0 00:00:00,000 --> 00:00:30,000 Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/603 Thanks! 1 00:00:09,420 --> 00:00:10,679 So welcome, everybody, for the talk 2 00:00:10,680 --> 00:00:12,929 replication prohibited, this 3 00:00:12,930 --> 00:00:15,179 talk covers the subject of 3D 4 00:00:15,180 --> 00:00:17,639 printing and the state of physical 5 00:00:17,640 --> 00:00:18,839 security. 6 00:00:18,840 --> 00:00:20,909 Our lovely speaker today is Eric was 7 00:00:20,910 --> 00:00:23,069 true. He just flew in from the States 8 00:00:23,070 --> 00:00:24,539 four days ago, he told me, and he still 9 00:00:24,540 --> 00:00:25,540 jet lagging. 10 00:00:26,280 --> 00:00:28,739 He's a student of computer science 11 00:00:28,740 --> 00:00:31,289 engineering in Michigan, you say. 12 00:00:31,290 --> 00:00:32,999 And please give him a warm round of 13 00:00:33,000 --> 00:00:34,109 applause and enjoy the talk. 14 00:00:34,110 --> 00:00:35,110 Thank you very much. 15 00:00:41,530 --> 00:00:43,629 Thanks, everyone, for coming so early on 16 00:00:43,630 --> 00:00:44,630 the last day. 17 00:00:46,090 --> 00:00:48,489 I'm Eric Wistrom, presenting 18 00:00:48,490 --> 00:00:50,649 research on Replication Prohibited, 19 00:00:50,650 --> 00:00:52,719 which is our research on 3D printed keys 20 00:00:52,720 --> 00:00:54,819 and its impact on high 21 00:00:54,820 --> 00:00:56,079 security locks. 22 00:00:56,080 --> 00:00:58,719 This is joint work with my coauthors, 23 00:00:58,720 --> 00:01:00,999 Ben Burgess and J.L Telamon from 24 00:01:01,000 --> 00:01:02,110 the University of Michigan. 25 00:01:04,489 --> 00:01:06,769 So we're talking about pin tumbler 26 00:01:06,770 --> 00:01:08,329 locks, which I think is appropriate for 27 00:01:08,330 --> 00:01:10,459 this Congress, given that the the theme 28 00:01:10,460 --> 00:01:12,799 is gated communities. 29 00:01:12,800 --> 00:01:15,079 So take take 30 00:01:15,080 --> 00:01:16,909 that what you will. But I see locks as 31 00:01:16,910 --> 00:01:19,219 sort of the the gatekeepers for 32 00:01:19,220 --> 00:01:21,659 the sneaker net of things. 33 00:01:21,660 --> 00:01:23,299 Firewalls are the gatekeepers for the 34 00:01:23,300 --> 00:01:25,369 Internet of things. And that's what these 35 00:01:25,370 --> 00:01:26,370 are for, for this. So 36 00:01:27,680 --> 00:01:28,969 just a brief overview for those that 37 00:01:28,970 --> 00:01:30,799 don't know pin tumbler locks. 38 00:01:30,800 --> 00:01:32,959 Have, you know, these pins in 39 00:01:32,960 --> 00:01:35,179 them that only open 40 00:01:35,180 --> 00:01:36,859 the lock if the correct key is inserted, 41 00:01:36,860 --> 00:01:39,629 if the wrong key is inserted, then 42 00:01:39,630 --> 00:01:41,779 the cuts on that key only lift the 43 00:01:41,780 --> 00:01:44,029 pins to different heights and one or more 44 00:01:44,030 --> 00:01:45,739 of the pins will block the inner plug 45 00:01:45,740 --> 00:01:48,049 from rotating and 46 00:01:48,050 --> 00:01:49,279 the lock will not open. 47 00:01:49,280 --> 00:01:50,689 But if you put it in the correct 48 00:01:50,690 --> 00:01:52,789 corresponding key, then you will be able 49 00:01:52,790 --> 00:01:54,109 to open the lock. 50 00:01:54,110 --> 00:01:56,269 The the pins will be lined up 51 00:01:56,270 --> 00:01:58,069 along the shoreline and broken along the 52 00:01:58,070 --> 00:02:00,199 shoreline. And this allows the inner plug 53 00:02:00,200 --> 00:02:01,200 to turn. 54 00:02:02,210 --> 00:02:03,559 Now, of course, it's important to 55 00:02:03,560 --> 00:02:05,689 remember that that is the secret 56 00:02:05,690 --> 00:02:07,519 information is encoded in these cuts. 57 00:02:07,520 --> 00:02:10,038 If you can ever take a picture or 58 00:02:10,039 --> 00:02:12,509 observe someone having these 59 00:02:12,510 --> 00:02:14,629 these cuts on a key, then you can 60 00:02:14,630 --> 00:02:16,369 figure out how to open the lock. 61 00:02:16,370 --> 00:02:18,529 If that goes to and there 62 00:02:18,530 --> 00:02:20,779 was an attack in 2008 that sort of 63 00:02:20,780 --> 00:02:22,579 generalized this and went a bit further 64 00:02:22,580 --> 00:02:24,049 and said that, you know, you don't have 65 00:02:24,050 --> 00:02:26,419 to just worry about people next to you 66 00:02:26,420 --> 00:02:28,099 and very close to you that can see your 67 00:02:28,100 --> 00:02:30,169 locks. You have to worry about sometimes 68 00:02:30,170 --> 00:02:32,629 people very far away that have telephoto 69 00:02:32,630 --> 00:02:35,239 lenses and cameras that can take pictures 70 00:02:35,240 --> 00:02:36,240 of high resolution 71 00:02:37,430 --> 00:02:39,559 from across from across the entire 72 00:02:39,560 --> 00:02:41,659 courtyards where, you know, 73 00:02:41,660 --> 00:02:43,669 you can sort of see from from some roof 74 00:02:43,670 --> 00:02:45,679 level, there's some keys sitting on a 75 00:02:45,680 --> 00:02:47,269 book that's barely visible by the naked 76 00:02:47,270 --> 00:02:49,129 eye. But you can actually make out the 77 00:02:49,130 --> 00:02:51,199 cuts on this key from this image. 78 00:02:52,700 --> 00:02:54,379 There's some, you know, tricks to 79 00:02:54,380 --> 00:02:56,029 transforming the image so that you can 80 00:02:56,030 --> 00:02:58,069 actually see it straight on rather than 81 00:02:58,070 --> 00:03:00,159 at this weird angle, but nonetheless, 82 00:03:00,160 --> 00:03:01,849 this is possible to do and they 83 00:03:01,850 --> 00:03:03,319 demonstrated this in this work. 84 00:03:05,340 --> 00:03:06,899 Of course, there's also bumpkins, which 85 00:03:06,900 --> 00:03:08,639 is a common attack against pin tumbler 86 00:03:08,640 --> 00:03:10,949 locks that have you 87 00:03:10,950 --> 00:03:13,049 cut a key to the lowest level 88 00:03:13,050 --> 00:03:15,119 and then put it in the lock, give it 89 00:03:15,120 --> 00:03:16,199 a sharp tap. 90 00:03:16,200 --> 00:03:18,479 And this bounces many of the pins 91 00:03:18,480 --> 00:03:20,549 up. And if you turn the key at just 92 00:03:20,550 --> 00:03:22,229 the right time, then maybe the plug will 93 00:03:22,230 --> 00:03:24,449 rotate as the other pins 94 00:03:24,450 --> 00:03:26,699 clear the shoreline just for a split 95 00:03:26,700 --> 00:03:27,700 moment. 96 00:03:28,730 --> 00:03:30,439 And finally, I think one of the most 97 00:03:30,440 --> 00:03:32,959 interesting attacks for pin tumbler locks 98 00:03:32,960 --> 00:03:34,879 comes out of MasterCard systems is unique 99 00:03:34,880 --> 00:03:37,219 to MasterCard systems and the MasterCard 100 00:03:37,220 --> 00:03:38,239 system. 101 00:03:38,240 --> 00:03:39,859 You have multiple keys that can open a 102 00:03:39,860 --> 00:03:42,139 single lock. So say I have my key 103 00:03:42,140 --> 00:03:43,999 that opens my office door at the 104 00:03:44,000 --> 00:03:46,039 University of Michigan and it only opens 105 00:03:46,040 --> 00:03:48,079 that one. But the building manager has a 106 00:03:48,080 --> 00:03:50,359 key that opens every door in in 107 00:03:50,360 --> 00:03:51,360 the building. 108 00:03:51,950 --> 00:03:53,779 And how this is accomplished is there are 109 00:03:53,780 --> 00:03:55,789 actually multiple pins, more than two 110 00:03:55,790 --> 00:03:57,229 pins in each stack. 111 00:03:57,230 --> 00:03:59,179 And and you have different pins that 112 00:03:59,180 --> 00:04:01,369 correspond to each of the different keys. 113 00:04:01,370 --> 00:04:03,769 So my low level change key that opens 114 00:04:03,770 --> 00:04:05,839 just my office door 115 00:04:05,840 --> 00:04:07,729 can can have cuts that correspond to the 116 00:04:07,730 --> 00:04:09,889 red and the green pins, whereas 117 00:04:09,890 --> 00:04:11,599 the master key that opens all the doors 118 00:04:11,600 --> 00:04:14,149 has cuts that correspond to 119 00:04:14,150 --> 00:04:15,150 just the red pins. 120 00:04:16,640 --> 00:04:18,828 And in 2002, Matt Blaze 121 00:04:18,829 --> 00:04:20,999 published this this privileged escalation 122 00:04:21,000 --> 00:04:23,059 or this rice amplification attack 123 00:04:23,060 --> 00:04:25,489 that's unique to Master Kaede Systems, 124 00:04:25,490 --> 00:04:26,629 which I call the blaze attack. 125 00:04:26,630 --> 00:04:29,149 This is an attack that allows a 126 00:04:29,150 --> 00:04:31,309 a an attacker to that has just 127 00:04:31,310 --> 00:04:33,319 changed key, just a low level change key 128 00:04:33,320 --> 00:04:35,839 to query their lock and learn 129 00:04:35,840 --> 00:04:38,179 what the master key to the entire system 130 00:04:38,180 --> 00:04:39,180 is. 131 00:04:39,830 --> 00:04:40,879 And to give you a sense of how this 132 00:04:40,880 --> 00:04:43,159 works, I'll walk through this 133 00:04:43,160 --> 00:04:45,349 illustration. So again, I have my 134 00:04:45,350 --> 00:04:47,419 low level change key that opens just my 135 00:04:47,420 --> 00:04:49,489 office door and it operates these 136 00:04:49,490 --> 00:04:51,429 the red and green pins at the shoreline. 137 00:04:52,430 --> 00:04:54,199 And so what the attacker does is it takes 138 00:04:54,200 --> 00:04:56,479 this key and makes a similar copy 139 00:04:56,480 --> 00:04:58,399 to it that has all of the same cuts 140 00:04:58,400 --> 00:04:59,929 except for one pin. 141 00:04:59,930 --> 00:05:01,789 One pin is different. It raises it to the 142 00:05:01,790 --> 00:05:03,679 to the highest level and the attacker 143 00:05:03,680 --> 00:05:05,149 puts this in the lock and tries to open 144 00:05:05,150 --> 00:05:06,969 it and if and sees if it opens it. 145 00:05:06,970 --> 00:05:08,689 In this case, it wouldn't open the lock 146 00:05:08,690 --> 00:05:11,029 because this red pin is blocking the plug 147 00:05:11,030 --> 00:05:12,559 from rotating. 148 00:05:12,560 --> 00:05:14,479 So the attacker removes it, files it down 149 00:05:14,480 --> 00:05:16,639 and tries it again and continues doing 150 00:05:16,640 --> 00:05:18,619 this until the lock opens. 151 00:05:18,620 --> 00:05:20,059 And because all of the other pins are 152 00:05:20,060 --> 00:05:21,559 still kept at their old position, that 153 00:05:21,560 --> 00:05:23,209 would normally open the lock. 154 00:05:23,210 --> 00:05:25,279 Once the attacker is able to open 155 00:05:25,280 --> 00:05:26,899 the lock. They have learned what the 156 00:05:26,900 --> 00:05:28,969 master cut is for that PIN 157 00:05:28,970 --> 00:05:31,219 position so they can repeat 158 00:05:31,220 --> 00:05:33,319 this for each then iteratively of the 159 00:05:33,320 --> 00:05:35,149 pins in this lock with different blanks 160 00:05:35,150 --> 00:05:37,249 and different different key cuts, 161 00:05:37,250 --> 00:05:39,469 ultimately revealing what 162 00:05:39,470 --> 00:05:41,809 the master key is to this entire 163 00:05:41,810 --> 00:05:42,810 system. 164 00:05:47,920 --> 00:05:49,809 One more thing to note about all of these 165 00:05:49,810 --> 00:05:51,519 attacks is that you have to find some 166 00:05:51,520 --> 00:05:53,169 piece of metal or some piece of material 167 00:05:53,170 --> 00:05:55,059 that can fit into the keyway of this 168 00:05:55,060 --> 00:05:57,129 lock. Key ways of locks are designed 169 00:05:57,130 --> 00:05:59,439 to be a little bit difficult to get into, 170 00:05:59,440 --> 00:06:01,689 both for to prevent lock picking, 171 00:06:01,690 --> 00:06:03,759 make it harder to get tools into it, 172 00:06:03,760 --> 00:06:05,709 and also to to make it a little bit more 173 00:06:05,710 --> 00:06:07,929 difficult to to get blanks that can 174 00:06:07,930 --> 00:06:09,189 actually fit in these locks. 175 00:06:09,190 --> 00:06:10,839 So for a lot of these attacks, for 176 00:06:10,840 --> 00:06:12,759 bumping, for making unauthorized 177 00:06:12,760 --> 00:06:15,099 duplications and for escalation, 178 00:06:15,100 --> 00:06:17,199 attackers really want to have key 179 00:06:17,200 --> 00:06:19,480 blanks that can fit into these locks. 180 00:06:21,680 --> 00:06:23,989 And for most of the locks that that 181 00:06:23,990 --> 00:06:26,089 we we encounter, this 182 00:06:26,090 --> 00:06:27,859 is very easy. You can just go to, say, a 183 00:06:27,860 --> 00:06:30,169 hardware store and buy 184 00:06:30,170 --> 00:06:31,849 one of these blanks and actually get it 185 00:06:31,850 --> 00:06:33,559 copied from from the dealer. 186 00:06:34,730 --> 00:06:36,499 And there's no control or anything like 187 00:06:36,500 --> 00:06:38,839 that that's going on in 188 00:06:38,840 --> 00:06:40,279 in these open court systems. 189 00:06:41,510 --> 00:06:43,009 One layer above that, there's 190 00:06:43,010 --> 00:06:45,349 duplication, prohibited keys 191 00:06:45,350 --> 00:06:47,719 where you can still buy them 192 00:06:47,720 --> 00:06:49,819 online, things like best keys and 193 00:06:49,820 --> 00:06:50,820 so forth. 194 00:06:51,530 --> 00:06:52,819 And there are manufacturers that sell 195 00:06:52,820 --> 00:06:54,499 them. But you may have a little bit 196 00:06:54,500 --> 00:06:56,299 harder time finding locksmiths that will 197 00:06:56,300 --> 00:06:58,189 duplicate to them or cut to them. 198 00:06:58,190 --> 00:06:59,689 But nonetheless, it's still possible to 199 00:06:59,690 --> 00:07:01,339 find them. They're just more rare. 200 00:07:02,510 --> 00:07:04,609 Finally, there is a step 201 00:07:04,610 --> 00:07:06,739 above duplication prohibited, which is 202 00:07:06,740 --> 00:07:09,079 restricted Kiwi's where the 203 00:07:09,080 --> 00:07:11,569 keyway itself is often patented 204 00:07:11,570 --> 00:07:13,669 or controlled or somehow 205 00:07:13,670 --> 00:07:15,769 specifically and custom designed for 206 00:07:15,770 --> 00:07:18,709 each system by the lock manufacturer. 207 00:07:18,710 --> 00:07:21,079 And this can be system specific in a way 208 00:07:21,080 --> 00:07:23,569 that the lock manufacturer 209 00:07:23,570 --> 00:07:25,669 and the locksmith that deploys it have 210 00:07:25,670 --> 00:07:27,949 some kind of contract where only that 211 00:07:27,950 --> 00:07:30,139 locksmith can buy blanks that fit 212 00:07:30,140 --> 00:07:32,269 that particular keyway and they have some 213 00:07:32,270 --> 00:07:34,459 keycard that authenticates it to to 214 00:07:34,460 --> 00:07:35,509 buying that. 215 00:07:35,510 --> 00:07:36,919 And so you wouldn't be able to buy these 216 00:07:36,920 --> 00:07:39,019 blanks online even if you, you 217 00:07:39,020 --> 00:07:40,040 know, knew what they were. 218 00:07:41,880 --> 00:07:43,469 To to further make this more more 219 00:07:43,470 --> 00:07:44,729 difficult for attackers to find these 220 00:07:44,730 --> 00:07:46,439 blanks, these key designs are often 221 00:07:46,440 --> 00:07:48,539 patented so that if someone actually was 222 00:07:48,540 --> 00:07:50,729 able to manufacture some of these key 223 00:07:50,730 --> 00:07:52,230 highways for popular restricted 224 00:07:53,490 --> 00:07:55,409 highways, then they wouldn't be able to 225 00:07:55,410 --> 00:07:57,239 legally sell them without infringing on 226 00:07:57,240 --> 00:07:58,240 the patent. 227 00:08:00,170 --> 00:08:02,569 So if you're an attacker and you want to 228 00:08:02,570 --> 00:08:04,459 still get access to these blanks, you 229 00:08:04,460 --> 00:08:05,569 have a couple of options at your 230 00:08:05,570 --> 00:08:07,009 disposal, you could try to custom 231 00:08:07,010 --> 00:08:08,239 manufacture it yourself. 232 00:08:08,240 --> 00:08:10,459 You could go to a CMC mill and, you 233 00:08:10,460 --> 00:08:11,989 know, measure out the key that you're 234 00:08:11,990 --> 00:08:14,059 trying to copy and, you know, just 235 00:08:14,060 --> 00:08:16,009 drill this down from from some stock 236 00:08:16,010 --> 00:08:17,269 metal or something like that. 237 00:08:17,270 --> 00:08:19,529 And that certainly is possible for most 238 00:08:19,530 --> 00:08:21,319 Kiwis, although some key ways try to make 239 00:08:21,320 --> 00:08:23,089 this more difficult by having crazy 240 00:08:23,090 --> 00:08:24,469 undercuts and things like that that are 241 00:08:24,470 --> 00:08:26,659 difficult to replicate on CMC 242 00:08:26,660 --> 00:08:27,709 Mills. 243 00:08:27,710 --> 00:08:29,329 But in general, this is going to cost, 244 00:08:29,330 --> 00:08:31,939 you know, some amount of money and take a 245 00:08:31,940 --> 00:08:33,949 fair amount of skill to do in practice. 246 00:08:34,970 --> 00:08:36,439 There's actually a machine that will do 247 00:08:36,440 --> 00:08:38,808 this for you called the Chemex 248 00:08:38,809 --> 00:08:40,339 Easy entry. 249 00:08:40,340 --> 00:08:42,139 And this is a pretty cool device. 250 00:08:42,140 --> 00:08:43,428 You just put in a key that you want to 251 00:08:43,429 --> 00:08:44,479 copy at the top. 252 00:08:44,480 --> 00:08:46,039 It has a little probe that comes out and 253 00:08:46,040 --> 00:08:48,019 measures different parts of the of the 254 00:08:48,020 --> 00:08:50,149 keys thickness and then has a 255 00:08:50,150 --> 00:08:51,829 second part that has a S.A.M. 256 00:08:51,830 --> 00:08:54,319 that cuts the smiley face, Kilink, into 257 00:08:54,320 --> 00:08:56,090 whatever key that you put in the top. 258 00:08:57,110 --> 00:08:58,679 Now, this machine is not cheap. 259 00:08:58,680 --> 00:09:00,349 Last I checked, I think it's about 7000 260 00:09:00,350 --> 00:09:02,599 euro, but it's, you know, something 261 00:09:02,600 --> 00:09:04,369 that could be useful for attackers if 262 00:09:04,370 --> 00:09:06,139 they were, you know, breaking into banks, 263 00:09:06,140 --> 00:09:07,140 I guess. 264 00:09:08,810 --> 00:09:11,479 So finally, there's 3D printing, 265 00:09:11,480 --> 00:09:13,129 this is something that's becoming much 266 00:09:13,130 --> 00:09:14,599 more consumer available. 267 00:09:14,600 --> 00:09:16,579 I've seen several 3-D printers here at 268 00:09:16,580 --> 00:09:18,679 Congress and and 269 00:09:18,680 --> 00:09:20,749 3-D printers are really sort of a 270 00:09:20,750 --> 00:09:22,339 fast, you know, innovating thing that's 271 00:09:22,340 --> 00:09:24,500 going on and rapidly improving 272 00:09:25,520 --> 00:09:27,169 the state and the strength of the 273 00:09:27,170 --> 00:09:28,279 materials that they can print. 274 00:09:29,570 --> 00:09:31,189 3-D printing still requires some amount 275 00:09:31,190 --> 00:09:32,839 of skill, but the tools there are also 276 00:09:32,840 --> 00:09:33,739 improving that. 277 00:09:33,740 --> 00:09:35,269 You can find these these free tools to 278 00:09:35,270 --> 00:09:37,309 model things. And that makes it much 279 00:09:37,310 --> 00:09:38,929 easier than than it used to be. 280 00:09:41,000 --> 00:09:43,429 So one question is, if we print 281 00:09:43,430 --> 00:09:45,829 keys in plastic or in whatever material, 282 00:09:45,830 --> 00:09:47,539 are these printed keys actually strong 283 00:09:47,540 --> 00:09:49,519 enough to use in practice? 284 00:09:50,630 --> 00:09:52,399 To answer this question, our group 285 00:09:52,400 --> 00:09:54,409 performed an experiment on a number of 286 00:09:54,410 --> 00:09:57,079 different ways. We we modeled 287 00:09:57,080 --> 00:09:59,209 several different key ways of keys in 288 00:09:59,210 --> 00:10:01,759 plastic, in acrylic, 289 00:10:01,760 --> 00:10:03,889 in nylon, in several different 290 00:10:03,890 --> 00:10:06,079 materials, including metal. 291 00:10:06,080 --> 00:10:08,269 And we took them all and 292 00:10:08,270 --> 00:10:10,309 put them into locks and tried to break 293 00:10:10,310 --> 00:10:11,809 them off with the most expensive 294 00:10:11,810 --> 00:10:13,669 screwdriver that I have ever purchased in 295 00:10:13,670 --> 00:10:14,670 my life. 296 00:10:16,190 --> 00:10:18,469 It has it has a USB output and 297 00:10:18,470 --> 00:10:20,569 it tells you how many pounds of torque is 298 00:10:20,570 --> 00:10:22,579 being applied to the screwdriver. 299 00:10:22,580 --> 00:10:24,589 And the one redeeming quality of this 300 00:10:24,590 --> 00:10:26,719 screwdriver besides its price 301 00:10:26,720 --> 00:10:28,879 is it had a generous return policy, so. 302 00:10:38,130 --> 00:10:40,559 So we use this tool to measure how 303 00:10:40,560 --> 00:10:42,719 how how much talk we could 304 00:10:42,720 --> 00:10:44,730 take before it snapped off in the lock 305 00:10:45,780 --> 00:10:47,429 and the results surprised us. 306 00:10:47,430 --> 00:10:49,799 We printed these on icemaker 307 00:10:49,800 --> 00:10:52,229 bought using clay, and this 308 00:10:52,230 --> 00:10:54,359 would cost pretty cheap for for each key. 309 00:10:54,360 --> 00:10:55,949 Now, the maker bot itself is not eight 310 00:10:55,950 --> 00:10:57,719 cents, but it's a couple thousand 311 00:10:57,720 --> 00:11:00,059 dollars. But nonetheless, each individual 312 00:11:00,060 --> 00:11:01,319 key that you print off of that is going 313 00:11:01,320 --> 00:11:02,249 to be fairly cheap. 314 00:11:02,250 --> 00:11:04,319 And to our surprise, this key was 315 00:11:04,320 --> 00:11:06,359 strong enough to open most of the 316 00:11:06,360 --> 00:11:08,249 applications that you would come across 317 00:11:08,250 --> 00:11:10,169 if you're using these keys in practice. 318 00:11:10,170 --> 00:11:12,569 So we rank these four things, 319 00:11:12,570 --> 00:11:13,979 opening a door latch, which is just a 320 00:11:13,980 --> 00:11:16,479 very sort of light spring at a couple 321 00:11:16,480 --> 00:11:18,569 of inch pounds of torque all the 322 00:11:18,570 --> 00:11:20,639 way down to a crash bar where 323 00:11:20,640 --> 00:11:22,799 you're actually physically pulling in one 324 00:11:22,800 --> 00:11:25,109 of those sort of massive crash bars 325 00:11:25,110 --> 00:11:27,449 from the outside with just the key. 326 00:11:27,450 --> 00:11:28,679 And to our surprise, the plane was 327 00:11:28,680 --> 00:11:31,169 actually able to do most of these. 328 00:11:31,170 --> 00:11:32,249 We marked passive. 329 00:11:32,250 --> 00:11:34,469 All of the keys were stronger than 330 00:11:34,470 --> 00:11:36,199 the talk it took to open one of these. 331 00:11:36,200 --> 00:11:37,889 So all of the all of the keys that we 332 00:11:37,890 --> 00:11:39,809 tested were stronger than, say, the 333 00:11:39,810 --> 00:11:41,949 torque it takes to open various padlocks. 334 00:11:41,950 --> 00:11:43,349 We marked it fail if none of them were 335 00:11:43,350 --> 00:11:45,509 strong enough to open any of the tests 336 00:11:45,510 --> 00:11:47,609 of of opening them and we marked it may 337 00:11:47,610 --> 00:11:49,289 fail if some of them passed and some of 338 00:11:49,290 --> 00:11:50,290 them didn't. 339 00:11:52,400 --> 00:11:55,099 So we also tested nylon and acrylic 340 00:11:55,100 --> 00:11:56,809 and these are two different materials, 341 00:11:56,810 --> 00:11:58,849 but they had basically the same results 342 00:11:58,850 --> 00:12:00,439 despite being sort of having different 343 00:12:00,440 --> 00:12:01,579 failure modes and properties. 344 00:12:01,580 --> 00:12:03,649 Nylon is a very stretchy material and 345 00:12:03,650 --> 00:12:05,629 acrylic sort of just snaps off and lock. 346 00:12:05,630 --> 00:12:08,239 And despite being more expensive 347 00:12:08,240 --> 00:12:10,969 and coming from actually a 348 00:12:10,970 --> 00:12:13,039 3D printing service, 349 00:12:13,040 --> 00:12:15,409 these were much weaker than than the play 350 00:12:15,410 --> 00:12:16,410 originally. 351 00:12:17,350 --> 00:12:19,149 And this probably would not be used in 352 00:12:19,150 --> 00:12:20,499 any kind of attack that you would want to 353 00:12:20,500 --> 00:12:22,869 do, we tried Ali 354 00:12:22,870 --> 00:12:24,459 Meid, which is a slightly stronger 355 00:12:24,460 --> 00:12:26,649 plastic that has some sort of aluminum 356 00:12:26,650 --> 00:12:27,849 filings mixed into it. 357 00:12:27,850 --> 00:12:30,279 And and this 358 00:12:30,280 --> 00:12:32,019 was a little bit better, you know, three 359 00:12:32,020 --> 00:12:33,429 dollars per key. So it's still pretty 360 00:12:33,430 --> 00:12:35,559 cheap and it's able to open some of the 361 00:12:35,560 --> 00:12:37,779 weaker components, but it won't 362 00:12:37,780 --> 00:12:39,639 open a crack bar or some of the padlocks 363 00:12:39,640 --> 00:12:41,440 that we had testing on this. 364 00:12:42,730 --> 00:12:44,589 But now you might also had this bad 365 00:12:44,590 --> 00:12:46,089 property that it had the very rough 366 00:12:46,090 --> 00:12:47,919 surface to it. It almost had a sandpaper 367 00:12:47,920 --> 00:12:49,149 like feel to it. 368 00:12:49,150 --> 00:12:50,289 So when you were putting it in and out of 369 00:12:50,290 --> 00:12:52,059 a lock, it felt like you were grinding 370 00:12:52,060 --> 00:12:53,239 down the brass of the lock. 371 00:12:53,240 --> 00:12:55,059 So you might you might actually damage it 372 00:12:55,060 --> 00:12:57,399 ultimately if you use lots of these in 373 00:12:57,400 --> 00:12:59,200 locks and then it might also break off. 374 00:13:00,630 --> 00:13:02,729 Finally, we tested 375 00:13:02,730 --> 00:13:04,469 a couple of medals, several medals, 376 00:13:04,470 --> 00:13:06,899 actually, stainless steel and brass 377 00:13:06,900 --> 00:13:08,309 and bronze as well. 378 00:13:08,310 --> 00:13:10,529 But but it was the same as brass, 379 00:13:10,530 --> 00:13:11,969 which is something that you can 380 00:13:11,970 --> 00:13:14,129 surprisingly print in 381 00:13:14,130 --> 00:13:15,569 three dimensions with with these 382 00:13:15,570 --> 00:13:17,159 services. You can go to these services 383 00:13:17,160 --> 00:13:19,169 and and give them a CAD model and they'll 384 00:13:19,170 --> 00:13:20,999 ship you that same object printed in 385 00:13:21,000 --> 00:13:22,000 whatever metal you want. 386 00:13:23,430 --> 00:13:25,139 You can even printed in gold, I guess, if 387 00:13:25,140 --> 00:13:27,539 you want to match your Apple Watch 388 00:13:27,540 --> 00:13:28,540 or something. 389 00:13:30,390 --> 00:13:32,609 So when 390 00:13:32,610 --> 00:13:33,869 we tested this in practice, the metal 391 00:13:33,870 --> 00:13:35,339 does cost a little bit more. 392 00:13:35,340 --> 00:13:36,689 It's about ten dollars for the stainless 393 00:13:36,690 --> 00:13:38,849 steel or thirty dollars or so, 25 dollars 394 00:13:38,850 --> 00:13:41,039 for the breast of that 395 00:13:41,040 --> 00:13:43,559 amount of metal in in breast. 396 00:13:43,560 --> 00:13:45,269 And this works flawlessly. 397 00:13:45,270 --> 00:13:47,039 This opened everything that we had access 398 00:13:47,040 --> 00:13:48,839 to and then some. It was about half as 399 00:13:48,840 --> 00:13:51,089 strong as the real blanks 400 00:13:51,090 --> 00:13:52,499 that you would buy from, say, a hardware 401 00:13:52,500 --> 00:13:54,269 store. But that's still an order of 402 00:13:54,270 --> 00:13:56,489 magnitude stronger than you need to 403 00:13:56,490 --> 00:13:58,889 to open many of these locks in practice. 404 00:14:00,090 --> 00:14:01,979 And as an anecdote, I've actually been 405 00:14:01,980 --> 00:14:04,049 using a brass printed 406 00:14:04,050 --> 00:14:06,239 key for all of my 407 00:14:06,240 --> 00:14:07,859 opening my office door for the last few 408 00:14:07,860 --> 00:14:10,229 years and haven't had really any problems 409 00:14:10,230 --> 00:14:12,059 with the brass one. 410 00:14:12,060 --> 00:14:13,319 Though I will note that the stainless 411 00:14:13,320 --> 00:14:15,689 steel one is a little bit rough 412 00:14:15,690 --> 00:14:17,399 on the lock, in part because it's 413 00:14:17,400 --> 00:14:19,139 actually stronger than the lock, which is 414 00:14:19,140 --> 00:14:20,159 made out of brass. 415 00:14:20,160 --> 00:14:22,229 So if it's not quite perfectly aligned, 416 00:14:22,230 --> 00:14:24,479 you may actually, you know, break some 417 00:14:24,480 --> 00:14:25,739 of the lock in some ways. 418 00:14:25,740 --> 00:14:27,509 And I believe all of the locks that had 419 00:14:27,510 --> 00:14:29,669 regular stainless steel key use had to be 420 00:14:29,670 --> 00:14:30,579 replaced ultimately. 421 00:14:30,580 --> 00:14:31,580 So. 422 00:14:33,210 --> 00:14:35,159 But what happens when these keys break 423 00:14:35,160 --> 00:14:37,439 off in a lock is kind of important 424 00:14:37,440 --> 00:14:39,269 and how these keys fail. 425 00:14:39,270 --> 00:14:41,099 So I will just, you know, note that the 426 00:14:41,100 --> 00:14:42,739 things like acrylic are things that are 427 00:14:42,740 --> 00:14:44,579 they're very brittle, have these really 428 00:14:44,580 --> 00:14:46,199 bad failure cases that you're turning it, 429 00:14:46,200 --> 00:14:47,099 you're turning it. And then all of a 430 00:14:47,100 --> 00:14:48,100 sudden it breaks. 431 00:14:49,080 --> 00:14:50,759 And now you have this piece of plastic 432 00:14:50,760 --> 00:14:52,439 stuck in this lock and it can be very 433 00:14:52,440 --> 00:14:54,689 difficult to get out if it's play. 434 00:14:54,690 --> 00:14:56,459 I'll note the best thing to do is to 435 00:14:56,460 --> 00:14:58,649 remove the lock from the door, soak 436 00:14:58,650 --> 00:15:01,019 it in acetone for about 12 hours, 437 00:15:01,020 --> 00:15:02,999 then take some rubbing alcohol, mix it 438 00:15:03,000 --> 00:15:04,379 out, put it back in the door and hope 439 00:15:04,380 --> 00:15:06,149 that no one notices your door smells like 440 00:15:06,150 --> 00:15:08,219 paint stripper anymore and move on 441 00:15:08,220 --> 00:15:09,220 with your life. 442 00:15:11,750 --> 00:15:13,999 But things like brass fell much 443 00:15:14,000 --> 00:15:15,469 more gracefully. 444 00:15:15,470 --> 00:15:17,779 They you can actually turn 445 00:15:17,780 --> 00:15:19,909 this and feel as it's as it's 446 00:15:19,910 --> 00:15:22,249 bending and, 447 00:15:22,250 --> 00:15:24,049 you know, in many cases we were able to 448 00:15:24,050 --> 00:15:25,789 turn these keys more than about 90 449 00:15:25,790 --> 00:15:27,319 degrees before they failed completely. 450 00:15:27,320 --> 00:15:29,599 So it's very obvious that this thing is 451 00:15:29,600 --> 00:15:31,459 breaking and not going to open this lock. 452 00:15:31,460 --> 00:15:33,529 And you can feel much before you 453 00:15:33,530 --> 00:15:35,509 would, you know, need to get out your 454 00:15:35,510 --> 00:15:37,669 broken key extractors if 455 00:15:37,670 --> 00:15:38,929 this were to snap off in the lock. 456 00:15:41,120 --> 00:15:42,679 So how do you make these models in the 457 00:15:42,680 --> 00:15:44,689 first place? I mean, have we just punted 458 00:15:44,690 --> 00:15:46,879 the skill to making these models 459 00:15:46,880 --> 00:15:48,649 at all? Well, in some ways, yes. 460 00:15:48,650 --> 00:15:50,809 But the modeling tools are fairly good. 461 00:15:52,670 --> 00:15:55,069 Autodesk Inventor is one of the software 462 00:15:55,070 --> 00:15:57,349 packages we use, has a very fast 463 00:15:57,350 --> 00:15:58,699 learning curve. It took us about a night 464 00:15:58,700 --> 00:16:00,889 to learn and print 465 00:16:00,890 --> 00:16:03,019 working keys despite not having 466 00:16:03,020 --> 00:16:05,119 any background in this kind of 467 00:16:05,120 --> 00:16:06,409 in this area. 468 00:16:06,410 --> 00:16:08,449 SolidWorks is another tool for this, but 469 00:16:08,450 --> 00:16:09,859 those both cost money. 470 00:16:09,860 --> 00:16:11,209 Autodesk has this nice feature that you 471 00:16:11,210 --> 00:16:13,369 can actually put visual basic scripts 472 00:16:13,370 --> 00:16:15,019 in it so you can just put the key cuts 473 00:16:15,020 --> 00:16:17,059 that you want to do and say, well, you 474 00:16:17,060 --> 00:16:19,189 know, this program will execute and cut 475 00:16:19,190 --> 00:16:21,319 the key down to whatever combination you 476 00:16:21,320 --> 00:16:23,389 want, which is handy for 477 00:16:23,390 --> 00:16:24,390 testing 478 00:16:25,550 --> 00:16:26,809 on the free side of things. 479 00:16:26,810 --> 00:16:28,399 There's a 3-D modeling tool called 480 00:16:28,400 --> 00:16:29,899 openside, which is pretty cool. 481 00:16:29,900 --> 00:16:31,989 It's entirely sort of scripting based. 482 00:16:31,990 --> 00:16:33,559 You write out a program that essentially 483 00:16:33,560 --> 00:16:35,599 describes the object that you're trying 484 00:16:35,600 --> 00:16:38,059 to build. So you build, you know, spheres 485 00:16:38,060 --> 00:16:40,129 and rectangular solids and you take 486 00:16:40,130 --> 00:16:42,199 differences and unions of these until you 487 00:16:42,200 --> 00:16:44,599 get the desired shape that you want. 488 00:16:44,600 --> 00:16:46,819 So this is pretty cool for for people 489 00:16:46,820 --> 00:16:49,099 that are used to programing, but 490 00:16:49,100 --> 00:16:51,109 it does take some skill to, you know, 491 00:16:51,110 --> 00:16:52,970 write off this code in the first place. 492 00:16:54,570 --> 00:16:56,669 So what we did to sort of 493 00:16:56,670 --> 00:16:58,799 demonstrate that this is even easier than 494 00:16:58,800 --> 00:17:00,779 using those tools is we made an 495 00:17:00,780 --> 00:17:03,149 automatically generating 3-D 496 00:17:03,150 --> 00:17:04,618 model program. 497 00:17:04,619 --> 00:17:06,779 This program takes a single picture of 498 00:17:06,780 --> 00:17:08,399 the keyway that you're trying to make and 499 00:17:08,400 --> 00:17:10,649 model a model for and produces 500 00:17:10,650 --> 00:17:12,779 that model in in 501 00:17:12,780 --> 00:17:15,029 in CAD, basically from 502 00:17:15,030 --> 00:17:16,030 this image. 503 00:17:17,520 --> 00:17:19,259 You can then take that blank and printed 504 00:17:19,260 --> 00:17:20,789 on a 3D printer or ship it off to 505 00:17:20,790 --> 00:17:22,769 Shapeways or rematerialize or whatever 506 00:17:22,770 --> 00:17:24,779 your 3D printing service that you want to 507 00:17:24,780 --> 00:17:27,059 uses and have 508 00:17:27,060 --> 00:17:29,129 it made for you pretty cheap. 509 00:17:29,130 --> 00:17:31,919 So how this tool works, 510 00:17:31,920 --> 00:17:33,839 first you take an image that can just be 511 00:17:33,840 --> 00:17:35,609 taken from a smartphone that's straight 512 00:17:35,610 --> 00:17:37,619 out of the lock, that has a good view of 513 00:17:37,620 --> 00:17:39,659 the keyway itself that's, you know, sort 514 00:17:39,660 --> 00:17:41,190 of the darkest part of this image. 515 00:17:42,620 --> 00:17:44,029 And the next thing that the tool does is 516 00:17:44,030 --> 00:17:46,279 it tries to threshold this image into 517 00:17:46,280 --> 00:17:48,349 various places so 518 00:17:48,350 --> 00:17:50,689 it tries a threshold it into a black 519 00:17:50,690 --> 00:17:52,579 and white image entirely. 520 00:17:52,580 --> 00:17:54,859 So if things are more than 25 521 00:17:54,860 --> 00:17:57,619 in magnitude out of 255, 522 00:17:57,620 --> 00:18:00,109 then that pixel is black and 523 00:18:00,110 --> 00:18:01,339 otherwise it's white. 524 00:18:01,340 --> 00:18:03,719 And same for all of the other ones. 525 00:18:03,720 --> 00:18:05,389 And so you can see that depending on what 526 00:18:05,390 --> 00:18:07,249 threshold value we choose, we get 527 00:18:07,250 --> 00:18:09,589 different sort of goodness 528 00:18:09,590 --> 00:18:11,809 of our of finding the keyway 529 00:18:11,810 --> 00:18:13,219 mask out of this image. 530 00:18:13,220 --> 00:18:15,049 And 35 seems to be the optimal here. 531 00:18:16,680 --> 00:18:18,809 And once we find 532 00:18:18,810 --> 00:18:21,599 what the keyway mask is, 533 00:18:21,600 --> 00:18:23,789 then we we actually once we find 534 00:18:23,790 --> 00:18:25,859 the optimal threshold, rather, we pull 535 00:18:25,860 --> 00:18:27,869 out this keyway by looking for the 536 00:18:27,870 --> 00:18:30,059 largest blob in this image. 537 00:18:30,060 --> 00:18:31,949 So if we do that for all three of these, 538 00:18:31,950 --> 00:18:34,539 we find that again in 35, we find 539 00:18:34,540 --> 00:18:36,179 the best image here. 540 00:18:36,180 --> 00:18:38,369 Whereas in the other ones we find either 541 00:18:38,370 --> 00:18:40,049 not enough of the keyway or something 542 00:18:40,050 --> 00:18:41,879 that's actually not even related to the 543 00:18:41,880 --> 00:18:42,880 way at all. 544 00:18:44,010 --> 00:18:46,199 But how do we determine that 35 value 545 00:18:46,200 --> 00:18:47,639 automatically, how do we make sure that 546 00:18:47,640 --> 00:18:49,469 that's not, you know, image dependent and 547 00:18:49,470 --> 00:18:51,449 so forth? Well, one thing that we noticed 548 00:18:51,450 --> 00:18:53,579 that that was true across many 549 00:18:53,580 --> 00:18:55,829 different locks and pictures that we took 550 00:18:55,830 --> 00:18:58,079 was that if you looked at the area 551 00:18:58,080 --> 00:19:00,389 of the largest blob 552 00:19:00,390 --> 00:19:02,129 area that you pulled out from an image 553 00:19:02,130 --> 00:19:04,049 after thresholding, there was this large 554 00:19:04,050 --> 00:19:06,239 jump in area right after you had 555 00:19:06,240 --> 00:19:08,669 sort of the optimal keyway mask. 556 00:19:08,670 --> 00:19:10,199 And so you can see that here, that if you 557 00:19:10,200 --> 00:19:12,299 look in the normalizes blob 558 00:19:12,300 --> 00:19:15,179 area, it jumps right after 35, 559 00:19:15,180 --> 00:19:17,160 which is the optimal one for this value. 560 00:19:18,850 --> 00:19:21,189 So that's how we determine 561 00:19:21,190 --> 00:19:22,959 what the what the keyway mask is, we just 562 00:19:22,960 --> 00:19:25,059 go and look for that jump and say the 563 00:19:25,060 --> 00:19:27,339 value before that is the optimal value. 564 00:19:27,340 --> 00:19:28,689 This allows us to pull out the keyway 565 00:19:28,690 --> 00:19:30,429 mask. And we found this to be fairly 566 00:19:30,430 --> 00:19:32,019 robust. We tried some more complicated 567 00:19:32,020 --> 00:19:33,699 things that I won't get into the detail 568 00:19:33,700 --> 00:19:35,709 of for for computer vision sake. 569 00:19:35,710 --> 00:19:36,710 But 570 00:19:37,810 --> 00:19:39,039 we found that this was this was 571 00:19:39,040 --> 00:19:40,900 surprisingly effective in practice. 572 00:19:42,010 --> 00:19:45,099 So once you have this this keyway mask, 573 00:19:45,100 --> 00:19:46,899 we have a program that then takes this 574 00:19:46,900 --> 00:19:49,149 mask and generates some open 575 00:19:49,150 --> 00:19:51,519 CAD code that will essentially 576 00:19:51,520 --> 00:19:53,679 extrude this into a 3D model 577 00:19:53,680 --> 00:19:55,749 and places a bow on it that you can 578 00:19:55,750 --> 00:19:58,059 then, you know, put on a keychain and 579 00:19:58,060 --> 00:19:59,060 carry around with you. 580 00:20:00,680 --> 00:20:02,869 So finally, you get your 3D model of 581 00:20:02,870 --> 00:20:04,999 your key and optionally you 582 00:20:05,000 --> 00:20:07,159 can provide cuts to this this program 583 00:20:07,160 --> 00:20:08,899 so that it can cut it down to whatever, 584 00:20:08,900 --> 00:20:10,939 you know, key that you want to open, 585 00:20:10,940 --> 00:20:12,469 whatever door that you're trying to do. 586 00:20:12,470 --> 00:20:13,549 And if you're trying to do, say, a 587 00:20:13,550 --> 00:20:15,139 privileged escalation attack, maybe you 588 00:20:15,140 --> 00:20:16,969 make, you know, seven copies of this with 589 00:20:16,970 --> 00:20:17,970 different cuts on each one. 590 00:20:20,340 --> 00:20:22,619 So we released this tool as 591 00:20:22,620 --> 00:20:24,089 open source and. 592 00:20:25,940 --> 00:20:28,159 It's available on Kei's Forbes.com 593 00:20:28,160 --> 00:20:30,379 as a demonstration, you can actually go 594 00:20:30,380 --> 00:20:32,599 and try this out, you just upload 595 00:20:32,600 --> 00:20:34,699 a picture and optionally provide the 596 00:20:34,700 --> 00:20:36,919 key cuts that you want on on 597 00:20:36,920 --> 00:20:38,299 whatever key you have. 598 00:20:38,300 --> 00:20:40,579 And it will produce this steel file 599 00:20:40,580 --> 00:20:42,199 that you can download. And then three 600 00:20:42,200 --> 00:20:43,200 different. 601 00:20:53,350 --> 00:20:55,569 So what can you do with these 3D 602 00:20:55,570 --> 00:20:57,189 printed keys? As we said before, there's 603 00:20:57,190 --> 00:20:59,379 these these three main attacks, still 604 00:20:59,380 --> 00:21:00,909 a duplication in bumpkins and privileged 605 00:21:00,910 --> 00:21:01,899 escalation. 606 00:21:01,900 --> 00:21:03,579 But what have people been doing with 3D 607 00:21:03,580 --> 00:21:04,720 printed keys in practice? 608 00:21:05,800 --> 00:21:07,059 Well, there's a number of people that 609 00:21:07,060 --> 00:21:07,989 have have printed keys. 610 00:21:07,990 --> 00:21:09,039 We're not the only ones that do this. 611 00:21:09,040 --> 00:21:10,809 And we're not even the first people to 612 00:21:10,810 --> 00:21:11,810 have publicly done this. 613 00:21:12,970 --> 00:21:15,069 In 2013, there was a couple 614 00:21:15,070 --> 00:21:18,009 of MIT students at DEFCON that printed 615 00:21:18,010 --> 00:21:20,439 Prima's key, which is a moderately 616 00:21:20,440 --> 00:21:22,809 high security key that has actually to 617 00:21:22,810 --> 00:21:23,810 sort of cut 618 00:21:25,760 --> 00:21:28,149 short lines on it that 619 00:21:28,150 --> 00:21:31,089 they replicated using 620 00:21:31,090 --> 00:21:33,519 openness can actually and and 621 00:21:33,520 --> 00:21:35,139 publish this code so that other people 622 00:21:35,140 --> 00:21:37,209 could make Prima's keys 623 00:21:37,210 --> 00:21:38,469 as well. 624 00:21:38,470 --> 00:21:40,689 That was, again, a custom modeling of 625 00:21:40,690 --> 00:21:42,219 just that one keyway. 626 00:21:42,220 --> 00:21:44,319 And they printed it using materials 627 00:21:44,320 --> 00:21:46,449 which after this this all went public in 628 00:21:46,450 --> 00:21:48,789 materials, released the statement that so 629 00:21:48,790 --> 00:21:51,039 that it did not support 3D printing 630 00:21:51,040 --> 00:21:52,599 of high security keys in particular. 631 00:21:52,600 --> 00:21:54,969 They said that it materialized, rejects 632 00:21:54,970 --> 00:21:56,799 any use of its services to promote 633 00:21:56,800 --> 00:21:58,629 activities or to create products which 634 00:21:58,630 --> 00:22:01,299 pose a safety or security risk to others. 635 00:22:01,300 --> 00:22:02,889 Had they known at the time, they would 636 00:22:02,890 --> 00:22:05,499 not have printed these keys. 637 00:22:05,500 --> 00:22:07,509 Which is funny, given that if you look at 638 00:22:07,510 --> 00:22:09,819 Dematerialize website right now 639 00:22:09,820 --> 00:22:11,619 under their platinum or sorry, their 640 00:22:11,620 --> 00:22:13,509 titanium page, they actually use this 641 00:22:13,510 --> 00:22:15,279 image as on their marketing page to show 642 00:22:15,280 --> 00:22:17,409 you what you can print with with their 643 00:22:17,410 --> 00:22:18,079 service. 644 00:22:18,080 --> 00:22:19,080 So. 645 00:22:27,450 --> 00:22:29,729 More recently, there was this picture 646 00:22:29,730 --> 00:22:31,829 published of the TSA master keys in 647 00:22:31,830 --> 00:22:34,019 some article, for some reason, 648 00:22:34,020 --> 00:22:36,179 I guess the reporter or whoever was being 649 00:22:36,180 --> 00:22:37,379 interviewed thought it would be cool to 650 00:22:37,380 --> 00:22:38,380 flash them keys. 651 00:22:39,570 --> 00:22:41,339 And this picture was published and then 652 00:22:41,340 --> 00:22:42,839 later taken down. But it's the Internet. 653 00:22:42,840 --> 00:22:44,669 So it's, you know, floating around and 654 00:22:44,670 --> 00:22:45,599 here it is here. 655 00:22:45,600 --> 00:22:47,280 So there's that 656 00:22:50,070 --> 00:22:52,199 this this does allow you to you 657 00:22:52,200 --> 00:22:53,879 know, it's high enough resolution that 658 00:22:53,880 --> 00:22:55,469 you can actually figure out the cuts of 659 00:22:55,470 --> 00:22:56,399 each of these keys. 660 00:22:56,400 --> 00:22:58,799 And someone did this and actually modeled 661 00:22:58,800 --> 00:23:01,259 all of the keys and and 662 00:23:01,260 --> 00:23:02,880 modeled this and published this. 663 00:23:07,820 --> 00:23:09,979 Now, I will note that TSA, Masterji, 664 00:23:09,980 --> 00:23:11,419 it sounds pretty bad, but at the end of 665 00:23:11,420 --> 00:23:13,639 the day, the TSA locks were probably not 666 00:23:13,640 --> 00:23:15,649 that high security to begin with. 667 00:23:15,650 --> 00:23:17,029 There were probably ways around them 668 00:23:17,030 --> 00:23:18,439 already. You could probably pick them in 669 00:23:18,440 --> 00:23:20,449 a matter of seconds or just bypass the 670 00:23:20,450 --> 00:23:22,249 lock entirely by opening the zipper with 671 00:23:22,250 --> 00:23:23,239 a big pen or something. 672 00:23:23,240 --> 00:23:25,759 But nonetheless, it's an interesting 673 00:23:25,760 --> 00:23:28,369 sort of experiment and lesson in 674 00:23:28,370 --> 00:23:30,549 when not to show your keys on camera. 675 00:23:32,760 --> 00:23:35,039 And finally, the most recent 676 00:23:35,040 --> 00:23:37,289 study here is a tool called 677 00:23:37,290 --> 00:23:39,539 Photobomb, which is very similar to ours, 678 00:23:39,540 --> 00:23:41,609 which from a single image is able 679 00:23:41,610 --> 00:23:44,339 to produce bump keys of of 680 00:23:44,340 --> 00:23:45,929 that can be printed in plastic. 681 00:23:45,930 --> 00:23:48,359 And this was done 682 00:23:48,360 --> 00:23:50,219 late last year and the tool was never 683 00:23:50,220 --> 00:23:51,719 actually published. That was just talked 684 00:23:51,720 --> 00:23:53,369 about at Lacon, I believe. 685 00:23:53,370 --> 00:23:54,599 And I don't think they've released any of 686 00:23:54,600 --> 00:23:56,639 the code or anything opensource, but 687 00:23:56,640 --> 00:23:58,469 nonetheless, a very cool tool that could 688 00:23:58,470 --> 00:24:00,209 make bunkie's that that worked on some of 689 00:24:00,210 --> 00:24:02,009 these pretty high security locks that 690 00:24:02,010 --> 00:24:04,109 were fairly difficult to bump, even 691 00:24:04,110 --> 00:24:06,209 with metal keys, but sufficient to 692 00:24:06,210 --> 00:24:07,349 work with with plastic. 693 00:24:09,790 --> 00:24:10,790 So 694 00:24:12,880 --> 00:24:15,309 how can we defend against these attacks 695 00:24:15,310 --> 00:24:17,349 besides just shoving superglue in our 696 00:24:17,350 --> 00:24:18,579 locks and giving up? 697 00:24:20,240 --> 00:24:21,979 I think there's a number of different 698 00:24:21,980 --> 00:24:24,739 directions that we can go in with this 699 00:24:24,740 --> 00:24:26,779 with with trying to defend against 3D 700 00:24:26,780 --> 00:24:28,039 printed attacks. 701 00:24:28,040 --> 00:24:29,659 One is to look at non mechanical locks. 702 00:24:29,660 --> 00:24:31,939 So electronic locks are sort of 703 00:24:31,940 --> 00:24:33,679 growing in popularity these days. 704 00:24:33,680 --> 00:24:35,629 No, actually, that does bring in other 705 00:24:35,630 --> 00:24:36,709 kinds of vulnerabilities. 706 00:24:36,710 --> 00:24:38,899 And, you know, now you have now you have 707 00:24:38,900 --> 00:24:40,699 other problems to worry about, like 708 00:24:40,700 --> 00:24:42,799 replay attacks or or any kind of 709 00:24:42,800 --> 00:24:44,599 software vulnerabilities that might exist 710 00:24:44,600 --> 00:24:46,759 in whatever protocols you're using. 711 00:24:46,760 --> 00:24:48,919 But this this will scale pretty 712 00:24:48,920 --> 00:24:51,109 well and it won't have the problem that 713 00:24:51,110 --> 00:24:53,119 a lot of the mechanical locks will have 714 00:24:53,120 --> 00:24:54,950 when it comes to 3D printing attacks. 715 00:24:57,470 --> 00:24:59,029 Sort of slightly related, but a little 716 00:24:59,030 --> 00:25:00,259 bit more on the mechanical side of 717 00:25:00,260 --> 00:25:01,549 things. There are a number of high 718 00:25:01,550 --> 00:25:03,649 security keys that use active keys 719 00:25:03,650 --> 00:25:05,779 and key ways to authenticate 720 00:25:05,780 --> 00:25:07,669 that the right key is in the lock. 721 00:25:07,670 --> 00:25:09,829 So in addition to, say, having very high 722 00:25:09,830 --> 00:25:11,809 tolerances and pin tumblers and things 723 00:25:11,810 --> 00:25:13,879 like that, this these keys, 724 00:25:13,880 --> 00:25:16,369 like the multi lock, can have actual 725 00:25:16,370 --> 00:25:18,469 spring components in the key that sort 726 00:25:18,470 --> 00:25:20,119 of, you know, fold in and then come back 727 00:25:20,120 --> 00:25:22,579 out at different parts in the insertion 728 00:25:22,580 --> 00:25:24,049 process. 729 00:25:24,050 --> 00:25:26,239 And this might be difficult to replicate 730 00:25:26,240 --> 00:25:28,339 with 3D printing, given that most most 731 00:25:28,340 --> 00:25:30,529 of 3D printing at this scale right now 732 00:25:30,530 --> 00:25:32,749 is limited to entirely solid fillers 733 00:25:32,750 --> 00:25:34,639 and can't have these very intricate, fine 734 00:25:34,640 --> 00:25:35,720 features in them. 735 00:25:38,270 --> 00:25:40,309 And finally, I think magnetic locks are 736 00:25:40,310 --> 00:25:41,899 kind of an interesting sort of cool 737 00:25:41,900 --> 00:25:44,299 gadget. But Max is an example 738 00:25:44,300 --> 00:25:46,429 of this. This has magnetic HP-UX 739 00:25:46,430 --> 00:25:48,559 inside of it that actually rotate 740 00:25:48,560 --> 00:25:50,359 physical, mechanical things inside the 741 00:25:50,360 --> 00:25:52,669 lock that have to line up in order 742 00:25:52,670 --> 00:25:54,169 for the lock to open. 743 00:25:54,170 --> 00:25:56,419 This would again be a little bit tricky 744 00:25:56,420 --> 00:25:58,639 to replicate with with 3D printing 745 00:25:58,640 --> 00:26:00,289 alone, although you might be able to do 746 00:26:00,290 --> 00:26:02,329 some kind of inlay thing where you put 747 00:26:02,330 --> 00:26:04,459 magnetic things and be able to 748 00:26:04,460 --> 00:26:06,769 copy a key remotely. 749 00:26:06,770 --> 00:26:08,419 If you had, say, you know, a 3D printer 750 00:26:08,420 --> 00:26:09,710 and a good compass or something, but. 751 00:26:12,730 --> 00:26:14,829 I think one interesting 752 00:26:14,830 --> 00:26:16,719 idea that I haven't really seen proposed 753 00:26:16,720 --> 00:26:18,999 for for defending against 3D 754 00:26:19,000 --> 00:26:20,269 printing is trackways. 755 00:26:20,270 --> 00:26:23,199 So trapped highways are pretty 756 00:26:23,200 --> 00:26:25,449 unknown sort of thing in the 757 00:26:25,450 --> 00:26:28,239 world, but they can be used to 758 00:26:28,240 --> 00:26:30,429 essentially trap a key in 759 00:26:30,430 --> 00:26:31,509 the lock when it's inserted. 760 00:26:31,510 --> 00:26:33,129 So if you have someone, let's say a 761 00:26:33,130 --> 00:26:35,409 contractor or something that goes away 762 00:26:35,410 --> 00:26:36,879 and takes their key with them or 763 00:26:36,880 --> 00:26:38,049 something, and you don't want them to 764 00:26:38,050 --> 00:26:40,089 come back at some point and be able to 765 00:26:40,090 --> 00:26:42,459 access whatever 766 00:26:42,460 --> 00:26:44,829 door that they used to have access to, 767 00:26:44,830 --> 00:26:47,199 you can install a different keyway that's 768 00:26:47,200 --> 00:26:49,479 essentially configured to trap 769 00:26:49,480 --> 00:26:51,259 that key when it's inserted and turned in 770 00:26:51,260 --> 00:26:53,169 lock. And if that happens, you won't be 771 00:26:53,170 --> 00:26:54,939 able to pull the lock the key out of the 772 00:26:54,940 --> 00:26:56,919 lock and the lock will actually have to 773 00:26:56,920 --> 00:26:57,679 be drilled. 774 00:26:57,680 --> 00:26:58,899 But nonetheless, the person will be 775 00:26:58,900 --> 00:27:01,269 stopped from entering that 776 00:27:01,270 --> 00:27:02,270 facility. 777 00:27:02,980 --> 00:27:04,959 And this is useful for for unauthorized 778 00:27:04,960 --> 00:27:05,949 old keys like that. 779 00:27:05,950 --> 00:27:07,269 But it could also prevent privileged 780 00:27:07,270 --> 00:27:09,249 escalation and other attacks that are 781 00:27:09,250 --> 00:27:11,410 enabled by 3D printing, just by 782 00:27:12,760 --> 00:27:14,859 being able to trap all of the 783 00:27:14,860 --> 00:27:16,569 different sort of iterations of the blaze 784 00:27:16,570 --> 00:27:18,489 attack that that might happen during that 785 00:27:18,490 --> 00:27:19,490 process. 786 00:27:21,820 --> 00:27:23,979 So looking forward into the future, 787 00:27:23,980 --> 00:27:26,229 I think there's it's a pretty exciting 788 00:27:26,230 --> 00:27:27,819 time for 3D printing in locks. 789 00:27:28,840 --> 00:27:30,519 We're really just starting to be able to 790 00:27:30,520 --> 00:27:32,409 make these keys that are viable in 791 00:27:32,410 --> 00:27:34,539 practice. And 3D printing is only getting 792 00:27:34,540 --> 00:27:35,739 better. It's only getting higher 793 00:27:35,740 --> 00:27:37,929 resolution and cheaper and more 794 00:27:37,930 --> 00:27:39,759 ubiquitous. And there's more materials 795 00:27:39,760 --> 00:27:40,719 every day, I think. 796 00:27:40,720 --> 00:27:43,029 Recently, I saw that you can now 3D print 797 00:27:43,030 --> 00:27:44,030 in wood, 798 00:27:45,850 --> 00:27:47,709 which is pretty cool. 799 00:27:47,710 --> 00:27:49,899 But all of this sort of improvement 800 00:27:49,900 --> 00:27:51,999 of technology is happening on the 3D 801 00:27:52,000 --> 00:27:52,929 printing side. 802 00:27:52,930 --> 00:27:55,059 I don't see an analog happening 803 00:27:55,060 --> 00:27:56,229 in the lock innovation. 804 00:27:56,230 --> 00:27:58,389 And to be fair, locks are fairly old 805 00:27:58,390 --> 00:28:00,459 and have, you know, done 806 00:28:00,460 --> 00:28:02,559 fairly well in in recent 807 00:28:02,560 --> 00:28:04,659 years in history 808 00:28:04,660 --> 00:28:06,399 for the most part. 809 00:28:06,400 --> 00:28:08,499 But I am a little bit concerned 810 00:28:08,500 --> 00:28:10,599 because locks sort of have 811 00:28:10,600 --> 00:28:12,129 this intrinsic property that they're 812 00:28:12,130 --> 00:28:14,709 limited in sort of how small they can get 813 00:28:14,710 --> 00:28:16,479 because the humans that operate them 814 00:28:16,480 --> 00:28:18,579 aren't getting any smaller. 815 00:28:18,580 --> 00:28:20,889 So on the other hand, 816 00:28:20,890 --> 00:28:22,689 the 3D printing tools that we have are 817 00:28:22,690 --> 00:28:24,189 able to get smaller and smaller. 818 00:28:24,190 --> 00:28:25,749 And so at some point I think we'll be 819 00:28:25,750 --> 00:28:27,609 able to do more of these active keyway 820 00:28:27,610 --> 00:28:28,929 attacks and things like that with 3D 821 00:28:28,930 --> 00:28:30,009 printing and moving. 822 00:28:30,010 --> 00:28:31,689 Even beyond that, I think that there's a 823 00:28:31,690 --> 00:28:33,789 lot of room for looking at 824 00:28:35,860 --> 00:28:38,409 different ways that 3D printed materials 825 00:28:38,410 --> 00:28:40,719 could actually actively interact with 826 00:28:40,720 --> 00:28:41,769 the pins in the lock. 827 00:28:41,770 --> 00:28:43,899 Maybe that you could actually make a lock 828 00:28:43,900 --> 00:28:45,459 picking device that actually did a single 829 00:28:45,460 --> 00:28:47,829 pin picking inside of the device 830 00:28:47,830 --> 00:28:49,239 using just something that was 831 00:28:49,240 --> 00:28:51,999 manufactured on a 3D printer. 832 00:28:52,000 --> 00:28:53,649 That's probably a ways out. 833 00:28:53,650 --> 00:28:55,119 But I think that that that sort of, you 834 00:28:55,120 --> 00:28:56,709 know, combination of 3D printing and 835 00:28:56,710 --> 00:28:58,809 meme's like devices would would 836 00:28:58,810 --> 00:29:01,239 be a really interesting future for 837 00:29:01,240 --> 00:29:03,319 the combination of 3D printing and locks. 838 00:29:04,360 --> 00:29:06,429 So with that, I'll 839 00:29:06,430 --> 00:29:08,289 wrap up and be happy to answer any 840 00:29:08,290 --> 00:29:09,639 questions that you have. 841 00:29:09,640 --> 00:29:10,640 Thanks. 842 00:29:18,150 --> 00:29:19,349 Well, thank you for this interesting 843 00:29:19,350 --> 00:29:21,299 talk, Eric, I'm fairly sure that this was 844 00:29:21,300 --> 00:29:23,129 the magic moment for all the lock pickers 845 00:29:23,130 --> 00:29:24,689 present and the highlight of that 846 00:29:24,690 --> 00:29:25,619 Congress. 847 00:29:25,620 --> 00:29:27,629 So if you have any questions, please move 848 00:29:27,630 --> 00:29:29,579 to one of the microphones we have here in 849 00:29:29,580 --> 00:29:30,719 the room. 850 00:29:30,720 --> 00:29:32,339 I was told that we are only using the 851 00:29:32,340 --> 00:29:34,509 four microphones that are down here with 852 00:29:34,510 --> 00:29:36,539 the numbers one, two, three and four. 853 00:29:36,540 --> 00:29:38,759 If you have questions, please move to 854 00:29:38,760 --> 00:29:39,760 the mikes. 855 00:29:40,500 --> 00:29:42,159 Even the Internet is not awake yet. 856 00:29:42,160 --> 00:29:43,589 We don't have any questions from the 857 00:29:43,590 --> 00:29:44,549 Internet. 858 00:29:44,550 --> 00:29:46,139 All right. But we have a question at 859 00:29:46,140 --> 00:29:47,579 microphone number one, please, to ask you 860 00:29:47,580 --> 00:29:48,719 a question. 861 00:29:48,720 --> 00:29:50,969 Does the tool include 862 00:29:50,970 --> 00:29:53,129 taking a picture from a key and then make 863 00:29:53,130 --> 00:29:56,069 it or only the keyway? 864 00:29:56,070 --> 00:29:58,199 So is it able that I can 865 00:29:58,200 --> 00:29:59,689 photograph your key from here? 866 00:30:00,960 --> 00:30:02,399 It only does it from the lock. 867 00:30:02,400 --> 00:30:04,469 So because it's using the outline 868 00:30:04,470 --> 00:30:06,809 of the keyway, if 869 00:30:06,810 --> 00:30:08,909 you were able to take a picture of the 870 00:30:08,910 --> 00:30:11,279 end on view of the key, 871 00:30:11,280 --> 00:30:12,299 then perhaps you could, you know, 872 00:30:12,300 --> 00:30:13,859 Photoshop that to make that the darkest 873 00:30:13,860 --> 00:30:15,629 part of the image and then use that to 874 00:30:15,630 --> 00:30:17,669 upload and maybe you have to mirror it at 875 00:30:17,670 --> 00:30:19,889 some point, but that 876 00:30:19,890 --> 00:30:20,849 would also work. 877 00:30:20,850 --> 00:30:22,259 OK, thank you. 878 00:30:22,260 --> 00:30:23,639 Next question from Michael on the floor, 879 00:30:23,640 --> 00:30:24,629 please. 880 00:30:24,630 --> 00:30:25,630 Thank you for the. 881 00:30:27,730 --> 00:30:30,039 American locks are notorious 882 00:30:30,040 --> 00:30:31,929 for having bad tolerances. 883 00:30:31,930 --> 00:30:34,269 Did you try your findings 884 00:30:34,270 --> 00:30:36,339 with European locks, for example, with 885 00:30:36,340 --> 00:30:38,469 equal locks, which are pretty 886 00:30:38,470 --> 00:30:40,779 much better manufactured 887 00:30:40,780 --> 00:30:43,089 than Chicago or some other 888 00:30:43,090 --> 00:30:44,090 junk? 889 00:30:48,040 --> 00:30:49,689 So we did not try it on on those 890 00:30:49,690 --> 00:30:51,279 particular locks. We did try it on a 891 00:30:51,280 --> 00:30:53,409 number of different ways. 892 00:30:53,410 --> 00:30:55,479 But the latest 893 00:30:55,480 --> 00:30:57,759 ones that we tried it on are not the easy 894 00:30:57,760 --> 00:30:58,719 ones or something like that. 895 00:30:58,720 --> 00:31:01,299 They were Everist and high security. 896 00:31:01,300 --> 00:31:03,459 They were often so 897 00:31:03,460 --> 00:31:05,529 small format, interchangeable cores, 898 00:31:05,530 --> 00:31:07,599 which can be harder to 899 00:31:07,600 --> 00:31:09,039 pick because they have the control shear 900 00:31:09,040 --> 00:31:11,139 and everything. But in general, it's 901 00:31:11,140 --> 00:31:12,099 all in the system. 902 00:31:12,100 --> 00:31:14,289 So any system key, 903 00:31:14,290 --> 00:31:16,449 the 3D printers have enough tolerance and 904 00:31:16,450 --> 00:31:18,789 resolution to print at that sort of 905 00:31:18,790 --> 00:31:20,359 twelve point five miles per. 906 00:31:23,880 --> 00:31:25,199 All right, next question for Mike, number 907 00:31:25,200 --> 00:31:26,039 two, please. 908 00:31:26,040 --> 00:31:28,889 OK, thank you for the interesting talk. 909 00:31:28,890 --> 00:31:31,049 I was noticing that the key ways of 910 00:31:31,050 --> 00:31:33,449 the criminal system seem pretty 911 00:31:33,450 --> 00:31:35,219 overcomplicated. 912 00:31:35,220 --> 00:31:37,379 Is it possible to actually simplify them 913 00:31:37,380 --> 00:31:39,599 by replicating the keys? 914 00:31:39,600 --> 00:31:41,759 So is the question, can you can you 915 00:31:41,760 --> 00:31:44,339 print simpler key ways and not the entire 916 00:31:44,340 --> 00:31:45,359 the whole thing? Yeah, right. 917 00:31:45,360 --> 00:31:47,579 I mean, yeah, they have details that 918 00:31:47,580 --> 00:31:49,109 don't seem to be necessary. 919 00:31:49,110 --> 00:31:50,099 Yeah. 920 00:31:50,100 --> 00:31:52,199 So the short answer is 921 00:31:52,200 --> 00:31:52,859 yes. 922 00:31:52,860 --> 00:31:54,779 And people have discovered this before, 923 00:31:54,780 --> 00:31:56,399 especially with Medco. 924 00:31:56,400 --> 00:31:58,289 There's this surprising property that 925 00:31:58,290 --> 00:32:00,299 there's that actually a straight line 926 00:32:00,300 --> 00:32:02,099 fits through the keyway just fine. 927 00:32:02,100 --> 00:32:03,449 So you can just, you know, stamp out 928 00:32:03,450 --> 00:32:05,339 sheet metal or a credit card or something 929 00:32:05,340 --> 00:32:06,869 like that. You don't have to actually 930 00:32:06,870 --> 00:32:09,299 replicate any of the the squiggles 931 00:32:09,300 --> 00:32:10,739 or anything like that. But on most high 932 00:32:10,740 --> 00:32:12,449 security locks, that's not true. 933 00:32:12,450 --> 00:32:13,679 You will have to get at least, you know, 934 00:32:13,680 --> 00:32:15,269 some corner or something that that 935 00:32:15,270 --> 00:32:16,319 actually comes. 936 00:32:16,320 --> 00:32:17,669 And the key market is a great example of 937 00:32:17,670 --> 00:32:19,829 that. It has this very wide sort of leg 938 00:32:19,830 --> 00:32:20,910 that comes off to the side. 939 00:32:22,140 --> 00:32:23,399 But in general, yes, you could make 940 00:32:23,400 --> 00:32:25,499 something that smaller for 941 00:32:25,500 --> 00:32:27,359 3D printed things you might not want to 942 00:32:27,360 --> 00:32:29,579 because it's stronger if it's thicker 943 00:32:29,580 --> 00:32:31,319 in different areas. And sometimes that's 944 00:32:31,320 --> 00:32:33,329 part of the the keyway design is to make 945 00:32:33,330 --> 00:32:35,409 sort of these these these ridges 946 00:32:35,410 --> 00:32:38,279 and runners that make the key stronger. 947 00:32:38,280 --> 00:32:38,939 Thank you. 948 00:32:38,940 --> 00:32:40,709 All right. Thanks. After I bashed the 949 00:32:40,710 --> 00:32:42,389 Internet, woke up and decided that it 950 00:32:42,390 --> 00:32:44,159 actually does have a question. 951 00:32:44,160 --> 00:32:45,539 Yes. Thank you, Al. 952 00:32:45,540 --> 00:32:47,639 Straight on just the picture 953 00:32:47,640 --> 00:32:49,799 has to be of the of the keyboard. 954 00:32:49,800 --> 00:32:51,269 How sensitive is it? 955 00:32:51,270 --> 00:32:53,339 Yeah, I don't know exactly how many 956 00:32:53,340 --> 00:32:55,589 degrees, but it's not too sensitive as 957 00:32:55,590 --> 00:32:57,419 far as sort of, you know, you can just 958 00:32:57,420 --> 00:32:58,409 walk up. You don't have to stand there 959 00:32:58,410 --> 00:32:59,909 with a protractor or anything or any kind 960 00:32:59,910 --> 00:33:00,910 of guide. 961 00:33:01,380 --> 00:33:02,789 It's a little bit tolerant because it 962 00:33:02,790 --> 00:33:04,949 will actually make a key slightly smaller 963 00:33:04,950 --> 00:33:06,539 for tolerance reasons to fit in the lock. 964 00:33:06,540 --> 00:33:08,729 So you have some leeway there 965 00:33:08,730 --> 00:33:10,709 to sort of figure out if you're at some 966 00:33:10,710 --> 00:33:12,180 SKU or something like that. 967 00:33:13,200 --> 00:33:14,999 But in general, you know, just taking it 968 00:33:15,000 --> 00:33:17,279 straight on and eyeballing it 969 00:33:17,280 --> 00:33:18,280 seems to be good enough. 970 00:33:19,500 --> 00:33:21,089 Thank you. Next question from Mike 971 00:33:21,090 --> 00:33:22,499 Namath, right? 972 00:33:22,500 --> 00:33:24,749 Yeah. Did you notice 973 00:33:24,750 --> 00:33:26,819 that any lock manufacturer is 974 00:33:26,820 --> 00:33:28,919 for traditional mechanical locks, so no 975 00:33:28,920 --> 00:33:30,989 active components trying to do 976 00:33:30,990 --> 00:33:32,759 something to prevent 3D printing? 977 00:33:32,760 --> 00:33:35,219 Of course, I haven't seen 978 00:33:35,220 --> 00:33:37,679 anything concrete from the manufacturers. 979 00:33:37,680 --> 00:33:39,809 I know they have mentioned that 980 00:33:39,810 --> 00:33:41,189 they're aware of these attacks, that 981 00:33:41,190 --> 00:33:42,989 they're interested in looking into 982 00:33:42,990 --> 00:33:44,759 defenses. But I haven't seen anyone that 983 00:33:44,760 --> 00:33:47,099 made any specific changes 984 00:33:47,100 --> 00:33:48,119 that are locks yet. But 985 00:33:49,350 --> 00:33:51,149 given that, it probably takes some time 986 00:33:51,150 --> 00:33:52,769 to actually, you know, make these changes 987 00:33:52,770 --> 00:33:54,779 in practice, I don't really fault them 988 00:33:54,780 --> 00:33:56,459 for, you know, not coming out right away. 989 00:33:56,460 --> 00:33:58,499 But nonetheless, these these printed 3D 990 00:33:58,500 --> 00:34:00,329 printed keys have sort of been a long 991 00:34:00,330 --> 00:34:02,249 time coming, I think, in the last few 992 00:34:02,250 --> 00:34:04,229 years, and they're just getting more 993 00:34:04,230 --> 00:34:06,479 popular. So I think it would be kind 994 00:34:06,480 --> 00:34:08,189 of foolish for for manufacturers to 995 00:34:08,190 --> 00:34:09,089 ignore that. 996 00:34:09,090 --> 00:34:10,139 But I haven't seen anything yet. 997 00:34:11,520 --> 00:34:13,259 All right. I see someone at Mike No.7. 998 00:34:13,260 --> 00:34:14,939 I'm not 100 percent sure it's open, but 999 00:34:14,940 --> 00:34:16,319 you can try. 1000 00:34:16,320 --> 00:34:17,320 All right. 1001 00:34:18,060 --> 00:34:20,039 Have you tried to make a negative form 1002 00:34:20,040 --> 00:34:22,229 and fill this up with some kind of resin 1003 00:34:22,230 --> 00:34:23,669 with carbon or fiber in it? 1004 00:34:25,010 --> 00:34:27,439 Are you make a 3D printing 1005 00:34:27,440 --> 00:34:29,779 of the negative form and then build 1006 00:34:29,780 --> 00:34:31,908 the key as the positive while filling 1007 00:34:31,909 --> 00:34:33,499 up with some fluids? 1008 00:34:33,500 --> 00:34:35,629 Yes, so that's actually how 1009 00:34:35,630 --> 00:34:37,879 the metal 3D printed 1010 00:34:37,880 --> 00:34:40,249 keys are manufactured by the service 1011 00:34:40,250 --> 00:34:41,299 that that makes them. 1012 00:34:41,300 --> 00:34:43,459 Brath is done with essentially a lost 1013 00:34:43,460 --> 00:34:45,799 wax casting where the wax is printed, 1014 00:34:45,800 --> 00:34:47,448 a plaster mold is put around it and then 1015 00:34:47,449 --> 00:34:49,428 melted, the wax melted out and then 1016 00:34:49,429 --> 00:34:51,079 molten brass poured in. 1017 00:34:51,080 --> 00:34:53,178 Stainless steel is printed 1018 00:34:53,179 --> 00:34:54,739 in a slightly different process with 1019 00:34:56,730 --> 00:34:58,699 you have this sort of sintered stainless 1020 00:34:58,700 --> 00:35:00,769 steel and glue resin that you print 1021 00:35:00,770 --> 00:35:02,239 the positive of. And they say it has the 1022 00:35:02,240 --> 00:35:04,419 consistency and structural integrity of 1023 00:35:04,420 --> 00:35:05,480 a sandcastle 1024 00:35:06,710 --> 00:35:08,389 at that point, that they then put in an 1025 00:35:08,390 --> 00:35:10,459 oven and fill the rest 1026 00:35:10,460 --> 00:35:12,859 with bronze, which then replaces the 1027 00:35:12,860 --> 00:35:14,329 glue so that you have an all metal 1028 00:35:15,350 --> 00:35:17,299 key at the object or whatever you're 1029 00:35:17,300 --> 00:35:20,299 printing at the end of that process. 1030 00:35:20,300 --> 00:35:22,879 We haven't tried doing that ourselves, 1031 00:35:22,880 --> 00:35:24,979 but that's certainly what the 1032 00:35:24,980 --> 00:35:26,929 services are doing for some of the more 1033 00:35:26,930 --> 00:35:28,849 complicated materials. 1034 00:35:28,850 --> 00:35:30,199 And it seems to work quite well. 1035 00:35:30,200 --> 00:35:32,419 Brass has a really high resolution, as 1036 00:35:32,420 --> 00:35:34,279 you can see here. This is a 3D printed 1037 00:35:34,280 --> 00:35:36,649 brass key and the replication prohibited 1038 00:35:36,650 --> 00:35:38,749 is part of the 3D model and 1039 00:35:38,750 --> 00:35:39,860 shows up when you print this. 1040 00:35:41,070 --> 00:35:42,419 All right, we have another question from 1041 00:35:42,420 --> 00:35:44,549 the Internet, thank you, have two 1042 00:35:44,550 --> 00:35:45,719 brief questions. 1043 00:35:45,720 --> 00:35:47,789 First of all, as have you 1044 00:35:47,790 --> 00:35:49,979 also looked at a rotating cylinder 1045 00:35:49,980 --> 00:35:52,169 logs and have you ever used 1046 00:35:52,170 --> 00:35:53,580 abscessed material? 1047 00:35:55,860 --> 00:35:58,019 I printed a key 1048 00:35:58,020 --> 00:36:00,750 on an ABS commercial machine, 1049 00:36:02,040 --> 00:36:04,199 and it was, I believe, not as strong as 1050 00:36:04,200 --> 00:36:06,809 the play, but it was sort of comparable 1051 00:36:06,810 --> 00:36:08,069 as far as that goes. 1052 00:36:08,070 --> 00:36:10,199 It was it was still able to open 1053 00:36:10,200 --> 00:36:11,579 many of the locks. 1054 00:36:11,580 --> 00:36:13,499 And what was the first question? 1055 00:36:13,500 --> 00:36:15,839 Have you ever looked at rotating disc 1056 00:36:15,840 --> 00:36:17,369 cylinder locks? 1057 00:36:17,370 --> 00:36:18,959 Oh, detaining Justin? 1058 00:36:18,960 --> 00:36:20,789 No, I haven't looked at that specifically 1059 00:36:20,790 --> 00:36:21,899 for 3D printing. 1060 00:36:21,900 --> 00:36:23,969 I think a lot of these would extend 1061 00:36:23,970 --> 00:36:25,259 to that. 1062 00:36:25,260 --> 00:36:28,139 But there's probably different tolerances 1063 00:36:28,140 --> 00:36:29,639 in sort of the Z direction that you can 1064 00:36:29,640 --> 00:36:32,039 get for some of these printers. 1065 00:36:32,040 --> 00:36:34,019 Part of the tricks here can be sometimes 1066 00:36:34,020 --> 00:36:36,089 to figure out what angle 1067 00:36:36,090 --> 00:36:37,859 or what orientation you want to print the 1068 00:36:37,860 --> 00:36:40,049 key on, because some of these printers 1069 00:36:40,050 --> 00:36:42,089 will have better resolution in the X Y 1070 00:36:42,090 --> 00:36:43,739 direction and the Z direction or vice 1071 00:36:43,740 --> 00:36:44,740 versa. 1072 00:36:45,300 --> 00:36:47,069 So you have to sort of play around and 1073 00:36:47,070 --> 00:36:49,319 find what the what the actual tolerances 1074 00:36:49,320 --> 00:36:51,029 there. But I haven't I haven't personally 1075 00:36:51,030 --> 00:36:52,109 played around with that. 1076 00:36:52,110 --> 00:36:54,209 Kind of like another question from Mike 1077 00:36:54,210 --> 00:36:55,839 number before ask away. 1078 00:36:55,840 --> 00:36:58,049 Okay. Um, you've 1079 00:36:58,050 --> 00:37:00,179 been tried you've been testing a few 1080 00:37:00,180 --> 00:37:01,259 locks. Right. 1081 00:37:01,260 --> 00:37:03,599 So do you think that in the future 1082 00:37:03,600 --> 00:37:06,119 will we'll see more like 1083 00:37:06,120 --> 00:37:08,489 locks that with hardening steel 1084 00:37:08,490 --> 00:37:11,699 or that have challenge response 1085 00:37:11,700 --> 00:37:13,319 authentication systems? 1086 00:37:13,320 --> 00:37:15,569 Because from an emergency services point 1087 00:37:15,570 --> 00:37:17,339 of view, it's quite important to be able 1088 00:37:17,340 --> 00:37:18,639 to just drill them open. 1089 00:37:19,800 --> 00:37:20,800 Yeah. 1090 00:37:22,060 --> 00:37:24,189 I mean, a huge important 1091 00:37:24,190 --> 00:37:26,259 part of of of of LOCKSS that they have 1092 00:37:26,260 --> 00:37:28,359 to always work, right? If you run of a 1093 00:37:28,360 --> 00:37:30,099 battery or something like that, then 1094 00:37:30,100 --> 00:37:31,299 that's a problem. 1095 00:37:31,300 --> 00:37:33,429 A lot of electronic locks have solved 1096 00:37:33,430 --> 00:37:35,559 that by having the key provide 1097 00:37:35,560 --> 00:37:37,329 the battery so that, you know, you know, 1098 00:37:37,330 --> 00:37:39,009 you now have a battery that's external 1099 00:37:39,010 --> 00:37:40,509 and you can replace that. 1100 00:37:40,510 --> 00:37:42,009 But still, that's kind of finicky because 1101 00:37:42,010 --> 00:37:43,239 maybe your battery runs out, you don't 1102 00:37:43,240 --> 00:37:44,440 have an extra one and so forth. 1103 00:37:45,940 --> 00:37:48,309 I think that it's likely 1104 00:37:48,310 --> 00:37:49,749 in the short term that people will go 1105 00:37:49,750 --> 00:37:51,639 more toward the active ways for at least 1106 00:37:51,640 --> 00:37:53,139 the high security locks. 1107 00:37:53,140 --> 00:37:54,549 It's still expensive to do that. 1108 00:37:54,550 --> 00:37:56,139 It's expensive to manufacture that and 1109 00:37:56,140 --> 00:37:58,089 expensive to make in practice. 1110 00:37:58,090 --> 00:37:59,889 So it will probably be reserved only for 1111 00:37:59,890 --> 00:38:00,849 the high security locks. 1112 00:38:00,850 --> 00:38:02,889 And most of the homeless will sort of 1113 00:38:02,890 --> 00:38:04,839 have the same same problems that they 1114 00:38:04,840 --> 00:38:05,799 always did. 1115 00:38:05,800 --> 00:38:07,359 It will be interesting to see which 1116 00:38:07,360 --> 00:38:09,639 institutions adopt these higher security 1117 00:38:09,640 --> 00:38:11,499 locks. If universities say, for example, 1118 00:38:11,500 --> 00:38:13,779 that traditionally heavily used, 1119 00:38:13,780 --> 00:38:15,879 say, MasterCard systems will 1120 00:38:15,880 --> 00:38:18,069 move toward higher security locks or 1121 00:38:18,070 --> 00:38:19,809 moved completely away from MasterCard 1122 00:38:19,810 --> 00:38:21,699 systems to avoid some of these these 1123 00:38:21,700 --> 00:38:24,339 problems, but I don't know have what 1124 00:38:24,340 --> 00:38:25,589 will happen in the future. 1125 00:38:25,590 --> 00:38:26,590 OK. 1126 00:38:26,780 --> 00:38:28,909 Another question from the Internet, 1127 00:38:28,910 --> 00:38:31,129 is it possible to use a metallic core 1128 00:38:31,130 --> 00:38:32,479 and print the key around it? 1129 00:38:33,960 --> 00:38:36,179 Sorry, can you repeat to use a metallic 1130 00:38:36,180 --> 00:38:38,459 core and print a plastic 1131 00:38:38,460 --> 00:38:40,380 key around this core? 1132 00:38:41,560 --> 00:38:43,809 A metallic core and a 1133 00:38:43,810 --> 00:38:46,059 key around the core, it would 1134 00:38:46,060 --> 00:38:48,279 be difficult to do that. 1135 00:38:48,280 --> 00:38:50,529 It is so I have seen people 1136 00:38:50,530 --> 00:38:52,599 on 3D printers sort of print 1137 00:38:52,600 --> 00:38:55,109 some base layer of plastic, then print 1138 00:38:55,110 --> 00:38:57,279 and play something else, say even 1139 00:38:57,280 --> 00:38:59,409 a PCB or some kind of electronic or 1140 00:38:59,410 --> 00:39:01,629 a battery or something or a magnet even, 1141 00:39:01,630 --> 00:39:03,739 and then print the rest of the player. 1142 00:39:03,740 --> 00:39:04,740 Maybe on top of that, 1143 00:39:06,340 --> 00:39:08,529 I don't know that you would be able 1144 00:39:08,530 --> 00:39:10,179 to do that with the thickness of these 1145 00:39:10,180 --> 00:39:11,649 keys. They're fairly thin. 1146 00:39:11,650 --> 00:39:13,779 I mean, the actual especially 1147 00:39:13,780 --> 00:39:16,209 with all of the key ways, sort of wiggles 1148 00:39:16,210 --> 00:39:18,349 and and so forth, 1149 00:39:18,350 --> 00:39:20,409 it's kind of hard to get an actual very 1150 00:39:20,410 --> 00:39:22,059 thick part that you could put something 1151 00:39:22,060 --> 00:39:22,959 metal in. 1152 00:39:22,960 --> 00:39:24,459 One thing that you can do, however, is 1153 00:39:24,460 --> 00:39:26,529 you can sort of leave out a gap in the 1154 00:39:26,530 --> 00:39:28,839 back of the key and then insert 1155 00:39:28,840 --> 00:39:30,819 a tension wrench there instead. 1156 00:39:30,820 --> 00:39:32,109 And so now you have, you know, all the 1157 00:39:32,110 --> 00:39:34,299 strength of attention and the plastic 1158 00:39:34,300 --> 00:39:36,669 key is just operating 1159 00:39:36,670 --> 00:39:38,769 the PIN tumblers and and raising them to 1160 00:39:38,770 --> 00:39:39,770 the right height. 1161 00:39:40,760 --> 00:39:42,799 All right, the brave person waiting for 1162 00:39:42,800 --> 00:39:44,119 quite some time at Magic number eight. 1163 00:39:45,860 --> 00:39:47,719 How do you actually get the dimensions of 1164 00:39:47,720 --> 00:39:48,909 the key from the picture? 1165 00:39:49,940 --> 00:39:52,069 Yeah, so in the 1166 00:39:52,070 --> 00:39:54,229 tool that we use, 1167 00:39:54,230 --> 00:39:56,599 the dimensions are assumed 1168 00:39:56,600 --> 00:39:58,669 to be in sort of a standard 1169 00:39:58,670 --> 00:40:00,860 small format, interchangeable core, so. 1170 00:40:02,860 --> 00:40:05,019 From that, most of those are standardized 1171 00:40:05,020 --> 00:40:06,789 to a specific height, so you can just 1172 00:40:06,790 --> 00:40:08,529 sort of take the top to the bottom and 1173 00:40:08,530 --> 00:40:10,629 you know what that height is for more 1174 00:40:10,630 --> 00:40:13,119 complicated locks you might 1175 00:40:13,120 --> 00:40:15,369 try. And something that we tried to do 1176 00:40:15,370 --> 00:40:17,469 early on was detect the circle 1177 00:40:17,470 --> 00:40:19,179 around the lock out of the mortise. 1178 00:40:19,180 --> 00:40:21,189 And then if you knew how big that was, 1179 00:40:21,190 --> 00:40:23,289 either by measuring it or entering it 1180 00:40:23,290 --> 00:40:25,749 in or knowing, you know, the standard 1181 00:40:25,750 --> 00:40:27,909 sizes of Martz's, then you would be able 1182 00:40:27,910 --> 00:40:29,320 to scale that image based off of that. 1183 00:40:30,940 --> 00:40:32,460 All right, Mike, number four, please. 1184 00:40:34,750 --> 00:40:36,039 I'm quite excited. 1185 00:40:36,040 --> 00:40:38,350 I haven't been thinking that line 1186 00:40:39,580 --> 00:40:42,009 that it's possible to do that with a 3D 1187 00:40:42,010 --> 00:40:44,379 printing, and 1188 00:40:44,380 --> 00:40:46,629 I want to look from a different angle, 1189 00:40:46,630 --> 00:40:49,059 like the one who wants to protect 1190 00:40:49,060 --> 00:40:51,429 himself against any threat 1191 00:40:51,430 --> 00:40:53,889 with reasonable means 1192 00:40:53,890 --> 00:40:55,059 financially. 1193 00:40:55,060 --> 00:40:56,559 What would you do? 1194 00:40:56,560 --> 00:40:57,560 In my case, 1195 00:40:59,440 --> 00:41:00,999 I think you'd have to define reasonable, 1196 00:41:01,000 --> 00:41:02,139 you know, financial means. 1197 00:41:02,140 --> 00:41:04,209 But, you know, if you're if 1198 00:41:04,210 --> 00:41:06,819 you're running a master kid system, 1199 00:41:06,820 --> 00:41:09,339 then I think you would probably want to 1200 00:41:09,340 --> 00:41:10,959 either upgrade to a higher security lock 1201 00:41:10,960 --> 00:41:12,759 or a different kind of master key system. 1202 00:41:12,760 --> 00:41:15,089 I know Yale has a, 1203 00:41:15,090 --> 00:41:17,199 I think, Biaggio lock that 1204 00:41:17,200 --> 00:41:18,849 has actually two different ways. 1205 00:41:18,850 --> 00:41:21,669 One that one, that's for 1206 00:41:21,670 --> 00:41:23,049 the master key and one that's for the 1207 00:41:23,050 --> 00:41:24,789 change key. And so then these privileged 1208 00:41:24,790 --> 00:41:26,859 escalation attacks are not a problem 1209 00:41:26,860 --> 00:41:28,599 for that kind of system. 1210 00:41:28,600 --> 00:41:30,129 I don't know the relative cost of that 1211 00:41:30,130 --> 00:41:32,229 offhand, but I know that MIT has 1212 00:41:32,230 --> 00:41:34,299 moved to those locks almost exclusively. 1213 00:41:34,300 --> 00:41:35,889 I guess they maybe had a problem with 1214 00:41:35,890 --> 00:41:37,809 students being part of the escalation or 1215 00:41:37,810 --> 00:41:38,810 something like that. 1216 00:41:41,050 --> 00:41:42,549 But I don't know many other universities 1217 00:41:42,550 --> 00:41:44,709 that have done that in recent years. 1218 00:41:44,710 --> 00:41:46,179 I think that's a good compromise for that 1219 00:41:46,180 --> 00:41:47,739 particular attack. But again, it depends 1220 00:41:47,740 --> 00:41:49,119 on your threat model, right? If you're 1221 00:41:49,120 --> 00:41:51,159 concerned about people copying your keys, 1222 00:41:51,160 --> 00:41:52,509 then maybe you want to go with something 1223 00:41:52,510 --> 00:41:54,969 that's just restricted and so has active 1224 00:41:54,970 --> 00:41:56,649 components to it, like a multi lock or 1225 00:41:56,650 --> 00:41:57,650 something like that. 1226 00:41:59,200 --> 00:42:00,849 Or if you're concerned about bumping or 1227 00:42:00,850 --> 00:42:03,189 picking, then you can find bump resistant 1228 00:42:03,190 --> 00:42:05,259 locks or something like that as well. 1229 00:42:05,260 --> 00:42:06,260 So. 1230 00:42:06,910 --> 00:42:09,179 I may add one 1231 00:42:09,180 --> 00:42:10,679 more question. 1232 00:42:10,680 --> 00:42:13,229 I've seen some people using 1233 00:42:13,230 --> 00:42:15,959 no locks on these 1234 00:42:15,960 --> 00:42:18,059 not so good or so, 1235 00:42:18,060 --> 00:42:18,689 no pads. 1236 00:42:18,690 --> 00:42:19,979 I mean, they're kind of an electronic 1237 00:42:19,980 --> 00:42:22,049 lock, right? It's it has many of the 1238 00:42:22,050 --> 00:42:24,509 problems, but it has a limited interface. 1239 00:42:24,510 --> 00:42:26,399 So it's a little bit better than say 1240 00:42:26,400 --> 00:42:27,599 something that's, you know, talking to 1241 00:42:27,600 --> 00:42:29,759 your smartphone or something like that 1242 00:42:29,760 --> 00:42:31,859 as far as the attack surface goes. 1243 00:42:31,860 --> 00:42:33,209 But it still has the problems of, you 1244 00:42:33,210 --> 00:42:34,439 know, if it runs out of a battery, 1245 00:42:34,440 --> 00:42:35,759 there's no backup or something like that. 1246 00:42:35,760 --> 00:42:37,439 It can be difficult to to get in 1247 00:42:38,760 --> 00:42:40,859 and reliability problems there 1248 00:42:40,860 --> 00:42:42,719 and can also be hard to weatherproof them 1249 00:42:42,720 --> 00:42:43,799 in some locations. 1250 00:42:43,800 --> 00:42:45,989 And no pads in particular 1251 00:42:45,990 --> 00:42:47,789 have this problem that if you only ever 1252 00:42:47,790 --> 00:42:49,589 enter correct combinations on the number 1253 00:42:49,590 --> 00:42:51,689 pad, the correct buttons were down more 1254 00:42:51,690 --> 00:42:52,619 than the incorrect ones. 1255 00:42:52,620 --> 00:42:54,149 And so you don't have this side channel 1256 00:42:54,150 --> 00:42:56,229 for learning on. 1257 00:42:56,230 --> 00:42:57,909 What the correct combination is so. 1258 00:42:59,000 --> 00:43:00,569 All right, the Internet is curious and 1259 00:43:00,570 --> 00:43:02,119 has many questions this morning. 1260 00:43:02,120 --> 00:43:03,320 Yes, yes, yes. 1261 00:43:04,400 --> 00:43:06,439 Have you looked at Kramnik or EPOXI like 1262 00:43:06,440 --> 00:43:09,039 materials for keys, sorry, 1263 00:43:09,040 --> 00:43:11,839 Carmac or EPOXI like materials 1264 00:43:11,840 --> 00:43:12,840 for kids. 1265 00:43:13,560 --> 00:43:15,809 I have not I don't know that you can 1266 00:43:15,810 --> 00:43:17,939 print any epoxy, but 1267 00:43:17,940 --> 00:43:19,229 maybe you could do some kind of, you 1268 00:43:19,230 --> 00:43:21,569 know, mold based thing on 1269 00:43:21,570 --> 00:43:22,570 and use that instead. 1270 00:43:23,640 --> 00:43:25,829 Play, I think was fairly good in 1271 00:43:25,830 --> 00:43:28,169 part because it has this sort of sweet 1272 00:43:28,170 --> 00:43:31,289 spot between being flexible and rigid. 1273 00:43:31,290 --> 00:43:33,389 Nylon was was way too flexible and 1274 00:43:33,390 --> 00:43:35,369 just sort of like a rubber rubber band 1275 00:43:35,370 --> 00:43:36,479 inside the lock. 1276 00:43:36,480 --> 00:43:38,759 And acrylic was way too brittle 1277 00:43:38,760 --> 00:43:40,469 and sort of didn't have any give to it 1278 00:43:40,470 --> 00:43:42,629 and just snapped off. So I'm finding that 1279 00:43:42,630 --> 00:43:44,340 sweet spot is, I think, pretty important. 1280 00:43:46,110 --> 00:43:47,399 All right. Any other questions? 1281 00:43:47,400 --> 00:43:49,349 You have another 10 to 15 minutes to ask 1282 00:43:49,350 --> 00:43:50,759 the hell out of the speaker. 1283 00:43:50,760 --> 00:43:52,769 Now, that is here and you can get your 1284 00:43:52,770 --> 00:43:53,399 hands on him. 1285 00:43:53,400 --> 00:43:55,939 So any other questions? 1286 00:43:55,940 --> 00:43:58,159 It does not seem to be the case, and 1287 00:43:58,160 --> 00:44:00,049 even the Internet is satisfied, at least 1288 00:44:00,050 --> 00:44:00,979 for now. 1289 00:44:00,980 --> 00:44:02,659 So please give another warm round of 1290 00:44:02,660 --> 00:44:04,309 applause to speak, Eric. 1291 00:44:04,310 --> 00:44:05,310 Thank you.