Keys to the Kingdom: Impressioning, Privilege Escalation, Bumping, and Other Key-Based Attacks Against Physical Locks
Ebook, 390 pages, 7 hours

Rating: 4.5 out of 5 stars

About this ebook

Lockpicking has become a popular topic with many in the security community. While many have chosen to learn the fine art of opening locks without keys, few people explore the fascinating methods of attack that are possible WITH keys. Keys to the Kingdom addresses the topics of impressioning, master key escalation, skeleton keys, and bumping attacks that go well beyond any treatment of these topics in the author’s previous book, Practical Lock Picking.

This material is all new and focuses on locks currently in use as well as ones that have recently emerged on the market. Hackers and pen testers or persons tasked with defending their infrastructure and property from invasion will find these techniques uniquely valuable. As with Deviant Ollam’s previous book, Practical Lock Picking, Keys to the Kingdom includes full-color versions of all diagrams and photographs. Check out the companion website, which includes instructional videos that provide readers with a full-on training seminar from the author.

  • Excellent companion to Deviant Ollam’s Practical Lock Picking
  • Understand the typical failings of common security hardware in order to avoid these weaknesses
  • Learn advanced methods of physical attack in order to be more successful with penetration testing
  • Detailed full-color photos in the book make learning easy, and the companion website is filled with invaluable training videos from Dev!
Language: English
Release date: Dec 6, 2012
ISBN: 9780123979308
Author

Deviant Ollam

Deviant Ollam's first and strongest love has always been teaching. A graduate of the New Jersey Institute of Technology's Science, Technology, and Society program, he is always fascinated by the interplay that connects human values and social trends to developments in the technical world. While earning his BS degree at NJIT, Deviant also completed the History degree program federated between that institution and Rutgers University. While paying the bills as a security auditor and penetration testing consultant with The CORE Group, Deviant is also a member of the Board of Directors of the U.S. division of TOOOL, The Open Organisation Of Lockpickers. Every year at DEFCON and ShmooCon, Deviant runs the Lockpick Village, and he has conducted physical security training sessions at Black Hat, DeepSec, ToorCon, HackCon, ShakaCon, HackInTheBox, CanSecWest, ekoparty, and the United States Military Academy at West Point. His favorite Amendments to the U.S. Constitution are, in no particular order, the 1st, 2nd, 9th, and 10th.

Reviews for Keys to the Kingdom

Rating: 4.333333333333333 out of 5 stars
4.5/5

6 ratings, 1 review

  • Rating: 5 out of 5 stars
    5/5
    Very informative, very well explained with no ambiguity. I hope to get a chance to buy Deviant a whiskey some day; even in his writing he comes off as a super nice guy.

Book preview

Keys to the Kingdom - Deviant Ollam

years.

Chapter 1

Impressioning

Chapter Outline

The Mechanics of Pin Tumbler Locks

What Is Impressioning?

Why Choose Impressioning?

How Impressioning Works

Tips and Tricks

Open!

Locks That Resist Impressioning

Training Aids and Exercises

Summary

A topic that has generated great interest and discussion among lock pickers and penetration testers in recent years is the tactic of impressioning. Of course, like many exciting trends that capture the attention of the security industry, impressioning is not brand new. As is the case with most lock-opening methods, this has been a skill in the arsenal of locksmiths and covert operatives for some time… however, precious little has been written or reported about it publicly. Only in recent years has the topic of impressioning received increased focus at security conferences and locksport competitions.

As you will soon see, there is legitimate reason to be excited about impressioning. Not only is the tactic very covert—at least outwardly—but if it is completed properly, you will have essentially compromised your target lock for good. A successful lock picking attack means you have opened the lock in that particular instance. A successful impressioning attack means that you have opened the lock in perpetuity.

The Mechanics of Pin Tumbler Locks

Although many of you are likely already familiar with the means by which mechanical locks function, it would be appropriate to give a brief overview of such facts here, to ensure that all readers are comfortable with this concept and to introduce the style of diagrams that I like to use in all of my instructional materials which pertain to locks.

The style of lock with which the majority of people are most acquainted is the pin tumbler design. I realize that many of you may already be familiar with this hardware (indeed, diagrams and photographs of all shapes and sizes abound on the Internet and in other printed works), but I feel it would be proper to review this mechanism briefly, in order to guarantee that all readers understand how it functions and how it can be exploited.

The pin tumbler mechanism is one of the oldest lock designs in existence and is still widely used today. It consists of a round component referred to as a plug which rotates in order to engage or move some additional mechanism (such as a latch or cam or tailpiece connected to the rear side of the plug). When the lock is at rest, the plug is blocked from rotating by means of pins. These pins are installed in such a way as to prevent turning of the plug. Only if the pins are moved to a precise position (usually by inserting the correct key into the lock) can the plug become unobstructed and free to move.

The basic diagram that I like to use in all of my instruction about locks can be seen in Figure 1.1. This is an image of a pin tumbler lock, seen from both a forward-facing perspective (on the left side of this diagram) and from a side-view perspective (on the right side of this diagram). In this image, the plug referred to above is shown in a rather bright shade of yellow. The plug is situated in the housing, which in my diagrams is shown in a pale beige hue. The pins which prevent (or allow) the plug to turn appear in two varieties: key pins (shown in red) and driver pins (shown in blue) and they are acted upon by springs installed in each pin chamber. As you can see in Figure 1.1, when the lock is at rest it is the driver pins which obstruct the plug’s movement.

Figure 1.1 Here we see all the basic components of a pin tumbler lock. The plug, the housing, the pins, and the springs… most of the locks which we use every day consist of little more than these simple pieces.

Pin tumbler lock operation

When a user inserts the proper key into a lock, the key pins ride along the edge of the key’s blade (see Figure 1.2). The blade travels into the lock until the key comes to rest either by its tip encountering the rear of the keyway or by the key’s shoulder coming to rest on the front face of the lock. Locks that function in this manner are called tip-stopped or shoulder-stopped, respectively.

Figure 1.2 A key being inserted into a pin tumbler lock. Its blade moves the pin stacks as it rides against them.

When the proper key has been fully inserted into a lock, a unique phenomenon can be observed… all of the pin stacks will have been pushed into exactly the right position such that the split between the key pins and driver pins (known as the pin shear line) will be aligned across the edge of the plug. When the pin stacks are all in this perfect position, there is nothing obstructing the plug from turning. This alignment is represented in Figure 1.3.

Figure 1.3 The correct key for this lock has been fully inserted.

Let’s take a closer look at this phenomenon, without the appearance of a key in our diagrams, to ensure that everyone is fully aware of what is taking place. Figure 1.4 shows quite clearly how all the pin stacks have now been raised to a height that will allow the plug to move freely and rotate within the housing. The key pins (shown in red) are all contained perfectly within the plug, and the driver pins (shown in blue) have all been moved completely out of the plug and are resting in the housing. If a user were attempting to operate this lock, it would turn freely, as seen in Figure 1.5.
