3D printers are fascinating devices that are becoming affordable and widely available. Many people love to experiment with them, bringing innovation to many different fields. There are so many things that one can do with 3D printing, from controversial ideas like printing weapons to creating copies of security keys. And we’re not just talking about cheap plastic copies. Newer machines can sinter titanium and other materials to create extremely durable objects.
Last week, during the OHM2013 and DEFCON security conferences, two similar presentations on lock picking innovation took place. Both showcased how copies of physical keys could be created using a 3D printer. All that was needed was the keys ID number or a few good pictures of the original key. It’s worrying to think that’s all that is needed to generate a working 3D model of a security key. Some of the 3D model files used are publicly available and can easily be modified or adapted.
This is not a new concept. 3D models for handcuff keys have been publicly available for over a year. Several years ago a few publications demonstrated how to copy a key from a few photos taken with a high resolution camera.
Of course an attacker with decent skills can use ordinary lock picking tools to open those locks as well. With 3D printers becoming accessible to the masses and the corresponding key files distributed online, it becomes even easier and more accessible for a lot more people.
There are many examples where pictures of keys were shown in newspapers or TV shows which could then lead to people copying them. Firemen’s service keys, which can operate many elevators and emergency exits, or police handcuff keys for example, could make for easy targets for anyone with a suitable printer.
While this is not something most people need to worry about, it is important to note that people should be cautious about what physical property they have photographed. Of course this attack does not work with all key and lock combinations. It is kind of similar to digital crypto keys. Older, simpler implementations with weak keys can be broken and should be replaced with stronger versions, but many implementations out there still use small, weak keys and might be at risk.