduplicated), then KeyMe and I believe the proprietors frequent HN, so I expect you may see them pop up to offer an informed opinion on this article.
For some locks, that's true. Other lock companies use copyright to do key control. Your not going to find blanks for many of the kinds of keys this promises to print.
This is the lockpicking equivalent of calling a cracker a hacker.
Also, no lock can be 'unbumpable' just because it has a restricted blank, as by definition in those cases, if the blank can be obtained, the lock can be bumped.
Unbumpable is generally reserved for locks that actually are, by using a mechanism other than pin tumblers (e.g. rotating discs (e.g. Abloy Protec), magnetic encoding on the key (e.g. EVVA MCS), sliders (e.g. EVVA 3KS), or driverless pins (e.g. BiLock)).
High security locks have for a few years been incorporating moving/active elements into keys to avoid duplication, both now from 3D printing, but also originally from casting a copy of the key. As it is, keys witout those can be directly duplicated rather than even needing to bother with a bump key (unless you wanted to open more locks than the key used to make the copy can access).