Key copying kiosks are now showing up in big box stores and using the kiosk is a quick way to make a key. The key kiosk is also a no-questions-asked- $2 cash- bump-key-o-matic. This talk will show how this kiosk is operated and how it can duplicate bump keys and certain do not duplicate keys. *Disclaimer: this presentation is for educational purposes. Please be aware of the laws in your area that may pertain to bump keys. Stay legal.

2. Chris Sistrunk, PE
Electrical Engineer
ICS/SCADA
– Mandiant, Entergy
– Project Robus (ICS Protocol Fuzzing)
Physical Security
– Substation Security Team
– Fun & education
@chrissistrunk
chris.sistrunk@mandiant.com

3. Disclaimer
The information in this presentation is intended
for educational purposes. I am a security
professional, but I am not a legal expert. Please
be aware of the laws in your area that may
pertain to bump keys.

4. + +
=

5. Key Kiosks

6. minuteKey
Does not
accept cash!
Window for
viewing
Scans only
key shaft
Emails receipt

7. FastKey
Does accept
cash!
Scans entire
key
Prints receipt
(no email)

8. KeyMe
approved key iPhone App
• Take pic of key
• Store keys in the CLOUD
• Displays key type + code
• Mail order
Only 5 Kiosks in NY
• Requires fingerprint for
key from cloud
• Duplicates keys as well

9. KeyMe - Prior Art
7/25/2014
http://www.wired.com/2014/07/keyme-let-me-break-in/
“I spent about 30 seconds in the stairwell scanning his
keys with software that would let me reproduce them
with no specialized skills whatsoever. The iPhone app I
used wasn’t intended for anything so nefarious: KeyMe
was designed to let anyone photograph their keys and
upload them to the company’s servers. From there, they
can be 3-D printed and mail-ordered in a variety of
novelty shapes, from a bottle opener to Kanye West’s
head. Or they can be cut from blanks at one of KeyMe’s
five kiosks in the New York City area.”

10. Kiosk Key Types
• Schlage SC1
• Kwikset KW1
• Master M1
• Weiser WR5
• Mailbox NA14
• Other keys may vary
• KeyMe has biggest selection

18. Will it copy a bump key?
Let’s try bump keys:
• Machine-made brass
• Hand-filed brass
• Hand-made plastic
• Printer paper
• Paper plate
• Brass key with large paper cover
• Brass key with small paper cover

30. Success!

31. Detail
Machine-made brass Hand-filed brass Hand-filed plastic

32. Detail

33. Failure is always an option!

34. Results
Bump key type Kiosk Copy? Works?
Machine-made brass  
Hand-filed brass  
Hand-made plastic  
Printer paper  n/a
Paper plate  n/a
Brass with large paper cover  n/a
Brass with small paper cover  

35. Conclusions
FastKey Kiosk copies bump keys!
– Original “key” doesn’t have to be a key
– Cheaper than buying bump keys online
– Must align key carefully in the scanner
– Tries to copy the key as close as possible
– May correct errors in original key
– Has trouble duplicating small teeth on end of keys
A crappy bump key may still work!

36. Further Study
• Will kiosks copy 3D printed keys?
• What other materials will the kiosk copy?
• Key Kiosk vulnerabilities?
– Windows?
– Cell radio
• Is the KeyMe iPhone app secure?
I recommend coordinated disclosure.

37. Someone might get your key n00dz

38. Whoopsie
http://vendingadventures.blogspot.com/2013/05/fast-key.html

39. Questions/Ideas?

40. Related YouTube Videos
https://www.youtube.com/watch?v=O6UqrQwTbgY
https://www.youtube.com/watch?v=Fu74iwq224w
https://www.youtube.com/watch?v=TrDlyTAIByg
https://www.youtube.com/watch?v=kAYTKwPG6a0