The robotic key duplicator

May 18th, 2011

Frank brought this nice little key-duplicating robot to my attention. The ‘minuteKey’ seems like a great idea! (check their site or see the FAQ for the limitations)

I am not sure how wise it is to have your home keys scanned and analyzed by a robot and then identify yourself to it by paying with a credit-card (no cash payment possible). On top of that it needs your e-mail address in order to mail you a receipt. The first thing that comes to mind is that all this data quickly turns into a pretty interesting database, especially if the minuteKey becomes popular and widespread.

Interesting times we live in …

What is up with Barry?

May 15th, 2011

Toool meeting Amsterdam

As you can see on the image above I am doing fine. The image is a picture made by Dutch Panorama Magazine a couple of weeks ago at the Amsterdam Toool meeting. Panorama interviewed me and wrote a pretty nice article about me.

One of the topics covered in the article is the flood of professional lock-related work I do at the moment. It is one of the reasons blackbag has not been updated for some time. Just too busy traveling, preparing courses and training, paid R&D and even work in the field of lock forensics. When I say forensics, it is not always about answering the question whether a particular technique was used to open a specific lock; it can also be in the role of expert witness, explaining (or showing) in court that a particular lock can be opened quickly. I hope to follow up on the specific incident mentioned in Panorama when the case is final.

Next week we will be at ‘Hack In The Box’ in Amsterdam (May 19 and 20). We will have the Amsterdam Toool meeting on Wednesday (May 18) in our traditional hangout (the Kamers cafe/restaurant), and might later in the evening move to the prestigious Krasnapolsky Hotel at Dam square in Amsterdam to set up the booth. Thursday and Friday we will be at the hotel for sure. If you want to learn about IT security and hobby lockpicking, “Hack in the Box” is the place to be. I can offer a special discount if you want to attend “Hack in the Box”, so mail me for details.

One of the other courses we are preparing is for the blackhat sessions at DefCon (July 30-31): a two-day hands-on impressioning and safe-combo-manipulation course. Gonna be quite nice.

Still have a lot of work to do before I can announce LockCon 2011 …

Decrypted (descrambled) audio

March 2nd, 2011

Scott Buckey mailed me the following on my little challenge to see what you could make out of two scrambled audio messages. Not a 100% score, but good enough if an unknown message went through the air. And I believe the attack can be optimized some more (giving better audio quality).


@ Scott:
It’s a rolling code inversion scrambler that changes inversion point approximately every 3 seconds.

On the recording the first 3 second ‘frame’ is missing, sorry 🙁

[Start]

[Start of first frame] Cryptomuseum test tape [End of first frame] – Decoded at 3.729 kHz
[Start of second frame] of the Icom Analog *broken; ‘Public?’* Scrambler [End of second frame] – Decoded at 4.441 kHz
[Start of third frame] by saying some random numbers related to *broken; the ?* radio [End of third frame] – Decoded at 3.940 kHz
[Start of fourth frame] *broken; Five? or Niner ?* Five Four Seven [End of fourth frame] – Decoded at 3.120 kHz
[Start of fifth frame] *broken; Five ? or One? * Six *eight A ? *[End of fifth frame] – Decoded at 2.000 kHz
[Start of sixth frame] one four six [End of sixth frame] – Decoded at 3.067 kHz
[Start of seventh frame] two seven *broken; nine? or five?*[End of seventh frame] – Decoded at 4.352 kHz
[Start of eighth frame] *broken; Something? or simply?* like this (bleeps) [End of eighth frame] – Decoded at 4.263 kHz
[Start of ninth frame] (Bleeps) *Broken; and? or TION?* [End of ninth frame] – Decoded at 4.263 kHz
[Start of tenth frame] (Bleeps) End of test [End of tenth frame] – Decoded at 3.023 kHz
[End]

He also mailed me the following audio sample. If you compare it to the original descrambled wav file there still is a big difference, but I take my hat off to Scott anyway.

Koos thought the first sample was recorded over a trunked network, but that is not the case. The ‘bursts’ in the sample are used for synchronization in the (slow) rolling code.

The reason you hear me count and whistle in the samples is that it is a quick and easy way of testing the effectiveness of analog scramblers. Listening to the whistles in the scrambled output gives you a pretty good idea whether the scrambling is static or repetitive, and what the likely scrambling technique and change rate are. And it is always interesting to see how many numbers you can identify ‘by ear’ on these kinds of systems.
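To make the two points above concrete (Scott's per-frame inversion points, and why a whistle gives the scrambler away), here is an added example written for this post; it is not Scott's decoder and not anything from the original. It models a rolling-code spectral inversion scrambler in pure Python: each frame is mixed with a carrier at the frame's inversion point and low-pass filtered, so a tone at f comes out at f_c − f. The four inversion points are the ones Scott decoded for the first four frames; the 16 kHz sample rate, the 1 kHz probe tone and the 0.05 s frame length (the real scrambler rolls every ~3 s) are constructed test values. Because inversion is its own inverse, the same routine with the same schedule both scrambles and descrambles, and a known tone in the input reveals every frame's inversion point from the output, which is why this kind of scrambling is obscurity, not encryption.

```python
import math

RATE = 16000           # sample rate in Hz (constructed test setting)
FRAME_SECONDS = 0.05   # the real scrambler rolls every ~3 s; shortened so the demo runs fast
PROBE_HZ = 1000        # the known "whistle" used to probe the scrambler

# Inversion points for the first four frames, taken from Scott's decoding in the post (Hz)
INVERSION_POINTS_HZ = [3729, 4441, 3940, 3120]


def tone(freq_hz, seconds, rate=RATE):
    """A pure sine wave; stands in for the whistle in the recording."""
    return [math.sin(2 * math.pi * freq_hz * i / rate) for i in range(int(seconds * rate))]


def lowpass(signal, cutoff_hz, rate=RATE, taps=101):
    """Windowed-sinc (Hamming) FIR low-pass filter in pure Python, unity DC gain."""
    m = taps - 1
    fc = cutoff_hz / rate
    h = []
    for i in range(taps):
        k = i - m / 2
        v = 2 * fc if k == 0 else math.sin(2 * math.pi * fc * k) / (math.pi * k)
        h.append(v * (0.54 - 0.46 * math.cos(2 * math.pi * i / m)))
    gain = sum(h)
    h = [v / gain for v in h]
    out = []
    for n in range(len(signal)):
        out.append(sum(h[i] * signal[n - i] for i in range(min(taps, n + 1))))
    return out


def invert(signal, inversion_hz, rate=RATE):
    """Spectral inversion about inversion_hz: a tone at f comes out at inversion_hz - f.
    Mixing with a carrier produces f_c - f and f_c + f; the low-pass keeps only the first."""
    mixed = [2 * x * math.cos(2 * math.pi * inversion_hz * i / rate) for i, x in enumerate(signal)]
    return lowpass(mixed, inversion_hz, rate)


def frames(signal, rate=RATE, seconds=FRAME_SECONDS):
    """Cut the signal into fixed-length frames (the scrambler's rolling period)."""
    n = int(seconds * rate)
    return [signal[i:i + n] for i in range(0, len(signal), n)]


def rolling_inversion(signal, schedule, rate=RATE, seconds=FRAME_SECONDS):
    """Apply one inversion point per frame, cycling through the schedule. Inversion is its
    own inverse, so the same call with the same schedule both scrambles and descrambles."""
    out = []
    for k, frame in enumerate(frames(signal, rate, seconds)):
        out.extend(invert(frame, schedule[k % len(schedule)], rate))
    return out


def dominant_frequency(signal, rate=RATE, max_hz=5000, step_hz=10):
    """Crude peak search: evaluate the DFT every step_hz (Horner form) and keep the loudest."""
    best_hz, best_mag = 0, -1.0
    for f in range(step_hz, max_hz + 1, step_hz):
        w = 2 * math.pi * f / rate
        z = complex(math.cos(w), -math.sin(w))
        acc = 0j
        for x in reversed(signal):
            acc = acc * z + x
        if abs(acc) > best_mag:
            best_hz, best_mag = f, abs(acc)
    return best_hz


def recover_schedule(scrambled, probe_hz=PROBE_HZ, rate=RATE, seconds=FRAME_SECONDS):
    """The whistle test from the post, per frame: a known tone at probe_hz that shows up at
    f_out was inverted about probe_hz + f_out. No secret survives a known input."""
    return [probe_hz + dominant_frequency(frame, rate) for frame in frames(scrambled, rate, seconds)]


if __name__ == "__main__":
    probe = tone(PROBE_HZ, FRAME_SECONDS * len(INVERSION_POINTS_HZ))
    scrambled = rolling_inversion(probe, INVERSION_POINTS_HZ)
    print("scrambled frames peak at:", [dominant_frequency(f) for f in frames(scrambled)])
    print("recovered inversion points:", recover_schedule(scrambled))
    clear = rolling_inversion(scrambled, recover_schedule(scrambled))
    print("descrambled frames peak at:", [dominant_frequency(f) for f in frames(clear)])
```

Running it shows the 1 kHz probe landing at 2729, 3441, 2940 and 2120 Hz in the four scrambled frames, the schedule recovered from those peaks to within the 10 Hz search step, and the probe back at 1 kHz after descrambling. Descrambling with a wrong inversion point leaves the tone somewhere else entirely, which is the "garbled but still voice-like" quality of a partially decoded frame.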

The descrambled audio of the second file can be found here.

Cryptomuseum.com and my donation

February 19th, 2011

The blackbag banner says: locks, encryption and the RF spectrum. These last two topics have not received much attention yet. It is not that I do not have a lot to tell about them; it is just that locks take up all of my time and interest at the moment. That is why I decided to donate a big part of my encryption device collection to the (virtual) crypto museum. Just take a look at their site; it is really a great place that will give you an idea about the radio side of the field I am interested in, which is the foundation of my work for GSMK Cryptophone.

cryptomuseum

I have known the people behind cryptomuseum.com for some time. They are the same people who asked me to make a working key for an Enigma a while ago at a Toool meeting. What is really funny is that twelve years ago I had the same idea, and even registered the cryptomuseum.com domain for a couple of years. But hey, then I got so involved with locks and lockpicking that I decided to put my focus on that. Before that I was quite serious about it, and even made some audio samples of encrypted and decrypted radio scramblers. For now I will only post two samples of these analog scrambling devices. If you listen carefully to these samples, you might be able to make out some words, or even part of a sentence. You can post your guesses (or decrypted wav files) in the comments. I will post the ‘decrypted’ audio in a couple of days from now.

Mottura C38 in new blackbag category: Cut to pieces

January 29th, 2011

Mottura C38

It has been a while since I added a category to blackbag, but now there is a new one called “cut to pieces”, and it is greatly inspired by the work of Peter Field.

On the “cut to pieces” image I share with you today is the inner working of the Mottura C38 lock. It is a nice lock that contains many nice features. Today I cover the magnetic pin. The pins in one of the chambers are not spring loaded, and gravity pulls the plug pin below the shear line. If the magnet in the key is at the right position and has the right polarity, the magnetic pin in the housing is pulled towards the key, also lifting the housing pin.

I hope the image(s) speak for themselves. (click on the image for a bigger version)

I am currently making quite a nice collection of images of various locking systems for my presentations and workshops. I will try to share some of the work here to keep you posted on what I am doing …

Assa d12

December 29th, 2010

2011 will bring some interesting papers on advanced locks. Both Michael Huebler and Han Fey are working on articles on some unique locks. Han’s article will be about the latest lock from Assa, the d12.

In my previous posting I asked what two locks had in common. I will now give you the answer. The bottom lock is the famous ‘seven pin’ ASSA 700 lock, and contains some extremely nasty anti-pick pins. In short: if you tension the lock and lift a few pins, the lock will ‘freeze’. Once a pin is locked between the core and the housing you can only move it again after (almost?) fully releasing tension. We learned this seven pin lock has been developed and produced over a period of 50 years (!), and is still a very common ‘medium security’ lock in Sweden.

And they call it medium security. Sure, if you compare the seven pin version to locks like the Assa Twin system (pdf) (such as Twin Combi and DP) there is still a huge difference between them. But I dare to call the design of the 700 high security anyway.

assa d12

The top image from my previous posting shows the new ‘medium security lock’ by Assa. It is a new design to replace the Assa 700 lock and it is called the d12. So that is what they have in common.

Han’s preview of the d12 article already covers twenty pages(!). Here is some basic info about this amazing new lock. The pin has two tips, and there can be an offset between the left and right contact points. This gives very interesting properties for masterkey systems. To prevent the pins from twisting, they are equipped with little wings that fall into a slot in the channel of the core. The wings also make some of the pins ‘float’, so a ‘999’ key will not make contact with all pins. If you look at the image, you can see the fifth pin is much longer and is operated by a lower portion of the key. And if you manage to get your pick tool inserted, the lock has the same anti-pick properties as the 700 series. You will have to be patient for Han’s article to read all the ins and outs of this system, but I can already say it is neat to see groundbreaking new technology like this enter the market.

And last but not least: there was a small error in Han’s image in my previous post. Pin six was not positioned correctly (as Michael Huebler pointed out in the comments). Below is the correct image.

Assa d12

To be continued (somewhere in 2011) …

What do these two locks have in common?

December 24th, 2010

Really, I think highly of you. And Han and I are just curious if people know the relationship between these two locks shown below, and how long it will take before the correct answer is given in the comments. After Christmas I will come back with the answer here anyway.


Lockpicking thieves are coming

December 1st, 2010

Han and I get more and more work as expert witnesses in court cases and in lock-forensics these days. It is one of the reasons we invest a lot in Macro Photography.

can you see what happened here?

It seems more criminals are using clever opening techniques to break into places, and in the Netherlands not many people have the expertise to show what happened. News about these ‘burglary without a trace’ cases even makes it to the front page of Dutch newspapers.

burglary without damage via lockpicking

The article was about the ‘Twente case’. Dutch Police in Twente (.NL) arrested a twenty-five year old male on November 4th. A witness gave the police a description of a person who most likely broke a window at a shop at the Heutinkstraat in Enschede. Police noticed a person on a bicycle who matched the description, but the man tried to escape when they approached him. After a short chase the man was arrested, and the first official report (mirror) about this incident mentioned the man possessed ‘burglary tools’.

A later report (mirror) stated the man was taken into custody and his house was searched. At his house a lot of stolen goods were discovered, as well as a ‘large amount of cash’. Police soon discovered the man used manual lockpicking to break into houses. His territory was a range of houses of elderly people at the Marthastraat and C.F. Klaarstraat in Enschede. So far he has confessed to thirteen burglaries committed over an 18-month period. He mostly went out at night and used a lockpick set to gain entry. As police stated, the man ‘worked very clean’, and in some of the cases the owners of the house never even realized they had been burglarized! He managed to take away expensive goods, silver and cash without leaving a trace. To make things worse, he even used the burglarized houses for mail order fraud. He successfully mail ordered gold and expensive goods without the owners of the houses knowing.

According to police spokeswoman Chantal Westerhoff, the burglar had ‘very sensitive fingers’. She said “Lockpicking is a special trade, and not a lot of people can do what this guy did”.

After his confession, and showing lots of remorse, the man was released from custody. He will soon have to account for his behavior in court. I hope I can find out what day the court case is, and I will try to follow up on the story. Any information on the case is welcome, so feel free to mail me if you know more about it.

* Note December 2: I received additional information about the case. The trial will be held in February 2011 (no date set yet). And it is going to generate a lot of media attention as there are some very interesting angles to the story.

Exhibition Dutch Intelligence Service (AIVD)

November 20th, 2010

Just a few weeks ago I felt like a kid in the candy store at the small exhibition about the history of our Dutch intelligence service AIVD. And even though the exhibition was relatively small, there was a lot to see. The great thing is they showed items that were in real use at the service before. I will cover some subjects that interest me (and hopefully you) a lot.

Take for instance hidden transmitters (bugs). I remember reading about the famous 1977 train hijack in the Netherlands in a book about counter terrorism. At one moment the hijackers requested a crate full of soda and a band-aid box. In the book they mentioned the intelligence services had great difficulty finding a soda crate that could be fitted with an audio transmitter. For that purpose they traveled all through the country trying to find an older type of wooden ‘coca cola’ crate. The actual crate they used was at the exhibition, and showed the transmitter and hidden compartment in detail. The transmitter in the soda crate makes sense to me, but at the band-aid box I am not sure whether they only show the batteries, or whether I do not understand the structure of the transmitter(s).

One other thing that interests me is encryption. At the exhibition was a Hagelin C 446 A encryption device (built in 1945). I am always very interested to see what kind of lock is installed on devices like that, because it reflects the state of the art in locks at that time. The Hagelin is equipped with an Ikon ‘cross beard’ lock. Often on these kinds of devices you see the serial number stamped into the key. Besides the lock on the Hagelin machine there was only one other display that covered keys. It showed a hollow key used to smuggle messages.

But they had more crypto stuff. It is widely known that “one-time pad encryption (OTP)” is a type of encryption that has been proven impossible to crack if used correctly. For the fine details check out Wikipedia. In an OTP system the sender and receiver make use of a small ‘code book’ or ‘code table’ that is only used once. Agents that were sent out sometimes had to smuggle this code material with them, and at the exhibition they showed how that was done. They used hollow batteries, a travel “comb and mirror kit” and even the good old ‘hollow heel shoe trick’ to hide the thin sheets containing the codes. From the material at the show it seems they only used numbers on their code sheets.
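As an added illustration of the "if used correctly" part (not something shown at the exhibition, and the exact scheme the AIVD agents used is not known to me), here is a numeric one-time pad in Python: message and pad are digit sheets, encryption is digit-wise addition modulo 10 without carry, and decryption subtracts the same sheet. The five-digit grouping and the sample digits are constructed for the demo. The last two functions show the one classic way to break it: use a sheet twice and the pad cancels out of the difference of the two ciphertexts, so whoever knows one message reads the other in full. That is why the sheets were hidden so carefully and destroyed after a single use.

```python
import secrets

GROUP = 5  # five-digit groups, the usual layout on a numeric code sheet (assumed here)


def make_pad(length):
    """One fresh sheet: uniformly random digits from the OS CSPRNG. Used once, then destroyed."""
    return [secrets.randbelow(10) for _ in range(length)]


def parse_digits(text):
    """Read a sheet or message written as digit groups; spaces and line breaks are ignored."""
    return [int(ch) for ch in text if ch.isdigit()]


def groups(digits, size=GROUP):
    """Format digits as spaced groups, the way they are written on a sheet."""
    s = "".join(str(d) for d in digits)
    return " ".join(s[i:i + size] for i in range(0, len(s), size))


def otp_encrypt(message, pad):
    """Digit-wise addition modulo 10, no carry. The pad must be at least as long as the message."""
    if len(pad) < len(message):
        raise ValueError("pad too short: never stretch or reuse a sheet")
    return [(m + k) % 10 for m, k in zip(message, pad)]


def otp_decrypt(cipher, pad):
    """Digit-wise subtraction modulo 10 with the same sheet."""
    if len(pad) < len(cipher):
        raise ValueError("pad too short")
    return [(c - k) % 10 for c, k in zip(cipher, pad)]


def reuse_leak(cipher1, cipher2):
    """What an eavesdropper gets when two messages share one sheet: c1 - c2 == m1 - m2 (mod 10),
    the pad cancels out. Knowing either plaintext then yields the other in full."""
    return [(a - b) % 10 for a, b in zip(cipher1, cipher2)]


def recover_other(leak, known_message):
    """Given c1 - c2 and m2, recover m1 = (c1 - c2) + m2 (mod 10)."""
    return [(d + m) % 10 for d, m in zip(leak, known_message)]


if __name__ == "__main__":
    # Constructed values, not anything from the exhibition
    sheet = parse_digits("31415 92653 58979")
    message = parse_digits("54721 46279 50000")
    cipher = otp_encrypt(message, sheet)
    print("cipher:", groups(cipher))
    print("decrypted:", groups(otp_decrypt(cipher, sheet)))
    # The failure mode: a second message sent on the same sheet
    second = parse_digits("11111 22222 33333")
    cipher2 = otp_encrypt(second, sheet)
    print("c1 - c2 (pad gone):", groups(reuse_leak(cipher, cipher2)))
    print("m1 from known m2:", groups(recover_other(reuse_leak(cipher, cipher2), second)))
```

With the constructed sheet above the first message encrypts to `85136 38822 08979`; every ciphertext digit is uniform as long as the sheet digit is, which is the whole proof of security, and the proof evaporates the moment the sheet is used for a second message.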

Other methods of transferring messages that are on display are ‘dead letterboxes’ and a ‘burst transmitter’. The dead letterbox they showed was nothing more than a piece of cement with some messages inside. This ‘rock’ would be dropped at a known location by one agent, and later picked up by another. This way the agents did not have to meet face to face, and if one of them was under surveillance, the surveillance had to be pretty strict to see the agent throw or pick up a rock from the ground. The burst transmitter is another way of communicating. The message was prepared by the agent, and then transmitted at high speed (in a burst) via a special shortwave transmitter. Because the transmission was short, there was little chance of detection, let alone time for radio location measurements.

It is worth visiting the exhibition in Zoetermeer, especially if you have kids. There is a real mission for them, and they have to complete a puzzle search to get a small prize. It is open for the public until February 27 2011.

Toys for the boys

November 8th, 2010

Seems like some interesting assignments are coming up. Whether or not the assignments materialize, one can always make good use of the kind of repro-stand I just purchased.

repro-stand

I was also persuaded to buy some special ‘daylight’ lamps from the same manufacturer, so for the moment I have a nice ‘basic’ setup. There still is a chance that light from just two sources will not quite do it, but for the moment I am happy and can at least make some small series of images. I made some test shots with my crappy old camera, and am not too unhappy with the result. Just to show a few, here are some images of IKON DLC, IVANA NECOLOCK, Federal, LIPS and some other locks. Now waiting for Christmas to see if Santa will bring me a nice(r) camera and maybe a couple of lenses …