When most people think of physical security, of locking computers or other sensitive information away from unauthorized access, they think of door locks. One of the most common types of door locks is still key and pin tumbler. But how secure are these systems? Is a single locked door considered reasonable and appropriate security? Based on current research, the answer to the first question is increasingly negative. The answer to the second has always been in question.
What is a key and pin tumbler lock?
At its most basic design, a pin tumbler lock, as shown in Figure 1, relies on a system of pins to either prevent or allow a plug to rotate within a lock cylinder. When a key is inserted, the bottom pins are raised to the shear line and the plug is able to rotate (Laxton, Wang, and Savage, 2008, p. 2).
The keys used are cut using a bitting code. The key and pin tumbler system relies on two assumptions.
- No unauthorized people know the bitting code for a specific lock
- Keys are kept secure, and if lost, the locks are replaced
Problems with physical key access control
There are two problems with relying on the physical security of keys. The first has been a problem since key locks were invented; keys are lost or stolen. Sometimes keys are only "temporarily mislaid." However, even if a key is in the wrong hands for even a short time, several methods exist to duplicate it, including, such as impressioning. A manual key decoder, as shown in Figure 2, can also use a key to obtain the bitting code for a key/lock pair (Laxton, Wang, and Savage, 2008, p. 2). Other approaches like, lock bumping and lock picking exploit weaknesses in lock design.
The problem with these methods is access. Access to either the key or the lock is necessary, putting the attacker at risk and raising the work factor. But now a criminal might not need actual access to a key, or its lock, to duplicate it.
Research recently published by Benjamin Laxton, Kai Wang, and Stefan Savage (the team) demonstrates the possibility of duplicating a key using a digital image. Using the same approach as implemented with manual key decoders, an attacker can derive bitting codes from digital images obtained with cameras strategically placed outside the normal physical operating area of the key's owner. In other words, the attacker does not need to gain physical access to the facility or to the key to make a duplicate key.
The research focused on two common household key types: the Kwikset KW-1 and the Shlage SC-1. It's necessary to at least know the blank used to create the key. Applying the bitting code to the wrong blank doesn't get an attacker very far.
To test long distance image capture as a means to obtain key characteristics, the team used a C5 spotting scope, Teleview PowerMate 4X Tele-extender, and Cannon 40D Digital SLR camera. The setup, which weighed about 16 pounds, is shown in Figure 3.
The team took photos of keys from 35, 65, and 100 feet to test the process. A proof-of-concept photo, taken at 165 feet, is shown in Figure 4.
Once the team obtained a key image, they followed the following steps to arrive at a key that would fit into the corresponding lock:
- Measurements on the reference key image are taken and the pixel/mm ratio for that image is computed. This step only needs to be done once for each key blank of interest.
- A digital image of a target key is acquired.
- The user specifies point locations in the target key image that match those in the reference key image.
- Using the point locations, the homography that maps the target key onto the reference key is computed.
- Using the known pixel/mm ratio and the mm dimensions for the distance to first cut and inter-cut distance, the expected locations of each cut point along the key shaft are deterministically located.
- A heuristic search for the depth of each key-bit can be carried out automatically or refined with user input.
- Given the cut depth measurements for the target key in mm the key bitting code is given by matching the mm measurements to the published manufacturers specification for cut depths (e.g., a Kwikset "1" cut is 0.329 inches from the base of the key blade).
The results were interesting. At 35 feet, the key image was properly decoded 4 out of 4 times. At 65 feet, 3 out of 4 attempts were successful. At 100 feet, the team was able to cut the right key 2 times out of 4. Details about this research are found in the team's findings paper.
So do key pin tumbler locks provide reasonable and appropriate security?
A single locked door has never been enough to protect sensitive data or critical systems. An effective physical security design includes multiple obstacles an attacker must overcome. These include:
- Motion and sound sensors
- Multiple locked doorways
- Employee awareness of piggy-backing, social engineering, or other common methods of circumventing physical controls
Putting aside the "single door" vulnerability, requiring employees to maintain keys is a bad idea. They are commonly lost or stolen with no notice to management. Even when management is informed, the cost of replacing affected locks is often too expensive or too much trouble.
Use of centrally managed cipher locks, biometric entry systems, or a hybrid solution is the best way to implement locks as part of an overall physical security strategy. Codes are easily changed when employees leave the company, and access via the employee's biometric signature is quickly disabled. Linking a centralized management system to an account provisioning solution can automate this process, based on information entered into the HR database.
The final word
Will an attacker take a picture of your keys lying on your desk any time soon? Probably not. But the threat exists. More important, however, are the physical access opportunities provided criminals when a well-designed, layered, physical security strategy is not implemented. This includes training employees to question the presence in secure areas of anyone they don't recognize.
Worried about security issues? Who isn't? Delivered each Tuesday, TechRepublic's IT Security newsletter gives you the hands-on advice you need for locking down your systems and making sure they stay that way. Automatically sign up today!
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.