This action might not be possible to undo. Are you sure you want to continue?
datagram, Summer 2009
Hello, I'm datagram, I run www.lockpickingforensics.com and www.lockwiki.com. I chose to write about Mul-T-Lock because they are interesting and (mostly) unique on a technical level. Additionally, there are few references on how they work outside of marketing material, especially for the newer models. (Plus, Han Fey already did Abloy!) This article analyzes Mul-T-Lock telescoping pin-tumbler systems throughout the company's nearly forty year history. We'll also look at security; attacks on the various Mul-T-Lock models and how the company has dealt with these problems. Finally, there are several appendices that provide keying, coding, and patent references for Mul-T-Lock systems. I can be reached at firstname.lastname@example.org. See http://www.lockpickingforensics.com/ for more contact information. Corrections, additions, comments, and criticism are all welcome. Note: While I know more than most about Mul-T-Lock systems there are many areas where I could use your expertise. I've done my best to note these places; please contact me if you can help! All contributors will be properly credited unless anonymity is preferred.
2. History of Mul-T-Lock
Mul-T-Lock is an Israeli lock manufacturer founded in 1973 by Avraham Bachri and Moshe Dolev. The motivation behind Mul-T-Lock began in 1972 when a customer asked a locksmith to install “four extra locks for her front door.” After installing the locks the locksmith consulted with a friend and the two (Bachri and Dolev) designed a multi-point locking system. They went on to form a company around their system, aptly named “Mul-T” Lock. The company gained international popularity over the next thirty years, designing and patenting a multitude of locking systems. Mul-T-Lock is currently one of the most recognized names in security, being used in a wide variety of high security installations, including many prisons. Mul-T-Lock was purchased by the ASSA-ABLOY group in 2000. Though they hold patents for various locking mechanisms, Mul-T-Lock are best known for their dimple pin-tumbler locks that feature telescoping pin pairs, also known as pin-in-pin. In a normal pin-tumbler, pin pairs have a top and bottom pin which separate at the shear line to open the lock. In a telescoping system there are two sets of pin pairs, one outer pair and one inner pair. The outer pin encases all but the tips of the bottom inner pin pair. Both inner and outer tumblers must be properly aligned at the shear line to open the lock.
Mul-T-Lock: Design and Security (LockpickingForensics.com) 1/56
It appears the original idea for telescoping pins dates as far back as 1897. Thorsten Rydberg's 1897 patent titled “Lock” describes a lock in which “each tumbler consists of such a severed pin or bar (solid or hollow) surrounded by one, two, or more concentric tubes, severed and springactuated in the same manner as the pin, or it may be of only two or more concentric tubes made to slide in each other.” Unfortunately the patent images are not very clear, but the text clearly describes telescoping pins. In 1914 an interesting telescoping pin-tumbler patent was granted to Christian Hansen of Davenport, Iowa. In Hansen's design, a double bitted pin-tumbler key is used to position telescoping pin pairs (Figure 2.1) on the top and bottom of the keyway. In his design there are inner pins, intermediate sleeves, and outer sleeves. One of Hansen's claims is the ability that the key can be withdrawn in either horizontal orientation, an interesting effect of the position of tumblers and an inverted key bitting. The negative effect of this claim is that number of key differs is drastically reduced for the sake of usability. Hansen provides a complex description of the telescoping pins: “The radial inner pin 24 and the sleeves 26 and 28 of each tumbler, upon insertion of the key 14, are moved outwardly the proper distance so that their outer ends come into registration with the periphery of the key cylinder 9, whereby the latter may be turned.”
Figure 2.1: 1914, Patent images showing a dual-bitted pin-tumbler key with telescoping pins on the top and bottom of the key blade.
Mul-T-Lock: Design and Security (LockpickingForensics.com)
In 1935 Clarence L. Williams and Earl M. Simmons were issued a patent that describes a lock with components described as a “double interfitted pin type.” The patent image (Figure 2.2) shows telescoping pins being used on a traditional pin-tumbler key on both the top and sides of the bitting area. The design of the telescoping pins in this patent most closely resemble early generations of Mul-T-Lock telescoping pins.
Figure 2.2: 1935, Patent images showing outer (13/15) and inner (14/16) telescoping pin-tumblers on the top and side of the keyway. In 1977 Avraham Bachri and Moshe Dolev, founders of Mul-T-Lock, were granted a patent for a telescoping pin-tumbler lock. Unlike the 1935 version, this would have only one row of telescoping pins and would use a horizontal keyway and dimple key. Another important addition was the inverted mushroom security pins and the use of a rounded mating surface between the pins, plug, and cylinder. This would improve tolerances to enhance keying capabilities and pick resistance. Noach Eizen and Rishon Lezion of Mul-T-Lock were granted a patent in 1987 for a similar telescoping pin lock. The 1977 and 1987 patents are the basis for the Mul-T-Lock Classic model. The Classic began a rich history for Mul-T-Lock, the basic principles of which still exist in modern Mul-T-Lock designs. The next few sections will discuss the various Mul-T-Lock models, how they work, and varieties in their design.
Mul-T-Lock: Design and Security (LockpickingForensics.com)
3. Mul-T-Lock Classic
The original Mul-T-Lock telescoping design, patented in 1977, is dubbed the Classic version. The Classic is a dimple lock featuring four or five telescoping pin stacks. The addition of telescoping pins does not change how a dimple pin-tumbler lock works, fundamentally. Pins must still be raised to the correct position; only now that includes both inner and outer pins. When all pins are correctly positioned at the shear line the plug can rotate. One important distinction is that inner and outer pins can be raised to different heights, and a specially cut key is required to do so. Figure 3.1: The Mul-T-Lock Classic, 006 Keyway
The Mul-T-Lock Classic is the first in a series of telescoping locks developed by Mul-T-Lock. From the outside it looks like a standard dimple lock (Figure 3.2). When disassembled we see a unique look to both the pin-tumblers and the plug. When the correct key is used inner and outer tumblers are aligned at the shear line (Figure 3.3). When an incorrect key is used inner and outer pairs are misaligned, causing the shear line to be blocked by one or both sets of pins. This design is the basis for all Mul-T-Lock telescoping systems.
Figure 3.2: A Mul-T-Lock Classic rim cylinder assembled and disassembled.
Mul-T-Lock: Design and Security (LockpickingForensics.com) 4/56
Figure 3.3: The Mul-T-Lock Classic when the correct (top) and incorrect (bottom) keys are used.
Figure 3.4 (Left): Standard Classic inner and outer bottom pins Figure 3.5 (Right): An inverted mushroom (outer) bottom pin The bottom pins consist of an inner and outer pin pair (Figure 3.4). The inner pin is spooled to prevent it from falling through the outer pin, but it also acts as a mild anti-picking mechanism. Outer bottom pins are generally standard, though there are variations that resemble an inverted mushroom that provide picking resistance (Figure 3.5).
Mul-T-Lock: Design and Security (LockpickingForensics.com) 5/56
7: Spooled.6).7.6: Assembled and exploded views of standard Classic top pins The top pins consist of a three piece assembly of outer pin. Mul-T-Lock: Design and Security (LockpickingForensics. Outer top pins have a variety of security designs. including: spooled. This design is a result of a serious vulnerability known as the “Michaud Attack. Mul-TLock is interesting because they've used various designs. right) and combined with bottom pins that have internal milling for additional pick resistance. A traditional spring is used above the top pins to push all pin stacks down. and serrated (Figure 3. Serrated are the most popular security pin in almost all Mul-T-Lock systems. but only partially. serrated.” discussed further in Section 8. and inner spring (Figure 3. most companies stick with one. and mushroom top pins. and the design of the top pins allows the inner pin to escape the top pin. inner pin. Figure 3. mushroom.Figure 3. Security Analysis. Also note the serrated inner pin (right). Inner top pins can also be lightly spooled (3.7). The inner spring pushes down on the inner pin stack.com) 6/56 .
Of course. Mul-T-Lock: Design and Security (LockpickingForensics. When used in a 4 pin lock. and I have only run across a couple in the dozens of Classic keys I own or have had access to. a skilled machinist could easily reproduce a Classic key. can be bitted for 5 pins. These are somewhat rare. the first four cuts manipulate tumblers and the fifth is unused.8: Bitting of a Mul-T-Lock Classic key.Figure 3. Notice the concentric cuts used to position each telescoping pin.8). meaning further insertion is prevented by the tip of the key contacting the cam (back) of the lock. keyway 006C. Though the majority of Classic keys are sized alike.com) 7/56 . a specially cut key allows telescoping pins to be raised to different heights. Classic keys are also “convenience” keys because either side can be used for proper operation. this only defends against casual duplication. This is interesting because it means that all Classic keys. whether they be for a 4 or 5 pin lock. there are some that use a shorter key (cuts are still properly spaced). All Classic keys are tip stopped. Keying Specifications Unlike traditional pin-tumblers. especially due to the horizontal orientation of the dimple key. Cuts are a combination of two concentric rings. This provides increased key security because handmade keys are difficult to make. one each for inner and outer pins (Figure 3.
Mul-T-Lock: Design and Security (LockpickingForensics. the inner pin must be 3 or higher. Warding on the blade is the most common.857 theoretical key differs in a five pin Classic (175). and in the Classic warding extends the full length of the blade.14). Master keying and side pins are discussed thoroughly in the Mul-T-Lock Interactive section.11). and so on.9: Classic bottom pins (all).9). Mushroom bottom pins can be used but only as C and D pins.12). There are other variations which use multiple wards. with D being the largest.Figure 3. but between inner and outer pins there are a few restrictions: • • With a D outer pin. the inner pin must be 2 or higher. designated A-D. Combinations of blade and side warding make for rather complex key blanks and allow for a wide range of key profiles (Figure 3. and works like master keying in a normal pin-tumbler lock. The number of real differs is naturally lower due to key restrictions against easy to pick patterns. The 06 keyway is the most common.10). There are four depths available for outer pins. with 5 being the largest (Figure 3. with two single wards along the blade of the key (Figure 3. master keying. Classic keys can be warded on both the blade and side of the key. Side (profile) pins are also available but uncommon. Notice the difference in lips on the mushroom pins. There are five depths available for inner pins. but is still fairly accurate.) There is no Maximum Adjacent Cut Specification (MACS) for the outer pins. but instead use side warding. designated 1-5. though it is more common near the bitting area (Figure 3.13). and a total of 1.419. With a C outer pin. Blade warding can be used anywhere on the blade. Master keying is provided by the use of small master pins (both inner and outer). (Note: Full key and pinning specifications are listed in Appendix A. as well as off-center warding (Figure 3. All of this put together allows 17 combinations of inner/outer pin per chamber. Most sidewarded keys use a single ward down the center of the side of the key (Figure 3.com) 8/56 . Some Classic keys do not use blade warding at all.
com) 9/56 .10 (Left): The 006C.13 (Right): A comparison of side warding on two different Classic keys.11 (Right): A Classic key with light warding on the edge of the blade. Mul-T-Lock: Design and Security (LockpickingForensics. Figure 3.Figure 3. by far the most common Classic key profile.14 (Bottom Left): A key with complex blade and side warding patterns. Figure 3.12 (Top Left): A key with no blade wards but a single side warding. Figure 3. Figure 3.
Right-Up/Left-Down is the most common (Figure 3.15). The most common is the black plastic square shaped bow. The patent on Classic keys and key bows ended in 2007. The last (right) is shared with the Interactive. but if we consider locks mounted upside down (such as European profile cylinders) there are four total.15: Classic key bow styles. Bitting Orientations In addition to key blanks and warding. Figure 3. Mul-T-Lock: Design and Security (LockpickingForensics. keys may be bitted on either side of the key.com) 10/56 . Figure 3.16). There are two orientations of the blank (Figure 3. which we'll discuss in Section 8. Bitting orientation must be considered when choosing lockpicking tools.16: Left-Up/Right-Down and Right-Up/Left-Down bitting orientations. Orientations are classified by the side of the plug pins are located on and if they point up or down.1). but key bows are available in ten different colors.The Classic has three styles of key bow that identify it. Security Analysis. two of which are unique (Figure 3.
above the keyway and steel rods. are hardened steel rods above and below the keyway (Figure 3. More on what UL certification means in Section 8. near the second and third pin chamber. One is normal. in both the UL and non-UL cylinders.17). and the other used for UL 437 certified cylinders (cylinder is stamped “UL”). The UL version provides better resistance to attack. Most Classics also use a ball bearing at the top of the plug. Figure 3.17: The UL (left) and non-UL steel rod inserts in a Classic cylinder. above the keyway and upper steel rod (Figure 3. Figure 3. The other components used. above and below the keyway.Destructive/Forced Entry Protection The Classic provides various additions that make it resistant to forced entry.18 (Left): Hardened steel rods are inserted in the plug.19 (Right): A ball bearing sits at the top of the plug. Mul-T-Lock: Design and Security (LockpickingForensics. overall.com) 11/56 .18). above the plug (Figure 3. Figure 3.19). There are two versions of anti-forced entry components. Security Analysis. The difference is in the use of two extra steel rods in the cylinder. Euro profile type cylinders may also use steel inserts in the cylinder and plug.
Of course. including those of the present day. Many of the principles of the Classic are used in other models. While they provide a similar telescoping pin system. Mul-T-Lock: Design and Security (LockpickingForensics. and in my opinion is probably “good enough” for most small businesses. but you can still get the Classic from many online vendors and local locksmiths.Classic Clones Since the patent expired on Classic cylinders and keys. the quality of most of these knock-offs is poor. various companies now produce knockoff versions of Classic cylinders and key blanks.com) 12/56 . Now that the patent has expired most dealers have began promoting the Interactive instead. the Classic has since been superseded by newer models. In the next section we'll look at the second generation of Mul-T-Lock telescoping locks. Most do not have manufacturing tolerances as high as a legitimate Mul-T-Lock and usually do not include security pins or the antiforced entry inserts. the MulT-Lock Interactive. but it is still a great medium security cylinder (by modern standards) for residential use. Conclusion The Classic began a rich history for Mul-T-Lock.
and key Mul-T-Lock: Design and Security (LockpickingForensics. key bumping. but the moving element has a surprising effect on design and security.2: Top and side views of the plug's interactive chamber. and serrated top pins are again the most popular.1: The Mul-T-Lock Interactive. At heart it is still a four or five pin dimple lock that uses telescoping pin-tumblers. Mul-T-Lock Interactive Patented in 1994. anti-forced entry components are the same. the Mul-T-Lock Interactive takes the design of the Classic one step further by using a moving element in the key to interface with one of the pin stacks. and visual decoding. The Interactive (moving) Component The Interactive is functionally equivalent to the Classic in most ways. All keys are tip stopped by the cam. 206 Keyway Figure 4.com) 13/56 . the Interactive provides heightened security against unauthorized key duplication. When compared with the Classic. It uses the same top and bottom pin designs.4. Figure 4. various warding styles are used. impressioning.
overall. Mul-T-Lock: Design and Security (LockpickingForensics.com) 14/56 . The main difference is the chamber with the moving element. to the correct position (Figure 4.3: The Interactive moving element in the default (left) and raised (right) positions. a normal pin stack is used but on the bottom of the plug is a spring-biased component that resembles a pin tip (Figure 4. the moving element is always in the first pin chamber and the key uses the second cut as the moving element. In that chamber. Figure 4. and thus the pins.4: The Interactive moving element can be in the first or second pin position. Figure 4.4). Security Analysis. The moving element in the lock may be in the first or second pin chamber. In four pin models.3).2). having the moving element in the second chamber is better. In my opinion. with the moving element on the key in the same position (Figure 4. Further discussion on this will be saved until Section 8. The pin tip raises the moving element on the key.bitting may be in either orientation.
and Black moving elements. raises both pins equally Concave. each raises the inner/outer pins differently (Figure 4. The number of side pins available is the same as the number of telescoping pin stacks. and left in a Left-Up or Left-Down lock. Side Pins The Classic and Interactive can also use side pins (Figure 4. raises outer pin higher Pinning A-0 Z-0 Z-1 Figure 4. Bitting for side pins is on the side of the blade and corresponding cuts are located in the plug and cylinder (Figure 4. raises inner pin higher Flat.There are three types of moving element. Side pins are always located on the same side as the pins.5).5: Left to right – Gold. and five in a five tumbler lock. Side pins are an optional passive key profiling mechanism used to ensure the correct key is used. which defines how inner and outer pins are raised: Color Gold Silver Black Code Type/Description G S B Convex.6). right in a Right-Up or Right-Down lock. Moving elements are classified by color. Figure 4.com) 15/56 . four in a four tumbler lock.7).6: A Mul-T-Lock Interactive Side Pin Mul-T-Lock: Design and Security (LockpickingForensics. Silver.
Many people mistake these for magnets or some form of electronic component. Figure 4.8: Interactive vs.Figure 4. Similar bores are located in the cylinder to restrict plug rotation when an improper key is used.com) 16/56 . for outer and inner pins. The main advantage of the moving element is the ability to lift pin stacks higher than the top of the keyway. machining blanks for the Interactive is much harder because placement and style of the moving element must be considered. With this information we can produce a working key on a proper Interactive blank. Keying Specifications The moving element makes the Interactive key visually distinct. Classic. smallest pins The moving element also prevents the ability to directly cast and impression a key. Each is a cut smaller than the Classic's smallest pins (Figure 4.8). At the same time. Mul-T-Lock: Design and Security (LockpickingForensics. something a normal key cannot do. This ability adds two additional pins to the Interactive. but they are just a moving piece of metal. including the position and style of the moving element. respectively. Figure 4.7 (Right): Side pins inserted into an Interactive plug. though a cast of the bitting may be used to decode the key. They are Z and 0 (zero).7 (Left): Side pin bitting on the side of an Interactive key.
One important distinction is that Interactive keys can never have warding extend past the moving element. While it doesn't remove the possibility of attack. This is why the moving element is restricted to the first two chambers. though. down about 2/3 from the Classic. manufacturing. Figure 4. In spite of this. Security Analysis.10). with the 2 prefix because the moving element is in the second position.10 (Right): Interactive keys with and without warding on the edge of the blade. which means cylinders can never have visible warding. Warding patterns in the Interactive are as varied as the Classic.9). Of course the use of side pins increases this number quite a bit. though in my experience most Interactives do not come with side pins. Mul-T-Lock: Design and Security (LockpickingForensics. especially since a key with the incorrect moving element simply will not work. make the Interactive stronger. or simulating Interactive keys also helps to ease fears.126 (174 * 6). All in all this is a strange combination of factors that. While there is limited side warding. Having only three types of pinning available for the Interactive chamber reduces our theoretical key differs to 501. More on this in Section 8. It also means that any lock observed with warding can't be an Interactive. regardless of the other cuts.The Interactive has downsides. Like the Classic. wards on the edge of the blade are common (Figure 4. but side warding is limited due to side pins. it does make the job of gathering information harder for the attacker. the most common Interactive profile is the 206 (Figure 4. we couldn't heavily ward a key with it in the fourth or fifth position.com) 17/56 . This is important because it implies the keyway profile of an Interactive lock cannot be casually observed without special tools to look deep into the keyway (which may be problematic because of the pins) or an analysis of the key. in my opinion. with the G (Gold) moving element. Regardless of the decrease. The difficulty in obtaining. it is likely an attacker could just file down the tip of a key to bypass the wards. many complex warding schemes are used to provide a variety of key profiles.9 (Left): The Interactive 206 key profile. Figure 4. the number is still high enough to prevent key interchange. Even if we did.
but examination of the key to identify the moving element can clear up any confusion. left) provides master keying for both inner and outer pins. Master Keying The Classic and Interactive models provide for complex master keying systems through the use of three types of traditional master pins (Figure 4. The rounded plastic design is shared with the Classic.12: Three styles of master pins used in Classic and Interactive models. with 3 being the largest.13). two of which are unique (Figure 4. and external master pins as 1 to 3.12.The Interactive uses three styles of key bow. The external master (4. Mul-T-Lock: Design and Security (LockpickingForensics. center) and the internal master (4.com) 18/56 . The patent for Interactive keys expires in 2014. but are often combined to avoid MACS problems between inner and outer pins.12.11). with 4 being the largest. The external and internal masters can be used individually.11: Mul-T-Lock Interactive key bows. Figure 4. Figure 4. right) provide master keying for outer and inner pins individually.12. I've seen key gauges list the pinning for inner master pins as 1 to 4. The first two are unique to the Interactive. The one I own lists them in millimeters instead of by code (Figure 4. The solid master (4. There are 4 sizes available for inner master pins and 3 sizes available for external master pins.12).
left) for additional master keying requirements. These each have their own pin codes based on what shape they are (Figure 4. Again. because we need to consider the MACS between inner and outer pin stacks. I'll leave figuring out the math up to you :) In addition to the three traditional master pins.12.14). For example.13: A Mul-T-Lock Classic/Interactive key gauge with 0/Z and master pins included. and X+ is a concave key cut. Of course.is a convex key cut. X. three types of solid bottom pins can be used. but with a maximum of 4 (D).com) 19/56 . Mul-T-Lock: Design and Security (LockpickingForensics. with any inner pin we add its value to the master pin.Figure 4. and if that number is higher than 5 it can't be used. all we need to do is run the numbers to make sure we're within our limits. XX is an even key cut. when using master pins we must consider the pinning rules when master keying locks. Each of the solid pins can be combined with solid master pins (4. These shapes are similar to the floating pin styles. This isn't too hard if we consider all pins to be numbered. The same goes for outer pins. Using the inner or outer master pins individually is trickier.
The difficulty in visually decoding the keyway profile of an Interactive is an interesting sideeffect of the design of the Interactive component. offering a variety of additional and improved security features. Conclusion The Mul-T-Lock Interactive is in many ways an improvement over the Classic. but the solid pin chambers will only have 5. Security Analysis. Of those. using the solid master pins drastically reduces the number of available key differs for a given lock. more can be added with solid master pins. A normal telescoping chamber will have 17 combinations of pins. more difficult.Figure 4. as well as the troubles associated with obtaining or creating the correct key blanks.com) 20/56 . In the next two sections we'll discuss variations on the Interactive design. especially bumping. the inability to directly cast a key is important. but this is at the expense of pick resistance and key interchange. the CLIQ and 3-in-1. The Michaud attack is discussed in-depth in Section 8. Why use solid bottom pins? They were implemented (as far as I know) as a standard part of master keying to defend against the Michaud attack. Mul-T-Lock: Design and Security (LockpickingForensics. Of course. Again. one that makes many techniques.14: Solid bottom pin shapes and codes used in master keying.
The CLIQ system is used in several other ASSA-Abloy locks.com) 21/56 . The main difference between Interactive and CLIQ locks are the CLIQ components on the bow of the key and inside the plug and cylinder of the lock itself. Introduced in 2004.1: The Mul-T-Lock CLIQ.2). the Mul-T-Lock Interactive CLIQ is a combination of the Interactive cylinder with an electronic authentication system known as CLIQ.com). The electronic components on the key bow make these keys stand out when compared with other Mul-T-Lock keys (Figure 5. Mul-T-Lock: Design and Security (LockpickingForensics. we see that the bow is actually hollow with electronic components placed inside of it (Figure 5. such as the ASSA Twin and Abloy Protec.ericschmiedl.1). When disassembled. The mechanical portions of the key and lock are mostly the same as the Interactive so we'll skip discussion of them. Key bows are oval and come in a variety of different colors. Developed by ASSA-Abloy for their other product lines.5. the CLIQ was made available to Mul-T-Lock after they joined the ASSAAbloy family in 2000. Figure 5. Figure 5. Mul-T-Lock CLIQ Note: All the photos in this section (except the SynerKey) are taken by and used with the permission of Eric Schmiedl (http://www. Euro profile.2: Disassembled and close-up view of the Interactive CLIQ key's electronics.
Note the lack of bitting cuts.5 (Right): The Mul-T-Lock CLIQ cylinder with sidebar recess shown. Figure 5. Control keys (“C-keys”) look similar to normal CLIQ keys. a sidebar-like system is used by the CLIQ to restrict rotation of the plug until authentication has taken place (Figure 5.3).5). Figure 5.4 (Left): The Mul-T-Lock CLIQ plug with the electronics shown. Inside the lock. Control keys cannot actually open the lock because they do not contain any bitting cuts or Interactive element (Figure 5. Mul-T-Lock: Design and Security (LockpickingForensics.3: Control key with CLIQ electronics exposed. At the bottom of the cylinder and plug.4). a large portion of the plug has been replaced with electronic components to power the CLIQ (Figure 5.Figure 5. but are used to reprogram the lock's internal CLIQ electronics and read the audit log.com) 22/56 .
) The sidebar is rather untraditional. If the numbers match. Security Analysis.6).6) contacts the inside of the lock. the CLIQ stores audit logs of authentication successes and failures (the last 1. master keying with the CLIQ is considerably simplified compared to traditional. The plug decrypts the number and compares to its own. Unfortunately. A more thorough discussion of CLIQ security and possible attacks is located in Section 8. Of course. Electronic Communication When a small contact on the side of the key (visible in Figure 5. Once authentication is successful the electronics rotate a blocking piece to allow the sidebar to drop into the plug (Figure 5. If not. I don't have more detail on this process.com) 23/56 . it will blink red. The key answers by encrypting its own number and sending it to the plug. the key sends a small pulse to power on the lock. and in shape it's more like a large side pin. but instead are powered by inserting the key. Audit logs can be read from the lock using the control key. Mul-T-Lock: Design and Security (LockpickingForensics.Figure 5. Mul-T-Lock refers to this as a “wakeup signal.000 attempts). If authentication is successful the LED on the key bow will blink green. mechanical master keying because of the relative ease with which keys can be added and removed from the electronic system.6: The CLIQ plug restricting (left) and retracting (right) the sidebar controls. In either case.” Once awake. the plug generates a random 64 bit number and broadcasts a challenge. Assuming the telescoping pins are also properly aligned. the sidebar is released and the plug can rotate. the plug can now rotate and unlock the lock. the addition of traditional master keying with a CLIQ system's electronic method may be preferred for sensitive installations as an added precaution. (Note: The actual sidebar component is not shown. The CLIQ components inside of the lock are not battery powered. Please contact me if you can help! Communication between the CLIQ key and lock takes place with 3DES encryption and claims to offer 264 possible authentication token combinations. Management of CLIQ authentication tokens is provided by Mul-T-Lock through a variety of software packages and the reprogramming keys. At the same time.
I would guess this isn't the case. An upgraded version of this is known as the SynerCLIQ.8 (Right): The SynerCLIQ Interactive key Conclusion The CLIQ is one of Mul-T-Lock's most complex models. it is currently unclear whether or not the 2014 patent expiration date for the Interactive will affect the ability to obtain CLIQ blanks.com) 24/56 .7 (Left): The SynerKey (non-CLIQ) Interactive key Figure 5.7). At the time of writing this the Mul-T-Lock Interactive CLIQ is considerably more expensive than almost all other Mul-T-Lock models.SynerKey / SynerCLIQ A similar system is the SynerKey. Figure 5. contact information is available in the introduction to this paper. but I'm not sure. The SynerCLIQ can be identified because the key bow has a distinct logo when compared to normal CLIQ keys (Figure 5. While the CLIQ uses the Interactive components and similar key. which is a CLIQ system with transponder included in the CLIQ bow. It provides the same basic anti-forced entry components as the other models.8). These are not CLIQ locks. but the electronic element makes covert and surreptitious attacks harder. More on this in Section 8. The actual security of the CLIQ is currently a hot topic. Research by Marc Tobias and Tobias Bluzmanis identified various electronic and mechanical design flaws. Security Analysis. Mul-T-Lock: Design and Security (LockpickingForensics. or at least those without an electronic component. which is a traditional Interactive key with a RFID transponder in the key bow (Figure 5. While it provides a high level of security. it is cost prohibitive for all but the most sensitive installations. The SynerKey may be an effective alternative for small to medium sized installations. but they do have their own special key bow. Please contact me if you can answer this. with cylinders alone retailing at $700-1000 USD.
com) 25/56 . some of the inner top pins have a modified design. All other pins in the lock are standard. At this point. Figure 6. There are Classic versions of the 3-in-1. the previous (non-construction) keys do not work. but their internals are the same.2). Mul-T-Lock 3-in-1 The 3-in-1 is a user-rekeyable form of the Classic and Interactive systems. Second. Mul-T-Lock: Design and Security (LockpickingForensics. which uses the same Interactive components. The 3-in-1 works like a construction keying system but takes advantage of the telescoping tumblers to do so. In a traditional construction keying system. This section will focus on the Interactive 3-in-1. Unlike the CLIQ. When normal keys are used the ball bearing remains below the shear line. the inner pins used for construction keying each have a small ball at the top (Figure 6. When we disassemble the plug we notice two oddities (Figure 6. It allows the user to progressively re-key the lock up to three times given a set of pre-supplied keys. a ball bearing is placed in one of the pin stacks. the ball bearing falls into a bore on the side of the plug and is removed from the pin stack. The 3-in-1 functions on the same principle. First.1). except it uses a break-away component on inner pin stacks instead of a free-floating ball bearing. with modified inner pins and construction keying bores.6. acting like a master pin.1 (left): 3-in-1 plug. When the construction key is used the ball bearing is raised above the shear line and the cylinder is turned.2 (right): 3-in-1 inner pin with breakaway ball on the top. The bores are considerably smaller than the outer pin stacks. Figure 6. construction keying bores are located on the side of each pin chamber. When the plug is rotated. When removed from the pin stacks. the 3-in-1's re-keying function changes the internals slightly.
com) 26/56 . The 3-in-1 comes with three different color keys.4). Mul-T-Lock: Design and Security (LockpickingForensics. From lowest to highest. Each key color represents a level of access in the 3-in-1 system. Figure 6. only the green keys work. Rotating the plug allows the ball to fall into the bore on the plug. The green keys raise all construction pins high enough that the top of the construction ball aligns with the shear line (as in Figure 6.5 (Right): Use of the key breaks the ball and drops it into the plug bore. they are green.3: The 3-in-1 system uses a color progression to signify access levels.1).5). and red (Figure 6.4 (Left): The yellow key raises the inner pin's ball above the shear line. Figure 6. The yellow key is then forcibly rotated and the ball snaps off. removing it completely from the pin stack (Figure 6. yellow. At this point only the yellow key can operate the lock. the yellow key is inserted. This raises one of the construction balls above the shear line (Figure 6. creating a new shear line.Figure 6.3). When it is time for the keys to change. When the lock is brand new.
Again. It is considered a variation on the traditional Classic and Interactive designs. In either case. The 3-in-1 can technically be made into a five level system. Conclusion The 3-in-1 is a fairly simple construction keying implementation using Mul-T-Lock's telescoping pin system. the red key is inserted. only the red key will operate the lock. In the Classic 3-in-1. At this point. Note that if we wanted to we could go straight to red.7).6).com) 27/56 . 3in-1 keys may be reused in traditional Interactive cylinders and vice versa. Figure 6. we snap off the remaining balls with rotation of the key and they are deposited into the plug bores (Figure 6. The same may be done for blue square plastic Interactive bows if keyed by a locksmith.After the yellow key is used we can again re-key the lock with the red key.6 (Left): The red key raises all balls above the shear line. The next section will discuss Mul-T-Lock's newest systems. but few real-world applications require that much re-keying in a short period of time. the MT5 and MT5+. the Black square plastic bow is commonly used with colored bow inserts to signify keying level. but for the most part it functions in exactly the same way. Mul-T-Lock: Design and Security (LockpickingForensics. while Classic keys may also use the same bow and colors a quick examination of the key can determine if it has the Interactive component. 3-in-1 keys are easily identified because factory original keys follow a green-yellow-red bow progression and only use the square plastic key bow design. as it will raise both balls above the shear line (Figure 6.7 (Right): Use of the key breaks the balls and drops it into the plug bore. it will raise the other ball above the shear line. Being normal Interactive keys. The same logic applies. Figure 6.
but the MT5 model is essentially the same thing without the sidebar. Alpha chamber (far left).2: The MT5/MT5+ plug. dubbed so because it is the fifth generation of Mul-T-Lock's telescoping pin system. Mul-T-Lock MT5/MT5+ The newest Mul-T-Lock design is the MT5. when people refer to the MT5 they are usually talking about the MT5+. Introduced in 2007. This section will focus on the MT5+.com) 28/56 . Figure 7. anyways! The MT5+ is a major improvement on the previous MulT-Lock designs. the MT5 contains the standard telescoping pins and a new moving element called the Alpha spring. In my experience. The MT5+ version also uses a slider-based sidebar system. showing five telescoping pin pairs. Mul-T-Lock: Design and Security (LockpickingForensics. 05 keyway Figure 7.7.1: The MT5+. It is a high-security cylinder that offers additional key control and resistance to compromise when compared to previous Mul-T-Lock models. and anti-drilling/grinding ball bearing.
the plug walls pinch the Alpha spring into the key. The sixth chamber is used for the Alpha spring.3 (Left): MT5/MT5+ bottom pins.4 (Right): Top and bottom pins of the Alpha spring chamber (chamber six). This is strange given the Interactives variety. currently.6). Mul-T-Lock: Design and Security (LockpickingForensics.5) and is used to interact with a sixth pintumbler pair. First.The primary locking components in the MT5 are still a set of five telescoping pin-tumblers (Figure 7. Figure 7. slightly different design than older models. The sixth pin chamber is used for the Alpha spring.2).4). it is not a telescoping but instead a traditional top pin with a very unusual bottom pin. discussed a little later. a cast of the bitting cuts may be used to decode the key and produce a working key. which share most pins. The chamber used to hold the Alpha pin stack is also unique as it only exposes the pointed part of the bottom pin (Figure 7. Like the Interactive. Top pins look the same as they did in the older models and serrated are again the security pins of choice. Instead. the Alpha spring prevents the ability to directly cast a working key. It doesn't seem like this is the case. Figure 7. Unlike the Classic and Interactive. the plug walls push the Alpha spring up to raise the pin in the Alpha chamber (Figure 7. It is unclear if the MT5/MT5+ use different size springs.com) 29/56 . causing variations in the Alpha chamber. When the key is fully inserted. the new moving element.3). we notice the Alpha spring sits in the center of the key. While the key is inserted. Pins in this chamber are not telescoping and are quite unique (Figure 7. but all samples I have access to are the same.7). Alpha Spring The Alpha spring sits near the tip of the key (Figure 7. The pin it raises is rather unique. the MT5 pins look a bit different (Figure 7. Looking at the key. Please contact me if you can confirm this! Contact details are available in the introduction to this paper. away from the bitting area.
Mul-T-Lock: Design and Security (LockpickingForensics.Figure 7. Instead.7: The Alpha chamber is not drilled like a traditional pin chamber.6 (Right): The Alpha spring component (cutaway key) is raised by the plug walls. Figure 7. Figure 7.com) 30/56 .5 (Left): The Alpha spring component at the center of the tip of the key. it only exposes the pointed part of the bottom pin.
Actuated by five free-floating sliders. MT5+ Sidebar MT5+ models have one major improvement over the MT5. The sidebar is made of nickel-silver and is positioned at the bottom of the plug (Figure 7.10).9). The MT5+ does not have this problem.Figure 7. Many sidebar systems became problematic when distribution of sidebar codes was an afterthought.8). Note the anti-picking false notches. Picking resistance is provided with false notches (Figure 7.10: MT5+ slider. as any available key blank can be used to create a working key. and the bottom (right) interfaces with the sidebar. Figure 7.8 (Left): The MT5+ sidebar. The top (left) interfaces with a laser track on the key. Mul-T-Lock: Design and Security (LockpickingForensics. Five freefloating sliders interact with the sidebar through the use of small notches.com) 31/56 . Figure 7. the use of a sidebar (Figure 7. If all sidebars have the same code. there is basically no point in having it.9 (Right): The MT5+ sidebar is located on the bottom of the plug.
showing arrangement of telescoping pins and sliders. Mul-T-Lock: Design and Security (LockpickingForensics. This is an adequate method of distributing keys with unique sidebars but also allows locksmiths to make working keys for customers. I am unsure how large a “locksmith region” is.11: Inside view of the plug. Figure 7. sliders are positioned horizontally. When all sliders are properly aligned the sidebar can fall into their true notches and plug rotation is no longer restricted (Figure 7.11). the sidebar can now be retracted and plug rotated.12). Figure 7. located underneath and in-between telescoping pin-tumbler stacks (Figure 7.12: MT5+ sliders properly aligned. Please contact me if you can help answer this.com) 32/56 .out of the five sliders two define a locksmith region and the other three are variable. When viewed in the plug.
Five telescoping pins are raised and the Alpha spring raises the pins in the Alpha chamber. the MT5+ uses a laser track cut for the sidebar pins.Figure 7. Like the restrictions for the Interactive's moving element.13: The MT5+ key with telescoping bitting. almost the same as the Interactive. The most interesting aspect of the MT5+ is that it uses both the top and bottom of the blade. This is similar to other laser track sidebars. Warding on the keys for both MT5 and MT5+ are also somewhat unique when compared to other Mul-T-Lock models. The top is used for the telescoping pins and bottom is used for the sidebar pins. Like previous models. If you have this information please contact me.13). I currently do not have any depth or coding information for the MT5/MT5+ pins or sliders. and laser track sidebar. such as those in the Scorpion CX-5 and the EVVA 3KS. Though both use the traditional telescoping pin cuts. The MT5+ key is quite different due to the use of the sidebar (Figure 7. MT5/MT5+ keys cannot have warding Mul-T-Lock: Design and Security (LockpickingForensics. Contact details are available in the introduction to this paper. the MT5/MT5+ can be bitted in various orientations.com) 33/56 . Alpha spring. Keying Specifications The normal MT5 key works much like a traditional Mul-T-Lock key.
15).com) 34/56 . As you can see.down the center of the key where the Alpha spring is located. the sidebar provides additional resistance against many forced entry techniques. but an examination of the bitting for the laser track can clear this up. warding can be on the laser track. a ball bearing is included below the bottom steel rod (mirroring the one above). In addition. but cannot be so deep that it breaks the track. and an anti-drill disc is placed in the face of the lock (Figure 7. This key bow is visually distinct and is slightly fatter than previous models.14: Front and back of the MT5/MT5+ key bow. The MT5/MT5+ use one type of key bow and it is unique to these models (Figure 7. In the MT5+. In the case of the MT5+. keys are marked “Patent Pending” so a date for patent expiration on MT5/MT5+ keys is currently unavailable. The key bow does not specify if the key is for an MT5 or MT5+ lock. above the plug Mul-T-Lock: Design and Security (LockpickingForensics. Anti-Forced Entry The MT5/MT5+ provides the same anti-forced entry components as previous models. Figure 7.15: Anti-drill disc placed in the MT5/MT5+ cylinder. Figure 7.14). Warding is instead reserved for the sides of the blade where the telescoping and laser track bitting is located.
It offers a wide variety of protections against both destructive and non-destructive entry techniques. In the next section we'll discuss various attacks against each generation of Mul-T-Lock model. but is available from a select few online vendors. but I don't consider it too different from the Interactive. I'd recommend going straight to the MT5+. but lack of sidebar makes this a bit dubious. The regular MT5 has a high number of key differs. telescoping pins.Conclusion From a purely mechanical standpoint.com) 35/56 . the MT5+ is the best Mul-T-Lock cylinder to date. Mul-T-Lock: Design and Security (LockpickingForensics. The MT5 is not available in the USA outside of second-hand channels. but with the lock being so new Mul-T-Lock has plenty of time to upgrade the design. The MT5/MT5+ is somewhat hard to find. The MT5 is an interesting change. If you're planning on upgrading. In the case of the MT5+. but is available to large installations (I'm assuming you would have to contact Mul-T-Lock or work through one of their dealers). The MT5+ is currently not available to USA dealers. but it operates on the same principles as the Interactive moving element. Of course. The seemingly static position and size of the Alpha spring pins is a little strange. and warding styles. a wide variety of key differs is available between sidebar. you can always contact your local Mul-T-Lock dealer to see if they have any special connections and whatnot. The Alpha spring is interesting. as well as design upgrades and varieties provided by Mul-T-Lock to resist each attack. Key control is quite high considering the Alpha spring. USA dealers are supposed to have access to the MT5+ by 2011. That's it for the discussion of Mul-T-Lock models.
a telescoping system is similar to traditional pin-tumblers. For a free listing and descriptions of these ratings. A security rating is a way for consumers to know what level of security to expect from a lock. This has been a source of confusion lately. Due to the cross-over of most of the Mul-T-Lock models I'm going to categorize by attack rather than lock model. This section will evaluate the strength of Mul-T-Lock systems against a variety of common attacks.” but there is really nothing that makes this so. All security ratings are given in time rather than absolutes. Having a security rating does not imply that the lock is “high-security”. In each section we'll go over how different models stack up against an attack. Security Analysis Functionally. The Hercular deadbolt series also have ANSI Grade 1 locking mechanisms.8. and how Mul-T-Lock models have evolved to deal with these problems. just that it passed whatever tests the specific rating requires. Mul-T-Lock models have received ratings from Underwriter's Laboratories (UL). Security Ratings All Mul-T-Lock telescoping lock models have earned one or more security ratings. it is just a “high-er” security standard. especially when we consider UL 437. American National Standards Institute (ANSI). and forced entry for 15 minutes. From a security standpoint.lockwiki.com/index. and SecuPlus (SKG). Unfortunately. As Marc Tobias likes to say. in general. vulnerabilities that may exist or previously existed. for example. locks have grades which define which attacks they resist and for how long.com) 36/56 . European Committee for Standardization (CEN). I don't know every trick in the book. Though Mul-TLock is not the first or only company to provide telescoping pin-tumblers. Many people associate UL 437 with “high-security. Their UL 437 certification is probably the most notable. Unfortunately. the exact wording of many standards are not publicly available and are quite expensive to obtain (UL 437. If you have any correction or additions please contact me! Contact information is available at the start of this paper. In the same way that beef can be rated Grade “A” by the USDA. so this section is one that I could use much help on. they are responsible for many improvements to telescoping systems and dimple locks. a popular lock security rating from Underwriter's Laboratories. For example. please see http://www. many non-destructive compromise techniques are much harder to do. Vertrauen durch Sicherheit (VDS). as well as many others used around the world. a lock may be rated to resist lockpicking for at least 10 minutes. is currently $490 USD).php/Security_Ratings. Mul-T-Lock: Design and Security (LockpickingForensics.
but they make the fatal error of splicing cuts rather than keeping the film running. It works by being screwed into the keyway. Mul-T-Lock systems use a variety of mechanisms to prevent forced entry. All five pin Mul-T-Lock systems have a total of 10 pin pairs when we consider inner and outer pins. Lockpicking – Classic & Interactive In terms of covert entry techniques. detailed in earlier sections. In modern day. we can't confirm that it actually took one minute. Think of it this way: inner pins cannot separate at the shear line before outer pins. Like this. offers a drill bit that claims to go through an entire Mul-TLock cylinder in about a minute.1: A Mul-T-Lock Classic fully picked Mul-T-Lock: Design and Security (LockpickingForensics. Multipick Service. and to not splice the clips together. in truth the Mul-T-Lock is two five pin locks in one. lockpicking is probably the most well known and respected skill an attacker can have.com) 37/56 . sometimes generalized as “manipulation. a locksmith tool company. While a ten pin lock sounds challenging.Forced Entry Resistance to forced or destructive entry is the primary concern of all locking systems. What this means is that we can pick the lock first by attacking the outer pins then the inner pins. Resistance to lockpicking tools and techniques has been increasingly important since the early 1800s. a Czech company. but some tools and techniques can be used to quickly compromise the older Mul-T-Lock Classic and Interactive systems. but encourage them to put up a new video which includes assembly of the lock (to verify all components are present). Wendt. They have a video of this on their website.” While key bumping has made headlines recently. and if successful it is often the fastest and cheapest way to defeat a locking system. only that the clock at the top says so. Figure 8. make a pulling screw that is effective against a variety of MulT-Lock cylinders. lockpicking is still the most tried and true way of opening almost any lock in the world given the correct tools and. more importantly. Forced entry is by far the most common method of entry. a lock's security is highly based on whether or not it can resist lockpicking. The outer pins being at the shear line is mostly independent of the position of inner pins. then extreme pulling force is applied to pull the lock out of it's mounting. skill. I'm willing to give them the benefit of the doubt.
and. The Souber dimple pick set is also effective against Mul-T-Lock systems.2).Matt Blaze. The main problem with traditional picks. this should be a much simpler task than ordinary lock picking. more so than the false set of a security pin (Figure 8.com) Wendt produce two sets of Mul-T-Lock picks (#0702.2: A Mul-T-Lock Classic in the normal (left) and partially picked (right) positions. “Notes on Mul-T-Lock Locks” (www. From here. and those sold by the companies listed above. Again. Picking of the inner pins is actually quite easy. Traditional dimple or pin-tumbler picks can also be used but they take more skill to use.com) 38/56 . is that they can get stuck between the inner and outer pins. Multipick Service also sell various Mul-TLock picks. How do we know when to pick the inner pins? When the outer pins are picked the cylinder rotates slightly. Mul-T-Lock: Design and Security (LockpickingForensics. Matt Blaze's site reiterates this quite nicely: “However. In particular.crypto. they all bind at once and over-setting is prevented by the severe angle at which the upper pins are held.” . sets are usually traditional dimple picks with slight modifications. Many times you'll end up having to release tension and start over. #0702-KPR).Figure 8. but is not designed or marketed specifically for this purpose. the attacker can move to the inner pins. for the most part. the inner pins can apparently be set in any order (or simultaneously). because of the angle at which the inner upper pins are trapped. the lock becomes a five pin dimple lock. Both sets resemble traditional dimple lockpicking tools with pointed tips. When this happens it takes a considerable amount of fiddling to get the pick out.
Shop around! Mul-T-Lock: Design and Security (LockpickingForensics. Tension is applied through a bar that can be placed on either side of the tool.3 (Left): The H&M Mul-T-Lock picking tool (Right-Up). Notice that the second chamber is slightly longer to account for Interactive cylinders. Figure 8. It does so through the use of small channels that indicate which pin stack you are working on (Figure 8.com) 39/56 . The Mul-T-Lock picking tool that has gained the most popularity is produced by a Chinese company called H&M Tools. The tool is inserted on the farthest ward in the plug and is tip-stopped by the cam of the lock.5 (Bottom right): Close-up of the tool's pin channels. Figure 8. The tool itself has a distinct look and does not resemble the traditional dimple picks sold by most other companies (Figure 8. The tool is calibrated precisely so that it lifts pin stacks only when it is directly beneath them.Figure 8.3). In addition. prices range from $75 USD to $600 (!) USD. Being tip-stopped.5). It is extremely effective in picking Classic and Interactive cylinders (compared to traditional tools).4) and is rotated with the large knob at the end of the tool. and how high up you are raising it. Because it only lifts when directly under pin stacks there is no guesswork with where the pick is. the tool works in both four and five pin locks without needing to be re-calibrated. which is one of the reasons that it is so effective in picking Mul-T-Lock Classic and Interactive systems. The pick itself sits on a ledge of the tool (Figure 8. Many companies sell the H&M tool. the H&M tool does not get stuck between telescoping pins.4 (Top right): Close-up of the ward track and pick tip.
7 (Right): Some counter-milled pins have a serration at the bottom of the pin. the position of the sidebar has an interesting effect on picking. so it should not be much harder to pick. Of course. tension can be completely released and sliders will not move. In short: when picking the MT5+. but are often combined with outer bottom pins that use counter milling (Figure 8.com) 40/56 . When tension is placed on the cylinder the inner and outer pin serrations hook together to prevent picking. but I'm not completely sure why (Figure 8. In essence. but it is only a matter of time before something is developed. Whether or not it can be picked fast enough to defy security ratings is another matter. horizontal to the ground. and depends on the sensitivity of the installation. Some pins with counter milling also have a serration on the bottom of the outer pin. At this time I have not heard of anyone picking the MT5+. Lockpicking – MT5/MT5+ As far as I know. there are currently no ready-made picking tools for the MT5/MT5+ cylinders.6 (Left): An outer bottom pin with counter-milling. On their own they offer a minimal defense. Scorpion CX-5). Mul-T-Lock: Design and Security (LockpickingForensics. While this doesn't make the sidebar a breeze to pick it is still important. inner top pins can also be lightly spooled.In order to combat lockpicking attacks Mul-T-Lock has devised a variety of improvements to their locks. but a moderate to highly skilled attacker should have no problem with these. Contact me if you can offer any insight! Figure 8. the normal MT5 is an upgraded Interactive cylinder. the time required to pick the sidebar may be excessive. Because the sliders are placed in between pin stacks. In addition to these. Unlike other laser track locks (see: EVVA 3KS. Figure 8. My guess would be as a crude overlifting defense.7). The H&M tool does not work because of the change in warding and the position of the Alpha spring. but I haven't been able to confirm this. widespread use of serrated outer top pins has become effective in deterring casual picking.6). but there is no doubt in my mind that a highly skilled attacker could do it. used to frustrate lockpicking. Being located on the bottom of the plug. gravity does not affect the position of MT5+ sliders. they are difficult to manipulate without hitting the pins. In the case of the MT5+.
Michaud Attack Early versions of the Mul-T-Lock Classic and Interactive were found to be vulnerable to an attack discovered by Eric Michaud (TOOOL USA) in 2004. Briefly. Master keying) also prevents the Michaud attack at the expense of pick-resistance and key differs. Dubbed the “Michaud Attack. Their idea was to make a hole in the top outer pin that allows the inner pin to push through when it is all the way at the top (Figure 8. Inside the lock. Use of solid bottom pins in master keyed systems (see Section 4. Once high enough. the cylinder could be rotated to trap all outer top pins above the shear line.8). Figure 8. Mul-T-Lock: Design and Security (LockpickingForensics. common in almost all new Mul-T-Lock cylinders. but there are still decades of locks produced and installed that are vulnerable. inner pins could be raised and they would carry the outer pins.8: An anti-Michaud Attack top pin. allowing all outer pins to be easily picked via overlifting.com) 41/56 .” he found that inner pin-pairs could be raised to lift the outer top pins. as discussed earlier. From there. this prevents the outer top pin from being raised to the top of the chamber through the use of the inner pins. Mul-T-Lock has since fixed this problem. Mul-T-Lock's fixed their design by using the recommendation of Eric Michaud and Matt Blaze. Interestingly enough. picking the inner pins is fairly easy.
My guess is the complexity of bumping 10 pin stacks at once. The sidebar distribution problems that have hampered other locks (ASSA V-10. is to just buy a lock that has the same keyway profile. The universal Mul-T-Lock bump key seems to be elusive. as they are assembled in our factories and distributed throughout our network of authorized professional dealers are not susceptible to this type of attack. as sometimes cylinders will not bump for whatever reason. the Silver (S) element is the most popular. if unavailable directly.” While I understand Mul-T-Lock's apprehension about admitting they have a (potential) problem. All of this is coupled with needing the correct keyway profile and the inability to casually observe the keyway profile of Interactive locks. While none of this stops the act of bumping itself. especially now that the patent has expired.com) 42/56 . they've been modified in some way to make bumping possible: “Not a single one of these supposedly successful bumping attempts was performed with a nontreated Interactive Mul-T-Lock cylinder. MT5+ sidebars are a combination of region and personal cuts. If we agree that the Classic and Interactive can be bumped then I see no reason that the MT5 (without sidebar) couldn't also be bumped. Finally. and keyway warding that can be visually decoded. Obtaining the proper key blank is a concern in bumping. Most online vendors sell the Gold (G) element on all cylinders (others may be available upon request). It may be possible if we assume the attacker can obtain a key with the proper sidebar. Obtaining the sidebar code without the bitting code always seemed a little far-fetched to me. is almost certainly not bump-able. they claim that all videos online are done by people that are not using proper cylinders. but it is possible. The normal way to obtain a key for a target lock. This leaves the Black (B). timing. personally. In my experience. we consider the MT5/MT5+. With the Alpha spring in a static position and shape. Mul-T-Lock released a press statement (24 May 2007). but I can say I've bumped and witnessed bumping of both Classic and Interactive cylinders without “treated” components. Whether or not Mul-T-Lock models are bumpable is a subject of much debate. force. which is surprisingly hard to find. the MT5 doesn't offer the same level of security through obscurity that the Interactive does. but with the Interactive we need the correct keyway profile and moving element. This isn't too hard for the Classic. however. In any event. In short. After the media frenzy on bumping in 2006. I don't agree that every video is a hoax. and a properly cut bump key all play a role. they all make obtaining the information to successfully bump the lock more difficult. The MT5+. this is still disputed. Mul-T-Lock’s bump-resistant Interactive cylinders. This may be challenging. Mul-T-Lock: Design and Security (LockpickingForensics.Key Bumping Key bumping is a covert entry technique in which force is applied to a specially modified key to cause pin-tumblers to split at the shear line. As we discussed. I can't point out real versus fake. We can't always do this with the Interactive because we have to consider the moving element. Schlage Primus) should not affect the MT5+.
Mul-T-Lock chose to implement a pin type they refer to as the “Split-D” pin (Figure 8. Regardless.9: Mul-T-Lock Split-D type outer bottom pin. At the moment I feel that the Classic. holds a variety of patents for bump-resistant pin-tumbler designs. but it is as close as most pin-tumbler locks can expect to get. but I don't fully agree with this for the same reasons as the mushroom pins. preventing it from separating at the shear line. the light tension used on the bump key is probably not going to engage mushroom tumblers to the point where they can effectively prevent bumping. Mul-T-Lock also note their interlocking (counter-milled) pins may resist bumping.com) 43/56 . The logic is that kinetic energy is not transferred properly to the outer top pin. but this is not terribly accurate. Mul-T-Lock: Design and Security (LockpickingForensics. While they protect against premature tension on the cylinder. Some of the Mul-T-Lock press releases also claim that mushroom security pins protect against bumping. Figure 8. Interactive. but I cannot comment on the universal nature of their bump keys. for key bumping resistance. and MT5 models without the Split-D components can be bumped. The MT5+ may not be bump-proof in the truest sense. most bumping attacks put tension on the cylinder only after it has been struck with a bump hammer. The Split-D is a modified outer bottom pin that uses two parts. not unlike the traditional outer/inner pins. Of these. and claims to prevent bumping attacks.Moshe Dolev. I have not had access to these for testing so I cannot comment on their effectiveness.9). Each fit into one another. one of the founders of Mul-T-Lock.
With these. Due to the telescoping pins we would need to make outer cuts without touching the inner area. This is fine for a skilled machinist but problematic to do by hand. With lockpicking we must pick outer pins then move to inner pins. to say the least. we bind a blank key against the components to make marks on the blank.10: Mul-T-Lock impressioning tool. but the Interactive and MT5's moving elements defeat this technique. Rather than fabricating full Classic blanks I decided to make a small piece of brass that simulates only the actual bitting area (Figure 8. Another major problem is making the actual impressioning cuts. we know where to file to produce a working key. This technique could still be used (against all models. I developed a method for impressioning Mul-T-Lock Classics using inexpensive materials and common hand tools. Copy impressioning makes a direct copy of a key by making a mold or impression in a medium such as clay. With the mold we can casting a working key for the lock. In both cases it is time consuming. There are two types of impressioning: copy and manipulation. Figure 8. you'll notice a small part of the key touches the pins. With a telescoping system (and a dimple key) this is problematic. It is surprisingly effective and easy to learn but how it affects Mul-T-Lock systems is unclear. made out of brass. this is most effective against the Classic. and indeed almost every lock in existence) to decode the bitting and sidebar codes. wax.Impressioning Impressioning is a covert entry technique used to open and make a working key for a lock. If you look at a Classic key.5 mm high. Mul-T-Lock: Design and Security (LockpickingForensics. In a normal pin-tumbler. As we discussed in previous sections. sort of a hybrid of lockpicking and decoding techniques. or silicon. Manipulation-based impressioning uses a blank key to gather information from the lock itself. It is just over 1 mm thick and ~2.com) 44/56 . Doing so without letting inner pins leave marks is hard.10). In the same way outer pins need to be impressioned first.
Figure 8. In addition to inner and outer pins. Avoiding the inner pins is easy because you can just file around them (Figure 8. large inner pins leave as little as 0. This was troublesome because I wasn't sure where to file. The tool is removed once outer pins are impressioned and the cylinder rotates. Mul-T-Lock: Design and Security (LockpickingForensics.12).11: Impressioning marks on the tool. viewed under UV light.com) 45/56 . but it takes much longer than picking the inner pins manually. but in a telescoping system the number of marks left is overwhelming. With extremely low pins it is helpful to file at an angle to prevent the tool from breaking easily (a common dimple impressioning trick).The tool is inserted between the bitting wards and a separate tension tool is used. Additionally. Aside from the ability to clearly see marks with UV ink. the main advantage is making the impressioning cuts.47 mm of material on the tool. Figure 8. the pin chambers also bind against the tool. You could continue impressioning. With UV it is easy to find marks as well as identify what made each mark (Figure 8. Early attempts to make impressions were successful.12: Tool after the first round of filing.11). Normal picks or the H&M tool are used to quickly pick the inner pins. I moved to a UV-based system. This decreases the strength of the tool and may cause bending or breaking. Methods of obtaining marks are the same as traditional impressioning. of course. With the key in a nondimple arrangement it is much easier to file where marks are.
marks could be made to decode the lock while it is being picked. but the telescoping pins are again a problem. but the associated key cards so.com) 46/56 .Pressure-responsive impressioning may also be possible. but ultimately it is not hard to do by hand. but it seems plausible. Marc Tobias and Tobias Bluzmanis reported they found various mechanical and electronic vulnerabilities in the Mul-T-Lock CLIQ. With the H&M picking tool. A mold taken of any Mul-T-Lock key could be decoded to determine the bitting and sidebar patterns for the lock. Classic and Interactive key cards use direct codes. I believe this is a progressive key system but I have not been able to get a better description or see one in person. It would be neat if the tool came like this. Many modern dimple locks are vulnerable to this type of attack. Please contact me if you have more information! Contact details are available at the start of the paper. I have not had access this system in person so I cannot comment further. Decoding is somewhat ambiguous. the Tobias boys are practicing responsible disclosure in order to make sure all the major players are prepared if/when they release vulnerability information. In the tool's description Mul-T-Lock is grouped in a category with other locks and it basically says. specific vulnerability information is unavailable but I am told it is quite serious. so it is hard to pin down exactly what decoding techniques the Mul-T-Lock may be vulnerable to. With this technique we use a soft. malleable material (such as foil. or soft wood) to quickly impression the lock. At the time of writing this. including the full keyway profile (See Appendix A). I believe it is just a traditional dimple pick set and a standard lever type decoder. With the information gained from decoding a working key can be made by hand or with a key cutting machine. lead. Mul-T-Lock: Design and Security (LockpickingForensics. Given the Mul-T-Lock CLIQ is used in various government and high-security installations (namely airports). More information on these vulnerabilities will be added when it is made available. “some may be harder to pick and decode than others. Mul-T-Lock does not use any bitting codes on factory original keys that could be used to decode them.” What this means for Mul-T-Lock specifically is unclear. Electronic Attacks (CLIQ & SynerKey) CLIQ security is currently a hot topic. Falle-Safe offers a picking and decoding system they claim work with Mul-T-Lock systems. At this time I have not seen a Mul-T-Lock impressioned this way. Falle-Safe offers an impressioning tool for Mul-T-Lock systems. Decoding Decoding is a class of attack that aims to figure out the bitting pattern of lock either through examining or manipulating the lock or a working key. in general.
The addition of the sidebar is a dramatic improvement over previous models. bump.lockpickingforensics. particularly the MT5+. and locksport visit http://www. forensic locksmithing. the MT5+ is Mul-T-Lock's best cylinder to date. Newer models. I hope you learned from and enjoyed this paper! For more articles on locks. best known for their telescoping “pin-inpin” systems. While older models are not without problems. they all use the same basic locking principles. offering a solid defense against various destructive and non-destructive entry methods. We went over the various Mul-T-Lock models and learned how each works. safes. but all samples I have seen or examined place the Alpha spring in the sixth pin chamber and don't appear to have alternate bitting styles. datagram.9. In most low to medium security installations the Mul-T-Lock Interactive (and even Classic. and impressioning resistance. At the time of writing this it is unclear whether or not the Alpha spring provides the same variety in position and style like the Interactive moving component.com.com) 47/56 . offering high pick. in some cases) will do an adequate job of providing protection. The choice of lock will depend on the type of installation and the security required. it just moves the floating component to the back of the lock and adds a sixth pin-stack. can provide security even in high security situations. even the newer MT5 models. Thank you for reading. Conclusion Mul-T-Lock is a world leader in locking technology. While they provide increasing resistance to attack over the years. Summer 2009 Mul-T-Lock: Design and Security (LockpickingForensics. Aside from the CLIQ. In my opinion the normal MT5 is not much of an improvement over the Interactive model. they are still effective in providing security to the majority of installations. Be sure to keep reading further for various appendices that you might find interesting and useful.
yellow. square plastic (Black) Classic. Below is a comparison of different Mul-T-Lock key bows: Classic. round plastic Interactive.Appendix A: Keying Specifications Key Bows Mul-T-Lock keys follow a simple key coloring and coding convention to identify the lock model. oval plastic Interactive SynerCLIQ Interactive SynerKey Notes • • 3-in-1 Interactive keys are square plastic keys with a green. The shape and color of key bows can be used to quickly identify the model of the key. 48/56 Mul-T-Lock: Design and Security (LockpickingForensics.com) . nickel silver Classic/Interactive. and moving element type (where applicable). moving element position. square plastic (Black) Interactive CLIQ. or red bow. square plastic (Blue) Interactive. nickel silver MT5/MT5+. 3-in-1 Classic keys may instead use a black square plastic bow with colored inserts. keyway profile.
A-0) M Integrator Master Profile P Integrator Internal Cut Profile E Integrator External Cut Profile 7 7x7 A MT5 B MT5+ Padlocks as usually listed as [KEY CODE]-[PADLOCK CODE] The 7x7 and Integrator are non-telescoping dimple locks made by Mul-T-Lock YY Z Notes • • Mul-T-Lock: Design and Security (LockpickingForensics.Keying Codes Mul-T-Lock key codes follow the format of XYYZ. X Moving element position: 0 Classic/7x7 (no moving element). Examination of the bitting can determine the Z code. Z-1) G Gold (inner pin higher.com) 49/56 . Key codes can be found on the blade. Z-0) B Black (outer pin higher. 1 Interactive/Integrator first position 2 Interactive/Integrator second position 5 Integrator position 5 6 Integrator position 6 7 Integrator position 7 8 MT5 9 MT5 Keyway profile Moving element type: C Classic S Silver (uniform heights. just below the bow of the key. Most codes printed on keys are limited to XYY or YY. if necessary.
45 mm 0.40 mm 1.00 mm 0.97 mm 0.25 mm Pin Length Outer 4.com) 50/56 . outer pin higher Pinning (Outer-Inner) A-0 Z-0 Z-1 Master Pin Specifications Pin Designation Inner 4 3 2 1 3 2 1 Outer (external & solid) Inner 2.Inner/Outer Bottom Pin Specifications* Pin Designation Inner 0 1 2 3 4 5 * Outer Z A B C** D** Key Blank Left (Cut Depth) n/a (Interactive) 2. inner pin higher Flat.65 mm 5.95 mm 0.75 mm 6. and 3-in-1 cylinders ** C and D outer pins may also be of the inverted mushroom style.15 mm 6. both pins equal Concave.65 mm Applicable to Classic.20 mm 5.65 mm 6.45 mm 0. Interactive.95 mm 1.50 mm 1.00 mm 1.47 mm Pin Length Outer (external & solid) Side/Back Pin Specifications Currently not available. Interactive CLIQ.25 mm 6. Mul-T-Lock: Design and Security (LockpickingForensics. Please contact me if you have this information! Contact details available in the Introduction section of this paper. Interactive (moving) Component Specifications Name Gold Silver Black Code G S B Description Convex.75 mm 5.25 mm 5.45 mm Inner 4.50 mm 1.75 mm 7.
Please contact me if you have this information! Contact details available in the Introduction section of this paper.MT5/MT5+ Pin Specifications Currently not available. MT5+ Slider Specifications Currently not available. Mul-T-Lock: Design and Security (LockpickingForensics.com) 51/56 . MT5/MT5+ Alpha Spring Specifications Currently not available. Please contact me if you have this information! Contact details available in the Introduction section of this paper. Please contact me if you have this information! Contact details available in the Introduction section of this paper.
and puck padlocks) Padlock “size” (meaning varies): E/C series Shackle clearance length (mm) G/T series Padlock horizontal length (mm) Shackle options: P “Popping” shackle R Removable shackle x Popping/removable shackle (up to consumer) C Various shackle sizes available (may be used with other Y options. Y may expand to YY if the 'C' option is used (such as xC. round body. A C13xCx defines a C series padlock with 13 mm of shackle clearance. sliding bolt. YZZ is sometimes omitted when browsing online stores or locksmith catalogs. your choice of popping or removable shackle. Padlocks as usually listed as [KEY CODE]-[PADLOCK CODE]. look at the table for clarification. W Padlock series: C “Heavy duty” (silver. Notes • • • • • • ZZ is frequently shortened to Z. such as xC/PC) Shackle protection: x Not shrouded P “protected” (with shroud) LE “low guard” (low shroud) HE “high guard” (full shroud) SP “shackle protector” (removable black shroud) SB “sliding bolt” (self-shrouded sliding bolt) XX Y ZZ Therefore. PC). 52/56 Mul-T-Lock: Design and Security (LockpickingForensics. and nonshrouded. square and lightly rounded) T “Heavy duty” (silver. 44 mm in horizontal length. Some E series padlocks may also be sliding bolt. it is not restricted to the T series. and with a shrouded/protected shackle. rectangular or square) E “Extra-high duty” (black/silver with a colored strip at the bottom) G “Medium duty” (silver.Appendix B: Padlock Naming Conventions Mul-T-Lock padlock model numbers follow the format of WXXYZZ. the G44P defines a G series padlock.com) . Sometimes ZZ and Y are swapped. varieties in shackle size.
267. or keys.520. Classic key blank 1991.259 Pick resistant lock 10. Classic key blank 1992. padlocks.308 Locking apparatus D411435 D411730 D415010 D422880 D422883 D426138 Padlock body Padlock body Padlock body Padlock shroud Key bow Padlock shroud 6.593.876 Padlock 7. E series padlock (body only) 1998. E series padlock. bolts and latches. Classic key bow (rounded plastic) 1990.331.035 Locking apparatus 5. The original telescoping patents discussed in Section 2 are listed there. Electronic padlock that monitors against forced entry 53/56 5.553 Monitorable lock Mul-T-Lock: Design and Security (LockpickingForensics. E series shrouded padlock 2000. Some other patents are excluded. Gear shift lock 1991. key machines. Classic cylinder with a variety of pin designs 1990. Cylinder guard shield. Classic key blank 1994. too. Interactive key blank (206 keyway) 1997.086. Classic key blank 1993. Classic key blank 1993.389 Cylinder lock 4.com) .856.461 Cylinder guard D933973 D335253 D342887 D353320 D353534 D353760 Key bow Key blade blank Key blank Key blank Key blank Key blank Description 1977. E series low shroud 2000. Interactive cylinder 1996. Classic cylinder 1987. all of which are interesting.268 Cylinder lock 5. If you have any additions or corrections please contact me! At the end of this section are telescoping pin-tumbler locks not registered to Mul-T-Lock.393.307 Gear shift lock 5. E series padlock (body only) 1998. marketed as “Top Guard” 1990. shrouded (body only) 1998. Telescoping lock with counter-milled bottom pins 2005.839. US Mul-T-Lock Patents Patent # Title 4.Appendix C: Patent Listing This is a list of all the patents I could find that are assigned to Mul-T-Lock relating to telescoping locks. and automotive patents. Interactive key bow (nickel-silver) 1998. Classic cylinder 1990.910 Locking apparatus 5.309 Cylinder lock 5.784.123. E series high shroud 1998.142. Interactive cylinder 1998.
509. D Key head 109. Cylinder guard shield. Tamper resistant Classic cylinder 1992.954.351.984. Classic style cylinder with three telescoping pins 1996. Patent # Title Description 1976. D Cylinder lock 59.606. D Locking device 83. C series padlock 1981.” Some have interesting titles. D Pin-tumbler lock 90. Padlock and shackle shaped to fit motorcycle tires 1987. D Locking system 116. The Israeli patent site segments the patent document. E series padlock (with low and high shrouds) 1999. Transponder key system for automobiles 2002. D Door lock 110.607 Key for cylinder locks 80. C series padlock (with removable shroud) 1990. marketed as “Top Guard” 1991. D Changeable lock cylinder 1996. D Cylinder lock guard 99.362.705. D Locking apparatus 109.563.349. so the patent # links to the claims and 'D' links to the drawings. C series padlock (removable shackle) 1992.263. D Padlock 102. Cylinder guard shield 1991. Classic cylinder 1980.982.com) .701.159.696. Classic cylinder 1989.Israeli Mul-T-Lock Patents Links are direct to patent PDF files.034. D Anti-theft apparatus 150. Classic style cylinder with counter-milled pins 54/56 Mul-T-Lock: Design and Security (LockpickingForensics. D Tamper resistant lock 102. Interactive cylinder 1994. D Padlock 99. so I'll try to add these if/when they become available. (Cool patent) 118.754. There are many patents that are “abandoned” or have not reached the “second publication phase.808. Protective cover for cylinder-based mortise locks 1982. Interactive cylinder 1994. Classic cylinder with two rows of pin chambers 1995.211.153. D Lock housing 122. D Anti-tampering lock 117. Interactive key bows 1994. D Padlock 129.323. Mechanically changeable lock cylinder and key and key rotating pins rotating pins. T series sliding bolt padlock 1997. D Cylinder lock 92. D Covering arrangement 67. Double sided dimple key (no drawing) 1986. D Padlock assembly 104.095. Padlock with anti-tamper mechanisms 50. Classic cylinder with key profiling mechanism(s) 1992.041. D Padlock 62. D Cylinder lock 119. D Pick resistant lock 1996.998. Padlock used as gear shift lock in automobiles 1993. D Cylinder lock 103.623. D Cylinder lock guard 96. Classic cylinder 1990.
Cruciform telescoping pin-tumbler 1997. Odd dimple lock.095.856 1987. Telescoping pin-tumbler 1917.” but these are usually slider based. Mul-T-Lock: Design and Security (LockpickingForensics.304 Description 1897.653.222.022. Possibly basis for Alpha spring? Structure of cylinder lock 1990.158. Note: I realize there are some locks from the early 1800s that are “telescoping. Telescoping pin-tumbler 1938.070 Lock 2.383 Cylinder lock 5.501 Tumbler lock 2.436 917.869.244.365 1. Telescoping pin tumbler Lock Pin-tumbler lock Cylinder lock 1. Sort-of telescoping pin-tumbler with “arms” 1935. immune) 1973.467 Anti-pick cylinder lock 3.500 Lock 2.750 Lock Please contact me if you find any telescoping pin-tumbler patents to add to this list! Contact information available at the beginning of this paper. Faux telescoping pin-tumbler 1951. Telescoping pin-tumbler (Michaud attk. I am primarily interested in telescoping pin-tumbler locks.894.889 Tumbler mechanism 3.818. Telescoping pin-tumbler / wafer hybrid 1914. Tubular 3-level telescoping lock 5. Telescoping pin-tumbler and tubular lock. Grouped telescoping pin-tumbler (cool keys) 1992.com) 55/56 .996. Telescoping pin-tumbler 1908.Other Telescoping Pin-Tumbler Locks Patent # Title 593.722 Cylinder lock 4. (Both are immune to the Michaud attack) 4.732 Cylinder lock construction 1973.760.
These pages in particular might interest you: • • • • • http://www.php/Bumping http://www. His page was helpful in understanding how to explain high security locks without making everything too complicated.toool.lockwiki. buttes.com. scorche.php/Pin_tumbler While not in the scope of Mul-T-Lock systems. and other systems was quite motivational and helpful in deciding how to organize this paper. press releases. Han Fey's work with ASSA. Deviant Ollam. locksmithing. Abloy. but if you are Mul-T-Lock and you are unhappy about me using these please let me know and I will remove them.com/index.crypto. References & Resources All patents referenced in the history section are available in Appendix C. If you liked reading this paper you'll enjoy many of those sites.nl.lockwiki. In no particular order: Jon King (JK_the_Cjer). His articles on various high security locks can be found on TOOOL NL's website: http://www.php/Mul_T_Lock http://www.com) 56/56 . and last but not least.ericschmiedl. Thanks Many people helped make this paper a reality. and forensic locksmithing.com/photos/misc/mul-t-lock/. DOM.lockwiki.asp?newsid=58 If you'd like more information on the locking systems and attack techniques discussed. Thanks for reading! Mul-T-Lock: Design and Security (LockpickingForensics.php/Lockpicking http://www. too. Marc Weber Tobias. A few pictures were used from Mul-T-Lock's site(s).lockwiki.com/index. and promotional material. Eric Schmiedl. Babak Javadi.com/newsdetails. visit his portfolio at http://www. Matt Blaze has an excellent introduction to Mul-T-Lock Classic cylinders on his website: http://www.php/Security_Ratings http://www.lockwiki. Tobias Bluzmanis. Security Analysis) is available at: http://mul-t-lockusa. The full text of Mul-T-Lock's key bumping press release (discussed in Section 8. stderr. I considered these to be “fair use” under United States law.com/index. be sure to visit the Links page for a list of sites related to locksport.Credits. Much thanks to Eric Schmiedl for letting me use his fantastic CLIQ photos for Section 5.com/index.com. visit LockWiki.com/index. Eric is a great photographer (and lock picker!).
This action might not be possible to undo. Are you sure you want to continue?
We've moved you to where you read on your other device.
Get the full title to continue listening from where you left off, or restart the preview.