Key duplication from a photo CTF

September 22nd, 2019

Jos has a talk about key duplication from pictures. If you have not seen it: https://youtu.be/muINcnhj1EQ
For a conference there was the question: What does it take to make it into a workshop? There was little budget so we have turned it into a CTF instead of a training/workshop.
This CTF has no prizes and might teach you something new.

If you ever wished you could try it without being sneaky, this is your chance. The CTF is a controlled and safe environment. You are encouraged to copy these keys!

The problem:
Publishing pictures of your keys is not a good security practice. Keys can be duplicated from a photo rather easily. Twitter and other social media are full of threads filled with pictures of keys. I got shared one but they’ve removed it on our advice.
(Note to self: Take more screenshots.)

Example: https://twitter.com/hashtag/zeigteureschluesselanhaenger
The hashtag is about the keychain but there are some perfectly decodable keys in there.

The CTF:
1) Get to the keys
2) Take a photo or make an imprint of it
3) Make a key
4) Test the key

Measuring tools and files will be available at the lockpicking village.
We are going to help as little as possible to not spoil the fun.

There are three keys at the moment:
CTF 1) Key will be published here
CTF 2) Key will be placed on the table at lockpicking villages (do not borrow/steal the key please.)
CTF 3) Key will be on the belt/lanyard of the Orga or instructors at the lockpicking Village

Please don’t publish pictures of the CTF 2 and CTF 3 key. You are allowed to do a writeup about CTF 1.

CTF Key 1:

Key measurements:


As there was still some ambiguity, this picture should prove useful. Each square is 5mm by 5mm.

All locks are standard unmodified 5pin Abus/Buffo. The blanks that work are Y1, 1A (SKS/JMA), CS206 (Silca) and many others. You’ll get points for sourcing your own keys. Really, give it a try!

This CTF will run for the next months to years. Come see Toool at a conference near you.
Next up: Hardwear.io, HITB, LockCon and Hackerhotel 2020.

If you want to play but can’t make it to a conference, please send me a digital bird at Jan-Willem at Toool dt nl. You’ll be sent three pictures and a post address. You can mail me the physical keys you’ve made.

I’ve tested the CTF myself. It took me about 30 minutes to make three keys from a photo.
Please, don’t publish pictures of your keys, stay safe.

Published by Jan-Willem.

Impromptu lockpicking village at Bornhack IV

August 19th, 2019

Jos and I (Jan-Willem) were at Bornhack.dk, a small hacker conference in Denmark. Not only were the talks interesting, the quietness was also welcome. Bornhack does not have multiple tracks, so plenty of time to relax and pick locks.

We brought a lockpicking village in a box. A decently sized tool case with everything you’d need for an unplanned lockpicking village.

I’m attempting to learn manipulation of safe locks and brought an S&G lock and a bunch of manipulation sheets to Bornhack. It took me the better part of three days to crack it. (For an upcoming conference I’ve got an hour.)

Manipulating safes and safecracking sparked the interest of multiple people and I did my best to explain the basics: what I was doing and how to exploit the lock.

Jos did his talk on post-its and invited people to join us at theFEEST village, aka Dutch village with free beer and stroopwafels. Many Danish hackers joined us at the village. It’s always fun to teach people new skills.

Internet of lockpicks.

Note to self: Create a http://www.istodayfriday.com/ like website for lockpicking.

Key duplication revisited

August 18th, 2019

A few weeks ago, we tested the Quick Key Easy Pro kit from Multipick, which turned out to work very well for duplicating a BKS Janus key and even a DOM Diamant key.

This time, we wanted to see if you really need such an expensive kit. First, we focus on the metal. Can we use cheap rose metal we obtained from the internet? We use the moulds we created earlier. The answer: yes, this works fine, for both keys. Our first attempt failed as the two halves of the mould were not properly aligned, but that is “operator error”.

Next, we try to see if there are alternatives to the moulding material. We use cuttlebone, which is also used by silversmiths. We use a standard key to start with. The duplicate looks promising, but does not work. Again, we blame the alignment of the two parts of the mould. Some further testing is necessary. The cuttlebone is too brittle to be used in combination with the holder from the Multipick kit.

Attacking masterkeyed systems

August 6th, 2019

A couple of years ago one of our members, Jos Weyers, came up with a novel method to attack master key systems. If you know Jos, it’s probably not at all surprising that this method mainly consists of impressioning. Attacking masterkeyed systems that way has several distinct advantages: no need to take a lock apart, no need for huge numbers of blanks, no need to have access to a working key, no guessing if your new key is indeed the master you are looking for, to name just a few. After keeping this knowledge within a rather small community for some time, it is now out in the open due to a talk Jos did at OzSecCon in Melbourne this year, which of course included live demos right there on stage.

https://twitter.com/kylieengineer/status/1139694231964938240

(master key system supplied and pinned up by Holly Poer, “southpark-esque lock animations” by JanWillem Markus)

Key duplication

July 16th, 2019

Although at Toool, we normally pick locks without having a key, it is also interesting to occasionally look at other ways of opening a lock. I got my hands on a Quick Key Easy Pro kit from Multipick (not affiliated) and decided to test it out. I took it to the Toool meeting with three locks to test it out on.

First up was a BKS Janus lock. I combined the two substances to make the mould, but spent too much time kneading it; it was already partially hardened when I wanted to press the key in. The second try, I hurried up a bit more and it worked nicely. I heated up a pellet of metal and poured it in the mould.

After a short wait, out came the key.

This key is quite sturdy and is thus easy to create using this technique. But the tolerances are quite small. Does the key work?

Yes, it does! And that for the first key I am making with this kit. I’m impressed. Because this key was a success, I decided to take on an even bigger challenge and duplicate a DOM Diamant key. This key is very hard to duplicate, as it has very thin pieces of metal going down the key. The first attempt yielded a key that was incomplete. The metal had not gone all the way in. I melted that key again, made it slightly warmer and tried again. The second time, the key that came out had a hole in the middle, but it had metal in all the important places. And what do you know: this key worked first time around!

Jos made a video of me duplicating the key. I hope you enjoy watching as much as I enjoyed copying the key. Sorry for talking Dutch in the video 🙂

Walter.

Lishi Schlage impressioning tool

July 11th, 2019

The company Lishi is mostly known for their decoding tools for several brands of cars. Now, they also have decoding tools for Schlage and Kwikset locks that work similarly.

Although not as much a sport as lockpicking using standard picking tools, we are always eager at Toool to try out new tools. Not long ago, Jan-Willem already tweeted about the tool:

Now, we also have a demonstration of the Schlage tool, done by Jos:

Enjoy!

Walter.

East German secret police and lockpicking

July 11th, 2019

More than 12 years ago, Oli Diederichsen wrote a book about impressioning. It had quite an effect and nowadays we have impressioning championships in which working keys are filed in amazing times.

And now, Oli has written a new book (called “Stasi Secret Service Tools: Die geheimen Schlossöffnungswerkzeuge der Abteilung VIII”), about the former East German secret service and their research into locks and lock opening. They made combs (called “heavenly key”) and special opening tools for Trabant cars, the only car a normal person in Eastern Germany could buy. But they were also interested in locks from other places, including high security locks.

At the previous LockCon, Oli already showed his ongoing work including some really interesting pictures of the Stasi tools. The book is available in German only.

The Room

March 11th, 2019

Toool NL organised “The Room” as a side-event of the 2019 edition of the Hacker Hotel (https://hackerhotel.nl) conference. Bugs, scenario, gameplay, set dressing and props by Jan-Willem, Rob and Jos. The talk about The Room is available on YouTube:

All vids recorded by Bix, with gear supplied by duh-events.nl, except the POVvid, which was recorded by https://leukemensen.nl/.
Cameras were still running when Jos went through the room to snap pictures for the (impromptu) talk above, which gives a good indication of where (almost) all of the treasures were hidden. These are links to videos of some teams running “the Room”:

It was great fun!

Opening a vintage lock

February 3rd, 2019

A while back, somebody visited one of our Toool meetings. This gentleman brought with him a punch clock device. I am not sure in what setting it was used, but found one example on the internet of such a clock being used in a prison, where the warden would register their rounds through the facility.

Punch clock

The keys were lost, so we were asked to try to open it without damage. The lock looked easy enough..

Still, we could not open it fully.

In the end, Jos took it home to look at it a bit further and in the end he was able to open it. We had not expected a three lever lock when we started.

Finally, we had a nice view of the insides, where you can see the mechanism to transport a paper tape and an ink ribbon.

Lockpicking escape rooms

December 25th, 2018

Eric runs a lock shop (Au P’tit Clou Serrurerie) in Belgium, in the city of Beauraing (near Dinant and also near a degree confluence point). He has also set up a few escape rooms with a lockpicking angle. If you’ve ever been in an escape room, you know they often involve locks to be opened, to get to the next stage. But the escape rooms Eric designed are completely in a lock theme. One is based on the story of Charles Hobbs. Hobbs was the first to defeat the security of the locks of Jeremiah Chubb and Joseph Bramah. We still call the tools he used ‘Hobbs Hooks’.

When Eric saw the talk of Tim Jenkin at LockCon 2017, he was inspired to build another escape room about his amazing story of escaping from a Pretoria jail as well. So if you would like to relive that experience, be sure to visit Trésors Cachés!