Kwikset Smartkey Insecurity

The Kwikset Smartkey is a surprisingly clever cheap lock. It lets you rekey your lock yourself, instantly — insert a bit of wire in a hole (when the correct key is inserted) and you can now insert a new key and the lock will adapt itself. Easy way to lock out sketchy ex-roommates.

Even better, the lock is pick-resistant and bump-proof.

Unfortunately, it’s also cast from really cheap metal, with overall none-too-great attention to mechanical design. Therefore, it’s easy to do an end-run around the locking mechanism entirely… or insert a screwdriver, apply a little torque with a wrench, and force the lock to turn.

Well, you get what you pay for.

(You can even decode the sliders visually, using a borescope, but I feel like nobody’s going to bother. That said, with the limited number of available depths, it’s easy to make a key by cutting notches into a strip of credit cards — or make a set of tryout keys.)

The details are in the first link. Since it’s written in MWT’s trademark “CAPSLOCK IS CRUISE-CONTROL FOR COOL” I included the Wired writeup for readability below it.

Is it “good enough”? Depends — in this price range, locks are more of a psychological barrier anyway.

“Locks that are used in millions of homes and residential buildings worldwide and that are designed specifically to thwart hacking are easily opened with both a screwdriver and wire, two researchers say.

Kwikset smartkey locks are certified Grade 1 security for residential use by the Builders Hardware Manufacturers Association and are advertised by Kwikset as being invulnerable to being hacked with wires, screwdrivers, or anything else inserted in the keyway.

But that’s not the case, as two noted lock hackers, Marc Weber Tobias and Toby Bluzmanis, demonstrated for WIRED and plan to show attendees today at the Def Con hacker conference[…]

The smartkey is a five-pin lock and has 6 depth increments (the height and depth of the mountains and valleys on a key). It can be reprogrammed by placing the original key in the lock and inserting a tool into a slot in the lock face, which moves the assembly back about an eighth of an inch and separates the pins and slider and holds them apart while a new key is inserted. The lock then registers the impressions on the new key and resets the relationship between the pins and slider to correspond to the new key.

They demonstrated six different ways of defeating the locks, including inserting a piece of blank with a sharp end into the keyway and then, using a hammer, punching out the cap on the back of the plug — a thin piece of metal. Then they inserted a wire with a looped end into the keyway to turn the tailpiece, which rotates independently of the plug, making a key irrelevant. The method works in just 30 seconds and leaves no damage and no trace, since the original key still works in the locks.

In a second attack, Bluzmanis inserted a 4-inch screwdriver into the keyway, grasped it with a wrench and turned it to open the lock in just 15 seconds. According to the standard, the lock should be able to withstand 300 pounds-force-inch of torque, but they used only a little more than 100 pounds-force-inch to open the lock.

Another attack involved decoding the lock by using a series of keys that are a single depth to determine the depth of each of the pins inside the lock.”
