April 26-27th, 2010

Epic Fail

Reading through my usual Fark Links, I came across a link with a title: "The secret to getting unlimited free rides on the NYC subway: A copy of the system master key, yours for only $27".

As a lockpicker, I was intrigued. The article in the NY Daily News just about made me choke on my beverage because I saw something that made me want to beat my head on the wall.

The article explained that various people had been caught selling master keys to the general public. These keys would allow anyone holding one to bypass fare collection at most if not all stations, and potentially access some not-so-public areas of stations and the subway.

What made me choke on my drink was the photo accompanying the article:

What caught my eye was the reporter, Pete Donohue, standing at an open gate to a station, holding up what I presume is the key in question. As a lockpicker I cannot stress how monumentally dumb this move is.

The article stresses the security risk of these keys being in the wrong hands; however, the reporter has completely destroyed any chance of stuffing the genie back in the bottle. *IF* the key he is holding in the photo is the real deal, then he has allowed anyone with access to a file to make their own in the comfort of their own home.

The Defecation Hits The Ventilation

Things hit the fan because it has been known for a while among security professionals, lockpickers and hackers that it is possible to copy a key entirely from a photograph. A reasonably high-resolution photo can reveal enough about the bitting (cuts) on a key to allow anyone to make their own copy. This was well documented in academic papers in 2008. Since keys from the same manufacturer all have cut depths of known measurements and increments, it is possible, through some fairly simple geometry, to determine the bitting of a key from a photo and then replicate the key by hand or by ordering it by 'code' from a locksmith. Mostly this involves comparing known distances on the key (the width of the key, etc.) to the cut depths. It was this technique that allowed researchers to successfully copy, from a photo in an online store, the key that opens *ANY* (then named) Diebold electronic voting machine expected to be used in the 2008 US elections.

It is my assertion that there is enough detail in the photo posted with the NY Daily News article to allow anyone to make their own copy of the key. At worst, someone could make a series of 'best guess' keys to try out and determine the master key with little or no effort.

I can already tell that the MTA, Locksmith, Lockpicker community and others are all saying: "But Render, it's a 'magic key' according to the article. This means it is probably some uber-special type of lock and there is no way to get a key blank for it". I already thought of that. Bear with me.

A follow-up article by the NY Daily News shows a picture of (what, once again, I am presuming is) the same key from the previous article, the master key in question:

The key is shown inserted in the lock of what is likely the same gate as in the previous photo, based on the file names (alg_subway_key and alg_subway_key2). This assertion is backed up in the photo by the previous author's participation, the bow shape (top of the key) and the blue cap on the key being visually identical. Also shown very clearly in the photo is the name "YALE" on the lock face. This pretty much eliminates any doubt as to the make of the lock, and it narrows things down greatly for an attacker. We can now guess the pin spacing and depths with a fair degree of accuracy.

I can still hear the shouting, "It's a magic key, so it must be a restricted keyway". *(A restricted keyway is a keyway shape that the company owns a patent on and, as such, is able to control who makes and distributes blanks, thereby hopefully making it so you can't have the key easily copied at a Home Depot or similar place.)* This would be fairly likely given the number of locks the MTA buys and the likelihood they would work with YALE to establish one. However, this would be easy to determine with a simple, clear photo of the keyway of the lock (easy to obtain on the sly with a modern smartphone or even a play-doh impression), and any catalogue of blanks will reveal in short order whether it's a restricted keyway or not. While a restricted keyway might deter some casual attacks, never underestimate a person with boredom and a Dremel. It may be possible to modify or fashion an entire blank to fit the keyway well enough to get the job done. Remember, the key can be cut anywhere, including far away from the subway and the authorities.


So, to conclude: the NY Daily News and Pete Donohue's decision to post the photos of the key in question (again, if it is the real key) has made the problem worse. The photos of the key and lock have made it very simple for others to fashion their own copies of this "Magical Key", thus undermining the entire point of the article about the seriousness of this key being loose in public and generally undermining security.

I would like to add that all of this was done based on public information through Google, the articles mentioned and well-known vulnerabilities in locks. I should also point out that I have a pretty decent idea of the bitting, which I will not post as I don't want to make it too easy or to get sued/arrested/worse. I will also add that I am 2000 miles away in Alberta, Canada as I write this and may have just successfully obtained the master key for the NYC Subway system while sitting on my couch and suffering from very little sleep.


I sincerely hope that this article is a complete waste of time, that the key pictured is not in fact the actual master key and that the reporter substituted another key. However, if this is not the case and that's the real key pictured, then the cat is out of the bag and the MTA now finds itself in a very tight spot: potentially having to re-key 468 subway stations with dozens (or more) locks each and re-issue hundreds, if not thousands, of new master keys at a substantial cost.

I would also hope that the MTA would take steps with the replacement master keys to ensure that, since this information is now public, the keys are protected from being photographed (belt rings, anyone...) or lent to non-authorized personnel for any reason.

I would invite the MTA, the media, and anyone interested in learning more about vulnerabilities in locks and physical security devices to come out to conferences like Hackers On Planet Earth in New York City, July 16-18th, 2010 or Defcon in Las Vegas, July 30-August 1st, 2010 and visit the lockpicking villages that offer all sorts of hands-on demonstrations of the strengths and weaknesses of the locks we use every day. I'll be there if you want to ask me about this in person.

render {at] renderlab (dot/ net

