Copying a Key by Listening to It in Action

Researchers are using recordings of keys being used in locks to create copies.

Once they have a key-insertion audio file, SpiKey’s inference software gets to work filtering the signal to reveal the strong, metallic clicks as key ridges hit the lock’s pins [and you can hear those filtered clicks online here]. These clicks are vital to the inference analysis: the time between them allows the SpiKey software to compute the key’s inter-ridge distances and what locksmiths call the “bitting depth” of those ridges: basically, how deeply they cut into the key shaft, or where they plateau out. If a key is inserted at a nonconstant speed, the analysis can be ruined, but the software can compensate for small speed variations.

The result of all this is that SpiKey software outputs the three most likely key designs that will fit the lock used in the audio file, reducing the potential search space from 330,000 keys to just three. “Given that the profile of the key is publicly available for commonly used [pin-tumbler lock] keys, we can 3D-print the keys for the inferred bitting codes, one of which will unlock the door,” says Ramesh.

Posted on August 20, 2020 at 6:22 AM (35 Comments)

Comments

Mr. H August 20, 2020 6:36 AM

My mama always said (and this is not from ‘Forrest Gump’),
“You only lock because of the good, honest folks. You can’t lock anything away from those wanting it real bad.” Mama knows best.

Petre Peter August 20, 2020 6:42 AM

Moving to digital locks is not the solution here. Just remember what happened to Onity.

Jose Sardinas August 20, 2020 7:08 AM

Are European style keys (side pins) some sort of deterrent/hardening? I don’t think so, but just asking. Definitely going digital is not a solution, I agree.

Clive Robinson August 20, 2020 9:05 AM

@ ALL,

With regards “SpiKey” it was presented at this year’s “HotMobile”[1][2] conference.

Whilst I’ve been aware of how to do this for quite some time as have quite a few other engineers, we tended not to talk about it as the only defence is reengineering all the pin and tumbler locks out there, and the methods to avoid the attack of separating the pins from the keyway whilst the key is inserted or withdrawn (yes the attack works both ways) are nearly all patented or very expensive to implement.

There is actually nothing new in the individual steps as I discuss below, nor in pulling them all together and assembling them into a neat little attack. However putting them together in an application and writing it all up in an academic paper is as far as I’m aware a first.

However both the paper[1] and the presentation[2] assume a certain base level of information / knowledge that many may not be actually aware of in the right way. So to get a grip on how SpiKey does what it is doing you need to know some basic facts in the right way, that do not come out very well in either the paper or the presentation.

So,

Firstly unlike lock picking you are not “enumerating the lock” you are in fact “enumerating the key”…

I know that once you understand what is going on it will sound obvious when you say it. But most lock pickers would be starting in the wrong mindset as they usually “enumerate the lock” as they do not have access to the key.

Put more simply “This is a key present attack” and “The lock is the tool that enumerates the key to produce a time based serial attack vector of a two dimensional path”.

To see why knowing this is important to get SpiKey to work you have to understand that you need to pick the correct degenerate or base model to start from (and when to switch back and forth between both).

Thus a “one ridge key, six pin lock” model will enumerate the distance between the lock pins and give you very little information other than the key insertion or removal speed and acceleration[3]. Thus you need to start with “multiple ridge key one pin lock” model which gives you a crudely approximate ridge to ridge time function based on the time between the lock pin clicks[4].

However the ridge to ridge time function is “one dimensional” whereas the ridge to ridge positions fall in one of a number of “path” positions on a physical grid that is two dimensional. Thus you need some way to get two dimensional “path” information out of the one dimensional time intervals.

To do this you need at least two pieces of information. Firstly an initial known start direction and secondly a time to height function. The first piece of information is known from the lock design that is the pin is rising not dropping as the key is inserted (obviously dropping on removal). The second piece of information is the angle of the key cutting wheel that gives the slope angle. Whilst almost anyone who has seen a key being cut will have seen the cutting wheel has an angle on it, it’s doubtful they will have realised its significance or even consciously remembered that the cutting wheel for these types of keys was angled. So for easy imagining assume it’s 45 degrees which gives a simple linear relationship with rise or fall of the key cut thus the pin offset position with time.

However even knowing this, all you actually get is a “change in path” not an absolute position of the key profile. That is you do not get the actual cut depths (bittings) only the “relative” relationship to each other. Obviously if you can imagine a “cut line” on a piece of paper over which you overlay a transparency with the grid pattern you can see that it can only fit in a smaller range than the total number of cut heights. Also there are other practical bitting rules that reduce the number of possibilities further and both the paper[1] and presentation[2] give slightly different aspects on this problem.

But the real model is “multiple key ridges and six lock pins” this is going to give the base timing you want from the lead pin in the lock plus five other delayed thus partial copies from the five following pins. Thus you get six clicks from the first pin five from the second, four from the third and so on giving you twenty one clicks in total. How do you clean out the fifteen unwanted clicks to get just the desired six clicks from the first pin? Well it’s a trick known to many engineers that have to deal with multiple echoes in ranging systems like radar and from imperfections in transmission lines. The trick is to realise that if you overlay all five delayed click sequences from the five unwanted pins you can do a simple time based subtraction. That is you take the 21 click spectrum, work out the delay on the first click, then using that delay subtract the one click delayed sequence from the undelayed sequence and you end up with six clicks of increasing uncertainty in time which you can apply a well known signal processing technique to, to clean up.

But the fundamental idea that is not stated in either the paper or the presentation is one I’ve mentioned several times before on this blog. Which is converting a parallel system of information into a serial system of information[4]. This is a very fundamental EmSec or TEMPEST attack technique and it can be very very powerful and it’s very easy for an inexperienced designer to get wrong. And as with analysing the signals from a “loop unrolled” AES encryption algorithm, it takes the analysis required from M^N down to just N steps of M individual measurements. Thus from 2^128 to 128×2 in the case of AES. Or in the case of a six pin lock from 10^6 or 1 million potentially different keys down to just six measurements and interpretation to find the relative key cut depths.

Thus you can see from this that it must be possible to design a lock where this attack will not work because there is no serialisation process.

And yes there are indeed locks out there where this attack will not work. These have been designed with stopping the “serialisation” of “pin raking”, as well as “Newtonian Physics” issues that “pick guns”, or “lock bumping” exploit. Thus the key has to be fully inserted into the lock “key way” before it can be pushed up against the locking pins.

[1] The paper : https://soundaryaramesh.github.io/papers/spikey_hotmobile.pdf

[2] The presentation : https://www.youtube.com/watch?v=bxyAa_txM34

[3] The key instantaneous velocity is needed to get precise key cut depth information, but a simple average of key click timings can give you a first approximation. Then an iterative process will give you a more precise set of measurements. Anyone who has written software to decode the data on mag stripe key or credit cards from an inductive “swipe sensor” will know this because you have to allow for “read head bump” causing changes in velocity as the leading edge of the plastic card hits the read head.

[4] It’s essential to understand that the first pin in the lock whilst measuring the distance between key ridges as a time function is also “serialising” what is a physical two dimensional model. If the serialisation does not happen then this type of attack can not work.
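As an added illustration of the “serialisation” point in the comment above (constructed example code, not from the SpiKey paper or from the commenter), the toy model below pushes a key with made-up crest positions through a six-pin lock at constant speed and logs a click each time a pin drops off a ridge crest. With the pins strung out along the keyway the first pin alone reports every crest, so the intervals between its clicks are the crest spacings divided by the insertion speed, and the later pins repeat delayed subsets of the same train (the “echoes” in the comment). A lock that engages all pins at once only after the key is fully home produces a single event and gives no spacings at all. Only crest positions enter the model, so timing alone yields relative rather than absolute cut depths, as the comment says. The pin spacing, key geometry, insertion depth and velocity are all assumed toy values.

```python
from dataclasses import dataclass

# Constructed toy geometry (not real lock dimensions): six pins 5 mm apart,
# a key whose ridge crests sit at these distances from the tip, and an
# insertion depth chosen so that each cut ends up under its pin.
PIN_SPACING_MM = 5.0
N_PINS = 6
KEY_CRESTS_MM = [2.5, 7.0, 12.0, 17.5, 22.0, 27.0]   # crest i, measured from the key tip


@dataclass(frozen=True)
class Click:
    time_ms: float  # when the click occurs after the tip enters the keyway
    pin: int        # pin that produced it (1 = nearest the entrance, 0 = all pins at once)
    ridge: int      # crest it dropped off (1 = nearest the tip, 0 = not applicable)


def insertion_depth_mm(pin_spacing_mm, n_pins):
    """Distance the tip travels before the key is fully home (toy assumption)."""
    return (n_pins + 1) * pin_spacing_mm


def serial_lock_clicks(crests_mm, pin_spacing_mm, n_pins, velocity_mm_s):
    """Conventional pin-tumbler lock: each pin clicks as each crest passes under it.

    The tip is at depth v*t, so crest c sits at depth v*t - c and passes pin j
    (at depth j*s) at t = (j*s + c) / v.  A crest that stops under a pin
    without passing it produces no click.
    """
    depth = insertion_depth_mm(pin_spacing_mm, n_pins)
    clicks = []
    for j in range(1, n_pins + 1):
        pin_depth = j * pin_spacing_mm
        for i, crest in enumerate(crests_mm, start=1):
            if pin_depth + crest < depth:          # crest clears this pin before the key stops
                clicks.append(Click((pin_depth + crest) * 1000.0 / velocity_mm_s, j, i))
    return sorted(clicks, key=lambda c: (c.time_ms, c.pin))


def parallel_lock_clicks(crests_mm, pin_spacing_mm, n_pins, velocity_mm_s):
    """Lock that presents the pins only once the key is fully home: one event.

    All pins meet their cuts at the same instant, so there is no per-ridge
    sequence to time, whatever the bitting looks like.
    """
    depth = insertion_depth_mm(pin_spacing_mm, n_pins)
    return [Click(depth * 1000.0 / velocity_mm_s, 0, 0)]


def first_pin_intervals_to_spacings(clicks, velocity_mm_s):
    """What the front pin's click train gives away: crest-to-crest distances.

    Interval * velocity = distance.  Only pin 1 sees every crest; the later
    pins repeat delayed subsets of the same train.
    """
    times = [c.time_ms for c in clicks if c.pin == 1]
    return [round((b - a) * velocity_mm_s / 1000.0, 3) for a, b in zip(times, times[1:])]


def clicks_per_pin(clicks, n_pins):
    """Histogram of clicks by pin: 6, 5, 4, 3, 2, 1 for the toy key above."""
    return [sum(1 for c in clicks if c.pin == j) for j in range(1, n_pins + 1)]


if __name__ == "__main__":
    v = 50.0  # constructed insertion speed, mm/s
    serial = serial_lock_clicks(KEY_CRESTS_MM, PIN_SPACING_MM, N_PINS, v)
    print("serial lock: %d clicks, per pin %s" % (len(serial), clicks_per_pin(serial, N_PINS)))
    print("spacings recoverable from pin 1:", first_pin_intervals_to_spacings(serial, v))
    parallel = parallel_lock_clicks(KEY_CRESTS_MM, PIN_SPACING_MM, N_PINS, v)
    print("parallel-presentation lock: %d event, spacings %s"
          % (len(parallel), first_pin_intervals_to_spacings(parallel, v)))
```

Changing the velocity scales every click time but leaves the recovered spacings unchanged, which is why the comment treats speed as something to estimate and divide out rather than as a protection; changing the spring strength does not appear in the model at all, because the click is tied to key position.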

Clive Robinson August 20, 2020 9:17 AM

@ Jose Sardinas, Nik,

Sorry but they will still fail if there is a serialisation process and you can detect it in some way.

Thus Kaba keys with their indentations are vulnerable as the key is pushed into the key way, and like as not many magnetic pin systems as well.

As I said above what you are doing is using the lock to enumerate the key pattern be it height of ridges, depth of pits or direction of magnetic attraction. As long as the “serial measurement” can clearly be distinguished in some way then it’s game over.

Most pin and tumbler locks are thus vulnerable because due to not just cost reduction but increased reliability they “serialize” in some way.

There are locks out there where the key has to be fully inserted into the keyway before it is presented to the tumbler pins, but they are few and expensive.

If I remember correctly @SpaceLifeForm had found one that did this that was not very expensive.

Lusoman August 20, 2020 11:08 AM

The key for my 2002 Honda CRV didn’t have peaks and valleys – it was a smoothly curved ridge on both sides. Not sure if this would be better able to resist these attacks.

Clive Robinson August 20, 2020 11:40 AM

@ TimH,

Don’t think this approach will work for two-sided keys/locks such as Ingersoll sc71

As the Mul-T-Lock key is inserted into the Cylinder and removed on the video,

https://m.youtube.com/watch?v=76uXnGn9Ds8

You can clearly hear the serialisation by the pins in the tumbler cylinder enumerating the key….

This video which is “Not Suitable For Work” due to guy having a “potty mouth”,

https://m.youtube.com/watch?v=PNMqA2xPeg0

Not only shows a ten lever SC71 getting picked very quickly but also a partial view of the levers. The lock itself has one heck of a lot of “slop” in it which usually aids in picking, but even so it was a fast pick.

What the guy indicates is that the levers are offset with respect to each other which is why he puts the torsion bar in at the top of the cylinder. This may well mean that the serial clicks are alternating between the top levers and the bottom levers.

If that is the case then the lock would be just as proportionately susceptible to the SpiKey attack as is a normal six pin cylinder lock…

Either way both types of cylinder are serial not parallel presentation to the pins/levers which means the locks leak information about the key…

On another note people appear to think that the opener on the inside is somehow more secure than those you have to turn.

Sorry to disillusion you boys and girls it’s actually a serious design flaw. Back in the 1970’s and 1980’s I used to know locksmiths who worked for utility suppliers, they all had a little secret which was, you lifted the letter box flap and pushed a dentist’s “in your mouth” mirror through and they looked to see what type of latch opener was on the back of the door. They hated those that had to be rotated because that meant they had to pick or drill the lock both of which were slow compared to shoving a stiff bit of electrical “twin and earth” through the letter box and using it to “hook” the latch lever in some cases or as in this Ingersoll just use it as a wedge to get the latch lever to go back far enough to pull the latch back for the door to open.

It’s why people in the know do one of three things,

1, Don’t have a lever operated latch.
2, Don’t have a letter box slot in the door.
3, Put a metal “draft excluder” raised plate over the letter box slot, which only allows things to go downwards towards the floor.

I do one and two with the latch actually operated as a dead bolt operated by a specialised security key that I don’t leave in the latch mechanism. I also have a couple of non standard mortice locks, that I lock but don’t leave the key in either.

My door is not a normal UK door, which is why I could not put a letter box slot in it even if I wanted to. It’s imported from a southern European country where the police are shall we say “lazy” thus might not respond to an alarm etc for a day or two (much as they are now doing in the UK). It has a hidden high strength high cutting temperature frame and plate in the door which has solid oak front and rear and locking bolts that go into the frame from all edges of the door oh and a full length security hinge. The 90 degree porch makes the use of battering rams also ineffective. So whilst not impossible to get through, it would take quite some time. Which is why a sledge hammer through the wall might be a lot faster and quieter 😉

Do I need that level of security? Not that I’m aware of, but it was fun putting it in place and really discourages “cold callers” and those nuisance leafleters etc.

Technotron August 20, 2020 12:17 PM

Easy solution. Play audio of random key clicks or other similar metallic sounds on your phone, while opening your door lock

Clive Robinson August 20, 2020 12:50 PM

@ Technotron,

Play audio of random key clicks or other similar metallic sounds on your phone, while opening your door lock

Sorry to shoot you down that will not work over time, for exactly the same reason you never use an OTP more than once or many other encryption systems where you can get “messages in depth”.

So how to attack it,

If I hide a pin hole camera and microphone up above your door then I can make a recording every time you put the key in, and use the video to synchronize the audio recordings.

I also use the video to then just stretch or compress each recording by the velocity factor I get from the video of the key insertion time[1].

Then I average those audio tracks.

It will take maybe 16 recordings tops to pull the real signal from the random signal…

In essence it’s little different to a “Differential Power Analysis”(DPA) attack from the end of the last century.

Students in EU unis doing computer security at undergraduate level were taught how to do the syncing of DPA recordings and averaging out the required signal from the noise to recover DES, AES and other crypto keys. That was a fifth of a century ago how much improvement has been potentially made in that time?
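As an added illustration of the averaging argument in the comment above (a constructed example, not code from the SpiKey project or from the commenter): each simulated recording holds the key’s six real clicks at an unknown start offset plus five decoy clicks at random positions, standing in for random metallic sounds played from a phone. A single recording is ambiguous because real and decoy clicks look alike. Once the recordings are aligned (the comment proposes a camera for that; here the offsets are simply assumed known) and averaged, a real click contributes 1 to the mean every time while any given decoy position is hit in only a few of the recordings and is averaged towards zero, which is the same mechanism as trace averaging in DPA. The click positions, decoy count, window length and offsets are toy values.

```python
import random

WINDOW = 2000                                   # samples per aligned recording (toy)
TRUE_CLICKS = [150, 240, 340, 450, 540, 640]    # constructed positions of the key's real clicks
DECOYS_PER_INSERTION = 5                        # random decoy clicks the phone plays each time
MAX_OFFSET = 300                                # each insertion starts at an unknown offset


def record_insertion(rng, offset):
    """One raw recording: real clicks shifted by the start offset, plus fresh decoys.

    Real and decoy clicks have the same amplitude, so within one recording
    nothing distinguishes them.
    """
    trace = [0.0] * (WINDOW + MAX_OFFSET)
    for t in TRUE_CLICKS:
        trace[offset + t] += 1.0
    for _ in range(DECOYS_PER_INSERTION):
        trace[offset + rng.randrange(WINDOW)] += 1.0
    return trace


def align(trace, offset):
    """Cut the recording so that the insertion starts at sample 0.

    The comment uses video to find the offset (and insertion speed); this toy
    assumes the offset is known exactly.
    """
    return trace[offset:offset + WINDOW]


def average_traces(traces):
    """Sample-wise mean of aligned recordings, as in DPA trace averaging."""
    n = len(traces)
    return [sum(column) / n for column in zip(*traces)]


def peaks(trace, threshold=0.5):
    """Sample indices whose amplitude reaches the threshold."""
    return [i for i, x in enumerate(trace) if x >= threshold]


def decoy_residual(avg_trace):
    """Largest averaged amplitude at any position that is not a real click."""
    return max(x for i, x in enumerate(avg_trace) if i not in TRUE_CLICKS)


def simulate(n_recordings, seed=7):
    """Return (first aligned recording, average of all n aligned recordings)."""
    rng = random.Random(seed)          # seeded so the toy is reproducible
    aligned = []
    for _ in range(n_recordings):
        offset = rng.randrange(MAX_OFFSET)
        aligned.append(align(record_insertion(rng, offset), offset))
    return aligned[0], average_traces(aligned)


if __name__ == "__main__":
    single, averaged = simulate(16)
    print("one recording, peaks:", peaks(single))          # real clicks hidden among decoys
    print("average of 16 recordings, peaks:", peaks(averaged))
    print("largest decoy residual after averaging:", decoy_residual(averaged))
```

With sixteen recordings a decoy position would have to be hit in eight of them to reach the 0.5 threshold, so the decoys fall away while the six real positions stay at 1.0; the masking would only hold if the decoys were identical from one insertion to the next, in which case they would be part of the signature rather than noise.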

Sherman Jay August 20, 2020 2:55 PM

It seems to me that this is so exotic a technique that it will VERY seldom be encountered in ‘real life’ (whatever that is now).

Also, I think that if we are going to be ‘cautious’ about this, it would be easy to develop a habit of:
1) using your other hand to cover the key hand when the key is inserted into the lock so no visual record could be made.

2) inserting the key part way (engaging a couple of pins), immediately pulling it out part way and then immediately inserting it fully. Then turn it and unlock the lock. Thus, providing a false ‘acoustic signature’. If we are even more ‘cautious’ we could repeat the partial insertion a few times. I think this would make any audio recording unusable.

If anyone can think of a reason why this would not work I would be glad to hear it.

Also, decades ago I developed (and used) a rotary switch combination lock where only the shafts and pointer knobs extended through the wall and on the inside, only one of the 8 positions would close the circuit to the next switch. Thus, only if all 6 rotary switches were set to the correct position would the circuit be closed and a pushbutton (momentary on) could be pressed that would actuate a solenoid lock on the door. All the other positions on each rotary switch were wired to a latching relay that set off an alarm if the pushbutton were pushed.

echo August 20, 2020 3:23 PM

I had the vague idea years ago when I was much younger so it’s been interesting to learn that it is actually possible. (Yes I took locks apart and made key impressions and glue fingerprints too when I was young.) Whatever the attack it still swivels around skill, detection, and laziness. It’s kinda funny seeing Clive stay quiet because “theoretical threat” and people getting antsy when I asked for a particular thing to be taken down. To explain: when you have a node of interest which gets word of mouth traction it can bubble up. When it passes a critical threshold it can attract attention and also copycats. See also road rage, suicide, planes flying into skyscrapers, drones, stealth aircraft, and detecting planets orbiting distant stars. And of course when it gets on Youtube with its dodgy algorithm or some college-age bigmouth wanting to earn a gold star mouths off on Slashdot and the desperate for a page click media bandwagon it may be pushed to the top of the stack thus amplifying the problem. If I can put two and two together so can somebody else.

While people with the “take a perfect sphere and roll it in a perfect straight line” view will sweat bullets, in reality locks are broadly speaking still as secure as they always have been in the overwhelming majority of cases. “A group can be as clever as the cleverest person in the group but no smarter than the average” still applies with the usual stack of bell curves.

I suspect tier one adversaries would already know this so the science and risk analysis has already been done. I would also expect in the UK at least the Home Office to consult with security services and police and potentially make the case for seizure of patents for both security and human rights reasons. Other mitigations may be available too as they are to prevent counterfeiting. But by and large I would only expect a minority may need to change their locks and surrounding security practice while for the majority it would be business as usual.

None of the locks on any of my doors are susceptible to this attack and there are other security gotchas when considered “in the round” unless it’s a tier one adversary in which case all they need to do is ring the doorbell. Can the fire brigade and cops and SAS get in? Well, duh.

There is a lot of mileage in “not being worth it” and “too much bother”.

All my jewellery is costume jewellery off Ebay. Good luck retiring on the proceeds from that.

Clive Robinson August 20, 2020 4:48 PM

@ echo, ALL,

in reality locks are broadly speaking still as secure as they always have been in the overwhelming majority of cases.

That is because a lock is not a security device as most ICT Sec people understand security.

Under real tangible object physical world objectives security is about ensuring physical objects stay in a designated space under the direction of a designated person. Any attacker has to come to the physical object and make real physical effort to move it in a relatively short period of time.

For instance I do not need a lock to protect your car when you’ve put it in the garage, all I need to do is brick the doors and any windows up to stop ingress and egress. In many respects and cases it may not be practical.

The actual purpose of a physical lock security wise is twofold,

1, Not to be the low hanging fruit.
2, To delay an attack until others have time to get there.

The fact that they also take temptation away from honest people is just a bonus.

But many physical locks are not about security, they are about other things such as privacy and safety.

A locked window may stop entry but it does not stop prying eyes, hanging a curtain on the inside of the window does that, and the lock on the window need be nothing more than a simple physical latch provided it can not be accessed from the outside. For normal privacy that will remain a sufficient deterrent for many years if not centuries to come.

Likewise a lock used for safety purposes needs to be little more than the latch does for privacy. There is a standing joke in the UK construction industry that the security of plant equipment is not the ignition lock that can be operated with a bent nail, but the fact it takes quite some time to operate plant equipment without arousing suspicion. Oh and the eight foot high fences just stood up in concrete blocks that any drunk with half a brain knows how to lift out of the blocks…

In the intangible world of non physical information objects security is a lot lot different. Firstly to steal an information object generally requires no physical presence by the attacker and mostly the next to zero cost to the attacker of duplicating the information object means they only really have to avoid detection of the copying and transmission processes as the actual information object never actually needs to be moved.

Thus in the ICT Sec industry the information objects are what are locked not some container as with physical objects.

There are other differences but it makes the point that physical security and information security in the main require not just different skills but majorly different practices because the attacks you are dealing with in ICT Sec for information objects are very much different to physical objects. Thus the skill set differs extensively as well.

K August 20, 2020 4:59 PM

All of this is very interesting, but ultimately pointless when you remember that bump-keys are a thing. The day I learned about them was the day I realized that lock-picking skills are purely for the enjoyment as an art.
If you’re not familiar, bump-keys can be hand cut (with a file) from a standard blank to work with any lock for which that blank is designed. With a couple taps of a screwdriver handle, the lock is unlocked with no signs of mistreatment. This can be misconstrued as the attacker having the original key (or a copy) for the lock.

I’m also reminded of this: https://xkcd.com/538/

echo August 20, 2020 6:26 PM

@Clive

That is because a lock is not a security device as most ICT Sec people understand security.

I can tell when I got you because you either copy what I say and rewrite it or shift the goalposts and flannel.

Thus in the ICT Sec industry the information objects are what are locked not some container as with physical objects.

There are other differences but it makes the point that physical security and information security in the main require not just different skills but majorly different practices because the attacks you are dealing with in ICT Sec for information objects are very much different to physical objects. Thus the skill set differs extensively as well.

Sometimes a lock is just a lock. There’s no need to make it more complicated than it is. Sometimes a “less than last word in security” lock or system is a security strategy too because it attracts less attention or lowers their guard.

Good luck finding any information I want to hide if you even know what type of information it is. Personally, I’ve found giving it away is harder. Following on another property of information is knowing what to do with it or the information conflicting with an agenda. So even if someone is staring right at it the information may as well be a null byte. Now if you’re telling me these “army of one” ICT sec experts have what it takes then no because that’s another set of skills. So we’re back to the stack of bell curves again. Information really can be as slippery as a greased piglet.

Okay, so the “duck and roll” brigade get past all the layers and don’t just steal it but destroy the information. Go right ahead. I can use that too.

Security is more than hardware and more than hardware and information systems and the thing I want to protect and how and why are different. You’re simply not going to find it in a pile of lockpicks or firewalls.

echo August 21, 2020 12:57 AM

The Bowley lock has a slightly different mechanism which may make it a lot harder or possibly impossible to realistically attack with this method. The reason is the key has only a couple of millimetres rake against the pins.

https://www.youtube.com/watch?v=jgekjfwphGc
Bowley Lock Company Inc
Here is a computer generated animation of the Bowley Lock and Key in action.

Rober August 21, 2020 1:42 AM

To pop an even bigger bubble in Technotron’s comment all you need to copy all keys sold at a box store and most sold by locksmiths is just a photograph of the key. I suspect the surveillance equipment required to capture a picture of the key is much easier to set up than a miniature microphone.

SpaceLifeForm August 21, 2020 3:26 AM

@ Clive

BiLock.

Will reduce this attack.

Insertion and removal will create its own noise.

Especially if key cuts never match, even nearly. Which they should not, as that can result in a key that is easier to physically break. Inside the lock. Been there, done that.

The attacker would find it easier to just get a high-res pic of key.

In most cases of physical security locks, it’s all about making it expensive for the attacker. Or, at least, as a deterrent.

echo August 21, 2020 4:00 AM

@SpaceLifeForm

Now people are thinking about different lock designs a Banham lock with sliders is similar-ish in principle to a Bilock. There’s other lock designs too with various bumps and holes and sliders which are somewhere in between a Banham and a Bilock so have different audio profiles too.

And locks with magnetic pins… Oops!

There’s plenty of locks not vulnerable or not easily vulnerable to photographs but this is straying away from the audio attack. The other thing is what a lock gains in one way may be lost in another way so you still need to test the lock as a system as a whole.

People may also be assuming a single microphone or a long range microphone but there is also a scheme with multiple microphones able to isolate sound at a given location across a noisy room.

Phaete August 21, 2020 12:04 PM

Is anywhere mentioned how different strength springs within the same lock affect it?
I assume the click timing would be off due to different accel/speed with which the pins react, or is that negligible?

Clive Robinson August 21, 2020 12:59 PM

@ echo,

The Bowley lock has a slightly different mechanism which may make it a lot harder or possibly impossible to realistically attack with this method.

You can see it being stripped down in this video,

https://m.youtube.com/watch?v=b96pmWSArr4

However the video maker has missed some important points, why I’m not entirely certain.

First off and most importantly as far as this thread is concerned you can see that the design of the Bowley lock is such that the bittings on the key are effectively presented in parallel, thus it does not serialize the bitting pattern acoustically or otherwise. Thus there is not really an opportunity for an acoustic or other side channel to be formed. Which you can also hear when the lock is operated you just get a single click not multiple clicks.

The tear down in the first half of the video shows why this is the case. That is the locking cylinder that pulls back the latch or dead bolt and has the pin “cut line” (thus the bottom half of the pins) has the key rotated against the pins not raked along them. This occurs because within the locking cylinder there is a rotating sleeve that has a lug on the back of it. This lug is in a position that enables it to engage the pin holding locking cylinder so it can rotate if the pins fall flush along the cut line. Inside of the rotating sleeve cylinder but fixed to the lock body is a simple uncoded warding cylinder[1].

Thus although you could make a torque shim to get to the hole in the pin cylinder which the sleeve lug locates in you could still not get a pin tool in that you could use on the pins individually.

Importantly whilst the lock uses conventional brass pins the key is made from a high grade steel, thus to “impression a key” would require you to come up with your own soft alloy key, or do as I used to do, use “engineers blue” or similar. However Bowley have reduced the pin cut depths from around 15-20 thousandths of a millimeter to around 4-9 thousandths which means you need very very fine abrading tool control. Let’s say you were using needle files a full stroke length would normally take off 10-20 thousandths of a millimeter with a brass key depending on how heavy handed you were…

So how about “bumping the lock” you would first need to make a bump key, well whilst it looks like it might be done as the second half of the video tries to demonstrate, you have to remember that the actual available key way movement is about the width of a pin, which makes bumping improbable.

But to make bumping even less likely at least two of the pin sets are of the “antibumping”, “antiraking” type, also it appears that different springs are used on other pins further reducing the chance of either.

However what the video author missed is that Bowley have one “zero set” cut pin in each and every lock. Whilst this reduces the number of key combinations available quite a lot it does make “bumping” via a bump key or “vibrating” via a pick gun beyond the capabilities of most human beings[2].

The question is of course is Bowley going to “up their game” they made a “trade off” between the number of key combinations and an anti-bumping zero set cut pin. They’ve two basic choices to get the key combinations up, increase the number of pins, add coded warding. Or they could do both. Adding coded warding does not reduce the reliability of a lock very much however adding extra pins does.

Whilst they are at it they might want to reconsider how they do the lug and pit mechanism to engage rotation in the latch/bolt operating cylinder in such a way that it can not be used from the lock key way.

Why do this, well the simplest attack might be to just drill the face of the lock body just in front of where that easy to slide out pin spring retaining plate is. Push the plate out to get rid of the springs, then blow the pins out using compressed air insert a wrench and turn the now unlocked latch operating pin cylinder.

[1] It’s quite similar to a design I came up with way back last century when working at Unique. However unlike this design where the warding is just an uncoded barrier, I had a not so obvious way to actually make warding coded to the equivalent of eight extra pins. But the Managing Director who had taken over when I joined the company did not see the value in it for various reasons so he stopped the patent application… Unique no longer really exists but unless the various companies that took it over have thrown away the paperwork then the design and patent application are sitting in another file cabinet apart from the copies I’ve got tucked away.

[2] You could in theory to overcome human failings come up with a set of bump-keys where for each pin position you had a cut out for a zero set pin, likewise for the vibrating needles in a pick gun. But that would just multiply how long you would have to try by the number of bump-keys / needles, which dramatically increases the time a “response team” has to stop you on average…

Clive Robinson August 21, 2020 1:05 PM

@ Phaete,

I assume the click timing would be off due to different accel/speed with which the pins react, or is that negligible?

Not as much as you might hope.

The actual click occurs as the pin comes off the top of the ridge. Thus time wise it will always happen in relation to the key position thus velocity. A stronger spring might make the sound louder and the key fractionally harder to push in but those timings stay pretty much the same, and it’s the timings that are being measured.

Clive Robinson August 21, 2020 1:08 PM

@ SpaceLifeForm,

Photographing the key 😉

The idea that so surprised our host @Bruce when I first posted it is another form of side channel attack against the key, not the lock.

It’s a point that confuses many lockpickers.

k15 August 21, 2020 4:29 PM

Should photos of keys be considered verboten and subject to reporting and takedown, online?

1&1~=Umm August 21, 2020 4:54 PM

@k15:

“Should photos of keys be considered verboten”

That ship sailed long ago, over half a century ago. Kind of in reverse order:

You’ve had the TSA put up a photograph on their website of all the TSA master luggage keys…

Likewise Law Enforcement Agencies with photos of the make, model and sometimes keys of handcuffs they use.

Then there are those people walking along with their keys just hanging off their belt in full view of the public and well within range of a good telephoto lens or one of those high power street CCTV units.

Oh, and don’t forget the many others doing similar with security keys hanging in ‘break glass’ units near doors in case of emergencies, or hanging up on a key board or in an open ‘key locker’ behind the security desk in full public view.

Modern mobile phone cameras are up beyond 14 megapixels these days; at ten to twenty feet that’s more than good enough to photograph a key to cut a key from.

The cat left the bag long enough ago to have been the ancestor of almost every cat you now see 😉

lurker August 21, 2020 7:38 PM

In China I have seen frequently, and used once, a key whose profile was an irregular orthogonal set of four keys. It was used in a door lock with the cylinder inside a round knob. The key ridges were slightly bevelled, all on the side towards which it was rotated. Key entry was smooth and soundless, indicating probably the type where the pin assembly is parallel to the key slot. At the time I thought it was just to get 4 times the number of pins, massively increasing the number of combinations; but assuming somebody can devise a method of raking such pins, there’s the problem of doing four rows simultaneously…

Clive Robinson August 22, 2020 4:51 AM

@ lurker,

In China I have seen frequently, and used once, a key whose profile was an irregular orthogonal set of four keys.

Are you referring to the Chinese copy of the cruciform / Zeiss lock?

https://unitedlocksmith.net/blog/what-is-a-cruciform-lock

There was a variation of these locks used at Colditz Castle, and most of the countries that had officers imprisoned there had learnt how to pick them.

I used to know a man, Dominic Bruce, who knew how to pick them, having had first hand experience there.

echo August 22, 2020 6:08 AM

I knew cruciform locks were tickling some of my neurons. Of course, Colditz… I wasn’t going to reread the whole book just to check.

The Girda series is a variant of “cruciform lock” and has a bit of a reputation. It’s actually a round keyhole not a cruciform but close enough. Where picking fails it is engineered to defeat most of the usual brute force attacks.

As impressive as the best lockpickers are, and lock retailers having a few good points on their side too, I personally find I’m tired of the whole topic. Yes, it’s true most locks aren’t what they are cracked up to be, but then yes, it is equally true that when you have a lock on your workbench for a few days then it will give up at some point. I’m not actually that impressed by custom lockpicking tools either. It’s the first thing I would do.

Personally, I think it is a lot more difficult navigating systems where job titles set traps and mark their own homework.

myliit August 22, 2020 12:37 PM

I wonder if graphite powder or WD-40 might be indicated for this OP challenge? For front doors? For car keys? For mailbox keys?

Clive Robinson August 22, 2020 1:01 PM

@ echo,

I personally find I’m tired of the whole topic. Yes it’s true most locks aren’t what they are cracked up to be but then yes it is equally true when you have a lock on your workbench for a few days then it will give up at some point.

Just look on “lockpicking” as a sport, which is the way most of those involved look at it.

My interest in the more popular sports such as football (soccer), angling (fishing) and the likes of all track sports is, shall we say, minimal at best and zero or less for most (tennis for instance is the pits, lower than hell from my point of view). Even when I was actively involved in competitive sports such as sailing, archery, target shooting (rifle), cycling and rugby I did not actually take interest in the performance of other competitors unless there was a tactical advantage to do so, which for most sports I was involved with there was not. As for armchair / sports bar supporting, I’ve yet to actually do so and at my more advanced age, I’m probably unlikely to ever do so now…

So yes, I can understand why people might not be fans of the sport of “lockpicking”, but there are other good reasons to have an interest in it, not the least of which is the technical side to the likes of engineering.

Engineering in most disciplines assumes “the random fault model” as the way to assess the quality of an engineering solution. Whilst this produces moderately “conservative” designs, they are fairly useless against an active and directed attacker. Thus it’s this that pushes the design not just of mechanics but materials way in advance of ordinary engineering, and in some respects is the “bleeding edge” in technology development that was once the case with the race for the moon in the 1960s, where technological need supersedes the drear capitalist model that is really a race for the bottom that we are currently forced into.

Thus if a sport gives people valuable life skills and insights then, whilst I might not participate the way they do, I would certainly encourage others to do so wholeheartedly.

Singular Nodals August 22, 2020 1:39 PM

My take: I record the sound of the key, then add a complement to the lock mechanism that results in a constant featureless total so all the observer gets is a level hum.

echo August 23, 2020 3:57 AM

@Clive

Just look on “lockpicking” as a sport, which is the way most of those involved look at it.

Yeah. By chance this was one of the next YouTubes I watched. I spent most of my time observing the personalities more than paying attention to their lockpicking talk.

As for sports, I have a tennis dress if I need to be somewhere and look like I belong. Formula 1 was never the same after James Hunt expired. Snooker has got too serious. I’m “in” with the local rugby club management and players although they’re a bit bawdy for me and their club meetings ban women, which is irritating. I’m fine with yachts if they’re 50 feet plus and the drinks are free. I have a badminton kit for fun to go with the picnic blanket and Trangia, not that this is much use at the moment.

I don’t talk about the engineering which interests me; although it goes into maths and materials and structures and can and sometimes does involve security, it’s nothing anyone on here wants to listen to. I have books on this too but they’re usually out of print. The only security book I have is full of the usual “duck and roll” bravado and not much which is technical. But yeah, I guess I’m in “competition” but there’s a lot of toxicity about too which is best avoided and something I watched another expert talking about. Women’s issues, innit. Yes, I’d like to work with space age materials but have to make do with what I have. A CNC machine would be handy but a bread knife and a lot of finishing work gets me in the ballpark. Basically it’s a money game and some of the top end bespoke work is actually very very good. This week someone called my work “impressive” but in all honesty it’s because everyone else’s work is so crap, but then I studied the work of the masters and know how good good can get and this is the standard I aspire to. I don’t think anyone cares but me. I think at the end of the day, speaking for myself, it’s about self-satisfaction.

j.c. August 23, 2020 12:52 PM

reducing the potential search space from 330,000 keys to just three

I’m trying to guess how that figure is arrived at.

7^7 = 823,543

Say seven tumblers (the exponent) with seven possible positions each (the base), with some excluded as “weak keys” — roughly that order of magnitude in any event.

There could only be any borderline uncertainty at all as to the positions of at most three out of the seven tumblers, and even that is stretching it because that leaves at least 2^3 = 8 possibilities, not three, unless 5 out of the 8 keys are excluded as above.

So the positions of at least four out of seven tumblers would have to be nailed down exactly by this algorithm to leave three possibilities.

I am not terribly knowledgeable about locksmithing, but I know “doctors” use stethoscopes and X-ray imagery to crack safes. They call it a black-bag job. Anesthetic gas for the occupants of the house while they complete the job.
