Home Depot Key Code Randomization Failure
I found a massive Key Space Reduction Attack on locks sold by Home Depot. The flaw lies in their procurement process rather than in the locks themselves, and it lets an adversary narrow the possible key codes for a lock based on its time of shipment, which can be inferred from the approximate time of install. In commercial settings, where building permits reveal construction timelines, this gives an attacker a significant advantage: he may use an actual key and leave no trace. The flaw is caused by Home Depot's processes, not by their lock vendors, who have urged them to accept randomization.
This finding has the fortune of being one of the posts made on the day Full Disclosure was resurrected from the dead, which is why I like to nickname it Lazarus (and not because I just watched Interstellar again).
Originally, the issue was thought to be related to how Master Lock handled things. In reality, it was caused by how stores such as Home Depot order their locks.
Rather than accepting shipments of locks with randomized key codes, as is standard, Home Depot intentionally has all locks within a model line have the same key code. This is done on a regional distribution basis (rather than each store). The result is a Key Space Reduction Attack.
Let's assume the regional distribution center receives one batch per week from its vendor (large batches, but a fast-moving item). That would mean only 52 possible key codes per lock model for the entire region it covers. If the lock is less common, such as a high-security lock rather than a standard padlock, batches are less frequent, allowing a further key space reduction.
For home users this is less of a concern. However, given how easily building records can be accessed one way or another (and the requirement in many places that permits, including work start dates, be posted), it has a higher impact on commercial sites that are either under construction or were built within the period during which an attacker has been logging key codes, which are often printed on the outside of boxes on the sales floor.
Home Depot rationalizes that consumers would prefer not to have to re-key their new locks to match when they buy a set of deadbolts. However, I would argue that if a customer realized every one of the deadbolts sold by that store that week was keyed the same, they might think twice, especially since many of these stores already offer lock and key services.
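To make the arithmetic above concrete from the defender's side, here is an added example (not code from the original post or from any lock vendor) that estimates how far keyed-alike regional distribution shrinks the effective key space for a lock whose install window is known, and that audits the key codes printed on a delivered batch for diversity. The batch cadence, the nominal key space size (5 pins with 6 depths), and the sample key codes are constructed assumptions for illustration, not figures from the post.

```python
# Added example, not code from the original post: estimate how far keyed-alike
# regional distribution shrinks the effective key space for a lock installed in
# a known window, and audit a purchased batch for key-code diversity.
# Batch cadence, key space size and the sample key codes below are constructed
# assumptions for illustration, not figures from the post or any vendor.
from collections import Counter
from datetime import date
from math import log2


def batches_in_window(install_start: date, install_end: date,
                      batch_period_days: int) -> int:
    """Upper bound on the number of distinct shipment batches (and so distinct
    key codes, under keyed-alike distribution) that could have supplied a lock
    installed between install_start and install_end, inclusive.

    Batch boundaries are unknown to the observer, so the window is treated as
    unaligned: a one-day window maps to exactly one batch, and a full year of
    weekly batches gives 53 (the post's 52 is the boundary-aligned case)."""
    if batch_period_days < 1:
        raise ValueError("batch_period_days must be positive")
    if install_end < install_start:
        raise ValueError("install_end precedes install_start")
    span_days = (install_end - install_start).days + 1
    return (span_days + batch_period_days - 2) // batch_period_days + 1


def effective_bits(nominal_codes: int, candidate_codes: int) -> float:
    """Bits of key-space security left once the candidate set is known:
    log2 of the smaller of the keyway's nominal code count and the number
    of batches that could have supplied the lock."""
    return log2(max(1, min(nominal_codes, candidate_codes)))


def audit_key_codes(codes):
    """Defender-side check on a delivered batch: count distinct key codes
    (as printed on the boxes) and list any code shared by more than one lock.
    keyed_alike is True whenever fewer distinct codes than locks arrived."""
    counts = Counter(codes)
    shared = {code: n for code, n in counts.items() if n > 1}
    return {
        "locks": len(codes),
        "distinct": len(counts),
        "shared": shared,
        "keyed_alike": len(counts) < len(codes),
    }


if __name__ == "__main__":
    # Constructed scenario: a permit shows work started in a two-month window;
    # the lock model is assumed to ship to the region weekly, and the keyway is
    # assumed to have 5 pins with 6 depths (6**5 = 7776 nominal codes).
    window = (date(2014, 9, 1), date(2014, 10, 31))
    candidates = batches_in_window(*window, batch_period_days=7)
    print(f"candidate key codes: {candidates} of {6 ** 5} nominal "
          f"({effective_bits(6 ** 5, candidates):.1f} bits left)")
    # Constructed key codes read from the boxes of a six-lock purchase.
    report = audit_key_codes(["A1234", "A1234", "A1234",
                              "B0099", "A1234", "B0099"])
    print("delivered batch:", report)
```

The audit function is the practical takeaway for a site owner: before installing a set of locks bought off the shelf, compare the codes on the boxes, and if `keyed_alike` comes back true, have the locks re-keyed (many of these stores offer that service) rather than trusting the nominal key space.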
The original post to Full Disclosure has more details, as well as feedback from community members who have worked at various hardware stores. Also, I learned the hard way that an update to my email client shortly before had changed the way images were handled: I no longer had an integration with an image host, and instead caused a large load by emailing a multi-MB attachment to a list of thousands of people (totally not a DoS attempt on seclists).