Secure Your Physical Perimeter Part II: Protect Your Keys

Few among us give any thought to protecting our keys.  While most would recoil at the idea of giving our keys to a stranger, we hand them to valets without a second thought, leave them lying around the office, wear them visibly from belt loops, and even post pictures of them on the Internet.  A key contains a certain code that is unique to your lock, “secret” information that allows your key to open your lock and only your lock.  This information should be protected.  Leaving keys in plain sight (or worse, allowing physical access by untrusted persons) allows an attacker the opportunity to capture the information necessary to copy your key.

The Threat

First, it is important to understand the three pieces of information necessary to generate a key.  They are the key profile, the number of cuts, and the depths of each cut.  All of this information is available from the lock itself by a sufficiently skilled attacker, but the information is much more easily acquired from the key.

The key profile is the shape of the keyway into which the key is inserted.  This information is important because it dictates which key blank must be used to generate a key for that lock; if the key cannot fit into the keyway, it will not operate the lock.  There are several ways the key profile may be obtained.  First, it may simply be stamped on the key bow (the portion of the key used for turning) in the form of a code (e.g. “KW1” in the accompanying photo).  If it is not stamped it is usually fairly easy for an attacker to make an educated guess.  The photo below depicts a Kwikset key alongside the keys for three aftermarket locks.  Each of these locks utilize Kwikset specifications and the bows of each are a similar shape.  An attacker seeing a key bow of this shape could be reasonably certain of the keyway and the necessary blank (KW1).

Protect Your Keys
These keys are all instantly recognizable by their bows as using the Kwikset key profile and keying specifications, even though only one is a true Kwikset-brand key.

Once the key profile has been ascertained, an attacker must determine the number of cuts.  The attacker can make an intelligent guess as the vast majority of locks (at least in the US) adhere to the following protocol: residential locks usually have five pins while commercial locks are generally more likely to have six.  The attacker doesn’t have to leave this to guesswork, however.  The cuts on keys are what we generally misunderstand because we usually have no idea what we are looking at.  The important information in a key is the flat cut beds (the “valleys”) on the key.  Each valley is where a pin will sit when the key is fully inserted into the lock.  Simply counting the cut beds in the key will yield the number of cuts.  In some cases referencing manufacturer’s specifications can also be helpful; some manufacturers may offer certain locks in only five- or six-pin configurations.  Referencing manufacturer’s specifications can also help us with the last step, determining the depth of each cut.

The key profile and number of cuts are not considered the “secret” information in the key.  The unique combination of cut depths is, however, and this information is what makes your key different from those of your neighbors’.  This is the information that gives your key its unique code and as stated early in this article, allows it to open your lock while preventing it from opening others.  The cut depths are described in what is called a key code.  In Kwikset locks, for instance, a “1” cut will be the shallowest possible cut and a “6” will be the deepest possible cut according to manufacturer cut specifications.  There are several ways that an attacker may acquire the key code; obtaining a direct code, “sight-reading”, or measuring the key.  Once the key code has been obtained, this information can be input into a key machine to produce a working key.

Obtaining a direct code is by far the easiest method of obtaining a key code.  On OEM (factory) keys, this code is frequently stamped on the bow of the key.  The direct code consists of a five- or six-digit number, each correlating directly to a cut position and the depth of cut in that position.  The key in the photo below gives up all its secrets at a glance.  The shape of the bow is indicative that the key uses a KW1 key profile.  Secondly, there is a direct code stamped on the bow, the numbers “36645”.  This gives us the number of cuts (5) and the depth of each cut—everything we need to cut an operating key for the lock.

Protect Your Keys
A direct code on a key. The numbers on the bow correlate directly to the depth of the cuts on the blade.

If an attacker is sufficiently familiar with the system, he may not even need to see a direct code.  He can compare the cuts and make a reasonable determination of the depth of each, a technique called “sight reading”.  It is this technique that is perhaps the most dangerous because all it requires is a quick look at your keys (or worse yet, a photo).  Finally, if an attacker has physical access to your keys he can measure the depth of each cut with any number of tools (including a caliper, a key-measuring gauge, or specially-cut “depth and space” keys).

 

The Patch

There are some simple measures you can take to prevent key-duplication attacks.

  • Keep your keys out of sight. Keep them in a pocket, a purse, or use a pouch that keeps them covered, and never, ever post pictures of you keys online!!!  Likewise, don’t leave your keys unattended; all too often I see people leave their keys lying on their desks, etc.
  • When giving keys to a valet, mechanic, or anyone else who requires your car key, only give them the car key. There is no need to give out your house key, mailbox key, and office key to someone who only needs access to the car.  Additionally, some cars offer mechanical keys that are designated as valet keys which are specially cut to operate the door and ignition, but not storage compartments such as the glove box and trunk.  If your car has one, use it.
  • When giving keys to service personnel who require repeated access to your home such as dog-walkers, babysitters, cleaners, etc., inquire about their company’s policy regarding keys. Look for a service provider that has a policy offering rekeying of your locks if they lose your key.
  • Never leave a key hidden outside your home. If someone finds the key he or she may simply steal it.  Theft is the best case scenario because you know it is gone the first time you look for it (though this may be weeks or months later) and can change your locks.  The worst-case scenario is the attacker duplicating your key and replacing it; now, not only does the attacker have a key, but you have no idea that he does.
  • Have your keys cut on “neuter-bow” blanks. These are blanks that have a non-descript bow that does not bear the key profile code, does not have a distinctive shape that could reveal information, and is certainly not stamped with a direct code.  Further, most neuter-bow keys also bear the warning, “Do Not Duplicate” which may provide a very small measure of protection against unauthorized duplication (don’t let this give you a false sense of security about passing out your keys; many locksmiths and retail locations will still provide duplicates of so-called DND keys).
Protect Your Keys
Two keys, one cut on a standard Schlage-pattern bow, and one cut on a neuter bow.
  • Purchase and install UL-listed high security locks. Most high-security keys have unique, novel mechanisms that are very difficult to copy.  They are also usually patented and the key blanks are only available to authorized dealers.  Further, to have a duplicate made, a special key duplication card is often required along with a photo ID.  Finally, some high security mechanisms have a moveable element within the key.  If this element (specifics vary) cannot or does not move it simply will not operate the lock.  Because this type of key is so complex there is very little chance of an attacker manufacturing an improvised blank upon which he can copy your key.

Real World Example

A recent news item highlights this danger.  The Washington Post published a story about the TSA, and in it included a photograph of a set of TSA luggage keys.  These keys are a declared backdoor in TSA-approved locks, allowing officers to inspect bags but, theoretically, keeping the bag secured from everyone else.  The posting of the photo became a story itself because of the easy ability to reproduce keys from a photograph, as we will discuss below.  The photograph of the keys not longer appears on the Washington Post, but very good photos are available here, here, and here.

The next post in the Secure Your Physical Perimeter series will cover some steps you can take to increase the physical security of your locks.