A group of lock-picking hackers based in Melbourne, Australia, has cracked open the controversy surrounding 3D printing and personal security. Using images from publicly available patent websites, the hackers managed to replicate so-called ‘restricted’ keys that could be used to open businesses, government buildings or secure data centers.
The problem of 3D printed keys first came to public attention nearly one year ago, when leaked images of TSA master luggage keys allowed an individual to 3D print working replicas using only a commercially available 3D printer.
In this most recent story, unveiled at the BSides Canberra Security Conference in Melbourne, the hackers used a similar 3D printing technique. However, rather than peeking into vacationers’ luggage, they could potentially break into a secure data center.
Typically, ‘restricted’ keys are considered to be safeguarded because only expensive specialist locksmiths with licenses and specific machinery can produce them. They are used mainly to protect sensitive areas where standard and easily copied keys will not suffice.
To further ensure that unauthorized individuals will not copy a restricted key, these keys often have the words ‘do not duplicate’ on them to warn locksmiths. Unfortunately, as Topy, a Loop Technology security consultant, explains, those words mean very little to determined lock-pickers.
"The restricted keys have 'do not copy' stamped on them, but unfortunately it doesn't really mean anything," he said. “In Melbourne you can't get restricted keys from locksmiths no matter how nicely you ask them… so we decided to make them ourselves.”
To circumvent the fact that they couldn’t copy the keys using traditional, physical methods, Topy and his team went digital. Knowing that the shapes of the keys are patented, they simply went online to public patent sites, where they were able to download very high-quality images.
To make things even easier, the key blanks are often available as scalable vector images with precise measurements—more than enough information for a CAD modeler to create an accurate 3D file.
The 3D printed key is made from a durable plastic that can be used multiple times without breaking. As The Register explains, with such a key, lock-pickers can obtain the cylinder from a vulnerable lock, learn the master key pattern, and then apply it to the 3D printed ‘blank’ key. The system doesn’t require the lock to be broken, meaning users can get in and out undetected.
Luckily—in this instance, at least—the lock picking was done for legitimate reasons: to understand how high-security locks can be compromised using 3D printing and other digital technology, and to develop measures to further protect them.
This isn’t the first time that 3D printing and personal security have come to light in recent months. In addition to the TSA Master Key scandal mentioned above, Eric Wustrow recently discussed three common ‘attack models’ used to create 3D printed keys. In related 3D printing security news, the University of California, Irvine, has discovered that 3D files can be stolen and re-created based on nothing more than the sounds emitted from a 3D printer.