{"id":11073,"date":"2016-01-15T09:00:32","date_gmt":"2016-01-15T14:00:32","guid":{"rendered":"https:\/\/www.kaspersky.com.au\/blog\/?p=11073"},"modified":"2020-02-27T04:01:04","modified_gmt":"2020-02-26T17:01:04","slug":"3d-printed-keys","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.au\/blog\/3d-printed-keys\/11073\/","title":{"rendered":"Real-world hackers can 3D-print your keys"},"content":{"rendered":"<p>One thing you might not know about hackers is that, besides cracking virtual systems, many of them are fond of hacking real-world stuff as well. Locking systems are, naturally, of particular interest to them. For instance, lockpicking contests and related talks are common at hacker conferences such as DEF CON or Chaos Communication Congress.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2016\/01\/06023219\/3d-printed-keys-FB.jpg\" alt=\"Real-world hackers can 3D-print your keys\" width=\"1280\" height=\"840\" class=\"aligncenter size-full wp-image-11078\"><\/p>\n<p>At the recent <a href=\"https:\/\/www.kaspersky.com.au\/blog\/tag\/32c3\/\" target=\"_blank\" rel=\"noopener noreferrer\">32C3 conference<\/a> in Hamburg, Eric Wustrow, a professor at the University of Colorado, presented a report describing how 3D printers can be used to forge keys. To be precise, the report covers forging keys for <a href=\"https:\/\/en.wikipedia.org\/wiki\/Pin_tumbler_lock\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">pin tumbler locks<\/a>, which is probably the most common lock system.<\/p>\n<p>Before 3D printing was invented, making a copy of a key required skill in metalcraft or at least in programming CNC machine tools. Besides that, there were restrictions such as the unavailability of certain blank keys, the need for physical access to the key one wanted to forge, and other physical-world limitations. 
Obviously, 3D printing makes everything easier and cheaper, since it transfers some of the problems to the digital plane.<\/p>\n<p><span class=\"embed-youtube\" style=\"text-align:center; display: block;\"><iframe class=\"youtube-player\" type=\"text\/html\" width=\"640\" height=\"390\" src=\"https:\/\/www.youtube.com\/embed\/a_85S1rIjNM?version=3&amp;rel=1&amp;fs=1&amp;showsearch=0&amp;showinfo=1&amp;iv_load_policy=1&amp;wmode=transparent\" frameborder=\"0\" allowfullscreen=\"true\"><\/iframe><\/span><\/p>\n<p>But how exactly can a 3D-printed key be used to attack a pin tumbler lock? There are at least three attack models (or, as they say in the cyber-security world, \u2018attack vectors\u2019) that this type of lock is vulnerable to.<\/p>\n<p>The first is teleduplication of a key. Modern camera sensors have huge resolutions, so even a bad digital photo can contain more than enough information to make a 3D model of a key and print a replica. Moreover, modern telescopic lenses are so good (and relatively affordable) that this picture can be shot from a very impressive distance.<br>\n<img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2016\/01\/06023226\/3d-printed-keys-teleduplication.jpg\" alt=\"Real-world hackers can 3D-print your keys\" width=\"1280\" height=\"1200\" class=\"aligncenter size-full wp-image-11074\"><\/p>\n<p>The second attack model is <a href=\"https:\/\/en.wikipedia.org\/wiki\/Lock_bumping\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">lock bumping<\/a>, a technique that involves using a specially crafted bump key with deep cuts and some sleight of hand. 
It turns out that <a href=\"http:\/\/unlocked.own-hero.net\/2014\/07\/10\/preview-photobump-plastic-bumpkeys\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">plastic 3D-printed bump keys<\/a> can be an even better choice than metal ones, since plastic transmits a knock better, bumping makes less noise, and the risk of damaging the lock is reduced. And of course, making a 3D model and printing a plastic key is way less complex than messing with metalcraft.<\/p>\n<p><span class=\"embed-youtube\" style=\"text-align:center; display: block;\"><iframe class=\"youtube-player\" type=\"text\/html\" width=\"640\" height=\"390\" src=\"https:\/\/www.youtube.com\/embed\/2MCUXF84WuY?version=3&amp;rel=1&amp;fs=1&amp;showsearch=0&amp;showinfo=1&amp;iv_load_policy=1&amp;wmode=transparent\" frameborder=\"0\" allowfullscreen=\"true\"><\/iframe><\/span><\/p>\n<p>The third scenario is probably the most interesting one: it is aimed at master key systems, and Wustrow therefore calls it \u2018privilege escalation\u2019, after the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Privilege_escalation\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">computer hacking technique of the same name<\/a>. The core idea of master key systems, which are widely used by organizations, is to make a lock \u2018compatible\u2019 with two different keys at once. To achieve that, lock manufacturers use two sets of pins inside a lock. Usually the so-called master key is in turn compatible with several locks, because one of the pin sets in them is made identical.<\/p>\n<p>The problem is that the sets of pins are not completely independent. If attackers have a regular key that opens one of the locks in question, they can modify one of its cuts and try to open the lock. If it doesn\u2019t work, they need to modify the cut again, and keep modifying it until the alternative \u2018master key pin\u2019 is in place and the lock opens. 
All the other cuts are correct for this particular door, because they still conform to the \u2018regular\u2019 pins.<\/p>\n<p>In this way, one by one, an attacker can modify all the cuts and end up with a master key that opens every door. In this case 3D printing could be especially helpful to the attacker, since this scenario involves a lot of attempts and each of them requires a new modified key sample.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2016\/01\/06023225\/3d-printed-keys-teleduplication-privilege-escalation.gif\" alt=\"Real-world hackers can 3D-print your keys\" width=\"640\" height=\"360\" class=\"aligncenter size-full wp-image-11075\"><\/p>\n<p>But are 3D-printed keys good enough to work in real life? As a study shows, not all the materials used in 3D printing are strong enough: some are too flexible, some too fragile. But there certainly are some materials suitable for key forgery. Moreover, for those who are not sure whether plastic will hold up, there are 3D-printing services that offer printing in metals such as brass, steel or even titanium.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2016\/01\/06023223\/3d-printed-keys-substances.jpg\" alt=\"Real-world hackers can 3D-print your keys\" width=\"1280\" height=\"720\" class=\"aligncenter size-full wp-image-11076\"><\/p>\n<p>It is worth mentioning that 3D-printed keys are not just a theoretical problem. The software for key forgery with 3D-printing technology is already in the wild, and so are the 3D printers themselves. The most obvious case is the TSA master keys leak. Several months ago someone posted an image of the TSA key set on the web, and 3D-printable models followed immediately. 
And now anyone can download them and print their very own set of \u2018Approved Luggage Locks\u2019 keys.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">REVEALED: TSA has a master key for your luggage and people are making copies @BI_Video <a href=\"http:\/\/t.co\/P5bod70zUK\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/P5bod70zUK<\/a> <a href=\"http:\/\/t.co\/oZ9jspPXqB\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/oZ9jspPXqB<\/a><\/p>\n<p>\u2014 Business Insider (@BusinessInsider) <a href=\"https:\/\/twitter.com\/BusinessInsider\/status\/642409568778240001?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">September 11, 2015<\/a><\/p><\/blockquote>\n<p>So, what can we do to defend ourselves? Probably a good way of thinking about this cyber-physical issue is to apply the same strategy that people use to protect IT systems. You can think of your keys as real-world passwords and treat them accordingly. 
Thus we come to several simple rules that won\u2019t secure your lock 100%, but will at least impede the attack enough to make the attacker go away:<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\"><a href=\"https:\/\/twitter.com\/hashtag\/tips?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#tips<\/a> 10 simple rules for passwords <a href=\"https:\/\/t.co\/9csfPxhHZ8\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/9csfPxhHZ8<\/a> <a href=\"https:\/\/t.co\/98UMK5RYdR\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/98UMK5RYdR<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/679321211340464129?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">December 22, 2015<\/a><\/p><\/blockquote>\n<p>1. Don\u2019t use simple \u2018passwords\u2019. As you can see, common pin tumbler locks are rather weak and vulnerable: not exactly like \u2018123456\u2019 or \u2018john1975\u2019, but pretty close. If you need better protection, choose more complex lock systems.<\/p>\n<p>2. Use \u2018two-step authentication\u2019. Two locks of different types could work much better than a single lock.<\/p>\n<p>3. Don\u2019t expose your \u2018passwords\u2019. Keep your keys away from cameras and, of course, never post photos of your keys online. Even a bad photo could be enough to 3D-replicate your key.<\/p>\n<p>4. Master keys are pretty much like \u2018backdoors\u2019 in your organisation\u2019s door locks. Avoid using such systems on the doors of critical rooms and areas.<\/p>\n<p>5. 
It won\u2019t hurt to use a <a href=\"https:\/\/www.kaspersky.com\/advert\/multi-device-security?redef=1&amp;THRU&amp;reseller=gl_KDpost_pro_ona_smm__onl_b2c_kasperskydaily_lnk____kismd___\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">security solution<\/a>: alarm systems can protect you from burglary if attackers are persistent enough to get past all the above-mentioned security measures.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>At the Chaos Communication Congress, a university professor explains how keys can be forged using a 3D printer, and we come up with a few tips on how to protect yourself from that<\/p>\n","protected":false},"author":421,"featured_media":11077,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5],"tags":[1347,1375,1374,1373,97],"class_list":{"0":"post-11073","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"tag-32c3","9":"tag-forgery","10":"tag-keys","11":"tag-locks","12":"tag-security-2"},"hreflang":[{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/3d-printed-keys\/11073\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/3d-printed-keys\/5273\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/3d-printed-keys\/3661\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/3d-printed-keys\/6546\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/3d-printed-keys\/6630\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/3d-printed-keys\/6543\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/3d-printed-keys\/7529\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/3d-printed-keys\/7290\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/3d-printed-keys\/10497\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/3d-printed-keys\/11073\/"},{"h
reflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/3d-printed-keys\/5976\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/3d-printed-keys\/6760\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/3d-printed-keys\/10095\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/3d-printed-keys\/10497\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/3d-printed-keys\/11073\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.au\/blog\/tag\/32c3\/","name":"32C3"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/11073","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/users\/421"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/comments?post=11073"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/11073\/revisions"}],"predecessor-version":[{"id":26810,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/11073\/revisions\/26810"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media\/11077"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media?parent=11073"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/categories?post=11073"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/tags?post=11073"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}