Date: Wed, 26 Mar 86 04:04:16 est
From: *Hobbit* <AWalker@red.rutgers.edu>
Subject: Medecos

Pushing Medeco pins up while applying torque is probably just the beginning.

The pins have mushroom-shaped drivers above them in most cases, so these
would hang up in strange positions.  Also the sides of the pins have
false half-depth grooves that the sidebar teeth drop into, so attempting
to feel these out would give you a range of possibilities, not the real
correct configuration of the pin twists.

It is possible to manipulate things enough to get the plug to cock over
a little bit.  When you're in this state, a properly designed precision
instrument could tell you about the current state of the pins and build
a table of possibilities about each one.  Modifying each possibility 
in turn, and checking for the same half-cocked position, might eventually
yield the proper opening combination.  In other words, if you can get the
lock into this state you can gather info about it.  [I mentioned this in
an earlier message about the "ideal mechanical lock" in which one could
gather *no* information about the innards by applying various forces to
it.  So far this problem is still open for suggestions.]  It is hoped that
while considering a design for a Medeco opener, an improvement in the 
basic Medeco design could also be considered that would come closer to
this ideal lock...

_H*

Date:	Wed, 25 May 88 16:14:00 EDT
From:	dasys1!stanleyw@rutgers.edu
Subject: Medeco Cylinder Testing

Medeco Lock Co. had their cylinder tested by a government lab at Port
Hueneme, California.  The test, I believe, used sound waves to determine
pin height. The test was performed around 1980. 

Does anyone have any info on the test, and is there an NTIS number?

-- 
Stanley Wociechowski
Big Electric Cat Public UNIX
..!cmcl2!phri!dasys1!stanleyw

Date:	Fri, 10 Jun 88 06:52:00 EDT
From:	wadlow@godot.psc.edu
Subject: Re: Medeco Cylinder Testing

>Medeco Lock Co. had their cylinder tested by a government lab at Port
>Hueneme, California.  The test, I believe, used sound waves to determine
>pin height. The test was performed around 1980. 

I have never seen any info about tests of that sort... It sounds kind
of pointless to perform this sort of test on a Medeco though.  Once
you know pin heights, you still don't know the rotation of the assorted
pins, so you still have a decent number of permutations in order to find
the correct combination.  I can see more use in performing this sort of
test on a Best cylinder, or some other cylinder that doesn't rotate the
pins.

					Steve

Date:	Fri, 10 Jun 88 08:49:00 EDT
From:	Douglas Humphrey <deh@eneevax.umd.edu>
Subject: Re:  Medeco Cylinder Testing

An interesting possibility for lock work would be a Sonogram system,
used to look into people's internal organs, etc. with sound waves. These
seem to be pretty portable. I wonder how well they would work. 
Anyone know more about this?

Doug

Date:	Wed, 13 Jul 88 08:40:00 EDT
From:	ZSYJKAA%WYOCDC1.BITNET@cunyvm.cuny.edu
Subject: Sonogramming locks

I'd bet that the sonogram equipment and techniques used on people would be
pretty useless on a Medeco-sized lock.  First, the things you're looking at
are much smaller.  Second, the speed of sound in metal is, I believe, much
higher than water (people), meaning the electronics must switch between
pulsing and receiving much faster (definitely not impossible, just the
"baby-watching" stuff probably won't hack it).  Third, you probably only
have access to the front face of the lock (if you have access to the sides
and top, just open it up) and that means you'd be "looking" at the pins
all at once; you'd rather have a side view so as to see them individually.

I sent a long response to the original poster of the question about using
sound waves; I guess I should have kept a copy to send to the group.  My
own speculation of such techniques involves using one of two methods.
First method:  The "time domain reflectometry" type.  Using a key-shaped
holder if possible, hold a transducer against the bottom of a pin.  Repeatedly
(1 kHz?) send a pulse out of it, switch to receive mode, and display the
echos on a 'scope and time them.

Second method: resonance.  Again hold a transducer against the pin.  Sweep
a range of frequencies (50-250 kHz or so) and look for resonances as
indicated by peaks and dips in the induced voltage (you'd have to play
with the impedances to get the right "Q" for optimum sensing).

Several factors affect how well either method works.  Keep in mind that
round-trip time for a pulse in a .1" pin made of metal with speed of sound
around 3000fps is 5 microseconds; corresponding resonant frequency is 200
kilohertz.  Very thin pins (as used in some mastering methods) would be
even "quicker".  You must (or should) know the pin material, since I would
guess speed of sound is quite different in steel versus brass, and maybe
significantly so in differing types of brass (I don't have the proper
references handy).  Some "pin assemblies" consist of a steel ball contacting
the key followed by a brass pin, so that can be nasty (but easy to discover
with a flashlight); perhaps the ball would yield a distinctive "signature"
on the instrument, or perhaps it would obscure desired signal.  The pins
should ideally be isolated from the lock body but that's impossible, so
I'd guess it would be best to thoroughly clean the lock with a fast-drying
liquid that leaves no residue.  On the other hand, getting some graphite
or teflon particles in there might help "insulate" the pins.  You'd have
to try it and see.  I have no idea how badly misleading or mangled a
signal would be from mushroom pins.  You might get a false sense of a
possible shear line from locks constructed with a second cylinder (a
better mastering technique, as used at least on better Russwins) depending
on how much signal got conducted from the pins into the body.  Such diversion
of signal would also degrade the system's response (e.g. echo strength).
If there are many pins involved, the multiple echos and/or resonance modes
could be pretty hairy to sort out, except for the first pin or two.

Question: "WHY?"  Sounds a bit like a high-tech B&E tool.  Yeah, but even
a screwdriver can be used for illicit gains.  It is obviously a useful
item to ponder for legitimate locksmith use, such as very secure installations
where the key was lost and no copy existed.  This would be very expensive
to buy if it were available, or non-trivial to build in either case, and
most of the bad guys couldn't cut a key if you handed them the cut numbers
or a blueprint.  Significant skilled "interpretation" might be required
as well, if the methods work at all.

One last thought:  Yes, knowing the pin heights on a Medeco doesn't get you
in.  But there's only three possible rotations for each pin, so heights
gets you a lot farther than knowing nothing.  A neat feat of miniature
machining would be to make a Medeco key (as keys go they're rather big)
with shim-adjustable heights and rotatable "seats" for the pins.  Making one
that could be adjusted while seated in the lock would be even better,
best if you could transmit back some "feel" to the operator.

P.S. I probably have the speed of sound in metal way off.  Air is 1100fps
I think, and I vaguely recall it is 6 times that in steel.  Maybe one
could steal techniques from reflection seismology too.

Date:	Wed, 25 Jan 89 01:58:00 EST
From:	Stephen Wadlow <sw0y+@andrew.cmu.edu>
Subject: rotating pin locks

Over the summer I managed to obtain a few Medeco cylinders for
examination.  After disassembly, reassembly, and lots of referring to the
medeco diagram, I knew enough to pick the little bugger open.  It just
took a *long* time (on the scale of hours for a fully loaded cylinder).  I
have heard stories of people being able to pick a fully loaded medeco in a
matter of minutes, and have been trying to figure out how the h-ll they do
it (assuming it's true).

Anyone have any pointers or techniques they'd like to share?

				steve

======================================================================
Stephen G. Wadlow               Internet: stephen.wadlow@andrew.cmu.edu
System Manager			Bitnet:   wadlow@drycas
Center for Fluorescence Research -- Carnegie-Mellon University

Date:	Sat, 28 Jan 89 04:51:00 EST
From:	nugent@anubis.uchicago.edu
Subject: Re: rotating pin locks 

I understand from our local locksmith that Medeco still offers a
reward for someone who can pick a Medeco lock on request and I think
you get several hours.  I have to admit, I'm curious how you do
it since there is no way to apply pressure to the side bar (the part
that checks the rotation of the pins) beyond what the springs supply.

For those not familiar with Medeco locks, the keys incorporate a left, right
or center rotation as well as the usual up and down positioning for each
pin, so picking the lock requires adjusting 6 angles as well as 6 different
heights.

Collecting the Medeco reward probably requires that you pick one of their
newer Biaxial locks, which include the forward and backward pin alignments
as well as left and right.

Todd 

Date:	Tue, 31 Jan 89 00:53:00 EST
From:	*Hobbit* <hobbit@pyrite.rutgers.edu>
Subject: Friction is your friend

This is sort of a followup to Steve Wadlow's medeco question.  I should
point out a common truth about most mechanical locks that in theory allows
any of the "high-security" ones to be opened.  I call it the Differential
Pressure algorithm...

The "method" for Medecos involves manipulating until you have every tumbler
either at a correct position or a "false" position, whereupon the cylinder
cocks over a little bit and binds.  These false positions are highly touted as
a security feature in any lock that has them -- the manufacturers perceive
these as complete dead ends to anyone trying to pick the lock, and that if you
hit any of them you've lost and have to completely start over.  Wrong!
Consider this: the difference between a real position and a false one is
usually a few thousandths of metal.  A tumbler at a correct position will no
longer be binding the cylinder closed, and will have plenty of perceivable free
play, while a false-notched tumbler will be held tightly in place and exhibit
no slop at all.  The Method involves finding these falsely-positioned tumblers
and correcting them as they appear, usually by twisting them around with a
pointy probe, until they allow the sidebar to drop.  Naturally due to random
machining slop you may lose a couple of other tumblers while backing out far
enough to clear the false notch and get over to a real one, but they can be
re-corrected.  The point is that even while "stuck" at the false positions, one
can "map" which positions are definitely false, and optionally correct them.

This thinking can be applied to numerous other types of locks including but not
limited to Simplex, most cheap combination padlocks and bicycle locks, Abloys,
and quite possibly plenty I haven't had a chance to examine.  This rather
simple idea appears to be out of reach of most locksmiths, though, who
seem to unquestioningly believe the manufacturer's party line...

By the way, there is no longer a "reward" for picking Medecos.  Even the
Medeco people acknowledge that "it happens occasionally" when a bored locksmith
decides to have a go at one.  Neither is there a reward for Abloys, even if
they're said to be harder yet...

_H*

Date:	Tue, 14 Feb 89 05:38:00 EST
From:	stanleyw@dasys1.uucp
Subject: Re: rotating pin locks

> After disassembly, reassembly, and lots of referring to the
> medeco diagram, I knew enough to pick the little bugger open.

Congratulations.  In order to effectively open a Medeco cylinder in under
an hour, one must feel the bind on the pins.  As you may well be aware, in
picking a regular cylinder the bottom pins will not have any pressure on them
when the top pins are trapped in the shell. Using this knowledge one can
determine if the side bar is binding against the bottom pin in the false
notch or other part of the pin and not in its appropriate notch.

Date:	Sat, 25 Feb 89 05:20:00 EST
From:	*Hobbit* <hobbit@pyrite.rutgers.edu>
Subject: more sophisticated medecos

   Our campus key shop guru told me that we have even a more advanced
   Medeco than the standard, and was almost foolproof...

I believe that these are the biaxials. They are no big deal; the chisel points
are offset forward or back by .025".  It effectively gives each pin twice the
keying versatility, since the key cut can be the right depth and twist, but if
it's not under the chisel tip, you lose.  A master key for this system would
have two cuts right next to each other that would address either offset [and I
believe they would be at the same height, since it's difficult to cut two
different heights only .050" apart and have enough "meat" left to turn the
pin].  With regard to picking, it essentially makes no difference.  In fact, it
was a biaxial that I first started working with to develop the current
theory..

Lessee, (6 cuts * 3 rotations * 2 offsets) = 36 positions per pin, to the 6th
power gives you something like 2 gigapossibilities...

_H*

Date:	Wed, 8 Mar 89 09:52:00 EST
From:	nugent@anubis.uchicago.edu
Subject: Re: more sophisticated medecos 

>  I believe that these are the biaxials .....  A master key for this
>  system would have two cuts right next to each other that would address
>  either offset.....

Actually one problem with the Medecos is that within a given master
key system (typically a building), all of the pin rotations are the
same for all of the changes.  If you have the lowest key to, say the
garbage room, you know the pin rotations to the grandmaster key which
opens all doors.  Because of this, the Medecos are only marginally
better than other precision locks at preventing the usual university
problem, which is a student adding a little solder to his office/dorm key
and using a file to turn it into a master key.

It probably belongs in RISKS, but I can't help commenting that when
the Biaxials first came out, the Medeco keying software had some
problems with cross-keying, with the result that one of our office
keys was also a submaster for a different series....that student had fun!

Todd

Date:	Thu, 13 Apr 89 22:21:00 EDT
From:	spot!petersed@boulder.colorado.edu
Subject: MEDCO locks

I am currently working for a small business that is trying to beef up
their security.  I had heard that Medco keys cannot be copied by your
local locksmith.  Is this true?

If not, are there any high security locks that have keys which are
difficult to copy?

Thanks
Dan

[Moderator tack-on:  That's "Medeco", btw; I believe that the company will
sometimes contract with a locksmith in a given area such that that locksmith
is the only user of a certain blank.  I.e. they manufacture a bunch of custom
blanks for just that locksmith, so he's the only one who can [in theory]
duplicate the keys he has made.  There are also some "standard" Medeco blanks,
available more universally.  So the answer to your question is "sometimes".
Wadlow, you know any more about this?

Naturally, some enterprising metalwork can usually get around this...  _H*]

Date:	Tue, 25 Apr 89 22:42:00 EDT
From:	shz@io.att.com
Subject: Re: MEDECO locks

>If not, are there any high security locks that have keys which are
>difficult to copy?

	MEDECO Biaxial
	ABLOY DiskLock
	ASSA
	SECURITY 777

All of the above locks use restricted key blanks that are not available to
hardware stores or to most locksmiths.  The last three also require special
machines which are only available to contractually obligated dealers at a
cost of 2K to 3K.

Seth  Zirin, CPL
att!packard!shz

Date:	Tue, 25 Apr 89 23:25:00 EDT
From:	GREENY <MISS026@ECNCDC.BITNET>
Subject: re: Medeco Keys

   I had heard that Medco keys cannot be copied by your local locksmith...

Yeah, this is usually true, depending upon who your local locksmith is.
Most smaller locksmiths just don't have the money to purchase the special
machine which cuts Medeco keys.  Each key cut is cut at a specific angle
and the machine is *VERY* accurate.  Consequently, many locksmiths will
send your request for a key either to the factory, or to a larger outfit
which does have a Medeco key cutting machine.

Each Medeco key/cylinder comes with a "credit card" that has a specific
factory-assigned number on it.  When you ask for a duplicate key, the locksmith
takes the card, runs it thru a credit card like machine onto a special form
from Medeco, and sends the form, and whatever he/she/it charges ya for the
key (the place I work for charges $5.00/key + certified mailing costs).

Also the locks are pretty hard to pick, but not impossible.

One thing to consider tho, is that the security provided by the lock is only
as great as the surrounding door frame/door.  I.e.: If the door/door frame
are pretty cheesy, then having an $80 lock isn't worth it...

Bye for now but not for long
Greeny

BITNET: MISS026@ECNCDC
Internet: MISS026%ECNCDC.BITNET@CUNYVM.CUNY.EDU

Date:	Tue, 25 Apr 89 23:57:00 EDT
From:	rjg@sialis.mn.org
Subject: Re: MEDCO locks

Medeco has a range of varying security key blanks.  All differing in
their difficulty to copy.

They replaced a key system about two years ago.  Those keys can be
duplicated through contracted locksmiths.  It is assumed that they
will follow the Medeco guidelines for duplication (which is to require ID
against a "Valids" list, make the copies, then have you return to pick
them up).

The keys they replaced this system with are only available through
Medeco directly.

To duplicate the key, you must go to a contracted locksmith who has
your account on file.  You must request a key by _number_, and sign a
form.  You must be on a list of authorized parties...  Once verified
by the locksmith as to your identity, the request is delivered to
Medeco who also does their own verification against an authorization
file, and then make the copies.  The copies are shipped to the
locksmith, where you can pick them up, showing proper ID.

This is the plan, at least... :-)

But, keep in mind that a lock is only as good as the door and frame
around it.  If your hinges are exposed to the outside, pin the
hinges.  Also pay attention to the strike plate area.  A steel door
and steel frame can be pried far enough apart with a crowbar to let
you get in.  The lock does nothing for you here.  Cover the strike
plate zone with a door-strike guard, at least.  Next, can the entire
lock mechanism be cut out?  I've seen gadgets that attach to the door
handle, and a little battery operated cutting blade will cut the whole
lock mechanism out of the door.  Works on wood and steel.

You'll never beat them, but you can discourage them...

-- 
       Robert J. Granvin           
   National Computer Systems     "Looks like the poor devil died in his sleep."
       rjg@sialis.mn.org         "What a terrible way to die."
{amdahl,hpda}!bungia!sialis!rjg

Date:	Sun, 30 Apr 89 11:12:00 EDT
From:	gwyn@brl.mil
Subject: Re: MEDCO locks

As the moderator said, that's probably Medeco.  Machines for duplicating
Medeco keys are available to locksmiths.  The blanks are probably harder to
obtain, but anyone with access to a good milling machine could in principle
manufacture his own.  The main protection is that your corner drugstore is
probably incapable of correctly duplicating Medeco keys, and most locksmiths
realize that they are "high-security" items and should verify that you're
entitled to make copies before doing so.

Sargent's KESO series, since emulated with slight variations by other
manufacturers, uses dimples drilled into the sides of the blank rather
than notches cut out of the edge.  Not many key duplicators are set up
to duplicate/manufacture KESO keys.

I think forced entry is more likely for most businesses than unauthorized
key duplication; you can always rekey when an employee leaves (and it's
pretty easy to do so if you use interchangeable-core cylinders).

Date:	Thu, 4 May 89 14:18:00 EDT
From:	simsong@idr.cambridge.ma.us
Subject: Re: Medeco Keys

This has gone far enough.

When I was in New York, I was living with a cocaine dealer who had a 
Medeco lock on her front door.  I wanted a spare key for my girlfriend,
but the landlady wouldn't give one to me.

I took the key to a tiny, Israeli locksmith near 98th street and Broadway.
He measured the heights of each using a tool with a triangular hole in it
(with calibrations along the side), and wrote down the orientation of each
notch.  He then took a blank (that did not say "Medeco" on it) put it in
a machine and started cutting the key.  On each notch, he would change the
orientation of the blank in the machine, in accordance with the original.

The process took about 4 minutes and cost $5.00.  The key worked the first
time.

-simson

Date:	Thu, 18 May 89 06:16:00 EDT
From:	nugent@anubis.uchicago.edu
Subject: Re: Medeco Keys

Medeco patents each of their key blanks.  The patents on the older
keyways ran out a couple of years ago and blanks started showing up,
which is one of the reasons that Medeco has moved into the Biaxial locks.

I would be interested to know if the key you had copied had a round or
a square shoulder end (the part you hold onto).  I think all the older
keyways had round keys.  It is certainly interesting news if the
Biaxial Medeco key blanks are available in spite of the patent
infringement.  

Of course as people have pointed out, if you are good with a
machinist's file or a milling machine, not having the key blank is not
a problem.  But that kind of person is difficult to keep out of a bank
vault as well.

Todd

Date:	Wed, 7 Jun 89 20:55:00 EDT
From:	barnett@unclejack.crd.ge.com
Subject: Re: Medeco Keys

>On the other hand, picking a Medeco lock is again, significantly more
>difficult than other locks.

I was talking to someone selling home security units.
He laughed at a Medeco lock, saying someone invented a device that lets
you pick/defeat it in minutes.

Of course he wanted to sell me HIS security system.
-- 
Bruce G. Barnett	<barnett@crdgw1.ge.com>  a.k.a. <barnett@[192.35.44.4]>
			uunet!crdgw1.ge.com!barnett

[Moderator tack-on:  He was probably talking about the various Medeco
"mapping" devices, that were actually patented at one point.  I doubt if
these tools were ever marketed to locksmiths; they utilized some weaknesses
of the cylinder in really bizarre twisted ways, such as shoving a small wire
up the twist-limiting guide slot to feel where the top of the pin was.  You
would still have to cut a key based on what the tool told you.  You might
ask this fellow if he ever *saw* these tools being used...

_H*]

Date:	Thu, 8 Jun 89 06:31:00 EDT
From:	Stephen Wadlow <sw0y+@andrew.cmu.edu>
Subject: Re-keying  [Was:  Re: MEDCO locks]

Rekeying is feasible depending on the availability of pins.  Many
cylinders use a fairly standard pin (.115 in diameter, frequently in
.003 or .005 increments).  Medeco and a few other companies (Best
comes to mind) use different size pins that aren't as easily
available.  Medeco also requires very specific types of pins if they
are addressing the sidebar, otherwise, other pins are useless.

What I would really like to see is more venders going to the hex-nut
caps that medeco uses.  It would make re-keying much easier and
quicker.

			steve

======================================================================
Stephen G. Wadlow               Internet: stephen.wadlow@andrew.cmu.edu
				Bitnet:   wadlow@drycas
"Hey Man, A ship in harbor is safe, but that ain't what ships are for"

Date:	Tue, 13 Mar 90 23:34:00 EST
From:	jimkirk@outlaw.uwyo.edu
Subject: Medeco vs Keso vs Kaba

Any opinions of the Medeco lock versus the Sargent Keso
versus the Kaba lock?  The application would be on a safe door, and
one consideration beyond security against picking or destructive
entry would be vandalism by a frustrated burglar, which could lock out
the legitimate owner.  The Keso and Kaba seem very similar apart from
the angle of the Kaba's cuts, but I don't know how much better/worse they
might be compared against Medeco.

[for the curious, Keso and Kaba keys are flat with "dimples" of varying
depth which match opposing rows of pins in the cylinder; the key is not
one that can be easily duplicated, and with up to 20 pins it is difficult
to pick open!]

Date:	Tue, 3 Apr 90 16:46:00 EDT
From:	nagle@well.sf.ca.us
Subject: Re: Medeco vs Keso vs Kaba

      The first major installation of the Sargent Keso system was at
Case Institute of Technology in the 1960s.  It was then called the
"Maximum Security" system.  It wasn't.  One person had made a grand
master for the system within days of installation.

      Weaknesses:

	1.  There are only three depths for each dimple in the keys,
	    and they can be easily distinguished visually.  So, if
	    you get a glance at a key, you can remember the code
	    and make your own key later.

	2.  The keys are easy to make in a drill press.  The blank is
	    just a piece of rod with a diamond-shaped cross section.

	3.  This is really just an unusual form of pin-tumbler lock,
	    with all the usual vulnerabilities, including those of 
	    master-keyed systems.

				John Nagle

Date:	Tue, 3 Apr 90 18:09:00 EDT
From:	sgw@cad.cs.cmu.edu
Subject: Re: Medeco vs Keso vs Kaba

For picking purposes, I'd consider the medeco to be more secure (even more so
for their biaxial line, which actually may be the default by now).  I don't
expect that your average burglar would generally attempt to pick a medeco.
You also have the security that more people know of medeco locks as being
"high security locks" and may just avoid the lock.  

In terms of vandalism, I'd still go with medeco.  Medeco's have hardened 
steel rods inserted in strategic places so as to make drilling difficult,
so the brute force method won't easily work.  Also, the keyways are more
warded than the Kaba/Keso (which I have always seen as being totally 
unwarded) so it is far less likely that they will be able to wedge a 
piece of metal stock into the core just to annoy you.

The caveat of it all is that if the burglar wants in badly enough, (s)he'll
get in.  If they want to vandalize, they will.  All security systems have
their own weaknesses.  Some just aren't as easy to exploit as others.

			steve

Date:	Tue, 3 Apr 90 18:47:00 EDT
From:	"Joseph C. Pistritto" <jcp@cgch.uucp>
Subject: Re: Medeco vs Keso vs Kaba

Here in Switzerland, virtually every door is locked with a KESO style
lock, (I have seen one Medeco cylinder in use here, it was on a shop
door).  Locksmiths here know which blanks of Keso they're not supposed
to duplicate, (always the ones that are used for entrance doors).

Having seen a vandalized Medeco cylinder, I would guess that Keso is
better that way.  The keyway is somewhat narrower.  Against a really
determined vandal however, all key locks suffer from the 'fill up the
keyway with Araldite (the local epoxy glue)' technique.  I don't really
know how to defend against this effectively.  Also note that it can be
difficult in some Keso installations to remove the cylinder if you can't
insert a key!

======================================================================
Joseph C. Pistritto  HB9NBB N3CKF
                    'Think of it as Evolution in Action' (J.Pournelle)
  Ciba Geigy AG, R1241.1.01, Postfach CH4002 Basel, Switzerland
  Internet: jcp@brl.mil                       Phone: (+41) 61 697 6155
  Bitnet:   bpistr%cgch.uucp@cernvax.bitnet   Fax:   (+41) 61 697 2435
  Also:     cgch!bpistr@mcsun.eu.net
