Archive for the ‘Keys’ Category

May Contain Hackers 2022

Friday, May 26th, 2023

In the summer of 2022, the Dutch hacker community gathered at the May Contain Hackers conference. The conference was amazing, with over a dozen simultaneous tracks with topics ranging from electronics, privacy and internet security, to art and technology. The program is published at https://program.mch2022.org/ and the talks are published on https://media.ccc.de/c/MCH2022.

For Lockpicking content, Toool organized a lockpicking village, The MCH CTF included lockpicking challenges, and plenty of exciting talks are given. Including Introduction to lockpicking and safe cracking, Anker 3800 Magnetic lock, and bumping electronic locks! More on these after a photo impression of MCH.

Jan-Willem presented an introduction to lockpicking and safe lock manipulation.

Talk description from the MCH schedule: Most security implementations leak information, mechanical security is no different. It takes sharp eyes, a soft touch, and a good hearing to distinguish between information and noise. In this talk we will go in depth on how locks works, and how we can persuade them to disclose their secrets, and open them without damage.

The Open Organization of Lockpickers (Toool) is a group of nerds obsessed with mechanical security. We create, collect, take apart, discuss, and attempt to defeat locks. While we are known for lockpicking, there are many other techniques for opening locks without damage.

This talk will focus on the language of the locks, the side channels in mechanical security systems. We will start with binding order, the mechanism to isolate the locking elements, and exploit them one by one. Then we will discuss a wide variety of other methods of gathering information and opening locks. Most of these methods are not practical, but working them out gives us great joy, and we would like to share the highlights with you.

Walter presented his research of the Anker 3800 magnetic lock. It includes deriving master keyed systems, designing an electronic key/lock decoder, and 3D printing keys.

Talk description from the MCH schedule: The Anker 3800 is a mechanical lock that has both traditional pins as well as magnetic sliders. Can it be opened without the key? This talk discusses how the lock works in a master keyed system and how it can possibly be defeated. It will cover decoding, picking and key duplication.

The Anker 3800 is a mechanical lock that has both traditional pins as well as magnetic sliders. It was designed by Japanese company MIWA and is sold in the Netherlands under the Anker brand. It is a high security lock that is often used in large master keyed systems.

I wondered: can it be opened without the key? I will present my adventures with the lock, having opened it up to see how it works, and several things I have tried to copy the key, pick the lock, decode the lock and find out what the master key looks like. The talk will include successes and failures and I will discuss designing 3D models, C&C work, electronics, Arduino programming, PCB design, and more.

The talk is aimed at people with an interest in lockpicking. No prior knowledge is necessary.

The write-up is found at https://blackbag.toool.nl/?p=3907

mh shared his research on bumping electronic locks. As in, opening the electronic locks by using a percussion drill and custom attachment.

Talk description from the MCH schedule: Modern electronic locks are often optimized for cost, not security. Or their manufacturers don’t do security research. Or they ignore it. For whatever reason, many current electronic lock systems are susceptible to surprisingly simple attacks. We’ll look at some of them, and at the underlying basics, so that you can do your own research.

In this talk, we look at a number of modern electronic locks and their security flaws. Surprisingly many current systems are susceptible to very simple attacks, like the equivalent of using bump keys. Of course, there are electronic and/or SW-based attacks, too.
We’ll look at some of them, and at the underlying basics, so that you can do your own research.
Some of the problems have been fixed by manufacturers, but typically only for future production runs, so you will get some practical advice on how to test your own hardware for these critical flaws.

Jan-Willem presented a basic introduction to threat modeling and uses puzzles as an example.

Talk description from the MCH schedule: Mechanical locks are everywhere and come in all shapes and flavors. But choosing the right lock can be rather difficult. For example, what is better? A lock that is hard to pick, or a lock with hard to duplicate keys. This talk will not give you the answers, but it will help you understand the trade-offs. Furthermore, we will have fun threat modeling our locks.

Is lockpicking a threat you should be concerned about, or is the brick the tool you should care for? Jan-Willem, from The Open Organization of Lockpickers (Toool), will share his ideas on mechanical security and threat modeling. We will make it fun and use several case studies, starting with defining a lock, threat modeling mechanical puzzles, and use several case studies where the threat was overrated. Simply put, attacks against locks range from the trivial to mastery. I’ll share multiple failed attempts of attacks that should be trivial, but were not in practice, and we will analyze them together.

Quantifying the Brinell hardness of keys

Saturday, April 8th, 2023

In an effort to quantify the locksport world, I’m taking my measuring tools to locksport in an attempt to learn the details. For example, how much torque is required to pick a lock. With this knowledge, we can build better lockpicks, and teach proper technique. In this blog, I’ve set out to compare the hardness of key blanks for impressioning.

As I’m not a machinist, nor do I have access to fancy hardness measuring equipment, I’ve found the cheapest method I could use at home. There are many methods, and many systems, to measure the hardness of metal. One difficulty was to get familiar with the lingo and to find a measurement tool that works for key like metals, thin, soft, etc.

The most common method of cheap hardness testing is to use Rockwell hardness testing files from measuring hardness of knifes. Usually in the range of C40 to C65 in increments of five. I’ve found similar methods online for testing the hardness of lead with pencils. Where HB hardness pencil will be equivalent to a certain percentage lead in tin. To my knowledge, none such system exists for brass.

More expensive methods press a hardened piece of metal with a known force into the sample, and measuring the indentation. While most of these measuring jigs are too expensive, I’ve found one for cheap. That is the Poldihammer test, which is sold on eBay for around €100. The tool uses a captive ball bearing which presses both on a bar of known hardness and the sample. You just simply place it on the object and hit it with a hammer. The ball bearing presses with equal force into both metals object. Comparing the dents gives you the Brinell hardness.

My Poldihammer came with a small magnifier and scale. It’s not so easy to use, and the resolution is minimal. The kit also comes with convention tables, but they feel very approximate. My solution is to measure the indentation with a digital microscope and calculate the BHN from this formula from Wikipedia:

\operatorname{BHN}=\frac{2P}{\pi D \left(D-\sqrt{D^2-d^2}\right)}

BHN = Brinell Hardness Number (kgf/mm2).
P = applied load in kilogram-force (kgf)
D = diameter of indenter (mm)
d = diameter of indentation (mm)

It doesn’t take much to use the dent on the reference bar to calculate the force. As the force is equal on the key, we can use the force to calculate the hardness of the keys. Let’s take a look at a real world example. The next two images are the dents under high magnification.

Key for measurement B1: 214.581 by 209.048 pixels. This is 2.00 mm on average.
Reference bar with hardness 187. Measurement B1: 163.809 by 162.959 pixels. 1.55 mm average width.

For completeness, I’ve added the calculations as to make the method repeatable, and accessible to more hobbyists. The force is calculated as follows: P = BHN(reference) * PI * D * (D – SQRT(D^2 – X^2)). Where X is the dent on the reference bar. In LibreOffice Calc, this is =187*PI()*10*(10-SQRT(10^X^2)).

The hardness of the key is calculated BHN(Key) = P /(PI * D *(D^2-Y^2)). Where Y is the dent on the key. In LibreOffice Calc, this is =P/(PI()10(10-SQRT((10^2)-(Y^2))))

For the numbers above, I’ve found the force as 706.25, and the BHN of the key as 110.8. I’ve repeated the test for four more keys and measured them as 114.5, 103.9, 97.0, and 118.2 with an average of 108.9. In similar measurements, I would drop the minimum and maximum and take the average of the remaining samples, which is 109.7.

The following table is the result of my measurements. The results are surprising.

BrandAverageAquired dateCommentMeasurement [BHN]
SilcaThree keys2018CS206 Brass. 147.1
SilcaThree keys2022LD5R Steel. 222.8
JMA Three keys2018Keys from Nigel Tolley. 135.4
BauelementeThree keys2019SSDeV Impressioning. 123.5
AbusThree keys2019LockCon133.4
AbusThree keys2020Toool Inventory135.8
AbusFive keys2022LockCon Box A127.4
AbusFive keys2022LockCon Box B108.9
AbusFive keys2022LockCon Box C131.5
Table of key measurements. Keys for Abus C83 with keyway similar to Y1.

The data revealed something interesting and confirmed a hunch. The hardness of steel keys is the highest, obviously. We see the brass alloy (nickel silver) have a range of values. There are also outliers, for example Box B, these keys are softer than keys acquired on the same day.

I’ve since played with both harnesses and can tell one hardness from another in impressioning. But only after I’ve switched from one hardness to another after a dozen opens, with the same hardness. After switching backwards and forwards, I can’t tell the difference in a blind test.

One final note, the kit comes with one reference bar that is consumable. We have about a hundred measurements in them. I have not found replacement bars, yet. But I believe we can use a similar shaped bar of steel, which is then calibrated with the reference bar before use. This will reduce accuracy, but can be accounted for if the measurements are comparative.

Thanks for taking your time to read about measuring hardness of keys. If you have a professional (Brinell) hardness measurement tool, and want to help out, let’s swap keys and compare notes. I’m always open to learn.

Continued work on MIWA/Anker 3800

Monday, October 3rd, 2022

I had spent quite some time on the Anker 3800 cylinder. This system was originally patented by the Japanese firm MIWA. It contains just 4 pins, each of them having 4 possible depths. But, there’s also 4 sliders that are magnetically operated by magnets in the key.

An Anker 3800 Eurocylinder
The keys

This system was sold in the Netherlands by Dutch firm Ankerslot and is still used in many large, high security setups.

I made a magnetometer to decode the magnets in a key or in a cylinder, made a 3D model of the key to be able to print it and figured out how to get the master key of a system. My talk at MCH’2022 is available online.

At LockCon, Han provided me with a set of five cylinders, all keyed differently but all part of the same masterkey system. No keys were provided.

I started by reading out all the magnets in the sliders. Each slider can have one or two magnets. If there are two, one is for the user key, one for the master key (we’ll ignore submasters for the moment). By knowing the magnets in the cylinder, it is possible to figure out which magnet should be in the key. For master keyed systems, there might be two possible magnets to operate the slider, where one will be in the master key, the other in the user key. With this information, I could determine the magnets in the master key and in the individual user keys (for each slider, there was only one possible magnet that would open all cylinders, so it was clear that that particular magnet should be present in the master key).

The correct bitting is another story. I had no key to start with. It is possible to create 256 keys and try them all to find all possible bittings. I was lucky however to have gotten one half cylinder.

What I did is create a bump key (so four times the deepest cut, which I will call a ‘4’), containing the correct magnets. With the bump key, I could open a cylinder and disassemble it. The half cylinder was my luck, as that can also be re-assembled. For this task, I used a 3D-printed plug follower.

This gave me all the correct bitting positions for this one cylinder (pin 1: 3 or 4, pin 2: 1 or 3, pin 3: 2 or 3, pin 4: 4). Since I did not have the original key, I did not know which depth belongs to the user key and which to the master key. The configuration allows for 2^3=8 possibilities. By creating 8 keys and trying them on the other cylinders, I could find out the master key bitting. With 3D printed keys, it is possible to print, say, a 3/1/2/4 key and if it doesn’t work, file a bit away to get a 4/1/2/4 key. That is exactly what I did and 4/1/2/4 worked on all cylinders, giving me the correct master key.

Next, I wanted to create the user keys. I could have created user keys by only using different magnets and keeping the bitting the same, but that would not give me the keys as they would originally be made for these cylinders. Since I now had a working master key, I could easily probe each pin position for all depths in sequence. I started with a 1/1/2/4 key, trying that on the 4 remaining cylinders and writing down the results, then filing it to a 2/1/2/4, trying again and then 3/1/2/4. With four keys to start with and 4*3=12 filing actions I was able to decode all the bittings.

Decoded cylinders, ‘G’ and ‘R’ are north/south poles (my magnetometer uses green/red light as an indicator)

Here, I have put squares around the magnets and bittings of the master key. If there are other bittings or magnets, they must be in the user key. The first pin of cylinder 2 for instance has possibile depths 3 and 4, and the master key has depth 4, so the user key must have depth 3. Note that in this system (and in this instance), user keys can have a bitting that can be filed down to the master key, as long as the magnets are different. Cylinder 2 shares the middle two magnets with the master key, the outer two are different.

With that information, I knew all the individual keys and printed them.

The user keys only open one cylinder each

And I have the master key.

The master key is golden of course

In fact, with this collection of cylinders, it is now also possible to make submaster keys for certain subsets of cylinders, even if that was not intended originally.

Thanks for reading! -Walter.

Photos CCBY4.0 Walter @ Toool Blackbag

Lock Picking Forensics

Wednesday, October 6th, 2021

I (Walter) have created a geocache that requires some RSA hacking and subsequently lockpicking. I bought an Abus Titalium 64TI/40 padlock to be picked. Several people were able to find it by teaming up together. The feedback I got was that people spent considerable time on the lock, sometimes several hours (in separate sessions).

Geocacher #15 was unable to lockpick the lock, even though he had practiced on an identical lock at home. I offered to go with him to give advice. He couldn’t open it. Also I couldn’t (quickly) open it. I took the original key and that would not open it. By not fully inserting the key and wiggling, I succeeded in opening. (I let the geocacher pick his own lock and allowed him to log the cache.)

Once home, I decided to take a look at the lock. Although only a very limited number of people had worked on it, it was completely shot. I took a video comparing showing a new padlock and then the one from the cache:

I’ve taken apart the lock to have a look at the pins. We always say that picking a lock will leave tiny traces on the pins (and other parts of the lock) that can be found during a forensic investigation. Well, in this case, the naked eye was enough to see the abuse.

Here’s the plug with the key inserted. Note how the pins have shortened. This causes the key to no longer work.

This also explains why taking out the key a bit and wiggling opened it.

Here’s a view of the pins:

There’s now a new padlock in place. You can’t really tell from the picture here, but the pins are made out of aluminium, which kind of explains the wear on them. I bought the lock as it is marketed as being weather proof. But resisting weather is different from resisting lockpicks.

Photos/video CCBY4.0 Walter Belgers

Book review: Little Black Book of Lockpicking

Thursday, September 30th, 2021

Two weeks ago Alexandre “FrenchKey” Triffault published the book Little Black Book of Lockpicking on NDE techniques for Red teams and security professionals. The book has 171 pages with a broad variety of lock types and opening methods, from lockpicking to impressioning, and from making cutaways to decoding combination padlocks.

Whenever there is a new book about lockpicking I pick up a copy especially when it’s written by a friend. It sold for €35 Amazon that does the printing and distribution of this book. The book is a good read and is a continuation of the OFC guide to lockpicking (free pdf) that’s also written by Alex and translated by MrAnybody. The OFC guide is all about lockpicking while this book includes many more topics including bumping and impressioning, both topics I’ve paid extra attention to.

The first thing I noticed was the many high detailed graphics used. Alex modeled the locks, lockpicks and other tools and included 3D renderings in the book as virtual cutaways. The style works very well for this book. It does not just write about a concept but also shows how it is done.

The book is 27 chapters and on average six pages for each subject, this inevitably means there is not too much room for details or nuances. This is a pity as Alex has the ability to give insights I would never think of.

I want to mention that the advanced topics in the book like (self) impressioning will take a long time to get good at. For me, I’ve experienced it takes many failed attempts to do these attacks, even in a controlled environment. Attacks like self-impressioning took me a very long time to make work. I can only imagine how it would be to attack doors on an assignment.

This is one of the better books on the basics of NDE and I recommend getting a copy for yourself or to to share. When you share the book, do keep in mind the book is written for red teams on an assignment and not for hobbyists. It is never a bad thing to give a small lecture on the locksport ethics and our view on locks as a puzzle with the book.

Lock pin collection

Friday, March 19th, 2021

In a previous blog post Jan-Willem’s pin collection was mentioned. In this post the pictures of the pins and keys are shared.

There is no epic conclusions to this project. At this moment it’s is just a collection of photos of locks and pins. Shared with the world. Hopefully it’ll be a resource for new pickers that would like to know what they are up against. Maybe future research will use it. Where someone clever uses the fact some spools are different than others to decode the lock. Sputnik comes to mind and we think the possibilities are not exhausted yet. (If you are working on something I’m happy to assist.)

New pickers, don’t be intimidated by the key or keyway. If you look through the collection much of the pins are underwhelming. Where a Evva is known to be difficult lock it was not expected to find all standards or one spool pin. When struggling with a lock just take it apart and see what’s in there. For the next time you encounter the same lock you will know Nemef has a spool on position two (insider joke).

This collection has a few obvious biases:

  • The collection only contains basic pin tumblers.
  • Most locks are from Europe, and are from well known lock brands.
  • The locks are not too expensive and are usually old. Therefore it lacks fancy pins like gins and Christmas trees.
  • Pins/locks that are too similar are rejected. There are some duplicates as well.
  • This is a snapshot in time. The pinning of the locks change every few years. A good example is DOM RN with two different types of pins in this collection.

If you have specific knowledge on these locks. Please share, we are open to learning more about locks. Find us on Discord, leave a comment or send us an email.

The photos are: key, pins, key, pins. The photos of pins are arranged with the brand and number. The keys have ‘key’ in the name. The Titan with a key engraved D5474 will have the pictures: TitanD5474-1key-1-scaled.jpg and TitanD5474-1-1-scaled.jpg.

The pictures are by Jan-Willem Markus. CC BY 3.0. https://creativecommons.org/licenses/by/3.0/
In short: you are free to use, modify and share these photos as long as you give attribution. If you plan on selling them or using hem in a blog/paper/book please notify us.

The end.

Album for storing a pin collection

Thursday, March 11th, 2021

In 2019 Jan-Willem started with am odd collection. Not the locks, nor the keys, just the pins from a pin tumbler. Pins are in a lock and make them function. However, the pins are only observable when the owner decides to gut the lock or create a cutaway. The idea was simple: Create a collection/archive of pin tumbler pins and their keys. This required a proper way to store the pins.

To store the pins many different boxes have been tried. After many failed attempts Jan-Willem stumbled upon a hobby not to dissimilar from our own: coin collecting! The value of one €2 coin is just €2 to a consumer. While the collector is looking for a 1st edition misprint from Monaco, and not just any coin.

Coins are often stored in albums, either with or without protection. The lowest quality coins protection are two pieces of plastic film and a cardboard cutout. Often glued or stapled together. While the high end coins are with a certificate sealed in an acrylic case. Leuchtturm makes coin boxes in between the two, and at a reasonable price and the inserts are DIY, lasercut acrylic.

First attempt with Leuchtturm boxes.

To store these boxes it was decided to use business card holders, this did not go as plan and required custom holders. First made from acrylic and the second version from wood. Fifty sets of pins are created and thirty are added to the album. This is where the project was stuck for a year.

Pins in album v1

Last week was a good time to continue this project. A proper pleader album was bought. And the pins are added.
This is the result this far:

Abus E90 pins in a box.
Leuchtturm album.
Demonstrating how the Leuchtturm album is used to store pins.
Pins neatly stored in the album.

The album has 48 pins and about 30 more sets are ready to be archived. Acrylic is ordered and the inserts will be created when a lasercutter is accessible again. The photos will be published here on Blackbag. For now you can find one key a day on twitter: https://twitter.com/hashtag/microkeys?src=hashtag_click&f=live

The coin boxes, album, and inserts are sold under the name Leuchtturm and Lighthouse. These boxes are available on eBay. Link to a Dutch web shop: https://www.knm.nl/leuchtturm-quadrum-capsules-14-mm/nl/product/2741/

The files are available under creative commons, share alike with attribution, commercial use is allowed.

Key duplication from a photo CTF

Sunday, September 22nd, 2019

Jos has a talk about key duplication from pictures. If you have not seen it: https://youtu.be/muINcnhj1EQ
For a conference there was the question: What does it take to make it into a workshop? There was little budget so we have turned it into a CTF instead of a training/workshop.
This CTF has no prices and might teach you something new.

If you ever wished you could try it without being sneaky, this is your chance. The CTF is a controlled and safe environment. You are encouraged to copy these keys!

The problem:
Publishing pictures of your keys is not a good security practice. Keys can be duplicated from a photo rather easily. Twitter and other social media are full of threads filled with pictures of keys. I got shared one but they’ve removed it on our advice.
(Note to self: Take more screenshots.)

Example: https://twitter.com/hashtag/zeigteureschluesselanhaenger
The hashtag is about the keychain but there are some perfectly decodable keys in there.

The CTF:
1) Get to the keys
2) Take a photo or make an imprint of it
3) Make a key
4) Test the key

Measuring tools and files will be available at the lockpicking village.
We are going to help as little as possible to not spoil the fun.

There are three keys at the moment:
CTF 1) Key will be published here
CTF 2) Key will be placed on the table at lockpicking villages (do not borrow/steal the key please.)
CTF 3) Key will be on the belt/lanyard of the Orga or instructors at the lockpicking Village

Please don’t publish pictures of the CTF 2 and CTF 3 key. You are allowed to do a writeup about CTF 1.

CTF Key 1:

Key measurements:


As there was still some ambiguity, this picture should prove be useful. Each square is 5mm by 5mm.

All locks are standard unmodified 5pin Abus/Buffo. The blanks that work are Y1, 1A (SKS/JMA), CS206 (Silca) and many others. You’ll get points for sourcing your own keys. Really, give it a try!

This CTF will run for the next months to years. Come see Toool at a conference near you.
Next up: Hardwear.io, HITB, LockCon and Hackerhotel 2020.

If you want to play but can’t make it to a conference. Please send me a digital bird at Jan-Willem at Toool dt nl. You’ll be send three pictures and a post address. You can mail me the physical keys you’ve made.

I’ve tested the CTF myself. It took me about 30 minutes to make three keys from a photo.
Please, don’t publish pictures of your keys, stay safe.

Published by Jan-Willem.

Key duplication revisited

Sunday, August 18th, 2019

A few weeks ago, we tested the Quick Key Easy Pro kit from Multipick, which turned out to work very well for duplicating a BKS Janus key and even a DOM Diamant key.

This time, we wanted to see if you really need such as expensive kit. First, we focus on the metal. Can we use cheap rose metal we obtained from the internet? We use the moulds we created earlier. The answer: yes, this works fine, for both keys. Our first attempt failed as the two halfs of the mould were not properly aligned, but that is “operator error”.

Next, we try to see if there are alternatives to the moulding material. We use cuttlebone, that is also used by silver smiths. We use a standard key to start with. The duplicate looks promising, but does not work. Again, we blame the alignment of the two parts of the mould. Some further testing is necessary. The cuttlebone is too brittle to be used in combination with the holder from the Multipick kit.

Key duplication

Tuesday, July 16th, 2019

Although at Toool, we normally pick locks without having a key, it is also interesting to occasionally look at other ways of opening a lock. I got my hands on a Quick Key Easy Pro kit from Multipick (not affiliated) and decided to test it out. I took it to the Toool meeting with three locks to test it out on.

First up was a BKS Janus lock. I combines the two substances to make the mould, but spent too much time kneading it, it was already partially hardened when I wanted to press the key in. The second try, I hurried up a bit more and it worked nicely. I heated up a pellet of metal and poured it in the mould.

After a short wait, out came the key.

This key is quite sturdy and is thus easy to create using this technique. But the tolerances are quite small. Does the key work?

Yes, it does! And that for the first key I am making with this kit. I’m impressed. Because this key was a success, I decided to take on an even bigger challenge and duplicate a DOM Diamant key. This key is very hard to duplicate, as it has very thin pieces of metal going down the key. The first attempt yielded a key that was incomplete. The metal had not gone all the way in. I melted that key again, made it slightly warmer and tried again. The second time, the key that came out had a hole in the middle, but it had metal in all the important places. And what do you know: this key worked first time around!

Jos made a video of me duplicating the key. I hope you enjoy watching as much as I enjoyed copying the key. Sorry for talking Dutch in the video 🙂

Walter.