We first posted this article in September 2008, but have received many inquiries about our fabulous Bilock Extreme Security product that virtually eliminates this threat. Bilock keys are unable to be copied surreptitiously in a similar fashion, due to the product using two blades with different key cuts on each blade. Combined with the patented Bilock interactive element, both in the key and the cylinder, security of both the key and lock are protected in an unequalled manner.
LAS VEGAS -- Life takes Visa, says the credit card company's catchy and ubiquitous TV ads.
And now, according to a group of security researchers speaking at the DefCon hacker conference in Las Vegas, Medeco high-security locks take Visa, too. As well as MasterCard, American Express and Discover cards.
To be more precise, the researchers say that plastic used in all of these credit cards can be easily fashioned into simulated keys that open three kinds of M3 high-security locks made by the Virginia-based Medeco Security Locks company -- locks that are used to secure sensitive facilities in places such as the White House, the Pentagon, embassies and other buildings.
"Virtually all conventional pin-tumbler locks are vulnerable to this method of attack, and frankly nobody has really considered it or looked at it before," says Marc Weber Tobias, one of the researchers.
The researchers showed Threat Level how they could create the simulated keys from plastic simply by scanning or photographing a Medeco key, printing the image onto a label and placing the label onto a credit card or other plastic to cut out the key with an X-Acto blade or scissors and then use the key to open a lock covertly.
Any credit card plastic will do to create a simulated key....
The researchers can make plastic keys, despite the fact that Medeco's M3 locks are supposed to be more secure than conventional locks, due to key-control measures designed to prevent unauthorized duplication of their keys.
"When you have a high-security lock, you don't expect this to be able to happen," says Tobias, an investigative lawyer who will be demonstrating the hack with Matt Fiddler, a computer-security researcher, and Tobias Bluzmanis, a Florida locksmith. "Key control is supposed to make this impossible to happen. That's what you're paying for."
High-security locks -- which can cost two to four times the price of a common Kwikset lock used in most homes -- have millions of possible key combinations, as opposed to just thousands in low-security locks. High-security locks also use patented key-control systems to prevent just anyone from duplicating the keys.
What this means is that only specific locksmiths who are authorized by the lock maker are given key blanks, key codes and equipment to make the keys. To ensure that no keys are made before a lock is sold, the locks are also shipped to the locksmith without pins in them -- the bars inside a lock cylinder that engage with the grooves on a key to open the lock. The pins are added by the seller after a customer purchases the lock, using proprietary key codes doled out to locksmiths by the lock manufacturer.
If a buyer wants additional keys made for the lock later on, he has to return to the same seller to have him make the keys or find another locksmith who is authorized to use that particular key code. Keys used in places like the White House would likely use an even higher level of key control, whereby only the manufacturer -- Medeco -- would be able to make duplicate keys....
The attack requires brief access to a high-security key long enough to take a picture of it with a camera phone or scan it, so it will likely have to involve an insider or someone else with access to keys -- such as a valet parking attendant.
"You're an employee and you loan it to somebody or your kid takes it off your key ring and makes a copy and tells his friends to break into the facility -- I can give you a lot of scenarios," Tobias says. "Insiders are always the biggest threat."...
"If you're a security manager for the Federal Reserve or Citibank, you have a belief that what the company is telling you is true, that unless it's authorized, nobody can reproduce your keys," Tobias says. "So if you give a key to an employee you don't have to worry about it. And that's the problem. It's not true."...
Researchers say the issue of the plastic keys is more serious than what they revealed last year at DefCon, when they demonstrated how they could bump and pick Medeco's patented M3 Biaxial and deadbolt locks -- locks that Medeco claimed were bump- and pick-proof. They were able to create bump keys for the locks after spending months analyzing Medeco's published key codes.
But by using plastic keys, the researchers can now crack the M3 locks in a way that doesn't require knowledge of key codes or any significant skills or equipment, although it does require brief access to a key to copy it....
Bluzmarin, who has been a locksmith for 25 years, says their research has forced him to rethink everything he once believed about Medeco locks.
"Basically if someone came to me (before) and said they could pick a Medeco lock, I'd say, 'You're crazy; you don't know what you're talking about.' If they told me they could open it with plastic, the same thing. I'd say, 'You're crazy.'
"Locksmiths don't have a clue what is going on. Your locksmith will tell you this is impossible."