Re: Master Lock random key code generation/distribution Fails

[Jon Hart <jhart () spoofed org>]

This is definitely an interesting finding.  I'll admit that I don't know
what the key code actually does or how it is used, but at the risk of
stating the obvious this is physical world equivalent of problems we face
daily in the infosec field -- randomization is hard, small key spaces are
bad, and vendors will continue to make this mistake (hopefully) until it is
disclosed.

-jon


On Wed, Mar 26, 2014 at 2:38 PM, Daniel Miller <bonsaiviking () gmail com>wrote:

> On 03/26/2014 02:17 PM, Jimb0 Hon1nbo wrote:
>
> > First this is not a physical finding in the normal sense, but a finding
> > that Master Lock does not properly generate key codes differing in each
> > batch, or that they do not randomize distribution of said key codes.
> >
> > After visiting a home depot, I found the following problem: among every
> > model of padlock with a key, each model was matched in key codes for the
> > entire model stock. I walked in for one set of matching locks (a little
> > three or four pack), and I walked out with multiple sets all matched (will
> > I trust these locks, no). WE checked every lock in stock and they all had
> > the same issue.
> >
> > Example, every if buying Master Lock model "A", every model "A" would have
> > the same key code.
> > If model "B," every model "B" has the same key code.
> >
> > This means that with every stock a store like Home Depot receives, there
> > is
> > only one key combination for each model of lock. If a store only receives
> > a
> > few shipments a month, then there are only a few possible keys. If that
> > store happens to be a large, if not only, source of locks in the area,
> > then
> > you have the probable key combination at each store
> >
> > attached is a photo I took showing a matched set I pulled off the shelf to
> > buy when I found it.
> >
> > PS: This is not the special order contractor stuff that is designed to
> > have
> > the same key code, but individual packaged products on the shelf.
> >
> >
> > -Hon1nbo
> >
> >
> > _______________________________________________
> > Sent through the Full Disclosure mailing list
> > http://nmap.org/mailman/listinfo/fulldisclosure
> > Web Archives & RSS: http://seclists.org/fulldisclosure/
> Hon1nbo,
>
> I worked at a Home Depot for 4 years, and I can confirm that this is
> standard practice, not only for Master locks, but also for the common
> household entry locks like Schlage and Kwikset, though in those cases the
> lot sizes are smaller (2 sets of 3 like-keyed boxes in a case of 6). This
> is for the convenience of the customer who wishes to have a set of
> like-keyed padlocks for their home and does not want to pay a locksmith to
> rekey them.
>
> Although all the locks you checked that day were identical, the chances of
> a burglar finding the customer who bought the same lock within a week or
> two (locks are fairly high-volume) are low compared with the relative ease
> of picking them, destructive entry, or just finding someone who didn't lock
> their stuff up.
>
> Dan
>
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/