One of the unintended consequences of cheap 3-D printing is that any troublemaker can duplicate a key without setting foot in a hardware store. Now Andy Greenberg reports that clever lockpickers are taking that DIY key-making trick a step further printing a "bump key" that opens even high-security locks in seconds, without seeing the original key.
A bump key resembles a normal key but can open millions of locks with a carefully practiced rap on its head with a hammer. Using software they created called Photobump, Jos Weyers and Christian Holler say it's now possible to easily bump open a wide range of locks using keys based on photographs of the locks' keyholes. As a result, all anyone needs to open many locks previously considered "unbumpable" is a bit of software, a picture of the lock's keyhole, and the keyhole's depth. "You don’t need much more to make a bump key," says Weyers. "Basically, if I can see your keyhole, there’s an app for that."
Weyers and Holler want to warn lockmakers about the possibility of 3-D printable bump keys so they can defend against it. Although Holler will discuss the technique at the Lockcon lockpicking conference in Sneek, the Netherlands, next month, he doesn't plan to release the Photobump software publicly and is working with police in his native Germany to analyze whether printed bump keys leave any forensic evidence behind.
Ikon maker Assa Abloy argues 3-D printing bump keys to its locks is an expensive, unreliable trick that doesn’t work on some locks whose keys have hidden or moving parts but Weyers argues that instead of dismissing 3-D printing or trying to keep their key profiles secret, lockmakers should produce more bump resistant locks with electronic elements or unprintable parts.
"The sky isn't falling, but the world changes and now people can make stuff," says Weyers. "Lock manufacturers know how to make a lock bump-resistant. And they had better."
(Score: 5, Informative) by gman003 on Tuesday September 02 2014, @01:53AM
Bump keys are already easy. All you really need is a key for any similar lock that you can file down - one that will fit into the lock, but not necessarily turn it. So if I did that to my apartment key, I would (theoretically) be able to use it on any other apartment in my complex, or any other that uses that same lock design (regardless of how it was keyed). All 3D printing does is remove the difficulty of getting that blank key.
Bump keys are also a well-known problem. Many common locks are still vulnerable to them, but any high-security lock will have countermeasures. This doesn't really change the attack, it's basically the equivalent of a script-kiddie version of an existing well-known attack.
(Score: 4, Informative) by frojack on Tuesday September 02 2014, @02:01AM
Right, this whole 3D printing business is becoming like "do any common thing with a computer and suddenly its novel and new and (usually) scary.
Go look at any hardware store and you will find the shelves are full of new locks (not even the high-security models) that advertise Non-Bump-able.
There are a bazillion locks installed that are bumpable, but locks tend to get replaced when people move out or in. The problem is that large apartment buildings don't want to replace all their locks, they just want to re-key them. Non-bump usually involves replacing the cylinder, rather than simply rekeying (changing the pins). Almost any lock smith can replace a bumpable cylinder with a non-bump one for a few bucks. But chances are your building super won't want to foot that bill.
No, you are mistaken. I've always had this sig.
(Score: 0) by Anonymous Coward on Tuesday September 02 2014, @04:07PM
Go look at any hardware store and you will find the shelves are full of new locks (not even the high-security models) that advertise Non-Bump-able.
RTFA! This is about making working bump keys for said "Non-Bump-able" locks.
(Score: 2) by frojack on Thursday September 04 2014, @05:56AM
Nope. There isn't a hint of a suggestion of that capability in the article or the linked sites.
No, you are mistaken. I've always had this sig.
(Score: 5, Interesting) by Snotnose on Tuesday September 02 2014, @02:15AM
CSB
About 30 years ago I lived in an Apt complex that consisted of about 10 rows of rectangular buildings, all with 8 units each, each had a different street address. I worked night shift at the time and we used to get off at midnight, close a local bar, go get dinner, and head home. One night I unlocked my door but, when I went to open it the door chain was on. As my brain was processing WTF some old guy comes up to the door yelling "hey,who are you and what are you doing!".
Turns out I'd gone to the row next door. A bit of experimentation the next day showed that my #7 key unlocked all 10 #7 doors. Went to my neighbor, his #6 key opened all #6 doors. we went to the landlord and got our locks replaced the next day.
/CSB
Of course I'm against DEI. Donald, Eric, and Ivanka.
(Score: 3, Funny) by isostatic on Tuesday September 02 2014, @09:17AM
You're lucky you didn't get shot. God bless America.
(Score: 3, Funny) by jimshatt on Tuesday September 02 2014, @10:09AM
(Score: 0) by Anonymous Coward on Tuesday September 02 2014, @02:35AM
I got a lockout tool set off a tool truck, it included a thin key that opens gas caps, some car doors, tool boxes, some padlocks, some house door locks, etc. Not very high tech, could easily make one with a bench grinder and a thin piece of metal.
(Score: 2) by nyder on Tuesday September 02 2014, @02:41AM
Getting blank keys are easy. Lots of stores have key copying kisoks in them, that needs a store person to operate, but they leave them open, and you can palm keys easy. Knew some peeps who did that for car keys because they knew how to make their own master for many models.
(Score: 2) by LoRdTAW on Tuesday September 02 2014, @02:23PM
How about the key counter in Home Depot that is only manned when a employee is summoned by a customer. The best part is the decorative key blanks with sports teams and other colorful designs are right on the counter facing the aisle. I can walk up, grab a blank, which already has a barcode tag attached, and walk to the self checkout counter which is right next to it.
And really this isn't scary news at all. I learned how to make a tension bar and rake in shop class from my shop teacher. Hacksaw blade is used for the rake and the tension bar made from a short piece of fish tape (or wire snake) which is heat treated spring metal. All done on a bench grinder.
Also, if key blanks were next to impossible to obtain it would be trivial for a machinist to make one using a surface grinder and perhaps a slotting saw on a horizontal mill. Then a bit of work with a file to cut the ridges.
(Score: 2) by Snow on Tuesday September 02 2014, @07:26PM
I was at a walmart wanting a new key and couldn't find any service (Surprise, Surprise). I had enough time to root through the cupboards, find the instruction booklet, follow the instructions and make my own key. No one challanged me at all. I was there for probabaly 20 minutes. It's not exactly Ft. Knox.
(Score: 5, Informative) by q.kontinuum on Tuesday September 02 2014, @04:33AM
Getting a blank key for high security locks was *not* easy before. Companies selling these locks were careful to patent their key profile, to sue others creating the same blanks, and to only work together with selected, certified partners. For cheaper locks this was always simpler, but now it gets simple even for the high security locks, and that's mainly what the story is about.
Registered IRC nick on chat.soylentnews.org: qkontinuum
(Score: 2) by gman003 on Tuesday September 02 2014, @04:46AM
So the locks were relying on security through obscurity (make blank/used keys hard to obtain) rather than security through security (making it resistant to bump keys). Yeah, I'm not gonna waste much sympathy on them.
(Score: 2) by q.kontinuum on Tuesday September 02 2014, @05:56AM
Nor do I :-) But it wasn't even obscurity. The profile can be seen from the outside. The interesting thing about the article is that basically the potential trouble maker new all along how the key was supposed to look like, but usually the effort to build one would have been prohibitive. Now it's a child game.
Registered IRC nick on chat.soylentnews.org: qkontinuum
(Score: 5, Informative) by TheLink on Tuesday September 02 2014, @06:20AM
There are mechanical keys/locks systems that aren't crap: https://en.wikipedia.org/wiki/Disc_tumbler_lock [wikipedia.org]
Why not use those instead? Padlocks using this tech seem fairly common where I live.
(Score: 2) by q.kontinuum on Tuesday September 02 2014, @11:23AM
Thanks for the link. Sounds interesting.
Registered IRC nick on chat.soylentnews.org: qkontinuum
(Score: 1) by My Silly Name on Tuesday September 02 2014, @02:47PM
Another interesting design is the Bramah [bramah.co.uk] lock, which despite its origins in the 18th century is still pretty damn hard to pick, and is definitely resistant to crude bumping techniques.
Unfortunately, no matter how groovy the lock technology we use, there's always the thermorectal method of obtaining a key. In my case, having abandoned big cities and now living in the boonies in Tasmania, I almost never lock my front door at all.
(Score: 2) by LoRdTAW on Tuesday September 02 2014, @07:56PM
Unfortunately, no matter how groovy the lock technology we use, there's always the thermorectal method of obtaining a key. In my case, having abandoned big cities and now living in the boonies in Tasmania, I almost never lock my front door at all.
Or just kicking the door down. Or breaking a window. But if you are that worried then you buy a reinforced door: https://www.youtube.com/watch?v=2cs_b3f97VE [youtube.com]
(Score: 0) by Anonymous Coward on Wednesday September 03 2014, @07:53AM
Or just kicking the door down. Or breaking a window.
Which makes it easier to convince the insurance company to pay out in cases of theft (without technically committing fraud by breaking stuff yourself).
http://www.consumeractiongroup.co.uk/forum/showthread.php?321332-Burgled.-Claim-declined-because-of-no-proof-of-force-or-violent-entry [consumeractiongroup.co.uk].
(Score: 2) by LoRdTAW on Tuesday September 02 2014, @08:18PM
Picking is not an issue but disc key copying is actually quite easy. The MTA uses these locks in the subway and perhaps other places to lock up just about anything. I had a friend in high school who was NYC subway obsessed and his neighbor was an MTA employee. Dont ask me how but he got ahold of the disc tumbler key and the lever keys used on the various doors and compartments of the subway cars. He secretly made clay casts and hand copied them using nails and sheet metal. The disc tumbler key was made from a nail with a flat filed on its length and then grooves for the discs filed at an angle into the half. The lever tumbler keys (aka old timey skeleton keys) he already made from bent sheet metal brazed to a nail by making a clay pressing from the slot on the door. He just had to figure out the rejection notch which was surprisingly dead center square and easy to cut.
The both of us had MTA keys we would show off by opening the doors between cars and unlocking gates with the disc locks. We were young and dumb but it was quite fun. But you had to be careful so we kept mischief to a minimum as that was jail right there. We only unlocked stuff to show off and stole a disc lock to lock our bikes with. Those locks were super strong. A solid steel uni body and a thick hardened shackle. Locking was simple: turning the key 90 degrees twisted a cam that pushed two steel bearings outward into grooves on each side of the shackle. There was no push to snap the lock, you had to turn the key to lock and unlock it. Impossible to break the lock by hammer, chisel or bolt cutter. You were better of cutting the chain or what ever the chain was around unless you had a torch. Master locks are garbage next to these things.
(Score: 2) by mrchew1982 on Tuesday September 02 2014, @11:53PM
Most high security locks now use other means to overcome unauthorized copying. The one that I'm most familiar with from my day job is ASSA ABLOY; they use a secondary set of pins on the sidebar of their locks. They have also started to use pins on the top that twist and turn, as well as fancy profiles on the pin/key interfaces that require special cuts at odd angles.
It's always a race...