[00:00:00] Is there another one down here? I've got that video. Here's the walking mic. So we've got, like, two minutes before we actually get this thing going. And as you can tell, we're experiencing technical difficulties, please stand by. Cursory stuff. Q&A mic, right over there. Once we get rid of our wonderful technical difficulties, you will want to use the Q&A mic whenever you ask a question, or at least repeat the question so it gets put up on the video, so people that watch the video later on actually know what kind of question we're asking. Next, if you have to leave, use the three exit doors in the back of the cabin. Back of the room. Do not try to exit the doors as you leave, because that's crowded and there are going to be lines there today and the room is going to get crowded, so it helps the flow if you go out the back. And with that, are we having fun? Yeah (whistle). Who's hungover? The rest of you all, not working it right. Got to have more fun out here. It's Vegas, you know?
[00:00:25] You don't have to tell back home what happened. But you can tell what happened here. What's your favorite talk that you've gone to? Anybody? This is entertaining. Okay. Anybody got a joke? This one. Nice! (Laughter). Squirrels and nuts. Anyway, okay. You'd have to do that. Yeah. Here. I guess since we're going to start this off, we'll let the speakers start the show, because they might have some things to talk about at the beginning before they start their slides. So we'll let the other guys do their job and we'll let the speakers start. So have fun. Oh, I got to call home. You're fine. Okay. Okay.

MARC WEBER TOBIAS: Well, good morning, everyone. Welcome to DEF CON again. We're glad to see you all up this morning. My name is Marc Weber Tobias. This is Tobias Bluzmanis, my partner. And hopefully they'll get our audio problems dealt with. And our... hey, okay.
[00:01:04] So we've got video on both screens? But no teleprompter?

MARC WEBER TOBIAS: Right. But the president is not here, either. So Toby and I work for Security Labs, which is in our office, and we work for a number of major lock companies in the world. We have a team that analyzes mainly high security locks, but some consumer level products as well, for security vulnerabilities, mainly for covert entry. So a few years ago at DEF CON we talked about a number of different consumer level locks, but not really in detail. And as a result of that, we ended up filing a complaint with one of the standards organizations about the lock we're going to talk about today. And we figured a couple years would go by, some things would occur, maybe the problems would be remedied, but they weren't. So today we're... now the monitor went away here, but I guess we're okay. So today we're going to talk about one of the most popular consumer level mechanical cylinders in the United States, and the problems, the design problems that we found. How many of you guys have this lock on your doors? Ooh.
[00:01:56] So everybody knows what this is. Okay. Yeah. So this is probably... in the United States there's really two major consumer level brands. This is one of them. And they're in every DIY store, hardware store. And a lot of folks believe that these are really secure. And in many ways they are. The problem is, as we'll point out to you, in critical ways they're not. So we're going to go through... we've done a pretty detailed slide presentation, with a lot of graphics and animation that we hope you guys enjoy, to detail the problems. And we recognize that a lot of folks can't afford high security cylinders that are $75, $100, $150 a piece. We do understand that. And I guess some lock is better than no lock on your door. But there's also a false sense of security, that these kind of locks provide a higher level of security than they do.
[00:03:08] And that's also enhanced by packaging and marketing statements by the manufacturer, especially with regard to the Builders Hardware Manufacturers Association standard, which is a consumer/commercial level standard that has much more to do with endurance and durability than security. And that's the case in this lock. So Kwiksets are really easy to understand. Today we're going to talk about their SmartKey versus conventional pin tumbler locks, and a number of ways we've determined to open them very rapidly that present some serious vulnerabilities. Now, you'll notice that the lock on the left hand side of the screen, that's a SmartKey, because it's got a little slot to the left of the keyway. That means it's a reprogrammable lock. So what we're going to do is begin this morning by letting you listen to a couple pieces of audio. We called customer service repeatedly to ask them how secure their locks were, as if we were going to buy some. And we wanted to set the stage, because either these folks aren't trained properly or they're making statements that they shouldn't be making.
[00:04:28] So either way, we thought you would enjoy the questions. These are about two minute clips each. And nothing has been edited out that was relevant. Only the chit chat between us; these I tried to edit down to the relevant statements. So this first one was in June of this year with Brian.

Audio clip: Kwikset, this is Brian. Can I help you?
A couple questions on SmartKey.
Okay.
So my only concern is, is Kwikset comfortable and has basically debunked this, that there's no way to stick a screwdriver, just a common tool, into the lock and open it?
Technician: No, that would be a negative. I mean, if it was that easy to pick a Kwikset lock, they would be having us do recalls, okay. This customer has this unit, get a call tag, have a prepaid label sent, and sent back to our quality control. There's nothing like that. It's business as usual.
Are you guys aware or been trained of any tools out there that will open these, or is this all just nonsense?
Technician: No, without the key you can't open it, no.
[00:05:43] Just so I can tell my boss, as far as Kwikset is concerned, other than drilling these, if you don't have the key, you're not going to get in.
No. That's the bottom line. If you stick anything foreign inside the keyway, it's just going to make it that much harder to open up.
Basically what you're telling me is it isn't going to happen.
You can sabotage the keyway, which... (ended)

MARC WEBER TOBIAS: That was Brian. So you're starting to get the picture. This is Satima.

(start audio) How can I help you?
Are you tech support?
Yes, I am.
Ma'am, we're looking to buy a large amount of your SmartKey cylinders. So I have some questions.
Go ahead.
Are you technical?
Yes.
How about forced entry? How difficult are they? Like the old locks, you could take a screwdriver and put a lot of pressure on them. Same thing with these. You can line up the springs. That's what the screwdriver would do, right? Force the springs to align and open the lock.
[00:06:55] With these ones, you can't even put a flat head screwdriver in there.
You can't.
You can't, no. Because there's racks, we call them. They're coming from up and down, up and down direction. Not just up.
Okay. So this stuff on the Internet is not true? That you can stick a screwdriver in them and open them.
No, no. We were aware of that video and, you know, we found out about it. But they did something else before they showed that video. I believe that's what I heard, that they did something else to the cylinder and then they recorded the video using a flat head screwdriver and opening it. That's not how it works.
So, if somebody walks up to a lock in one of our apartments, unless they can take that lock apart, you're telling me they can't open it without a key.
That's correct, sir.
Is there any quick way of forcing these open that a burglar could do, like, in 30 seconds or 15 seconds?
No, no.
Is there anything you guys have been trained on or are aware of?
No, no. Nothing like that.
[00:08:06] There's no tool you can just put in the cylinder and just pop it open.
There isn't. There's no emergency key that we send you that will open it. Nothing like that.
How long have you been with Kwikset dealing with these?
Four years.
Let's just take a 4 inch or 6 inch screwdriver, which everybody has in their kitchen drawer, and you stick it in the lock and you take a pair of pliers or vice grips and you turn it. Can you open the lock?
No.
What about sticking a wire through where the key goes in, or any other...
MARC WEBER TOBIAS: Now don't jump ahead of yourself.
No wire or anything like that. You cannot. No, you cannot.
You wouldn't worry about these to protect your valuables or your house or apartment?
Not at all. (end audio)

MARC WEBER TOBIAS: That's what the public is told if you call in and want to know if these locks are secure. I don't think there's any malice on the part of their employees. They just don't know. They haven't been educated.
[00:09:19] There was plenty of stuff on the net a couple years ago that they referred to. I don't know if they don't know or have been told not to say it. They just don't know. The reality is, as we see from a show of hands, there's millions of locks used in America, homes, apartments, businesses; they're inexpensive. Cylinders run 20, 30, maybe $40 a piece. They have pin tumbler models and SmartKey models, deadbolts, and also electronic cylinders. So it is one of the most popular locks in America. And they've been in business actually for about 60 years, and again, they have a very diversified product line. These are some of their distribution channels, as you recognize: Home Depot, Lowe's, Ace Hardware, lots of folks are carrying these locks. Mainly they're sold through DIY channels, do-it-yourself channels, rather than the locksmiths. A lot of locksmiths actually don't care for these cylinders, because it circumvents their revenue and they're low quality locks. And this is a shot, I think, from Home Depot. And they're very, very prevalent. They've got great marketing. They're in residential and apartment facilities.
[00:10:41] So Kwikset, Weiser, Baldwin, the basics. Toby?

TOBIAS BLUZMANIS: No, keep going.

MARC WEBER TOBIAS: We're talking about pin tumbler locks, which is their older version, and SmartKey. SmartKey, we'll show you the difference. In some ways it is a very clever lock. The pin tumbler locks they sell are 5 or 6 pin. SmartKey is 5 pin. The SmartKey, there's attributes that the pin tumbler locks don't have as far as security. The pin tumbler locks, if some of you guys were around several years ago, we had 11 year old Jenna Lynn bumping them open. You all remember Jenna Lynn? She's probably in college now. But she became a YouTube star, a little girl who in one minute figured out how to open these locks, whack whack, they're open. The problem is they all have the same keyway. There's no duplication protection. There's no key control protection. These are definitely not for high security installations. They're mainly residential and apartments. So Kwikset history, as I said, they've been around about 60 years; they're very easily compromised.
[00:11:55] And the SmartKey was introduced around 2008, but probably a lot of you folks still have pin tumbler locks. You probably wouldn't know the difference unless you look at the little slot, the right hand photograph, the little slot to the left of the keyway; that indicates Kwikset. But it's the same key that will open these locks. So here's the difference: on the left is a pin tumbler, where it's a conventional lock with two pins and a spring in each chamber. On the right hand side is SmartKey. It's a much more complicated design, but the same key will open it.

TOBIAS BLUZMANIS: Actually, you can see what they share is the same key. What Kwikset did with this is try to use the same key for their locks, so you have one that is pin tumbler design and the other you can reprogram and is supposedly more secure: you cannot bump, cannot pick open the lock, you can probably do other attacks like impressioning the key, you cannot do that with Kwikset. But on the tradeoff, we find ways more easy to open this Kwikset lock.

MARC WEBER TOBIAS: So pin tumbler, they're not secure unless they're a lock with a number of added on attributes. Pin tumbler locks in this category are easy to pick, easy to bump open.
[00:13:33] Easy to impression, easy to mechanically bypass. Can be master keyed, and it's also fairly easy to determine what the top level master key is, and there's a limited number of combinations. And these locks are fairly low tolerance locks. So there are many fewer keys, in the universe of keys, that will open these locks. So the pin tumbler lock... go ahead.

TOBIAS BLUZMANIS: Okay. So we're going to go first through how a pin tumbler cylinder works. Okay? In this case we have a Kwikset cylinder; this is what you see from the outside. And the parts: we have a shell, that is the outside portion, the plug, and the key slot where you put the key. That's what mainly more people know about the lock. So what is inside is a pin stack. You have a spring, a series of pin tumblers, and you have a shear line. That shear line is where you have to move the pin stack in order to create...

MARC WEBER TOBIAS: A clear surface.

TOBIAS BLUZMANIS: ...separate those pins in order for the lock to turn. Okay? So that's the basics of a pin tumbler.
[00:14:59] You have to get that pin on the shear line, depending on the height of the key, so you can unlock the cylinder. Now, that's one pin. On a regular pin tumbler, you have more than one pin. You have in this case 5 pins, different heights on the bottom pin, which is the portion that fits the key. So when you put the key in, you see all the bottom pins line up with the cylinder. So that cylinder can turn if the pins match the key. So if you put the wrong key in, what you have is some pins either extend into the lock or something from the top blocking the rotation of that pin. It's a very simple design. It has been for many, many years. And most manufacturers work around this design adding side bars, third levels of locking devices, but it's the most common element.

MARC WEBER TOBIAS: Are we okay? Okay.

TOBIAS BLUZMANIS: So that's what is inside on a regular pin tumbler. And we said this SmartKey is not a pin tumbler lock. If you look inside, there are very different components that will make that lock able to be reprogrammed to any specific key.
[00:16:41] And to make it more secure against bumping and picking and some sort of impressioning techniques.

MARC WEBER TOBIAS: This is what the inside of a SmartKey looks like. We'll blow that up in just a minute. But this is a side bar based lock, which means it's a different locking mechanism that keeps the plug, where you stick the key into, from turning. And this design actually was developed in 1978. The original design here was in over a million hotel rooms, because it was the first real programmable lock. Very, very clever. And then it was improved by a company in Italy called Rialda. And then Kwikset took the Rialda design and modified it for the consumer market in the United States. So attributes of SmartKey. It's only a 5 pin lock. And when we say pins, they're really not pins. They're sliders. And there's a really big difference. Pins mechanically and physically are secure against torque and forced attack. The sliders in these locks are not quite so secure. In this lock there's one side bar that really provides the entire security of this lock. They are extremely pick resistant.
[00:18:09] There's an Underwriters Laboratories standard, 437, which defines picking for commercial and high security locks. Kwikset actually meets this standard. That means these cannot be picked in under 10 minutes. They are very, very pick resistant. And they also cannot be bumped, period. Because there's no pin tumblers. These are sliders, so there's nothing to bump open, which in a way, as we refer to this lock, it's one of the most secure insecure locks in America. Now, obviously those are opposite ends of the spectrum. That's what it is. From the picking standpoint, from the impressioning standpoint, from the bumping standpoint, you're essentially not going to open them. The problem is that's trumped by other ways we'll show you. The other really cool thing: how many of you guys have SmartKey versus the old pin tumblers, or do you know? So not that many. SmartKeys are backwards compatible. You can instantly reprogram them without a locksmith. Stick the correct key into the lock, turn about 30°. Pull it out. Stick a new key in, turn it back to 12:00, and that lock is reprogrammed with a new combination.
[00:19:31] It is a very, very clever and desirable option in the marketplace. But there's a lot of security tradeoffs to get there.

TOBIAS BLUZMANIS: Definitely. We have to also understand the space they have to work in is also the same. So to put all these different attributes in a lock, it becomes a very difficult task to do.

MARC WEBER TOBIAS: The other attributes: it has one primary keyway everywhere, which is a problem because it's easy to make keys or duplicate keys. There is no key control. Now, they make a special deadbolt lock for limited master keying for apartment houses that we'll show you. And they think that that key cannot be duplicated easily. Toby, you want to do this one?

TOBIAS BLUZMANIS: Okay. We showed you at the beginning how a pin tumbler lock works. This is a SmartKey. The first thing you notice is the little slot on the side. That's to change the combination when you follow the right procedure. We told you, on the inside it's totally different. This lock is based on a side bar design. You see a pin, you see a slider next to the pin, and the side bar.
436 00:21:05,542 --> 00:21:07,834 MARC WEBER TOBIAS: Side bar is in purple.
437 00:21:09,083 --> 00:21:17,083 TOBIAS BLUZMANIS: Side bar tries to retract but it's blocked by that slider.
438 00:21:17,083 --> 00:21:22,999 So in order for that lock to open, the pin has to move the slider
439 00:21:22,999 --> 00:21:29,959 to the right height so that the side bar can enter the groove of the slider and
440 00:21:29,959 --> 00:21:33,083 the lock can be opened.
441 00:21:33,918 --> 00:21:45,751 That's the principle of this SmartKey as far as the slider bar combination.
442 00:21:48,501 --> 00:21:51,584 The way they can make the different combinations
443 00:21:51,584 --> 00:21:55,584 is the way that they fit the pin to the slider,
444 00:21:55,584 --> 00:21:57,999 with different channels.
445 00:21:59,209 --> 00:22:03,584 The slider stays in the same position, side bar at the same position,
446 00:22:03,584 --> 00:22:09,083 but the pin configuration, pin slider, changes for different depths from 1 to 6.
447 00:22:09,083 --> 00:22:12,751 MARC WEBER TOBIAS: The relationship between the pin tumbler
448 00:22:12,751 --> 00:22:16,999 on the right hand side and the yellow slider, those separate
449 00:22:16,999 --> 00:22:20,375 in reprogramming mode so that they index to one
450 00:22:20,375 --> 00:22:24,792 of the 6 different little teeth on the slider.
451 00:22:24,834 --> 00:22:26,584 And they bring it back together.
452 00:22:26,584 --> 00:22:29,334 That's how the combination is changed in this lock.
453 00:22:29,334 --> 00:22:30,334 Go ahead, Toby.
454 00:22:30,334 --> 00:22:35,542 TOBIAS BLUZMANIS: Same thing, not only one pin/slider combination.
455 00:22:35,542 --> 00:22:43,501 We have in total for the SmartKey, we have 5 pins and 5 sliders.
456 00:22:43,876 --> 00:22:47,334 So the sliders are the ones that set the combination
457 00:22:47,334 --> 00:22:50,709 inside the SmartKey cylinder.
458 00:22:50,751 --> 00:22:54,709 So when you put the key in and the key is set to that combination, you see
459 00:22:54,709 --> 00:22:56,501 the red dots?
460 00:22:56,999 --> 00:23:01,959 That's where the side bar drops, okay?
461 00:23:01,959 --> 00:23:03,999 So when the side bar drops at that combination,
462 00:23:03,999 --> 00:23:06,250 that lock can be opened.
463 00:23:06,250 --> 00:23:10,459 And the pins just follow the combination of the key.
464 00:23:10,792 --> 00:23:19,999 In this case we have 26341 which is the individual depth of each key.
465 00:23:21,792 --> 00:23:28,083 If we want to rekey the lock, we have to put the working key in,
466 00:23:28,083 --> 00:23:34,918 they have a special tool that will move a block in that has
467 00:23:34,918 --> 00:23:41,083 a hub that houses all those sliders and what happens is that
468 00:23:41,083 --> 00:23:45,918 the sliders separate from the pins.
469 00:23:45,918 --> 00:23:49,667 So now we can remove the pins but the pins, the sliders, are
470 00:23:49,667 --> 00:23:53,584 at the same shear line with the MARC WEBER TOBIAS:
471 00:23:53,584 --> 00:23:57,584 They're locked into position so they can't go anywhere
472 00:23:57,584 --> 00:24:00,876 until we stick another key in.
473 00:24:00,876 --> 00:24:03,125 TOBIAS BLUZMANIS: So we can put another key in.
474 00:24:03,125 --> 00:24:07,959 That key sets to the combination of the key and then we have to bring
475 00:24:07,959 --> 00:24:14,125 all those sliders back to engage again to the sliders, the pins.
476 00:24:14,167 --> 00:24:19,709 So we have a new key working for this lock.
477 00:24:20,083 --> 00:24:23,459 So it's a very clever design.
478 00:24:23,459 --> 00:24:28,292 They have ball bearings to prevent also MARC WEBER
479 00:24:28,292 --> 00:24:35,542 TOBIAS: Okay, so these are the components that let's see.
480 00:24:35,542 --> 00:24:36,542 Okay.
481 00:24:36,792 --> 00:24:39,125 So this shows the 5 pin tumblers that
482 00:24:39,125 --> 00:24:41,542 the key responds to.
483 00:24:41,542 --> 00:24:44,876 These are locked together to make this lock work.
484 00:24:44,876 --> 00:24:48,167 And the two bottom pieces are the side bars that actually stop that
485 00:24:48,167 --> 00:24:50,250 plug from turning.
486 00:24:50,250 --> 00:24:53,501 And this is what the plug looks like.
487 00:24:53,999 --> 00:24:55,584 TOBIAS BLUZMANIS: Yeah, their pins are, like,
488 00:24:55,584 --> 00:24:58,918 hollow so you can put the pins, they have a cover.
489 00:24:58,999 --> 00:25:04,459 So you see the tabs where the sliders go and you have that hub
490 00:25:04,459 --> 00:25:09,999 that puts the slider together with the side bar.
491 00:25:09,999 --> 00:25:11,792 MARC WEBER TOBIAS: Okay.
492 00:25:11,792 --> 00:25:13,167 So now let's talk about master key systems
493 00:25:13,167 --> 00:25:15,999 before we get to the attacks.
494 00:25:15,999 --> 00:25:19,501 So in conventional master key systems and pin tumbler locks,
495 00:25:19,501 --> 00:25:23,209 we have one key that can open many locks.
496 00:25:23,209 --> 00:25:27,167 And there's potentially many different levels of keying.
497 00:25:27,167 --> 00:25:30,417 Because we have an extra pin in each chamber.
498 00:25:30,834 --> 00:25:33,999 And that creates a whole bunch of different shear lines.
499 00:25:34,542 --> 00:25:37,792 Conventional locks are expensive to rekey.
500 00:25:37,792 --> 00:25:39,375 You have to have a locksmith do it.
501 00:25:39,375 --> 00:25:43,209 And there's also what we call incidental master keys.
502 00:25:43,209 --> 00:25:46,459 A lot of keys that will open a master key cylinder that really
503 00:25:46,459 --> 00:25:48,501 aren't intended.
504 00:25:48,501 --> 00:25:50,792 TOBIAS BLUZMANIS: And that's a problem.
505 00:25:50,792 --> 00:25:52,999 MARC WEBER TOBIAS: And that's a problem.
506 00:25:52,999 --> 00:25:55,167 TOBIAS BLUZMANIS: Well actually, what happens with master key systems,
507 00:25:55,167 --> 00:26:01,083 those unintended keys, they tried to use those to work in the system.
508 00:26:01,167 --> 00:26:04,083 So depending on how the people are doing the master keys,
509 00:26:04,083 --> 00:26:06,501 you have more than two keys working
510 00:26:06,501 --> 00:26:08,417 on the system.
511 00:26:08,417 --> 00:26:09,250 We're going to show pretty much how
512 00:26:09,250 --> 00:26:11,626 a master key system works.
513 00:26:11,626 --> 00:26:13,999 MARC WEBER TOBIAS: As we pointed out years ago,
514 00:26:13,999 --> 00:26:17,999 if they're not high security, they can also be easily compromised
515 00:26:17,999 --> 00:26:22,751 but in a different way so we can figure out what a top level master key
516 00:26:22,751 --> 00:26:24,709 is in a system.
517 00:26:24,709 --> 00:26:28,626 TOBIAS BLUZMANIS: Remember the pin tumbler lock, it has a top pin,
518 00:26:28,626 --> 00:26:30,375 bottom pin?
519 00:26:30,375 --> 00:26:34,375 Now we have another pin between the top and bottom.
520 00:26:34,501 --> 00:26:39,125 So what happens is that we are creating two shear lines,
521 00:26:39,125 --> 00:26:45,083 right there we can split the pin and the lock opens, we have one depth
522 00:26:45,083 --> 00:26:47,250 for that pin.
523 00:26:47,250 --> 00:26:50,501 But there's also another shear line.
524 00:26:50,501 --> 00:26:56,292 So we have two depths that open in that specific chamber.
525 00:26:56,292 --> 00:27:00,125 But again, a lock is not one pin, so
526 00:27:00,125 --> 00:27:04,709 for this example we put another split pin.
527 00:27:04,709 --> 00:27:07,709 We put a master, that's called a master wafer.
528 00:27:07,709 --> 00:27:09,876 MARC WEBER TOBIAS: Middle pin.
529 00:27:09,918 --> 00:27:15,125 TOBIAS BLUZMANIS: And the rest we left, the pins like that.
530 00:27:15,999 --> 00:27:21,792 We have an A key that makes the shear line so that key
531 00:27:21,792 --> 00:27:25,125 will open the cylinder.
532 00:27:25,459 --> 00:27:30,375 We also have a B key that will open the cylinder.
533 00:27:30,459 --> 00:27:33,125 So those were the two intended keys when we're
534 00:27:33,125 --> 00:27:36,167 making the master key system.
535 00:27:36,167 --> 00:27:42,834 We have to understand also that when people say they have a master key,
536 00:27:42,834 --> 00:27:48,876 there's no such thing as a master key for a GM car.
537 00:27:48,918 --> 00:27:52,501 You have to set a master key system.
538 00:27:52,501 --> 00:27:58,334 In a pin tumbler lock when somebody says I have a master key, the system
539 00:27:58,334 --> 00:28:02,999 is set to work with these master wafers in order
540 00:28:02,999 --> 00:28:07,999 to set the system to open different locks.
541 00:28:08,999 --> 00:28:13,083 The problem now is that we have two unintended keys,
542 00:28:13,083 --> 00:28:17,834 key C and key B that will also open that lock.
543 00:28:17,834 --> 00:28:22,584 And if we add more master wafers, that number is going to increase
544 00:28:22,584 --> 00:28:25,334 exponentially.
545 00:28:26,626 --> 00:28:29,999 And, depending on the person doing the job,
546 00:28:29,999 --> 00:28:34,834 they can do even more master wafers and that creates many,
547 00:28:34,834 --> 00:28:39,459 many coincidental keys and they're not secure.
548 00:28:39,459 --> 00:28:42,999 MARC WEBER TOBIAS: And it can also make the lock a lot easier to pick.
549 00:28:42,999 --> 00:28:46,083 TOBIAS BLUZMANIS: The other problem with Kwikset is the keyway
550 00:28:46,083 --> 00:28:50,876 is so common and they have so many different individual
551 00:28:50,876 --> 00:28:54,792 keys that they can use that probably your home
552 00:28:54,792 --> 00:28:58,999 key, if you have a commercial facility that has been
553 00:28:58,999 --> 00:29:04,083 rekeyed and has a master key system, is that potentially one
554 00:29:04,083 --> 00:29:09,292 of your keys can open one or more of those locks.
555 00:29:09,292 --> 00:29:12,999 MARC WEBER TOBIAS: Kwikset came up with key control.
556 00:29:14,250 --> 00:29:17,876 It's a one level master key system.
557 00:29:17,876 --> 00:29:21,334 There's two cores in one cylinder.
558 00:29:21,667 --> 00:29:26,083 It's actually a clever system for apartment houses where you only
559 00:29:26,083 --> 00:29:29,125 need one level of master keys.
560 00:29:29,125 --> 00:29:36,584 There's two separate keyways that are secure, that one won't go into the other.
561 00:29:36,584 --> 00:29:39,918 So the apartment user, the apartment tenant, has one key,
562 00:29:39,918 --> 00:29:43,459 their change key, and the management has a key that
563 00:29:43,459 --> 00:29:47,083 will open the other core in the lock.
564 00:29:47,626 --> 00:29:49,417 It's actually very clever.
565 00:29:49,417 --> 00:29:51,083 No locksmith is required.
566 00:29:51,083 --> 00:29:53,999 You can instantly change your master key systems.
567 00:29:53,999 --> 00:29:57,375 There are 46,000 theoretical combinations.
568 00:29:57,834 --> 00:29:59,209 They're good for facilities that need
569 00:29:59,209 --> 00:30:01,999 a very limited kind of system.
570 00:30:01,999 --> 00:30:05,999 So actually, it's a very clever system.
571 00:30:05,999 --> 00:30:08,792 However, it's got the same security vulnerabilities
572 00:30:08,792 --> 00:30:11,000 as the single lock.
573 00:30:11,459 --> 00:30:14,042 And again, they can be instantly reprogrammed.
574 00:30:14,417 --> 00:30:18,876 And you do not have the cross key problem in the Kwikset that you have
575 00:30:18,876 --> 00:30:22,334 on conventional master key systems.
576 00:30:22,334 --> 00:30:23,834 It doesn't exist.
577 00:30:23,834 --> 00:30:26,501 So the problem is they can also be compromised
578 00:30:26,501 --> 00:30:28,501 in 15 seconds.
579 00:30:28,626 --> 00:30:32,626 So security, what you get is what you pay for.
580 00:30:32,876 --> 00:30:39,083 Does anybody expect a $20, $30, $40 lock to actually be secure?
581 00:30:39,083 --> 00:30:40,417 And that's the question.
582 00:30:40,417 --> 00:30:46,000 And again we understand that a lot of folks can't afford high security locks.
583 00:30:46,000 --> 00:30:48,209 But we also believe that the public has a right
584 00:30:48,209 --> 00:30:52,584 to understand so they can make the decision knowingly and intelligently
585 00:30:52,584 --> 00:30:55,501 whether they'll accept the risk.
586 00:30:55,501 --> 00:31:00,876 So as we say, there's millions of facilities that can be at risk here.
587 00:31:00,959 --> 00:31:03,959 And there's a false sense of security as we talked
588 00:31:03,959 --> 00:31:07,959 about between the BHMA standard that says this is the highest grade
589 00:31:07,959 --> 00:31:12,667 of security for residential and the anti picking, anti bumping.
590 00:31:12,667 --> 00:31:16,999 So we're going to go through and as you heard the tech reps
591 00:31:16,999 --> 00:31:22,626 at Kwikset say, there's no way to get into these locks
592 00:31:22,834 --> 00:31:24,375 if you don't have the key, or you've got to drill them
593 00:31:24,375 --> 00:31:26,083 and destroy them.
594 00:31:26,292 --> 00:31:30,626 So SmartKey and design issues, the problem is the side bar
595 00:31:30,626 --> 00:31:32,876 and the sliders.
596 00:31:32,876 --> 00:31:35,626 There's only one layer of security and our problem
597 00:31:35,626 --> 00:31:40,334 is these little sliders that you see are very fragile.
598 00:31:40,334 --> 00:31:43,626 And there's also maintenance problems and programmability problems
599 00:31:43,626 --> 00:31:46,417 and low tolerance with the lock.
600 00:31:48,083 --> 00:31:51,167 And the real problem, as we're going to show you in a minute,
601 00:31:51,167 --> 00:31:54,751 you can apply torque to these plugs and open them.
602 00:31:54,751 --> 00:31:56,667 So here's the attack methodology that we came
603 00:31:56,667 --> 00:31:58,083 up with.
604 00:31:58,709 --> 00:32:03,083 Try out keys, wire through the keyway.
605 00:32:03,083 --> 00:32:06,918 Visually reading the side bar and slider positions.
606 00:32:06,918 --> 00:32:09,501 Torque the plug, replicating key control and decoding
607 00:32:09,501 --> 00:32:11,667 of the master key.
608 00:32:11,667 --> 00:32:14,292 Other than that, they're very, very secure locks.
609 00:32:14,626 --> 00:32:15,959 (Laughter).
610 00:32:16,083 --> 00:32:18,999 Okay, so first of all, try out keys, probably most
611 00:32:18,999 --> 00:32:21,709 of you guys aren't old enough to remember
612 00:32:21,709 --> 00:32:26,459 in the '60s we had 64 keys that would open up all GM cars.
613 00:32:26,459 --> 00:32:27,459 64.
614 00:32:29,459 --> 00:32:32,626 We exploited the tolerance in the locks.
615 00:32:32,709 --> 00:32:35,918 TOBIAS BLUZMANIS: There's no such thing as a master key system
616 00:32:35,918 --> 00:32:37,918 for GM, as you said.
617 00:32:37,918 --> 00:32:39,999 MARC WEBER TOBIAS: They're not master keys, they're tryout keys,
618 00:32:39,999 --> 00:32:42,292 you jiggle them in the keyway.
619 00:32:42,667 --> 00:32:44,999 Sometimes they would open.
620 00:32:44,999 --> 00:32:45,999 Most of the time.
621 00:32:45,999 --> 00:32:48,999 But what you're doing is cutting the tolerance in half.
622 00:32:48,999 --> 00:32:51,250 Same thing with Kwikset.
623 00:32:51,334 --> 00:32:57,083 Basically with six depths in a Kwikset, most of the time we can make three
624 00:32:57,083 --> 00:32:59,999 depths equal 6 depths.
625 00:32:59,999 --> 00:33:02,501 So here is a graphic.
626 00:33:02,501 --> 00:33:06,375 The six steps on a Kwikset key, 1, 2, 3, 4, 5, 6 cuts.
627 00:33:06,542 --> 00:33:16,501 This is a depth increment key of 1, 1 1/2, 2, 2 1/2, 3, 3, 3 1/2 and 6.
628 00:33:16,501 --> 00:33:19,083 TOBIAS BLUZMANIS: We didn't do this.
629 00:33:19,083 --> 00:33:23,584 This is something that we test on the SmartKey.
630 00:33:23,584 --> 00:33:26,125 This is an old type of attack.
631 00:33:26,167 --> 00:33:29,999 Try to split the difference between one cut and the other one.
632 00:33:30,083 --> 00:33:32,584 Because the tolerance is, you need tolerances
633 00:33:32,584 --> 00:33:34,834 for this lock to work.
634 00:33:34,834 --> 00:33:36,083 MARC WEBER TOBIAS: Yeah.
635 00:33:36,083 --> 00:33:38,792 So the next problem has always been their problem and it's called
636 00:33:38,792 --> 00:33:40,999 the tail piece design.
637 00:33:40,999 --> 00:33:45,918 And this is the linkage when you insert the key into the plug, the plug has
638 00:33:45,918 --> 00:33:49,125 to talk to the bolt or the latch.
639 00:33:49,125 --> 00:33:52,876 To communicate the energy to withdraw or lock the bolt.
640 00:33:52,876 --> 00:33:56,999 So with Kwikset, this is hollow on one side.
641 00:33:57,083 --> 00:34:00,375 It's square and hollow so it will interface on both sides
642 00:34:00,375 --> 00:34:02,626 of the door together.
643 00:34:02,918 --> 00:34:04,542 Through the bolt.
644 00:34:06,999 --> 00:34:09,999 So this is one of the attacks we developed on one
645 00:34:09,999 --> 00:34:12,999 of the older key knob cylinders.
646 00:34:12,999 --> 00:34:16,083 This is a special key we made on the bottom that if we knock
647 00:34:16,083 --> 00:34:19,999 out the piece at the end of the keyway, so there's a slot,
648 00:34:19,999 --> 00:34:23,999 we can go right through that and open the lock.
649 00:34:26,083 --> 00:34:29,709 So, if you stick that in, literally in five seconds,
650 00:34:29,709 --> 00:34:32,918 this key-in-knob lock is open.
651 00:34:32,918 --> 00:34:34,501 This is another design.
652 00:34:34,501 --> 00:34:35,501 Toby?
653 00:34:35,501 --> 00:34:37,999 TOBIAS BLUZMANIS: Yeah, this is an old design.
654 00:34:37,999 --> 00:34:41,083 Actually this is a pin tumbler lock.
655 00:34:41,083 --> 00:34:44,626 They share the same configuration.
656 00:34:44,667 --> 00:34:51,792 But the back was covered by like 20 thousandths of an inch thick brass.
657 00:34:51,792 --> 00:34:56,375 So we're piercing that with an old Kwikset key that you can
658 00:34:56,375 --> 00:35:01,083 get anywhere and we put a piece of wire that was bent
659 00:35:01,083 --> 00:35:04,626 to accommodate the cylinder.
660 00:35:04,999 --> 00:35:07,999 MARC WEBER TOBIAS: This is the newer design.
661 00:35:07,999 --> 00:35:10,083 TOBIAS BLUZMANIS: This is on the Kwikset SmartKey
662 00:35:10,083 --> 00:35:12,999 and we're going to show how easy we can access
663 00:35:12,999 --> 00:35:15,876 the tail piece and pierce MARC WEBER TOBIAS:
664 00:35:15,876 --> 00:35:18,626 You tell us whether you think this is ah, come
665 00:35:18,626 --> 00:35:21,876 on whether you think this is secure.
666 00:35:22,209 --> 00:35:28,292 This attack on the tail piece of the Kwikset SmartKey
667 00:35:28,292 --> 00:35:33,083 and earlier cylinders is based on the design
668 00:35:33,083 --> 00:35:37,209 of the tail piece by Kwikset.
669 00:35:37,209 --> 00:35:43,792 It's hollow and it's square which allows us to pierce the cap at the end
670 00:35:43,792 --> 00:35:49,542 of the plug and insert a wire that's been formed to catch
671 00:35:49,542 --> 00:35:54,626 the edges of the tail piece and turn it.
672 00:35:54,626 --> 00:35:57,375 TOBIAS BLUZMANIS: Okay, the first thing is to introduce
673 00:35:57,375 --> 00:35:59,999 the tool like a regular key.
674 00:36:00,083 --> 00:36:03,751 I'm going to put tension.
675 00:36:03,876 --> 00:36:07,918 And that tension is going to make this side bar block
676 00:36:07,918 --> 00:36:11,999 the slider so I can remove the tool.
677 00:36:12,292 --> 00:36:17,959 And the reason is I need to put the tool backwards so we can start
678 00:36:17,959 --> 00:36:20,751 piercing from the top.
679 00:36:20,751 --> 00:36:22,125 That's the complicated part.
680 00:36:22,125 --> 00:36:23,626 MARC WEBER TOBIAS: Yeah.
681 00:36:23,999 --> 00:36:26,292 It's just a sharp piece of metal.
682 00:36:26,542 --> 00:36:28,417 Yeah, that's the complicated part.
683 00:36:29,167 --> 00:36:31,584 Now it's a matter of breaking it.
684 00:36:31,584 --> 00:36:34,209 TOBIAS BLUZMANIS: You can see the back on one side.
685 00:36:38,167 --> 00:36:40,083 (Smack smack smack smack smack).
686 00:36:40,083 --> 00:36:41,834 MARC WEBER TOBIAS: That's it.
687 00:36:42,667 --> 00:36:46,209 TOBIAS BLUZMANIS: This is a complicated part.
688 00:36:46,209 --> 00:36:49,417 MARC WEBER TOBIAS: Yeah, you've got to use the pliers, yeah.
689 00:36:50,709 --> 00:36:52,918 That's why I let him do it.
690 00:36:54,999 --> 00:36:59,209 TOBIAS BLUZMANIS: Now we have an opening
691 00:36:59,209 --> 00:37:03,792 for wire, now we can access the tail piece that
692 00:37:03,792 --> 00:37:08,250 is right here, you see I'm moving the keep going
693 00:37:08,250 --> 00:37:12,792 because MARC WEBER TOBIAS: Yeah.
694 00:37:12,792 --> 00:37:13,792 And that's it.
695 00:37:13,792 --> 00:37:14,999 That will open the lock.
696 00:37:15,626 --> 00:37:23,167 (Applause) TOBIAS BLUZMANIS: So that's it.
697 00:37:24,999 --> 00:37:25,999 (Laughter).
698 00:37:25,999 --> 00:37:27,999 There's no damage to the lock.
699 00:37:28,083 --> 00:37:30,083 Your key still works.
700 00:37:30,083 --> 00:37:37,999 MARC WEBER TOBIAS: So how many of you still trust your door locks?
701 00:37:38,751 --> 00:37:41,999 Next one: Visual decoding.
702 00:37:41,999 --> 00:37:46,501 We didn't show this but we'll tell you, you can actually take a little mirror,
703 00:37:46,501 --> 00:37:50,999 insert it into the lock, it takes a little more talent.
704 00:37:50,999 --> 00:37:54,542 And you can read the position of each of the sliders.
705 00:37:54,584 --> 00:37:55,584 Okay.
706 00:37:55,584 --> 00:37:57,125 Here's the really good one.
707 00:37:57,125 --> 00:38:00,999 This is, as I told Toby, let's just label the slide "torque'd off."
708 00:38:01,375 --> 00:38:03,999 So this is torquing the plug.
709 00:38:04,709 --> 00:38:07,250 We actually filed a complaint with the Builders Hardware
710 00:38:07,250 --> 00:38:10,501 Manufacturers Association a couple years ago.
711 00:38:10,501 --> 00:38:11,999 It was essentially ignored.
712 00:38:11,999 --> 00:38:16,459 That we didn't think this lock should be certified as a grade 1 lock.
713 00:38:16,459 --> 00:38:20,375 This is the entire security of this lock as far as we're concerned.
714 00:38:20,375 --> 00:38:23,542 These are sliders as you saw on the diagrams.
715 00:38:23,542 --> 00:38:25,125 The one on the left is normal.
716 00:38:25,125 --> 00:38:27,709 The one on the right has been warped.
717 00:38:27,709 --> 00:38:29,999 You can see it's not straight.
718 00:38:30,209 --> 00:38:34,542 This is also what happens when you stick a screwdriver into the lock.
719 00:38:34,999 --> 00:38:36,501 It's warped.
720 00:38:36,501 --> 00:38:37,999 The geometry changes.
721 00:38:38,584 --> 00:38:42,209 TOBIAS BLUZMANIS: The lock is going to be as secure
722 00:38:42,209 --> 00:38:47,501 as its weakest link and if the material is not strong enough, that's
723 00:38:47,501 --> 00:38:49,459 the end of it.
724 00:38:49,459 --> 00:38:52,292 MARC WEBER TOBIAS: We also ran some tests and we were able
725 00:38:52,292 --> 00:38:56,167 to torque this lock at 112 pound-force inches.
726 00:38:56,167 --> 00:38:59,417 The standard actually requires 300 but their argument was well, yeah,
727 00:38:59,417 --> 00:39:03,876 but you're either sticking a paperclip or a piece of key, a broken off piece
728 00:39:03,876 --> 00:39:06,125 of key, into the keyway.
729 00:39:06,125 --> 00:39:09,751 TOBIAS BLUZMANIS: There is one element MARC WEBER
730 00:39:09,751 --> 00:39:12,083 TOBIAS: 7 minutes.
731 00:39:12,083 --> 00:39:14,792 TOBIAS BLUZMANIS: There's one element that
732 00:39:14,792 --> 00:39:20,626 on the cylinder that when we torque the plug, we had to introduce a piece
733 00:39:20,626 --> 00:39:22,584 of key wire.
734 00:39:22,584 --> 00:39:27,959 Because we need to lift that slider that is blocking
735 00:39:27,959 --> 00:39:33,999 to the housing because there's three different depths,
736 00:39:33,999 --> 00:39:41,125 depth 1, depth 2, depth 3, that it will block, the physical slider
737 00:39:41,125 --> 00:39:46,375 will block the rotation for that pin.
738 00:39:46,375 --> 00:39:48,999 But there isn't a specific position.
739 00:39:48,999 --> 00:39:52,542 And it doesn't matter what depth the slider is set to.
740 00:39:52,542 --> 00:39:56,709 The slider is going to get inside the plug.
741 00:39:56,709 --> 00:40:07,667 So the only element preventing the cylinder from opening is the slider.
742 00:40:07,667 --> 00:40:09,999 MARC WEBER TOBIAS: So here's what happens.
743 00:40:11,542 --> 00:40:14,209 (Audio) SmartKey.
744 00:40:14,792 --> 00:40:17,542 TOBIAS BLUZMANIS: That's the SmartKey.
745 00:40:17,918 --> 00:40:21,584 We just need to that is specific height.
746 00:40:21,751 --> 00:40:23,999 We're using a piece of paperclip.
747 00:40:27,709 --> 00:40:31,584 We just MARC WEBER TOBIAS: That's also the complicated part.
748 00:40:31,918 --> 00:40:34,999 TOBIAS BLUZMANIS: And of course I did that part.
749 00:40:36,999 --> 00:40:38,250 (Laughter).
750 00:40:38,250 --> 00:40:39,709 MARC WEBER TOBIAS: Yeah.
751 00:40:39,709 --> 00:40:42,999 (Chuckling) so this is just a standard little screwdriver.
752 00:40:42,999 --> 00:40:45,000 We just seat it into the keyway.
753 00:40:45,000 --> 00:40:46,542 You don't have to bang on it.
754 00:40:46,542 --> 00:40:48,542 This is a vise grip.
755 00:40:48,542 --> 00:40:51,125 This door on your house.
756 00:40:52,959 --> 00:40:54,667 You see it's already turned.
757 00:40:54,667 --> 00:40:57,792 TOBIAS BLUZMANIS: You can see it's already turned.
758 00:41:01,375 --> 00:41:06,501 TOBIAS BLUZMANIS: Those sliders bend, the plug compresses.
759 00:41:06,501 --> 00:41:09,167 So now the cylinder can go back and forth.
760 00:41:12,125 --> 00:41:15,417 Now you have to put that piece there.
761 00:41:15,999 --> 00:41:18,959 And that's the reason why they passed the test
762 00:41:18,999 --> 00:41:20,999 for certification.
763 00:41:21,459 --> 00:41:24,876 Because when they test for this lock, they put the screwdriver,
764 00:41:24,876 --> 00:41:28,918 they torque it to say but the cylinder is open right now.
765 00:41:28,918 --> 00:41:30,999 MARC WEBER TOBIAS: Okay.
766 00:41:30,999 --> 00:41:34,459 Same problem, no key control, plastic keys.
767 00:41:34,918 --> 00:41:36,083 Okay?
768 00:41:36,542 --> 00:41:38,250 This is very impressive.
769 00:41:42,125 --> 00:41:52,876 TOBIAS BLUZMANIS: That's a MasterCard.
770 00:41:52,876 --> 00:41:54,918 MARC WEBER TOBIAS: No, that's Chase.
771 00:41:54,918 --> 00:41:55,918 (Laughter).
772 00:41:55,918 --> 00:41:57,999 TOBIAS BLUZMANIS: Sorry, I didn't know.
773 00:41:57,999 --> 00:42:01,709 MARC WEBER TOBIAS: So then we figured out how to decode the lock.
774 00:42:01,709 --> 00:42:03,083 We're going to run out of time.
775 00:42:03,876 --> 00:42:07,999 Basically there's a procedure that we can take six
776 00:42:07,999 --> 00:42:12,999 different keys and we can figure out TOBIAS BLUZMANIS: How
777 00:42:12,999 --> 00:42:14,999 to decode it.
778 00:42:14,999 --> 00:42:18,667 Those are the depths of each pin.
779 00:42:18,667 --> 00:42:24,626 But now, if we notice, that side bar really did not
780 00:42:24,626 --> 00:42:28,459 engage on the false gate.
781 00:42:28,459 --> 00:42:33,250 So we designed one key that can move basically what we're going
782 00:42:33,250 --> 00:42:37,542 to you're going to see here in this video is that
783 00:42:37,542 --> 00:42:41,083 if we can remove the key from the cylinder
784 00:42:41,083 --> 00:42:45,999 with a specific depth that is an indication that we have
785 00:42:45,999 --> 00:42:50,999 the code MARC WEBER TOBIAS: I don't think we have time
786 00:42:50,999 --> 00:42:53,459 to run this video.
787 00:42:53,459 --> 00:42:57,334 But these are the six keys, let me just do part of this.
788 00:42:57,834 --> 00:43:03,542 Video: This is going to be decoding the cylinder on Kwikset.
789 00:43:03,542 --> 00:43:05,999 This is the problem with master key.
790 00:43:06,584 --> 00:43:12,999 We have depth probing keys for each of the 6 depths that we're
791 00:43:12,999 --> 00:43:18,876 going to probe in rapid order and determine essentially
792 00:43:18,876 --> 00:43:23,999 the gate positions on each of the sliders.
793 00:43:24,584 --> 00:43:28,501 TOBIAS BLUZMANIS: So let's start with number 6.
794 00:43:28,501 --> 00:43:29,999 Just put the key in.
795 00:43:29,999 --> 00:43:34,083 Put a little bit of torque and try to remove the key.
796 00:43:34,459 --> 00:43:37,709 TOBIAS BLUZMANIS: If we cannot remove the key, that's
797 00:43:37,709 --> 00:43:42,167 an indication that that pin is not set for that depth.
798 00:43:42,417 --> 00:43:46,999 MARC WEBER TOBIAS: Basically we go through and probe each
799 00:43:46,999 --> 00:43:52,250 of the six sliders and then once we figure out the code, we generate
800 00:43:52,250 --> 00:43:55,999 a key for it in, like, 10 seconds.
801 00:43:55,999 --> 00:44:00,626 TOBIAS BLUZMANIS: So we go pin by pin.
802 00:44:00,626 --> 00:44:01,626 Pin.
803 00:44:01,626 --> 00:44:03,375 We just put the key in that position.
804 00:44:03,375 --> 00:44:04,375 We try to remove it.
805 00:44:04,375 --> 00:44:07,083 If it can be removed, we record the number that we're using
806 00:44:07,083 --> 00:44:10,999 to MARC WEBER TOBIAS: So basically, Toby goes through,
807 00:44:10,999 --> 00:44:15,167 decodes the entire lock, creates a key for it.
808 00:44:15,167 --> 00:44:19,125 So making the control, as we'll wrap this up, this
809 00:44:19,125 --> 00:44:22,792 is their master key scheme.
810 00:44:22,792 --> 00:44:26,292 TOBIAS BLUZMANIS: Yeah, this is the way that Kwikset takes
811 00:44:26,292 --> 00:44:30,167 the approach for the master key system.
812 00:44:30,792 --> 00:44:33,876 This is what they call the key control.
813 00:44:33,876 --> 00:44:40,125 MARC WEBER TOBIAS: It's not playing.
814 00:44:40,250 --> 00:44:41,834 Go ahead.
815 00:44:41,834 --> 00:44:45,792 TOBIAS BLUZMANIS: So that cylinder has another cylinder on top.
816 00:44:45,999 --> 00:44:47,876 That's the scheme they use.
817 00:44:47,876 --> 00:44:52,751 It's two cylinders because their platform is so small
818 00:44:52,751 --> 00:44:58,459 they decided I can have one key for renters.
819 00:44:58,584 --> 00:45:00,626 One key for the user.
820 00:45:00,626 --> 00:45:05,999 The thing is they're so close and all this attack also can be performed
821 00:45:05,999 --> 00:45:08,501 on their lock.
822 00:45:08,501 --> 00:45:11,083 That we thought well, this is not secure.
823 00:45:11,083 --> 00:45:12,918 It's even more insecure because you don't see
824 00:45:12,918 --> 00:45:14,999 the cylinder on top.
825 00:45:15,792 --> 00:45:18,792 The cover has to turn so you can expose
826 00:45:18,792 --> 00:45:21,125 the other cylinder.
827 00:45:21,125 --> 00:45:25,709 So, if you torque the plug or you pierce the plug, you're never going to notice.
828 00:45:25,709 --> 00:45:28,999 And that's something that you, as a consumer, should know, that
829 00:45:28,999 --> 00:45:34,459 the MARC WEBER TOBIAS: Here's the bottom line as we'll sum up.
830 00:45:34,459 --> 00:45:40,999 This is clever in some respects but also insecure in some respects.
831 00:45:41,375 --> 00:45:43,417 It's a trade I don't have.
832 00:45:43,459 --> 00:45:47,209 When you spend money on locks, it's an insurance policy.
833 00:45:47,709 --> 00:45:50,834 You do get what you pay for.
834 00:45:50,834 --> 00:45:55,792 It may look secure but that, as we've shown you, doesn't mean it is.
835 00:45:55,792 --> 00:45:58,626 I think that wraps it up for this DEF CON this year.
836 00:45:58,626 --> 00:45:59,918 We thank you very much for coming and we hope you
837 00:45:59,918 --> 00:46:01,334 enjoyed this.
838 00:46:01,334 --> 00:46:01,334 (Applause.) TOBIAS BLUZMANIS: If you have any questions MARC
839 00:46:01,334 --> 00:46:02,667 WEBER TOBIAS: Thank you.