MIT Researchers: Printable Keys Make Mechanical Locks Insecure

And another thing! The French Patent office many years ago ceased allowing patents on keys that did not have a movable element, which led to the development of many keys that cannot be readily duplicated without access to either the restricted blanks or very serious equipment &amp; knowhow with which to make the blanks. These systems remain well outside the realm of 3D printing. DOM Saturn[0], Mul-T-Lock Interactive (and up), Vachette Radial[2] and a handful of others.[3]<p>Mechanical locks are far from dead, but I&#x27;d love if someone reading this took it as a challenge to reproduce keys with movable components. I&#x27;m a big proponent of pushing these systems and finding ways to circumvent them, using any technology available. I just don&#x27;t like it when the response is to throw the baby out with the bathwater.<p>[0] <a href="http://www.dom-sicherheitstechnik.com/DOM-ix-Saturn.667.0.html" rel="nofollow">http:&#x2F;&#x2F;www.dom-sicherheitstechnik.com&#x2F;DOM-ix-Saturn.667.0.ht...</a> [1] <a href="http://www.mul-t-lockusa.com/614.html" rel="nofollow">http:&#x2F;&#x2F;www.mul-t-lockusa.com&#x2F;614.html</a> [2] <a href="http://www.vachette.fr/fr/site/Vachette/Systemes-de-Securite-test/?productId=691126" rel="nofollow">http:&#x2F;&#x2F;www.vachette.fr&#x2F;fr&#x2F;site&#x2F;Vachette&#x2F;Systemes-de-Securite...</a> [3]<a href="http://www.lockpicking101.com/viewtopic.php?f=9&amp;t=56691" rel="nofollow">http:&#x2F;&#x2F;www.lockpicking101.com&#x2F;viewtopic.php?f=9&amp;t=56691</a><p>(edited to add links)

You can make a electronic bump key that will open most doors for &lt;$100, most buildings have windows (cover them in duct tape to break without noise), and even the wire mesh in the walls of a &quot;secure&quot; building can be cut with thermite. If you want real physical security you&#x27;re going to need much harder materials: steel, titanium, tungsten, concrete.<p>This comment captures the security problem well.<p>&gt; &quot;[Locks] are more of a tamper-evident seal, or a delay tactic. The issue with bumping, picking, carding, and 3d-printing is how it invalidates the current approaches towards those two aspects.&quot;<p>However, of those options, 3D-printing is clearly the worst. Bump keys and carding latches takes seconds, picks minutes, and 3D printers hours. It seems that the only situation this method would be useful is with advance access to a key, a radial-pin lock, and a free 3D printer.

Human behavior toward keys makes mechanical locks insecure. We&#x27;ve been able to reproduce keys, even fairly complex ones, well before 3D printers came along. Get a clean enough impression&#x2F;scan&#x2F;photograph and we can make it happen, perhaps 3D printing is seen as making it more accessible to the general population.<p>I&#x27;m about to go on a whole thing here, so let me first say that I am excited about their work and I have personally been pushing for years to see more high security key printing happening (see Nirav Patel&#x27;s Abus Plus key printing[0])<p>What I take umbrage with is the idea that this development is going to be the death of mechanical locks. Even the suggestion that it _should_ be the death of mechanical locks. In the Forbes article [1] One of the students behind this work suggested that his goal was the elimination of mechanical locks:<p>&quot;If we show that mechanical locks are vulnerable to key duplication just by having a handful of numbers you can download off the internet, hopefully they&#x27;ll be phased out more quickly,&quot; says Van Albert.<p>What this fails to address is that the cuts on your key are supposed to be a secret, and your behavior toward your keys should be the same as your behavior toward a password. You don&#x27;t pass it around and you are very careful about who you trust it with.<p>I also dislike the characterization of the discovery of the &quot;numbers&quot; in the main and sidebar bittings. That information has been publicly available and the suggestion that they &quot;reverse-engineered&quot; (from their abstract submitted to defcon)[2] the lock is a bit dramatic. Better, I think, to say that they &quot;read the documentation.&quot;<p>Obviously I have a chip on my shoulder when it comes to mechanical security, but I am confident saying that any call for the blanket abolition of mechanical locks is short-sighted and narrow-minded. This could have been an amazing opportunity to address human behavior as it relates to mechanical security, but instead it was wasted on the age-old call for the death of locks. There remain myriad places where a traditional lock is still required, there are myriad populations who are not able to sustain electronic locks.<p>If the day does come when mechanical locks can be left to the dust of history, it will be more likely the result of dramatic shifts in society than in technology. It will be the death of all locks, not just mechanical ones.<p>[0] <a href="https://github.com/nrpatel/PhysicalKeygen/blob/master/abus_plus.scad" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;nrpatel&#x2F;PhysicalKeygen&#x2F;blob&#x2F;master&#x2F;abus_p...</a> [1] <a href="http://www.forbes.com/sites/andygreenberg/2013/08/03/mit-students-release-program-to-3d-print-high-security-keys/" rel="nofollow">http:&#x2F;&#x2F;www.forbes.com&#x2F;sites&#x2F;andygreenberg&#x2F;2013&#x2F;08&#x2F;03&#x2F;mit-stu...</a> [2] <a href="https://www.defcon.org/html/defcon-21/dc-21-speakers.html#Lawrence" rel="nofollow">https:&#x2F;&#x2F;www.defcon.org&#x2F;html&#x2F;defcon-21&#x2F;dc-21-speakers.html#La...</a>

Is this surprising? I&#x27;d imagine 3D printing would be capable of replicating the form of nearly any solid object that fits within the bounded volume of a given 3D printer.

I looked at making 3D-printed keys for my own locks, just for show (think yellow key, green key, etc).<p>I found two issues when researching its feasibility: printing accuracy and temperature range of the plastic. My results were that the lower-cost 3D printers didn&#x27;t have the required precision, and more importantly, the printed plastic would simply melt if it sat in a hot car during the summer.<p>My research is probably out of date now, so I wonder what kind of plastic is being used these days.

Interestingly, just posting a photo of the NYC master key set should be enough to duplicate them. Has anybody already gone from that photo to 3D models to a set of functioning NYC skeleton keys?<p>TBH, there is no reason that the city should be using such archaic key types. In Brazil, they typically used a four sided key like a philips head screwdriver that would need to be photographed from at least two sides to be able to reproduce.

Would it be possible to combine a parametric model of a given type of key with a device that can detect where the shear line is for each pin? I&#x27;m envisioning a device that you can stick into the lock one day, then go away and extract data that describes the key, which you feed into a parametric model, which you then use to produce the correct key using a 3D printer. Then you come back the next day and use this perfectly valid key to compromise physical security.<p>A device which can do such detection could be far less expensive than a device to both detect and actuate the pins.

&gt;&gt;&gt;&gt;All you need is a friend that works there, or to take a picture of their key, or even a picture of the key hanging off their belt.<p>I&#x27;m wondering how you can replicate a poorly taken smartphone camera image into a key that would unlock a high security lock. If you can&#x27;t see the grooves clearly on the key from the photo, how does the software or printer know where the grooves should go? I feel like this is quite a stretch to think you can take a photo of a lock several feet away and get an exact duplicate from a 3D printer.

That&#x27;s it Schlage. Time for 2-factor authentication key-rings.<p>Schlage Master Security (SMS) &quot;Turn the key, type the text&quot;

Good. Can we <i>finally</i> have contactless smart card access control in the mainstream now?<p>The audit and management features of an electronic access control system already make mechanical keys inexcusable on any door that &gt;1 person needs to open. Hopefully revelations like this will push more organizations to upgrade.

i wonder if one could really copy more advanced keys (f.e. the ones from KABA [0] are pretty common here) by just having some scans of the keys. these keys generally have different layouts on each side, and sometimes also on the small top&#x2F;bottom sides. so just a snapped photo definitely would not be sufficient. and even with flatbed scanners like the team in the article used, capturing the depth of the holes might be problematic...<p>[0] <a href="http://www.kaba.com/access-control/en/Products-Solutions/Mechnical-Lock-Cylinders/332590/kaba-20.html" rel="nofollow">http:&#x2F;&#x2F;www.kaba.com&#x2F;access-control&#x2F;en&#x2F;Products-Solutions&#x2F;Mec...</a>

This is lame beyond believe.<p>Do you know how in the 80&#x27;s and 90&#x27;s everything that everyone was already doing was &#x27;changing&#x27; because of computers.<p>it&#x27;s the same now with 3D printers. Forever you could duplicate a key in a machine with just a picture of the original. just because the machine to duplicate it become easier it&#x27;s not going to change the world. dammit you could already do the same with a blank and a hand file, it would just take 40~200min depending on skill instead of 5~15min on the machine.

A key is a deterrent, nothing more.

That website has a memory leak. I left it open for about 10-15min and it ate 2GB of my ram.

In other news, obvious consequence is obvious.

Have to fix this problem without changing to advanced systems

So do hammers.