Posts Tagged ‘Key duplication’

Key duplication from a photo CTF

Sunday, September 22nd, 2019

Jos has a talk about key duplication from pictures. If you have not seen it: https://youtu.be/muINcnhj1EQ
For a conference there was the question: What does it take to make it into a workshop? There was little budget so we have turned it into a CTF instead of a training/workshop.
This CTF has no prices and might teach you something new.

If you ever wished you could try it without being sneaky, this is your chance. The CTF is a controlled and safe environment. You are encouraged to copy these keys!

The problem:
Publishing pictures of your keys is not a good security practice. Keys can be duplicated from a photo rather easily. Twitter and other social media are full of threads filled with pictures of keys. I got shared one but they’ve removed it on our advice.
(Note to self: Take more screenshots.)

Example: https://twitter.com/hashtag/zeigteureschluesselanhaenger
The hashtag is about the keychain but there are some perfectly decodable keys in there.

The CTF:
1) Get to the keys
2) Take a photo or make an imprint of it
3) Make a key
4) Test the key

Measuring tools and files will be available at the lockpicking village.
We are going to help as little as possible to not spoil the fun.

There are three keys at the moment:
CTF 1) Key will be published here
CTF 2) Key will be placed on the table at lockpicking villages (do not borrow/steal the key please.)
CTF 3) Key will be on the belt/lanyard of the Orga or instructors at the lockpicking Village

Please don’t publish pictures of the CTF 2 and CTF 3 key. You are allowed to do a writeup about CTF 1.

CTF Key 1:

Key measurements:


As there was still some ambiguity, this picture should prove be useful. Each square is 5mm by 5mm.

All locks are standard unmodified 5pin Abus/Buffo. The blanks that work are Y1, 1A (SKS/JMA), CS206 (Silca) and many others. You’ll get points for sourcing your own keys. Really, give it a try!

This CTF will run for the next months to years. Come see Toool at a conference near you.
Next up: Hardwear.io, HITB, LockCon and Hackerhotel 2020.

If you want to play but can’t make it to a conference. Please send me a digital bird at Jan-Willem at Toool dt nl. You’ll be send three pictures and a post address. You can mail me the physical keys you’ve made.

I’ve tested the CTF myself. It took me about 30 minutes to make three keys from a photo.
Please, don’t publish pictures of your keys, stay safe.

Published by Jan-Willem.