1 00:00:00,000 --> 00:00:01,459 ERIC VAN ALBERT: I'm Eric Van
2 00:00:01,459 --> 00:00:02,999 I'm David Lawrence.
3 00:00:02,999 --> 00:00:05,083 DAVID LAWRENCE: And
4 00:00:05,083 --> 00:00:06,334 here today.
5 00:00:06,334 --> 00:00:07,876 He contributed a lot to the project.
6 00:00:07,876 --> 00:00:10,999 We're just two MIT students.
7 00:00:10,999 --> 00:00:12,999 We don't have more credentials than
8 00:00:12,999 --> 00:00:15,083 Playing with locks is a hobby.
9 00:00:17,000 --> 00:00:21,751 If you'd
10 00:00:21,751 --> 00:00:25,999 Hope you enjoy this lock.
11 00:00:25,999 --> 00:00:30,751 How many of you guys were here
12 00:00:30,751 --> 00:00:32,125 Fantastic.
13 00:00:32,125 --> 00:00:36,125 I'm going to talk
14 00:00:36,125 --> 00:00:41,334 We can do more of a quiz
15 00:00:41,334 --> 00:00:45,125 When you have
16 00:00:45,125 --> 00:00:47,000 and body and stacks constraining them
17 00:00:47,000 --> 00:00:50,542 If you select the key, you raise
18 00:00:50,542 --> 00:00:53,250 up to the interface
19 00:00:53,250 --> 00:00:55,334 allows that to turn.
20 00:00:55,334 --> 00:00:56,999 What's that interface called?
21 00:00:56,999 --> 00:00:58,626 Wonderful.
22 00:01:00,417 --> 00:01:02,918 We have a video here.
23 00:01:03,999 --> 00:01:07,626 This is a cutaway lock so you can see
24 00:01:10,542 --> 00:01:13,918 As you insert the key, you can see
25 00:01:13,918 --> 00:01:16,501 When it's not inserted
26 00:01:16,501 --> 00:01:19,709 above the shear line so
27 00:01:19,709 --> 00:01:21,999 the pin from turning.
28 00:01:21,999 --> 00:01:26,375 If you insert it all the way
29 00:01:26,375 --> 00:01:27,375 Everybody see that?
30 00:01:27,709 --> 00:01:28,999 Great.
31 00:01:31,083 --> 00:01:34,209 These locks are vulnerable to a lot
32 00:01:34,209 --> 00:01:37,626 as Marc and Toby talked
33 00:01:37,626 --> 00:01:39,083 You can take these keys
34 00:01:39,083 --> 00:01:41,792 and they'll copy them for you.
35 00:01:43,667 --> 00:01:46,584 Another thing you can do is picking.
36 00:01:46,834 --> 00:01:52,250 And inserting long wires
37 00:01:52,250 --> 00:01:54,999 I'll go over those quickly
38 00:01:54,999 --> 00:01:56,959 about them a lot.
39 00:01:56,959 --> 00:02:00,751 Picking is where you exploit
40 00:02:00,751 --> 00:02:02,999 By applying torque
41 00:02:02,999 --> 00:02:05,751 all the pin stacks to bind.
42 00:02:05,999 --> 00:02:07,959 In a perfect lock they would all bind
43 00:02:07,959 --> 00:02:09,959 at that point you'd be screwed.
44 00:02:09,959 --> 00:02:11,999 But because the holes are slightly
45 00:02:11,999 --> 00:02:14,999 on the plug, only one of them
46 00:02:15,209 --> 00:02:17,083 And if you use a pick
47 00:02:17,083 --> 00:02:20,209 up to the shear line, then it will set
48 00:02:20,209 --> 00:02:24,083 a very small amount and it will trap
49 00:02:24,083 --> 00:02:27,125 down and then you don't have
50 00:02:27,125 --> 00:02:31,542 and you can repeat that
51 00:02:33,209 --> 00:02:35,542 Impressioning I'm not going to go
52 00:02:35,542 --> 00:02:37,834 because I'm not very good at it.
53 00:02:37,834 --> 00:02:39,792 It involves taking a blank key,
54 00:02:39,792 --> 00:02:42,999 and using the torque and binding action
55 00:02:42,999 --> 00:02:45,292 and you can file
56 00:02:45,292 --> 00:02:47,375 up with a working key.
57 00:02:47,918 --> 00:02:50,999 So pin tumbler locks
58 00:02:50,999 --> 00:02:54,918 for the Schlage Primus
59 00:02:54,918 --> 00:02:58,792 of the Schlage Primus key there
60 00:02:58,792 --> 00:03:01,999 the SCHLAGE
61 00:03:01,999 --> 00:03:06,209 which is the squiggly line on the top
62 00:03:06,501 --> 00:03:08,999 We're going to call that
63 00:03:10,501 --> 00:03:12,542 Now an important part
64 00:03:12,542 --> 00:03:15,959 is you can completely separate these
65 00:03:15,999 --> 00:03:18,999 In fact, we've cut a couple keys
66 00:03:18,999 --> 00:03:21,626 the side bar or just the top bitting.
67 00:03:21,918 --> 00:03:25,959 Now, here's a side bar only.
68 00:03:27,083 --> 00:03:31,417 And then here is a full key,
69 00:03:31,417 --> 00:03:34,083 the side milling on it.
70 00:03:38,626 --> 00:03:42,167 Can anybody pick a Primus lock,
71 00:03:42,709 --> 00:03:46,459 One guy in the back.
72 00:03:46,459 --> 00:03:47,459 I salute you.
73 00:03:47,459 --> 00:03:48,999 Much more skilled than I am.
74 00:03:49,083 --> 00:03:51,292 We cannot pick Primus locks.
75 00:03:51,292 --> 00:03:52,918 I have one friend who can do it.
76 00:03:52,918 --> 00:03:55,459 He's very good at it but we have
77 00:03:55,459 --> 00:03:57,292 of opening these.
78 00:03:57,584 --> 00:04:00,709 Now, what we're going to do
79 00:04:00,709 --> 00:04:05,417 at keyless entry, we're going to look
80 00:04:05,417 --> 00:04:07,542 So this is basically using information
81 00:04:07,542 --> 00:04:10,918 you gather somehow about the key
82 00:04:10,918 --> 00:04:12,501 to the lock.
83 00:04:13,209 --> 00:04:16,083 There's a lot of things in place
84 00:04:16,083 --> 00:04:18,584 The way you get these keys
85 00:04:18,584 --> 00:04:22,834 to send them proof that you are who
86 00:04:22,834 --> 00:04:27,834 And you're entitled to get keys,
87 00:04:27,834 --> 00:04:30,292 This key is blank
88 00:04:30,292 --> 00:04:31,999 bitting on it.
89 00:04:31,999 --> 00:04:33,667 But it does have a side bar.
90 00:04:33,667 --> 00:04:36,167 Schlage claims they're
91 00:04:36,167 --> 00:04:39,459 side bar and they go
92 00:04:39,459 --> 00:04:42,250 a lot of money to get side bars.
93 00:04:44,959 --> 00:04:47,709 In order to attack this lock,
94 00:04:47,709 --> 00:04:50,334 first we have to figure out how
95 00:04:50,334 --> 00:04:53,459 and how it actuates the parts
96 00:04:53,501 --> 00:04:55,999 We're going to create a 3D model
97 00:04:55,999 --> 00:04:59,667 is the first step
98 00:04:59,667 --> 00:05:02,626 Then we're going to look at additive
99 00:05:02,626 --> 00:05:07,375 and implication of this for Primus
100 00:05:07,792 --> 00:05:12,292 All right, so we'll start
101 00:05:12,292 --> 00:05:19,501 we're calling it reverse engineering
102 00:05:19,501 --> 00:05:22,375 There's no great amount
103 00:05:22,375 --> 00:05:25,209 So start out with a Primus key
104 00:05:25,209 --> 00:05:26,999 about the lock.
105 00:05:27,209 --> 00:05:28,876 And what does it say on it?
106 00:05:28,876 --> 00:05:31,834 Primus, do not duplicate.
107 00:05:32,292 --> 00:05:35,751 Actually, we may have to end
108 00:05:35,751 --> 00:05:37,375 all for come.
109 00:05:39,999 --> 00:05:43,167 (Laughter) The third line of the key
110 00:05:43,167 --> 00:05:44,167 A U.S.
111 00:05:44,167 --> 00:05:45,167 patent number.
112 00:05:45,542 --> 00:05:49,542 I'm guessing Schlage thinks this
113 00:05:55,375 --> 00:05:57,334 But actually U.S.
114 00:05:57,334 --> 00:05:58,792 patent filings are public.
115 00:05:58,792 --> 00:06:01,999 So you look it
116 00:06:01,999 --> 00:06:05,999 of about 20 pages
117 00:06:05,999 --> 00:06:09,542 explaining exactly how it works.
118 00:06:09,792 --> 00:06:13,334 So you can see that
119 00:06:13,334 --> 00:06:15,999 on the top of the key.
120 00:06:15,999 --> 00:06:19,250 There are 5 additional cuts
121 00:06:19,250 --> 00:06:21,167 And there's
122 00:06:21,167 --> 00:06:26,209 on the side of the lock which
123 00:06:26,209 --> 00:06:28,250 We'll take a closer look at that soon.
124 00:06:28,918 --> 00:06:34,375 You read through the patent
125 00:06:34,709 --> 00:06:38,959 But there's a lot more information that's
126 00:06:38,999 --> 00:06:43,751 So suppose you do a Google search
127 00:06:43,751 --> 00:06:45,999 Well, there you are.
128 00:06:46,751 --> 00:06:49,999 They have it up on their Web site.
129 00:06:50,083 --> 00:06:53,876 And if we look inside there, there
130 00:06:53,876 --> 00:06:56,417 that they've provided to us.
131 00:06:56,999 --> 00:07:02,999 So here you can see how that side
132 00:07:02,999 --> 00:07:02,999 There's an L.
133 00:07:02,999 --> 00:07:05,999 shaped pin called
134 00:07:05,999 --> 00:07:09,501 down in the grooves on the side
135 00:07:09,709 --> 00:07:12,459 That meshes
136 00:07:12,459 --> 00:07:17,209 to the side bar in the previous talk,
137 00:07:17,792 --> 00:07:21,667 And when those finger pins are lined
138 00:07:21,667 --> 00:07:26,083 as you can see in the drawings at right,
139 00:07:26,083 --> 00:07:28,584 the cylinder can open.
140 00:07:28,834 --> 00:07:31,584 If the finger pins are not aligned
141 00:07:31,584 --> 00:07:35,709 the side bar and that will prevent
142 00:07:36,083 --> 00:07:38,709 So the finger pins have got
143 00:07:38,709 --> 00:07:41,209 and rotated to the correct angle.
144 00:07:41,209 --> 00:07:42,999 They have two degrees of freedom.
145 00:07:43,292 --> 00:07:45,083 So let's take a look.
146 00:07:45,334 --> 00:07:49,626 Here is a cutaway lock and side bar
147 00:07:49,626 --> 00:07:51,876 the finger pins.
148 00:07:51,999 --> 00:07:54,918 You'll see them moving
149 00:07:54,918 --> 00:07:59,250 to be misaligned until the key
150 00:07:59,250 --> 00:08:01,999 of them will be lined up.
151 00:08:04,292 --> 00:08:08,999 Until you rotate it back and forth
152 00:08:08,999 --> 00:08:10,999 of light on them.
153 00:08:11,250 --> 00:08:13,999 You see there they rotate.
154 00:08:17,626 --> 00:08:21,292 Until the key is all the way
155 00:08:21,292 --> 00:08:25,876 and if the wrong side bar is used
156 00:08:30,834 --> 00:08:34,999 That's basically it
157 00:08:35,250 --> 00:08:37,125 If there are any missing details,
158 00:08:37,125 --> 00:08:39,792 of course take one apart and look.
159 00:08:39,834 --> 00:08:41,209 But it turns out that
160 00:08:41,209 --> 00:08:45,626 at Lockwiki already did that and put
161 00:08:46,334 --> 00:08:50,876 So all you have to do is look
162 00:08:50,876 --> 00:08:55,083 and you can see exactly how this side
163 00:08:55,083 --> 00:08:56,999 It's got little notches
164 00:08:56,999 --> 00:09:00,709 on the finger pins that fit
165 00:09:00,709 --> 00:09:03,626 as the bump is in the right spot.
166 00:09:04,209 --> 00:09:10,083 This is the lock and Schlage believes
167 00:09:10,083 --> 00:09:15,459 secure, resistant to duplication
168 00:09:16,375 --> 00:09:18,417 And they're almost right.
169 00:09:19,999 --> 00:09:24,999 So next thing we'll take a look
170 00:09:24,999 --> 00:09:28,417 So that is now that you have
171 00:09:28,417 --> 00:09:32,375 out the exact dimensions that are
172 00:09:32,375 --> 00:09:37,709 the finger pins and the pin on the top
173 00:09:37,709 --> 00:09:39,626 into the lock.
174 00:09:39,918 --> 00:09:44,083 So we'll start out with a top
175 00:09:44,083 --> 00:09:46,375 This is a page from the service manual.
176 00:09:46,417 --> 00:09:50,125 This is backwards compatible
177 00:09:50,125 --> 00:09:54,459 of this is secret at all and this
178 00:09:54,459 --> 00:09:56,999 for the top of the key.
179 00:09:57,626 --> 00:09:59,999 The side of the key
180 00:09:59,999 --> 00:10:04,459 because all Schlage tells you
181 00:10:04,459 --> 00:10:06,876 They can be left, center or right.
182 00:10:06,876 --> 00:10:08,918 And high or low.
183 00:10:08,999 --> 00:10:11,375 So what we did to figure
184 00:10:11,375 --> 00:10:14,999 for this not using any special tools,
185 00:10:14,999 --> 00:10:18,000 on a flatbed scanner run them
186 00:10:18,000 --> 00:10:20,876 and extract the parameters.
187 00:10:20,999 --> 00:10:23,459 We got nice results.
188 00:10:23,751 --> 00:10:24,876 Here they are.
189 00:10:24,959 --> 00:10:25,999 Now you know.
190 00:10:26,334 --> 00:10:30,250 You can also see here a picture
191 00:10:30,250 --> 00:10:33,999 those different positions map
192 00:10:34,125 --> 00:10:39,834 This is side bar 64246 deep right,
193 00:10:39,834 --> 00:10:42,667 deep left, deep right.
194 00:10:43,751 --> 00:10:46,834 And that's about it for this side bitting.
195 00:10:46,999 --> 00:10:50,417 There are a couple other things we have
196 00:10:50,417 --> 00:10:52,792 a key that can be used.
197 00:10:53,542 --> 00:10:55,918 We have a minimum slope
198 00:10:55,918 --> 00:10:58,542 down to each cut
199 00:10:58,542 --> 00:11:00,999 to rotate, that's got
200 00:11:00,999 --> 00:11:03,626 down to the bottom of the cut.
201 00:11:03,999 --> 00:11:07,125 Otherwise, the friction
202 00:11:07,334 --> 00:11:08,751 There's also
203 00:11:08,751 --> 00:11:12,709 because if it's the ramp is too steep,
204 00:11:12,709 --> 00:11:15,792 the key won't be able to go in and out.
205 00:11:15,792 --> 00:11:18,292 So because there's this rotating pin you
206 00:11:18,292 --> 00:11:21,792 out these two factors and there's only
207 00:11:21,792 --> 00:11:23,959 of slopes that work.
208 00:11:24,334 --> 00:11:26,999 And finally the bottom
209 00:11:26,999 --> 00:11:30,792 to match the curvature
210 00:11:30,876 --> 00:11:33,751 So we went through and figured
211 00:11:33,751 --> 00:11:36,999 as well. And that's it
212 00:11:36,999 --> 00:11:40,918 for all of the control surfaces
213 00:11:40,918 --> 00:11:43,999 With this, you can put
214 00:11:43,999 --> 00:11:47,334 All the finger pins in the right place
215 00:11:47,459 --> 00:11:48,999 Of course, the last piece
216 00:11:48,999 --> 00:11:52,167 a key cross section that will fit
217 00:11:52,250 --> 00:11:55,501 Now, eventually,
218 00:11:55,501 --> 00:11:59,417 in all of their standard Primus locks
219 00:11:59,417 --> 00:12:05,334 a bit more material from that, it fits
220 00:12:05,501 --> 00:12:09,959 And we speculate that the reason this
221 00:12:09,959 --> 00:12:15,375 the side bar mechanism imposes such
222 00:12:15,375 --> 00:12:21,999 and that the key has got
223 00:12:21,999 --> 00:12:22,999 This one.
224 00:12:22,999 --> 00:12:26,417 There's got to be a big hole
225 00:12:26,417 --> 00:12:30,626 the finger pins can ride
226 00:12:30,626 --> 00:12:35,083 There's got to be side bar there's got
227 00:12:35,334 --> 00:12:38,083 There's very little flexibility
228 00:12:38,083 --> 00:12:40,083 around the side bar.
229 00:12:40,334 --> 00:12:44,375 So in that respect, the side bar
230 00:12:44,375 --> 00:12:48,459 a regular lock where there could be
231 00:12:48,459 --> 00:12:49,876 a key.
232 00:12:49,999 --> 00:12:54,959 And once we have that key cross
233 00:12:54,959 --> 00:12:58,709 all these pieces together
234 00:12:59,083 --> 00:13:03,083 And to do that, we used
235 00:13:03,167 --> 00:13:05,999 OpenSCAD
236 00:13:05,999 --> 00:13:10,083 like syntax that compiled to 3D models.
237 00:13:10,083 --> 00:13:16,751 It was first used to model keys
238 00:13:16,751 --> 00:13:19,209 So we saw that and thought it was
239 00:13:19,209 --> 00:13:21,999 and implemented the Primus key.
240 00:13:21,999 --> 00:13:24,083 It was only a few hundred lines of code.
241 00:13:24,083 --> 00:13:25,501 Not a lot of work.
242 00:13:25,959 --> 00:13:29,083 Considering the purported security
243 00:13:29,459 --> 00:13:31,709 Here's an example of what it looks like.
244 00:13:31,709 --> 00:13:34,083 This is our top level function called key.
245 00:13:34,209 --> 00:13:36,626 Which is taking the top code
246 00:13:36,626 --> 00:13:40,083 and it's calling out to a bunch
247 00:13:40,083 --> 00:13:43,417 to draw the top of the key and
248 00:13:43,417 --> 00:13:47,083 out all of the bumps that need
249 00:13:47,459 --> 00:13:49,876 And this is what you get.
250 00:13:49,876 --> 00:13:53,959 You call the function key and get
251 00:13:53,959 --> 00:14:00,334 working Primus key (Applause.)
252 00:14:00,334 --> 00:14:06,083 we'll tell you about a bunch
253 00:14:06,083 --> 00:14:10,876 to easily and cheaply fabricate these.
254 00:14:10,876 --> 00:14:12,999 3D models are great
255 00:14:12,999 --> 00:14:14,999 if you can't make it.
256 00:14:15,999 --> 00:14:17,999 Has anybody filed keys?
257 00:14:17,999 --> 00:14:18,999 Show of hands.
258 00:14:20,584 --> 00:14:23,083 Take a file, work it for a while.
259 00:14:23,083 --> 00:14:26,999 It takes a steady hand, a pair
260 00:14:26,999 --> 00:14:31,626 Now we thought that hand machining
261 00:14:31,834 --> 00:14:35,501 Until one day our friend Rob sends us
262 00:14:35,501 --> 00:14:38,292 by hand opening a Primus lock.
263 00:14:38,501 --> 00:14:41,083 And we're like wow,
264 00:14:41,083 --> 00:14:43,459 He used very complicated tools,
265 00:14:43,459 --> 00:14:48,999 He used a Dremel, a pair of calipers
266 00:14:48,999 --> 00:14:51,083 Only material cost
267 00:14:51,083 --> 00:14:54,459 he basically described
268 00:14:54,459 --> 00:14:57,792 all of the dimensions
269 00:14:57,792 --> 00:14:59,999 with Dremel
270 00:14:59,999 --> 00:15:03,417 and stuck it in the lock and it worked.
271 00:15:04,876 --> 00:15:06,999 He's done it
272 00:15:06,999 --> 00:15:10,125 the 11 numbers describing the key
273 00:15:10,125 --> 00:15:12,626 a key that will open the lock.
274 00:15:12,626 --> 00:15:14,584 It's fantastic.
275 00:15:14,999 --> 00:15:17,292 Here's photos of the process.
276 00:15:17,292 --> 00:15:18,999 You can see
277 00:15:18,999 --> 00:15:21,918 in the Primus keyway
278 00:15:21,918 --> 00:15:25,209 to prevent you from breaking
279 00:15:25,959 --> 00:15:27,792 Thin it down using the Dremel.
280 00:15:27,792 --> 00:15:31,250 You see the complicated tools we have
281 00:15:31,709 --> 00:15:33,918 It also happens that 0 you are key
282 00:15:33,918 --> 00:15:35,876 as our kitchen table.
283 00:15:36,334 --> 00:15:38,584 So once the key is thinned
284 00:15:38,584 --> 00:15:42,209 in the Primus keyway you can start
285 00:15:42,209 --> 00:15:45,584 to setting into and here we've got two
286 00:15:45,584 --> 00:15:50,083 And you basically scribe
287 00:15:50,083 --> 00:15:54,918 scribes more measure repeat ad
288 00:15:55,125 --> 00:15:57,999 Here it is with almost
289 00:15:57,999 --> 00:16:00,459 of polishing it
290 00:16:00,459 --> 00:16:02,999 in the lock and it opens.
291 00:16:02,999 --> 00:16:05,751 And we have that to show you now.
292 00:16:06,292 --> 00:16:09,959 Here's the hardware store key blank.
293 00:16:10,167 --> 00:16:14,083 This one I think was 25 cents
294 00:16:15,459 --> 00:16:19,375 Here is the result.
295 00:16:22,125 --> 00:16:24,999 There's the part we Dremel'd out.
296 00:16:27,250 --> 00:16:31,751 Here's the stock key
297 00:16:31,751 --> 00:16:35,334 See that bitting there compared to ours.
298 00:16:35,501 --> 00:16:38,083 And let's put it in the lock.
299 00:16:38,083 --> 00:16:40,542 Here's
300 00:16:41,125 --> 00:16:42,999 That works fine.
301 00:16:43,209 --> 00:16:46,083 Here's our key opening the lock.
302 00:16:46,542 --> 00:16:56,292 (Applause) So that's it.
303 00:16:56,292 --> 00:16:57,542 Yeah, you can Dremel it.
304 00:16:59,167 --> 00:17:01,999 If you've had
305 00:17:01,999 --> 00:17:03,876 you can do this.
306 00:17:07,209 --> 00:17:09,959 This is how Schlage makes their keys.
307 00:17:12,876 --> 00:17:14,709 They mill
308 00:17:14,709 --> 00:17:16,459 numerical control.
309 00:17:16,626 --> 00:17:21,083 If you are interested outsourcing this
310 00:17:21,083 --> 00:17:23,167 the setup cost
311 00:17:23,167 --> 00:17:27,792 because you have to there's a lot
312 00:17:27,792 --> 00:17:31,959 of common milling machines don't have
313 00:17:31,959 --> 00:17:35,709 to operate the small tool diameters you
314 00:17:36,083 --> 00:17:40,209 And so the a better tool than
315 00:17:40,209 --> 00:17:45,375 is probably a desktop micro mill
316 00:17:45,375 --> 00:17:47,999 through the market.
317 00:17:47,999 --> 00:17:49,501 Keep an eye out for ones
318 00:17:49,501 --> 00:17:53,167 will run you probably
319 00:17:53,167 --> 00:17:56,792 The other shown here is another mill
320 00:17:56,792 --> 00:17:59,083 of milling
321 00:17:59,083 --> 00:18:01,125 into a Primus key.
322 00:18:01,125 --> 00:18:02,501 This is not out yet.
323 00:18:02,501 --> 00:18:04,250 It's a funded Kickstarter project.
324 00:18:04,959 --> 00:18:08,999 But the most exciting thing we tried
325 00:18:08,999 --> 00:18:11,999 a new space
326 00:18:11,999 --> 00:18:15,999 printers have hit the levels
327 00:18:15,999 --> 00:18:18,334 a high security lock.
328 00:18:18,542 --> 00:18:24,834 So we took that 3D model and just sent
329 00:18:24,834 --> 00:18:26,709 Shapeways.com and i.materialise.
330 00:18:27,292 --> 00:18:30,709 We got keys back
331 00:18:30,999 --> 00:18:36,083 We tried two different plastic processes
332 00:18:36,125 --> 00:18:39,250 And well, it turns out that
333 00:18:39,250 --> 00:18:41,751 (Laughter) So we're going
334 00:18:46,999 --> 00:18:52,334 (Applause) The first material we tried
335 00:18:52,334 --> 00:18:55,626 frosted ultra detail
336 00:18:55,626 --> 00:18:58,999 as much precision as we can here.
337 00:18:59,375 --> 00:19:03,999 And this is a stereo process secured.
338 00:19:04,334 --> 00:19:05,999 Very expensive.
339 00:19:05,999 --> 00:19:09,999 There's a 5 dollar setup cost
340 00:19:10,083 --> 00:19:11,999 How much is it going to cost you
341 00:19:11,999 --> 00:19:13,999 at the hardware store.
342 00:19:14,083 --> 00:19:15,083 $3?
343 00:19:16,375 --> 00:19:19,083 Precision was excellent.
344 00:19:19,209 --> 00:19:20,999 We measured it.
345 00:19:20,999 --> 00:19:21,999 It was great.
346 00:19:21,999 --> 00:19:25,083 Issue was it was not that strong.
347 00:19:25,209 --> 00:19:28,999 It was plenty strong to attack
348 00:19:28,999 --> 00:19:32,209 but when it comes
349 00:19:32,209 --> 00:19:37,334 the half spot at rust padlock,
350 00:19:37,999 --> 00:19:40,709 But there are a lot
351 00:19:40,709 --> 00:19:43,209 like figuring out whether you have
352 00:19:43,209 --> 00:19:47,918 for a lock or removing the cylinder
353 00:19:50,083 --> 00:19:52,083 What it looks like.
354 00:19:52,083 --> 00:19:53,083 We don't put the bumps
355 00:19:53,083 --> 00:19:56,083 because they're useless
356 00:19:56,083 --> 00:19:58,501 There it is.
357 00:19:58,501 --> 00:20:01,501 There it goes going
358 00:20:01,501 --> 00:20:03,417 real smooth.
359 00:20:09,584 --> 00:20:13,667 (Applause.) Next thing was different
360 00:20:13,667 --> 00:20:15,876 strong and flexible.
361 00:20:15,999 --> 00:20:17,959 This is laser sintered nylon.
362 00:20:19,042 --> 00:20:21,125 This is cheaper.
363 00:20:21,125 --> 00:20:23,083 Only $3 total.
364 00:20:23,709 --> 00:20:25,999 The issue here was the precision.
365 00:20:25,999 --> 00:20:28,959 This is not
366 00:20:28,999 --> 00:20:31,000 It's not high resolution but it's enough.
367 00:20:31,250 --> 00:20:34,292 It's less smooth going into the lock.
368 00:20:34,292 --> 00:20:37,751 Sometimes you've got to give it
369 00:20:37,751 --> 00:20:42,626 enough to operate most locks
370 00:20:42,626 --> 00:20:44,334 So we can take a look at that.
371 00:20:44,459 --> 00:20:47,709 See if you can see the side bar there.
372 00:20:47,709 --> 00:20:48,709 It's hard.
373 00:20:48,709 --> 00:20:50,584 Yeah, there is a side bar.
374 00:20:50,584 --> 00:20:52,626 It's just hiding.
375 00:20:54,542 --> 00:20:57,999 Little harder to insert
376 00:20:57,999 --> 00:21:01,125 it opens fine and it's quite strong.
377 00:21:04,292 --> 00:21:06,999 By the way, we got old FL.
378 00:21:06,999 --> 00:21:10,083 This is a key that doesn't open anything
379 00:21:10,083 --> 00:21:12,999 an idea how brittle the first one was.
380 00:21:13,417 --> 00:21:14,501 That's it.
381 00:21:15,083 --> 00:21:17,083 So you don't want that happening
382 00:21:17,083 --> 00:21:20,459 of cases where you might be using
383 00:21:21,999 --> 00:21:24,792 And then the third thing we tried just
384 00:21:24,792 --> 00:21:28,083 out is this titanium process which
385 00:21:28,083 --> 00:21:32,292 to deposit titanium powder
386 00:21:33,250 --> 00:21:35,626 And that turned out awesome.
387 00:21:35,626 --> 00:21:39,083 The down side is it ran us $150
388 00:21:39,999 --> 00:21:43,918 But you want to show that?
389 00:21:43,918 --> 00:21:49,334 It is an amazing looking thing.
390 00:21:49,334 --> 00:21:52,459 We measured it and it was more precise
391 00:21:52,459 --> 00:21:54,292 you how good it is.
392 00:21:54,292 --> 00:21:55,834 But it's certainly
393 00:21:55,834 --> 00:21:58,209 the Schlage factory, most likely.
394 00:21:58,209 --> 00:21:59,209 Yep.
395 00:21:59,209 --> 00:22:00,209 Here it is.
396 00:22:00,209 --> 00:22:04,709 We go into the lock and no problem.
397 00:22:04,999 --> 00:22:06,999 This stuff is super strong.
398 00:22:06,999 --> 00:22:15,959 (Applause.) So there it is,
399 00:22:15,959 --> 00:22:19,209 I suspect there are many more ways
400 00:22:19,209 --> 00:22:23,834 of these outfits are just starting
401 00:22:23,834 --> 00:22:27,667 they have 3D printers that print in wax.
402 00:22:27,667 --> 00:22:30,083 And maybe they'll even give you
403 00:22:30,209 --> 00:22:31,999 So we have no reason
404 00:22:31,999 --> 00:22:35,834 of these other processes wouldn't work
405 00:22:35,999 --> 00:22:40,292 And we also expect
406 00:22:40,292 --> 00:22:42,999 Because
407 00:22:42,999 --> 00:22:47,999 is the white one and titanium are currently
408 00:22:47,999 --> 00:22:52,751 a royalty fee that's part
409 00:22:52,751 --> 00:22:54,209 in 2014.
410 00:22:55,876 --> 00:23:00,667 Historically speaking, when
411 00:23:00,667 --> 00:23:02,999 went down 25-30%.
412 00:23:03,250 --> 00:23:05,834 And we start seeing things
413 00:23:05,834 --> 00:23:09,125 So that's going to be exciting.
414 00:23:09,417 --> 00:23:13,209 Maybe we'll get
415 00:23:16,083 --> 00:23:19,209 Finally, let's take a look
416 00:23:19,709 --> 00:23:24,459 So first for Primus locks,
417 00:23:24,999 --> 00:23:27,834 We know all of these dimensions now,
418 00:23:27,834 --> 00:23:31,250 is a key or else a picture
419 00:23:31,250 --> 00:23:35,584 if you've got a sense of you know,
420 00:23:35,751 --> 00:23:37,334 But it's not going to be hard.
421 00:23:37,334 --> 00:23:41,250 Especially if you're decoding that side
422 00:23:41,250 --> 00:23:43,250 Because there's only six possibilities
423 00:23:43,250 --> 00:23:45,626 they look quite different.
424 00:23:46,542 --> 00:23:51,167 Of course that means key duplication
425 00:23:51,167 --> 00:23:54,999 your key you're going to need
426 00:23:54,999 --> 00:23:58,501 to ship off to Shapeways and that's it.
427 00:23:58,501 --> 00:24:01,209 You've got your copy
428 00:24:01,209 --> 00:24:05,083 going to the hardware store
429 00:24:06,292 --> 00:24:10,999 So one thing this means
430 00:24:11,334 --> 00:24:15,792 It's standard attack that can be
431 00:24:15,792 --> 00:24:18,792 in which you start
432 00:24:18,792 --> 00:24:22,417 and a couple of key blanks
433 00:24:22,417 --> 00:24:27,083 out one pin at a time to find where
434 00:24:27,459 --> 00:24:30,250 In a master system, the side bar
435 00:24:30,250 --> 00:24:33,626 because that's built
436 00:24:33,626 --> 00:24:37,292 the ability to produce blocks
437 00:24:37,292 --> 00:24:39,999 the same attack and this
438 00:24:39,999 --> 00:24:42,459 a regular pin tumbler lock.
439 00:24:42,459 --> 00:24:44,834 Have you seen the Matt Blaze paper?
440 00:24:47,999 --> 00:24:50,999 Matt Blaze master keyed systems.
441 00:24:51,250 --> 00:24:55,999 (Talking simultaneously.) But
442 00:24:55,999 --> 00:24:58,709 These are still a pain to pick.
443 00:24:59,083 --> 00:25:01,167 So we're just looking at starting
444 00:25:01,167 --> 00:25:04,292 of the information contained in a key.
445 00:25:04,375 --> 00:25:06,918 Although note that's not going
446 00:25:06,918 --> 00:25:10,167 by there's been other work
447 00:25:10,167 --> 00:25:14,334 there's a key at Berkeley I believe
448 00:25:14,334 --> 00:25:18,334 have been at one
449 00:25:18,334 --> 00:25:21,250 They successfully decoded
450 00:25:21,250 --> 00:25:25,083 from a guy sitting at a table
451 00:25:25,083 --> 00:25:30,250 of a 4 story building
452 00:25:30,542 --> 00:25:33,083 If you see anyone walking
453 00:25:33,083 --> 00:25:35,626 from their belt,
454 00:25:35,626 --> 00:25:37,459 of one of those.
455 00:25:38,334 --> 00:25:39,584 All right.
456 00:25:39,584 --> 00:25:41,292 So we're going to have
457 00:25:41,292 --> 00:25:44,667 want to use a Primus lock
458 00:25:44,999 --> 00:25:49,334 If you're using Primus locks already,
459 00:25:49,334 --> 00:25:53,083 if anyone at all can go duplicate a key.
460 00:25:53,959 --> 00:25:56,751 It's not new that you can duplicate
461 00:25:56,751 --> 00:25:58,999 You could get a machinist
462 00:25:58,999 --> 00:26:01,334 But what's new is anyone can do it.
463 00:26:01,584 --> 00:26:04,334 There's no barrier in terms
464 00:26:04,334 --> 00:26:07,999 No cost barrier, anyone who feels
465 00:26:08,709 --> 00:26:13,083 But the interesting thing
466 00:26:13,083 --> 00:26:15,334 to Primus locks.
467 00:26:15,918 --> 00:26:19,501 There's no specific weakness
468 00:26:19,709 --> 00:26:22,792 Any physical lock
469 00:26:22,792 --> 00:26:24,584 and printed.
470 00:26:24,999 --> 00:26:29,999 So it's an industry wide problem that's
471 00:26:29,999 --> 00:26:33,083 up now 3D printing
472 00:26:33,083 --> 00:26:35,999 to have these precisions.
473 00:26:36,209 --> 00:26:39,501 Key duplication
474 00:26:41,459 --> 00:26:44,125 It will be like pirating movies.
475 00:26:44,334 --> 00:26:47,751 It still takes one person who can go
476 00:26:47,751 --> 00:26:51,125 or take their video camera
477 00:26:51,417 --> 00:26:53,083 But as soon as they've done it,
478 00:26:53,083 --> 00:26:54,999 to download the movie.
479 00:26:55,250 --> 00:26:59,083 It takes one person to model a key
480 00:26:59,083 --> 00:27:02,417 and download and print them off.
481 00:27:02,501 --> 00:27:06,209 So I think we'll find those people
482 00:27:07,417 --> 00:27:09,501 Physical security
483 00:27:09,501 --> 00:27:11,751 on information security.
484 00:27:11,959 --> 00:27:14,083 We're breaking
485 00:27:14,083 --> 00:27:16,999 by writing code for a key.
486 00:27:16,999 --> 00:27:18,375 I think that's cool.
487 00:27:21,334 --> 00:27:23,792 Patent protection
488 00:27:23,792 --> 00:27:26,959 for lock companies
489 00:27:26,959 --> 00:27:30,083 to threaten legal action
490 00:27:30,083 --> 00:27:34,334 physical reproductions
491 00:27:34,334 --> 00:27:39,334 I don't think they'll be able to go
492 00:27:39,334 --> 00:27:43,999 the same information included
493 00:27:43,999 --> 00:27:48,083 Go after each individual person that
494 00:27:48,083 --> 00:27:49,999 of these keys.
495 00:27:49,999 --> 00:27:51,999 But I don't think they'll be able
496 00:27:51,999 --> 00:27:53,792 the distribution
497 00:27:53,792 --> 00:27:55,584 on a patented key.
498 00:27:55,584 --> 00:27:57,999 But we're not lawyers.
499 00:27:57,999 --> 00:28:00,083 You should talk to Marc Weber Tobias.
500 00:28:02,584 --> 00:28:07,709 Lawyers can make your day suck
501 00:28:08,999 --> 00:28:14,876 Here's other keys this
502 00:28:14,876 --> 00:28:18,417 This is all recent work
503 00:28:18,417 --> 00:28:20,334 This is for a Mini Cooper.
504 00:28:20,334 --> 00:28:23,999 This does nothing about the chip
505 00:28:23,999 --> 00:28:25,876 the real key.
506 00:28:26,834 --> 00:28:29,375 It works for the physical section.
507 00:28:29,751 --> 00:28:33,626 This is used commonly in bike locks.
508 00:28:33,709 --> 00:28:34,918 Other stuff.
509 00:28:35,083 --> 00:28:38,167 People have 3D printed handcuff
510 00:28:40,083 --> 00:28:42,083 Field is wide open.
511 00:28:42,083 --> 00:28:45,999 Anything that's a physical lock,
512 00:28:45,999 --> 00:28:49,999 up wherever it
513 00:28:49,999 --> 00:28:53,083 and people can print it out.
514 00:28:53,999 --> 00:28:56,584 We have audience projects here that
515 00:28:56,584 --> 00:28:59,083 if someone else wanted to do.
516 00:28:59,125 --> 00:29:02,334 We'd like to see 3D models
517 00:29:02,334 --> 00:29:06,167 in OpenSCAD because it's not that hard.
518 00:29:06,375 --> 00:29:08,375 Especially Medeco which a lot
519 00:29:08,375 --> 00:29:11,999 is the highest security
520 00:29:12,334 --> 00:29:14,918 If you've ever looked
521 00:29:14,918 --> 00:29:18,667 he's published most
522 00:29:18,999 --> 00:29:22,209 Probably print out a model of that
523 00:29:22,999 --> 00:29:26,999 It would be neat to integrate models
524 00:29:26,999 --> 00:29:34,083 the process fully automatic especially
525 00:29:34,083 --> 00:29:36,083 That should be fairly straightforward.
526 00:29:36,083 --> 00:29:38,334 Maybe there's a market
527 00:29:38,334 --> 00:29:39,334 iPhone app.
528 00:29:39,334 --> 00:29:41,999 Take a picture of your key, get
529 00:29:46,751 --> 00:29:51,792 It would be neat to have a place to go
530 00:29:51,792 --> 00:29:54,792 for pirate bay for keys.
531 00:29:56,250 --> 00:29:59,709 And here's some food for thought.
532 00:29:59,709 --> 00:30:00,959 If you're
533 00:30:00,959 --> 00:30:02,417 about these.
534 00:30:03,083 --> 00:30:05,834 There's a lot
535 00:30:05,834 --> 00:30:10,542 because a retired locksmith was selling
536 00:30:12,501 --> 00:30:15,709 Called him the master keys
537 00:30:15,876 --> 00:30:19,834 These are keys that are used
538 00:30:19,834 --> 00:30:25,250 fire departments in New York City,
539 00:30:25,250 --> 00:30:30,834 to electrical circuit breaker boxes
540 00:30:31,501 --> 00:30:36,417 People were getting upset that
541 00:30:36,417 --> 00:30:38,042 But what's going
542 00:30:38,042 --> 00:30:40,584 the 3D models for these keys?
543 00:30:40,584 --> 00:30:43,417 These have got to be in hundreds
544 00:30:43,417 --> 00:30:45,417 There's no way to change these locks.
545 00:30:46,083 --> 00:30:51,626 The interesting thing
546 00:30:51,626 --> 00:30:59,167 by the New York Post has probably got
547 00:30:59,167 --> 00:31:02,999 ahead and do it right now.
548 00:31:02,999 --> 00:31:05,918 (Laughter) (Applause) Also, one
549 00:31:05,918 --> 00:31:09,751 manufacturers uses the same key
550 00:31:09,751 --> 00:31:14,999 and I believe that they put a picture
551 00:31:14,999 --> 00:31:16,667 On their online storefront.
552 00:31:16,667 --> 00:31:20,667 Even if not, how long will it be
553 00:31:20,667 --> 00:31:25,542 Models it, dollar, two dollars, buy
554 00:31:26,792 --> 00:31:31,751 If 3D printing keeps picking
555 00:31:31,751 --> 00:31:36,375 to be a major change in the field
556 00:31:38,125 --> 00:31:41,334 So I think that's about all we have here.
557 00:31:41,959 --> 00:31:44,334 We have a couple people to thank.
558 00:31:44,375 --> 00:31:46,292 Yeah, sure.
559 00:31:47,542 --> 00:31:50,167 A lot of people worked on this
560 00:31:50,167 --> 00:31:51,876 of us up here.
561 00:31:51,876 --> 00:31:53,751 I'd like to thank Gabe,
562 00:31:53,751 --> 00:31:57,626 of course Rob who couldn't be here
563 00:31:57,626 --> 00:32:00,999 the person manufacturing
564 00:32:00,999 --> 00:32:04,959 and Schlage for publishing
565 00:32:04,959 --> 00:32:08,999 the MIT locksport community
566 00:32:08,999 --> 00:32:11,167 in the first place.
567 00:32:11,876 --> 00:32:13,334 Thank you very much.
568 00:32:13,334 --> 00:32:17,083 (Applause.) So we have quite a bit
569 00:32:17,083 --> 00:32:19,417 We have about 15 minutes
570 00:32:19,417 --> 00:32:19,417 But, if you want to come play
571 00:32:19,417 --> 00:32:19,417 stuff works, come
572 00:32:19,417 --> 00:32:20,417 we'll be there.
573 00:32:20,417 --> 00:32:22,292 If we email you, can we get
574 00:32:22,292 --> 00:32:22,292 The code
575 00:32:22,292 --> 00:32:24,876 and file distribution and posted
576 00:32:24,876 --> 00:32:26,999 What bit did you guys use
577 00:32:26,999 --> 00:32:28,834 The highest speed you could get.
578 00:32:28,834 --> 00:32:28,834 There was
579 00:32:28,834 --> 00:32:30,083 but you can also use small.
580 00:32:30,083 --> 00:32:31,083 3/64ths or less.