Hacker Perspective: Barry Wels
The story below is my youth confession. In a way I am a little reluctant to tell it, but since it is a story over 20 years old... I just hope you will see it in its rightful perspective.
Normally when people ask where my interest in locks and lockpicking comes from, my answer is that I became fascinated watching James Bond movies as a kid, wondering if locks really could be opened that simply. Now that in itself is a true statement. But the one thing that really seriously motivated me, and made me put a lot of creative energy into locks and circumventing some security features, was something else...
As long as I can remember, I was interested in locks and ways of opening them. And as a kid, I was eager to learn all the "tricks from the street" to open bicycle locks, often using simple tools like filed down scissors or other flat and thin pieces of metal. Still, I can honestly say I never stole a bike in my life. But I just had to know and test the tricks on how to open these locks. The real challenge came at around age 17. A friend of mine, who was a graffiti artist, had access to a very special key: a master key to the Amsterdam subway.
This highly restricted key would open any door in the entire Amsterdam subway system. This included the nuclear shelters that are deep underneath some of the stations. In particular, the entrance to the nuclear shelters was rather spectacular.
The best way to get into the shelters was to take the elevator that would normally bring you from street level to the subway platform. The only difference is that instead of pushing the elevator buttons you would insert the key in the keyhole just below the buttons and turn it. Now the elevator would not stop at the platform level but instead would go much deeper until reaching the shelters. I must say it was quite a thrill going deeper underground than most people knew was possible - not to mention the spooky atmosphere in the shelter. Deep below the subway station were hundreds of packaged bunk beds and many weird machines and other interesting things.
Needless to say this master key had a magical attraction to me. I just had to get a copy of it! And even though my friend told me he had already tried to get it copied and had concluded that it was truly impossible, i knew I could do it.
I quickly learned that even though the key looked like a standard key, it had several copy protection features. And instead of the standard five pins, this one had seven. The key profile was highly restricted, meaning only the factory had blank keys for it. Besides the blanks not being available, the key also had two "wings" or "ribs" that operated pins on the left and right side of the lock. For its time, this was one of the best high security locks on the market and its keys were known to offer the highest degree of copy protection.
But determined and challenged as I was to somehow get a copy, I decided to compile a list of locksmiths from the Yellow Pages and pay them all a visit to see if they could copy the key. After all, locksmiths are the people with knowledge on copying keys, and it must be possible to find one that could do it?
Unfortunately, most visits did not last long. In general, the locksmiths all looked at me real funny when showing them the key. Some of them took the effort to explain that they simply did not have a blank key for it, while others just said "no" and pointed me to the door. Instead of giving up, I learned a little from each visit and was able to ask more to-the-point questions at my next visit.
Finally, after at least 20 visits, I found a locksmith that did not send me off straight away. This locksmith was very curious about what the key was for and I decided to be open with him. So I started explaining that I had no criminal intent with this key. If I had, I would have used it right away and not bothered to copy it. And I told him it was the top master key for the Amsterdam subway. I explained to him that by now I had become sort of obsessed to copy this "uncopyable key" and that I was determined and would succeed one way or another. After all, technically it is just an odd-shaped piece of metal.
After thinking it over, he said he could help me a little bit. He studied the key for quite some time and started comparing it with some blanks from his racks. In a few minutes he came up with a blank key that more or less had the same profile as the master key, except it did not have wings. And he made it very clear that he would not help me with the wings; I was on my own for that part. The blank he found was a little fatter than the original, meaning it had more material on it than the master key and would not yet fit the lock. The locksmith advised me to get a fine file and try to file or grind away some of the metal in strategic places until it was slim enough to fit the target lock. He made me three keys and was kind enough to already copy the normal seven cuts of the master key on them. I was now getting somewhere!
At home I studied both the original and the "fat" copy for a long time and determined three positions where I would have to remove material from the copy. After spending 30 minutes with my file, I ended up with a relatively thin key that I figured would fit the subway locks.
The next day I went to the subway to give it a try, and somewhere in a dark corner I inserted the key into one of the many maintenance locks. These locks normally just cover power outlets used by cleaners or workers and sometimes are not used much at all. To my surprise the key entered smoothly and... turned!
However, this euphoric moment did not last long. As I turned the key 90 degrees, the lock stopped and the key got stuck! No matter how I tried, I could not turn the key left or right, nor get it out of the lock. I panicked and came close to the point of breaking off the head of the key and just going home. But after I calmed down a little and started to analyze the problem, I came to the conclusion that the missing side wing(s) was probably the reason for the lock jamming. So I started looking around for something thin to poke the side channel of the lock. I ended up with a bent paper clip (or was it a needle?) that, to my great relief, allowed the lock to turn back to the original position where I was then able to take the key out again. Phewwwww...
Back home I tried to think of a way to somehow create wings on the key. I tried to solder them on using a soldering iron. One of the first problems was that if I soldered a wing on one side, it would come loose when trying to solder one to the other side. The second problem was that the lead was not strong enough to keep support the thin small wings even when I managed to solder them on correctly. The key simply was too fragile and not usable this way. So I had to think of something else.
I had some good contacts with an optic shop, and one of the opticians showed me how they repaired broken metal frames. They used a technique called hard soldering. With hard soldering you use a gas flame to heat the object and solder the parts together using thin silver or gold sticks. When done properly, you do not even notice the frame has been repaired. I realized I had to learn and master this hard soldering technique, and I asked if they could teach me. It took me some time, but finally I managed to master the hard soldering technique. And I was finally ready to solder wings on my key...
Still, I had the same problem as with lead solder. If one rib was fixed, it came loose when I tried to solder the other side. The solution was to use two different kinds of soldering material. One type would melt at a high temperature, the other at a low(er) temperature. My first experiments were soldering one rib using silver through the hard solder method (high melting point) while for the other rib I used a soldering iron and lead-based solder (low melting point). Later I mastered the hard solder technique even better so I could solder one side of the key with silver solder (high melting point) and the other side using gold solder that had a slightly lower melting point.
And now, two years after seeing the subway key for the first time, I was ready for the final test. I went back to the same dark corner of the subway system and tried my key. And it worked like a charm. I could not have been happier.
Truth is I never used it much. For me the challenge was to copy the key. But some of my friends had great fun with it. In the early-1990s we were known as the unofficial tour guides of the Amsterdam underground, proudly showing all our (international) friends the Amsterdam nuclear shelters.
But the story continues...
After some exploring, my friends told me they found a few doors deep inside the system that this master key could not open. It could enter the lock, but not turn. This was a new challenge.
At about the same time we met a group of artists who were officially allowed to give an art performance inside the subway system. They had been given a very low priority key that could only open two doors in the entire subway system. And even though we could already open these doors with our own master key, I was still eager to examine this low priority key.
Comparing the two keys I found they were almost identical. On just two out of seven positions the keys differed. I did not expect much of it, but decided to combine both keys and cut the remaining two combinations.
To clarify this: if you have two different values in a key system, you can make four keys. Let's say the master key had a cut depth 2 and 3 on the positions that differed. And let's say the low priority key had a cut 4 and 5.
The remaining two combinations would be a key cut to 2 and 5, and one cut to 4 and 3.
To this day I still don't know why I cut these extra keys. I guess I was just curious. And I did not have high hopes it would open anything more then the locks we could already open. So I never bothered to solder wings on these two experimental keys. I just added them to my key ring.
The next time I was present at one of the underground tours, we ended up at the doors we could not open. Only then I remembered the experimental keys I made, and gave them a try. And guess what? One of them worked! Now that was a truly euphoric moment! And I immediately realized I had better not try to fully rotate the key as it did not have wings yet. So after turning it ten degrees, I went back to the original position and removed it from the lock.
I soldered on wings the same day and found that the key worked really well. (As to be expected behind the door there were just some more maze tunnels and some high voltage equipment you do not want kids playing around in.) We called it the "super master key" as we never found a lock it could not open in the entire Amsterdam subway system. And it took some time to realize what I had achieved. I made a copy of an uncopyable super master key, of which I had never seen the original key. I was root at the subway system, and it earned me my nickname "The Key."
Now there is a reason for this confession. First of all, I just turned 40, and figured an over-20-year-old story could be told by now. The second reason is to show you that no matter how sophisticated a mechanical lock is, it can always be bypassed by a determined attacker. And the final reason is that it's a nice introduction to my presentation at The Last HOPE conference.
The title of the presentation will be "Methods of Copying High-Security Keys." And it will cover many more modern techniques than this 20-year-old story.
I hope to see you there, and urge you to bring your uncopyable mechanical keys for us to evaluate.
Barry Wels is president and founder of Toool, The Open Organization Of Lockpickers. Toool's expertise, integrity, and publications are well received in the lock industry, and Toool is often requested to do tests for lock manufacturers and organizations such as Dutch Consumer Reports. He runs a weblog at www.toool.nl/blackbag.