In an era when digital tools allow anyone to make practically anything, inscribing the words "do not duplicate" on a key only invites ambitious lock pickers to do exactly that. Now one group of researchers has released a piece of software that makes copying purportedly uncopyable keys easier than ever.

On Tuesday, a group of University of Michigan researchers released a new web-based tool that lets users 3-D print any of thousands of "restricted" keys designed to defy copying attempts. Aside from the "do not duplicate" warnings on restricted keys, lock makers also try to prevent their duplication by using contorted keyways—the space inside a lock that a key's inserted into—and selling the blanks that fit them only to users who can prove their affiliation with a big client like a corporation, university, or government agency.


But the researchers' tool, which they've called Keysforge, is meant to demonstrate that those obscure key shapes no longer offer the security they did before accessible 3-D printing. With little more than the restricted key and a photo of the front of the lock, Keysforge can produce a CAD file ready to 3-D print a working key on any consumer-grade 3-D printer. "We've proven that restricted keyways are no longer a defense," says Michigan researcher Ben Burgess. "We’ve shown that anyone with a 3-D printer can quickly and easily attack these systems."

Image: A 3-D printed copy of a restricted key. Credit: University of Michigan

The Michigan researchers aren't quite the first to make that point. In 2013, a pair of MIT students released a piece of software that could copy restricted Primus keys from the lockmaker Schlage. Then a year ago, lock-pickers Jos Weyers and Christian Holler demonstrated to WIRED that they could use a photo of a lock and a quick measurement of its depth to create a 3-D printed "bump" key—a key-shaped tool designed to open a lock by knocking its pins upward when the tool is rapped with a hammer.

But unlike those earlier demonstrations of how 3-D printing can defeat physical security measures, the Michigan researchers' technique works on a wide array of lock systems that use the common A-2 standard of pin spacing inside a lock. Input the series of depth cuts that represent the key's vertical contours—they can be found with a pair of calipers and a chart like this one—and a front-facing photo of the lock it fits into, and the software can automatically generate a CAD file for a duplicate key. And unlike the Photobump creators, the Michigan researchers have also released their software to the public in a bid to definitively demonstrate that restricted keys can be easily copied.

Replicating restricted keys allows for more than the unlimited copying of a key by, say, a rogue employee: It could also make it possible to duplicate a high-security key from a photograph taken from a distance with a high-powered lens. Researchers showed in 2009 they could find the measurements of a key's cuts from a photograph taken from as far as 200 feet away and at an angle. Like the earlier, unreleased Photobump software, the publicly accessible Keysforge software could enable the easy creation of bump keys for restricted key profiles. Or it could even allow what the researchers call "privilege escalation" attacks, like what University of Pennsylvania computer scientist Matt Blaze has demonstrated. Blaze showed that in a building or facility that uses master keys, a key holder can create a series of keys with small variations on his or her regular key and eventually create a master key that opens many more doors. Using Keysforge to build a series of 3-D printed keys would make that trial-and-error process vastly easier. "One of the biggest defenses for these methods was restricted keyways," says Burgess. "This reopens those attacks."

In addition to their proof-of-concept software, the researchers also tried to assess which 3-D printable materials work best for duplicating keys. They tested a variety of printable plastics, and found that the cheap polylactic acid (PLA) plastic used by the popular Makerbot line of 3-D printers was actually stronger than more expensive printers' materials like acrylic and nylon. They found that stainless steel, which can be printed with mail-order services like Shapeways and iMaterialise, was strongest of all, but due to its hardness can damage the internals of a lock. The researchers instead recommend softer brass, which is also available from those commercial printing services. They plan to present all of their research at the Usenix Workshop on Offensive Technologies next week.


WIRED reached out to some of the lock companies whose restricted keys could be duplicated with Keysforge, including Medeco, Yale, Schlage, EVVA and BEST. Schlage responded, saying it wasn't ready to comment before publication.

Medeco spokesperson Clyde Roberson called the Michigan researchers' work "important and informative." He added that the company has been working to create locks with electronic and mechanical components that can't be 3-D printed. "Medeco and [its parent company] ASSA ABLOY have been researching this topic and have been actively pursuing improvements in our technology to help minimize this threat," Roberson wrote in an email. "This includes testing various scanning and printing devices available on the market, from highest quality to lowest. We have already developed some products directly as a result of this work and future products will continue to reflect added protection for this threat." [1]

It's safe to guess that the lock industry as a whole doesn't appreciate 3-D printing tools like Keysforge, which chip away at its monopoly on restricted key blanks. But the Michigan researchers argue that their software is necessary to demonstrate—both to lock makers and to consumers—that merely restricting access to keys is no longer enough. Instead, they say, the industry needs to move toward high-security locks that integrate electronic security measures, or keys that have moving or magnetic components. "Attackers and criminals, especially the high-end ones, will learn these attacks," says Michigan researcher Eric Wustrow. "If this is a world where only the manufacturers and the attackers know what’s going on, it's dishonest to sell these [restricted keys] to consumers."

"This lets consumers know what they’re buying—that restricted keyways won’t necessarily give them the best defense," Wustrow adds. "And it shows lock manufacturers that they need to improve their designs."

Read the Michigan researchers' full paper below.

Replication Prohibited: Attacking Restricted Keyways with 3D Printing

[1] Updated 8/4/2015 10pm EST with comments from a Medeco spokesperson.