Date: Wed, 26 Mar 2014 16:38:03 -0500
From: Daniel Miller <bonsaiviking@...il.com>
To: Jimb0 Hon1nbo <hon1nbo.list@...il.com>, fulldisclosure@...lists.org
Subject: Re: [FD] Master Lock random key code generation/distribution Fails

On 03/26/2014 02:17 PM, Jimb0 Hon1nbo wrote:
> First this is not a physical finding in the normal sense, but a finding
> that Master Lock does not properly generate key codes differing in each
> batch, or that they do not randomize distribution of said key codes.
>
> After visiting a Home Depot, I found the following problem: among every
> model of padlock with a key, each model was matched in key codes for the
> entire model stock. I walked in for one set of matching locks (a little
> three or four pack), and I walked out with multiple sets all matched (will
> I trust these locks, no). We checked every lock in stock and they all had
> the same issue.
>
> Example: if buying Master Lock model "A", every model "A" would have
> the same key code.
> If model "B," every model "B" has the same key code.
>
> This means that with every stock a store like Home Depot receives, there is
> only one key combination for each model of lock. If a store only receives a
> few shipments a month, then there are only a few possible keys. If that
> store happens to be a large, if not only, source of locks in the area, then
> you have the probable key combination at each store.
>
> Attached is a photo I took showing a matched set I pulled off the shelf to
> buy when I found it.
>
> PS: This is not the special order contractor stuff that is designed to have
> the same key code, but individual packaged products on the shelf.
>
>
> -Hon1nbo
>
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/

Hon1nbo,

I worked at a Home Depot for 4 years, and I can confirm that this is 
standard practice, not only for Master locks, but also for the common 
household entry locks like Schlage and Kwikset, though in those cases 
the lot sizes are smaller (2 sets of 3 like-keyed boxes in a case of 6). 
This is for the convenience of the customer who wishes to have a set of 
like-keyed padlocks for their home and does not want to pay a locksmith 
to rekey them.

Although all the locks you checked that day were identical, the chances 
of a burglar finding the customer who bought the same lock within a week 
or two (locks are fairly high-volume) are low compared with the relative 
ease of picking them, destructive entry, or just finding someone who 
didn't lock their stuff up.

Dan

