Full Disclosure mailing list archives
Re: Master Lock random key code generation/distribution Fails
From: Jon Hart <jhart () spoofed org>
Date: Wed, 26 Mar 2014 15:03:00 -0700
This is definitely an interesting finding. I'll admit that I don't know what the key code actually does or how it is used, but at the risk of stating the obvious this is the physical world equivalent of problems we face daily in the infosec field -- randomization is hard, small key spaces are bad, and vendors will continue to make this mistake (hopefully) until it is disclosed.

-jon

On Wed, Mar 26, 2014 at 2:38 PM, Daniel Miller <bonsaiviking () gmail com> wrote:

> On 03/26/2014 02:17 PM, Jimb0 Hon1nbo wrote:
>
>> First this is not a physical finding in the normal sense, but a finding that Master Lock does not properly generate key codes differing in each batch, or that they do not randomize distribution of said key codes.
>>
>> After visiting a Home Depot, I found the following problem: among every model of padlock with a key, each model was matched in key codes for the entire model stock. I walked in for one set of matching locks (a little three or four pack), and I walked out with multiple sets all matched (will I trust these locks? No). We checked every lock in stock and they all had the same issue.
>>
>> For example, if buying Master Lock model "A", every model "A" would have the same key code. If model "B," every model "B" has the same key code.
>>
>> This means that with every stock a store like Home Depot receives, there is only one key combination for each model of lock. If a store only receives a few shipments a month, then there are only a few possible keys. If that store happens to be a large, if not only, source of locks in the area, then you have the probable key combination at each store.
>>
>> Attached is a photo I took showing a matched set I pulled off the shelf to buy when I found it.
>>
>> PS: This is not the special order contractor stuff that is designed to have the same key code, but individual packaged products on the shelf.
>>
>> -Hon1nbo
>>
>> _______________________________________________
>> Sent through the Full Disclosure mailing list
>> http://nmap.org/mailman/listinfo/fulldisclosure
>> Web Archives & RSS: http://seclists.org/fulldisclosure/
>
> Hon1nbo,
>
> I worked at a Home Depot for 4 years, and I can confirm that this is standard practice, not only for Master locks, but also for the common household entry locks like Schlage and Kwikset, though in those cases the lot sizes are smaller (2 sets of 3 like-keyed boxes in a case of 6).
>
> This is for the convenience of the customer who wishes to have a set of like-keyed padlocks for their home and does not want to pay a locksmith to rekey them. Although all the locks you checked that day were identical, the chances of a burglar finding the customer who bought the same lock within a week or two (locks are fairly high-volume) are low compared with the relative ease of picking them, destructive entry, or just finding someone who didn't lock their stuff up.
>
> Dan
Current thread:
- Master Lock random key code generation/distribution Fails Jimb0 Hon1nbo (Mar 26)
- Re: Master Lock random key code generation/distribution Fails Daniel Miller (Mar 26)
- Re: Master Lock random key code generation/distribution Fails Jon Hart (Mar 26)
- Re: Master Lock random key code generation/distribution Fails Daniel Miller (Mar 26)
- Re: Master Lock random key code generation/distribution Fails Richard Chycoski (Mar 26)
- Re: Master Lock random key code generation/distribution Fails Jeff Kell (Mar 26)
- Re: Master Lock random key code generation/distribution Fails Deviant Ollam (Mar 27)
- Re: Master Lock random key code generation/distribution Fails Jon Hart (Mar 26)
- Re: Master Lock random key code generation/distribution Fails Steve Pordon (Mar 27)
- Re: Master Lock random key code generation/distribution Fails Daniel Miller (Mar 26)