Jan 24, 2016 | By Kira

At the recent Chaos Communication Congress in Hamburg, computer science engineering student Eric Wustrow gave a talk on his ongoing research project Replication Prohibited, which deals with how 3D printed keys are impacting physical security systems and potentially compromising our safety. Looking at pin tumbler locks specifically, one of the most common types of physical locks used today, Wustrow revealed three common ‘attack models’ used to create 3D printed keys.

When it comes to Internet security, we’re constantly encouraged to beef up our passwords’ ‘strength’ in order to ensure that even the most devious of hackers won’t be able to crack them. We diligently come up with code words that are longer than eight characters, contain special symbols and numbers, use both upper and lower case letters, and that we are somehow expected to actually remember because writing them down is, of course, completely out of the question.

Yet when it comes to physical security, well, we take the old lock and key system for granted. That is probably because, traditionally at least, forging keys illegally would entail a host of physical and skill-based obstacles, including having physical access to the key in question, and being skilled in either metal crafting or CNC machine tool programming. Today, however, all you need is a semi-decent photograph and access to a basic 3D printer.

Case in point: the great 3D Printed TSA Master Key Scandal of 2015, in which a media outlet published a photograph of the master keys TSA agents use to unlock traveler baggage, and within hours, crafty makers were able to create functional 3D printed copies.

Describing the forgery of keys for pin tumbler locks, Wustrow and his University of Michigan Colleagues Ben Burgess and J. Alex Halderman describe three main attack models, or ‘attack vectors,’ as they are known in the cybersecurity world, that make use of 3D printing to crack physical locks.

The first attack model for creating 3D printed keys is known as Teleduplication. Modern cameras are capable of taking incredibly high-resolution photos even from distances as far as 200 feet or more. These photographs can quickly and easily be made into accurate CAD files ripe for 3D printing, as was the case in the above-mentioned TSA luggage key scandal. Even a bad digital photo can contain enough information to make a working 3D printed replica of a private key. “We’re in a day and age when pretty much anything can be reproduced with a photograph, a 3D printer and some ingenuity,” said one security researcher in regards to the 3D printed TSA keys. A comforting thought, indeed.

The second attack model is known as Lock Bumping, which has proved to be an effective way to open over 90% of cylinder-type locks within seconds. The advantage of 3D printing is that plastic 3D printed bump keys have significant advantages over metal ones: plastic is cheaper, makes less noise, and transmits the impact on the lock’s pins better without risking damage to the lock itself.

The third and final attack method, Privilege Escalation, was named after a similar computer hacking technique that exploits a design flaw or configuration oversight in an operating system. In the 3D printed key realm, Privilege Escalation is aimed towards master key systems and utilizes the rapid prototyping capabilities of 3D printers.

To create master keys, lock manufacturers can put two different sets of pins into a lock, with one of them being compatible with the master key. They then use that same pin across a large batch of locks. The ‘design flaw’ here is that the two pin sets within a single lock are not completely independent. Therefore, if the attackers have the non-master key, they can modify it, one cut at a time, until it is capable of opening the ‘master pin set’. 3D printing is a cheap and quick way to make a bunch of different prototypes of these modified keys until the ‘master’ is finally found.

3D printed keys do have a few drawbacks—not all materials are ideal, with plastic being prone to breakage, and some materials proving to be either too fragile or too flexible to actually turn a lock. However, with metal 3D printing on the rise, affordable brass, steel or even titanium 3D printed keys might not be too far away.

However, all of this is not meant to generate fear over the threat of 3D printing criminals gaining access to your belongings. Rather, Wustrow and his team want to raise awareness about the current state of 3D printed keys and inform people of their options. In fact, Wustrow and Burgess previously created Keysforge, a web app that allows users to 3D print ‘do not duplicate keys’ based off of a photo. Rather than designing it to enable criminal activity, they wanted to show individuals and lock manufacturers just how easy it is, encouraging them to adopt new systems.

Luckily, there are a few easy-to-follow tricks you can employ to help protect yourself against 3D printed key forgery. As global cybersecurity company Kaspersky Labs, puts it, a good way to think about this “cyber-physical issue” is to implement the same diligent strategies we use to protect our IT systems.

Their five-step security plan includes choosing more complex lock systems, avoiding master lock systems, and using a ‘two-step authentication’ system with more than one lock in place. They also suggest protecting your keys from being photographed, covering them just as you would your ATM password. Finally, if you still feel threatened, consider alternative security solutions such as alarm systems.

With the Internet of Things ensuring that everything from our refrigerators to baby monitors are well connected, we will encounter new threats to our cyber security, physical security, and the areas where 3D CAD and 3D printing technology merge the two. As with any technological trend, however, knowledge is power. Check out Wustrow’s entire 32C3: Gated Communities talk on Replication Prohibited to find out more:

 

 

Posted in 3D Printing Application

 

 

Maybe you also like:


   






Leave a comment:

Your Name:

 


Subscribe us to

3ders.org Feeds 3ders.org twitter 3ders.org facebook   

About 3Ders.org

3Ders.org provides the latest news about 3D printing technology and 3D printers. We are now four years old and have around 1.5 million unique visitors per month.

News Archive