💾 Archived View for gemini.spam.works › mirrors › textfiles › phreak › ving.car captured on 2023-01-29 at 10:51:38.

View Raw

More Information

⬅️ Previous capture (2020-10-31)

-=-=-=-=-=-=-

Subject: VingCard evaluation

Live from EveCon: We have completed our analysis of the VingCard
key system as used in this hotel, obtaining the following educational info
which has since been cleaned up and made presentable.

The lock is a matrix of 32 pins which have two possible positions each [sort
of like a vax...].  Two of these are special and aren't really used in the
keying.  The remaining 30 are constructed out of standard pin and driver
parts, except that all the drivers are the same length and all the pins are
the same length.  The pin-driver combinations sit pointing upward [the springs
are underneath] in a sort of matrix about  1.5 inches on a side.  Above each
pin-driver combination sits a steel ball.  The entire matrix is enclosed in a

	
plastic* assembly, part of which can slide "forward" [i.e. away from the


user].  Some of you may be familiar with the keys: white plastic cards about 3
inches long with a bunch of holes in one end.  Pushing this into the slot
until it "clicks" forward opens the locking mechanism.

The lock combination is set by inserting a similar card, only half as long,
into the *back* of the lock.  This card is the same thickness as the 
opening card and has part of the hole matrix cut out.  A juxtaposition of
this combination card from the back and the key card from the front
closes the matrix: i.e. if you overlay the combination and key cards in
their opening configuration, there are no open holes left, *exclusively*:
i.e. where there is a hole on the combination card there is solid on the
key card, and vice versa.  Thus the complement of the proper key card is
the combination card.  This is enforced by the placement of the ballbearings
and pins in relation to the sliders and top plate, so a workaround like a
card with all holes cut out or a solid card does not open the thing.

The combination card slides in between the conical pin ends and the steel
ballbearings [and is thus harder to push in than the key card].  The key card
comes in over the balls, and its thickness pushes the balls under its solid
regions downward.  So each pin assembly is pushed down, when the lock is open,
the same amount, be it by the key card hitting the ballbearing or the
combination card wedging the actual pin downward.  Clarification: Let us
define a "1" pin as a hole in the opening card.  Thus a "0" pin sits under a
solid portion of the opening card and a hole in the combination card.  A 0 pin
opens as follows:  Since the combination card lets the pin rise up against the
steel ball, the keycard pushes the ball [and its pin] down to the bottom of
the keycard slot.  This brings that pin to its shear line.  Simple.  Here's
the magic -- a 1 pin opens in the following fashion:  Since the combination
card is solid there, the steel ball is sitting directly on the commbination
card, and the pin underneath is *already* at its shear line.  If a solid
keycard portion arrives over this ball, the ball is pushed down  against the
combination card and *pushes the entire area of the combination card down
under it*, lousing up not only that pin's shear line but probably a few around
it.  Although a clever mechanism, this depends on the elasticity of the
combination card to work.  Note that as the key card is inserted and removed,
the combination card will be flexed up and down randomly until the keycard
comes to rest at its opening position.  [Correction to above: each pin really
has *three* possible positions.  Hmm.]

All this happens within the confines of the sliding *plastic* frame; this part
carries the two cards, the balls, and the top halves of the pins.  The 
stationary part underneath this contains the drivers and springs.  A metal
plate bolts down on top of the sliding piece, leaving a gap just big enough
for the key card.  If the screws holding this plate were to become loose,
the plate would rise up, the key card would sit too high up, and the lock
would not open.  All the positioning is done by the thickness of the keys
while they rest against the surfaces of their slots.  Therefore a piece
of thin cardboard will not serve as a duplicate key.  We found that two
pieces of plastic "do not disturb" sign, cut identically and used together,
were thick enough to position things correctly and open the lock.

A rough top view:....Pin mechanism:

    Back.    _ = top plate    Front ...      Back
  o   o   o   o.    <> = balls..________________________________
    o   o   o.    H = keycard HHHHHHHHHHHHH<>HHHHHHHHHH<>HHHHHH ##  QQ
  o   o   o   o.    O = comb. card -->  QQ OOOOOOOO<>OOOOOOOOOOOOOOOOOOOOOO
    o   o   o.    # = slider..QQ#  []    []    []       ##  QQ
  @   o   o   @.    [] = pins..QQ###[]####[]####[]#################
    o   o   o.    || = driver/.QQQQQ||QQQQ||QQQQ||QQQQQQQQQQQQQ
  o   o   o   o.         spring asm..QQQQQ||QQQQ||QQQQ||QQQQQQQQQQQQQ
    o   o   o.    Q = stationary.QQQQQ||QQQQ||QQQQ||QQQQQQQQQQQQQ
  o   o   o   o.        housing..QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ
     Front

It is hoped that the diagram on the right, with its three example pins, will
show sufficiently that if two holes concide the pin will rise too far, and 
if two solid places concide, the entire combination card would be pushed 
down by the ballbearings.  There is sufficient space underneath the combination
card for it to sag down and foul the shear line; it is normally held upward 
by the pins' spring tension against the underside.  This diagram may be
misleading if it is not understood that the balls are actually larger than
shown; i.e. the height of approximately three cards stacked up equals the
diameter of the ballbearing.  There is a thin layer of slider plastic 
between the keycard and the combination card, which separates them and retains
the ballbearings.

The @'s in the top view are the two magic pins.  These prevent the lock from
working at all unless a combination card is inserted.  They are a bit thicker
than the other pins and do not have ballbearing parts.  The slider above
the combination card slot here is solid, so these pins have nothing to do 
with the keycard.  They simply hold the lock shut if no combination card is
installed, regardless of what is done with a keycard.  Therefore if one were
to make a combination card that only pushed down these pins, a solid keycard
would work.  And if one inserts a solid combination card, the lock is already
open before you insert anything.  [This is a useful hack that will allow 
anyone to open the door with just about any tool, in case you are crashing lots
of people in a room, don't have enough keys, and don't feel like making more.
Naturally your security is compromised, but only those who know what's going 
on will be able to get in.]

The slider has a bracket bolted on to it, which reaches down toward the
doorknob and pushes a moveable sleeve with a square hole through it.  This
joins two sections of a three-section split shaft together, which allows the
outside knob to retract the bolt.  The inside knob is "hardwired" to the bolt
action and always opens the door.  The extra split in the shaft is so that
with the card in place, the lock will still behave like a regular split-shaft
knobset [and disable opening if the deadbolt is shot].

There is a hinged plastic door on the back [inside] of the lock, which is
held shut with a screwdriver tab inside a slot.  This is where the combination
card goes, although this door exposes enough to see the entire slider 
mechanism [except for its inner works; the entire back must be taken off
to get the slider out].  

Now, the security evaluation:  I see no clear way to "pick" it.  The rear pins
are hard to get at without touching the frontmost ones.  However, this lock
would be *very* easy to defeat, in the following fashion:  A thin tool about
the thickness of a keycard and about .2 inch wide can cover one column of 
ballbearings.  If this tool is slowly slid straight into the slot along 
each column in turn, the resistance encountered as it contacts each ball 
indicates whether there is a hole or not underneath it in the combination
card.  The combination card presses upward against the ball more strongly
than the pin's spring does, so this would allow one to map the combination
card and then construct the keycard complement.  This process wouldn't take
very long.  I therefore recommend that these locks be considered less than
high-security.  Furthermore, come to think of it, a small hole drilled in the
front plate [which I doubt is hardened] would make it easy to frob the
slider or split shaft.

_H*