Subject: VingCard evaluation Live from EveCon: We have completed our analysis of the VingCard key system as used in this hotel, obtaining the following educational info which has since been cleaned up and made presentable. The lock is a matrix of 32 pins which have two possible positions each [sort of like a vax...]. Two of these are special and aren't really used in the keying. The remaining 30 are constructed out of standard pin and driver parts, except that all the drivers are the same length and all the pins are the same length. The pin-driver combinations sit pointing upward [the springs are underneath] in a sort of matrix about 1.5 inches on a side. Above each pin-driver combination sits a steel ball. The entire matrix is enclosed in a *plastic* assembly, part of which can slide "forward" [i.e. away from the user]. Some of you may be familiar with the keys: white plastic cards about 3 inches long with a bunch of holes in one end. Pushing this into the slot until it "clicks" forward opens the locking mechanism. The lock combination is set by inserting a similar card, only half as long, into the *back* of the lock. This card is the same thickness as the opening card and has part of the hole matrix cut out. A juxtaposition of this combination card from the back and the key card from the front closes the matrix: i.e. if you overlay the combination and key cards in their opening configuration, there are no open holes left, *exclusively*: i.e. where there is a hole on the combination card there is solid on the key card, and vice versa. Thus the complement of the proper key card is the combination card. This is enforced by the placement of the ballbearings and pins in relation to the sliders and top plate, so a workaround like a card with all holes cut out or a solid card does not open the thing. The combination card slides in between the conical pin ends and the steel ballbearings [and is thus harder to push in than the key card]. The key card comes in over the balls, and its thickness pushes the balls under its solid regions downward. So each pin assembly is pushed down, when the lock is open, the same amount, be it by the key card hitting the ballbearing or the combination card wedging the actual pin downward. Clarification: Let us define a "1" pin as a hole in the opening card. Thus a "0" pin sits under a solid portion of the opening card and a hole in the combination card. A 0 pin opens as follows: Since the combination card lets the pin rise up against the steel ball, the keycard pushes the ball [and its pin] down to the bottom of the keycard slot. This brings that pin to its shear line. Simple. Here's the magic -- a 1 pin opens in the following fashion: Since the combination card is solid there, the steel ball is sitting directly on the commbination card, and the pin underneath is *already* at its shear line. If a solid keycard portion arrives over this ball, the ball is pushed down against the combination card and *pushes the entire area of the combination card down under it*, lousing up not only that pin's shear line but probably a few around it. Although a clever mechanism, this depends on the elasticity of the combination card to work. Note that as the key card is inserted and removed, the combination card will be flexed up and down randomly until the keycard comes to rest at its opening position. [Correction to above: each pin really has *three* possible positions. Hmm.] All this happens within the confines of the sliding *plastic* frame; this part carries the two cards, the balls, and the top halves of the pins. The stationary part underneath this contains the drivers and springs. A metal plate bolts down on top of the sliding piece, leaving a gap just big enough for the key card. If the screws holding this plate were to become loose, the plate would rise up, the key card would sit too high up, and the lock would not open. All the positioning is done by the thickness of the keys while they rest against the surfaces of their slots. Therefore a piece of thin cardboard will not serve as a duplicate key. We found that two pieces of plastic "do not disturb" sign, cut identically and used together, were thick enough to position things correctly and open the lock. A rough top view: Pin mechanism: Back _ = top plate Front Back o o o o <> = balls ________________________________ o o o H = keycard HHHHHHHHHHHHH<>HHHHHHHHHH<>HHHHHH ## QQ o o o o O = comb. card --> QQ OOOOOOOO<>OOOOOOOOOOOOOOOOOOOOOO o o o # = slider QQ# [] [] [] ## QQ @ o o @ [] = pins QQ###[]####[]####[]################# o o o || = driver/ QQQQQ||QQQQ||QQQQ||QQQQQQQQQQQQQ o o o o spring asm. QQQQQ||QQQQ||QQQQ||QQQQQQQQQQQQQ o o o Q = stationary QQQQQ||QQQQ||QQQQ||QQQQQQQQQQQQQ o o o o housing QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ Front It is hoped that the diagram on the right, with its three example pins, will show sufficiently that if two holes concide the pin will rise too far, and if two solid places concide, the entire combination card would be pushed down by the ballbearings. There is sufficient space underneath the combination card for it to sag down and foul the shear line; it is normally held upward by the pins' spring tension against the underside. This diagram may be misleading if it is not understood that the balls are actually larger than shown; i.e. the height of approximately three cards stacked up equals the diameter of the ballbearing. There is a thin layer of slider plastic between the keycard and the combination card, which separates them and retains the ballbearings. The @'s in the top view are the two magic pins. These prevent the lock from working at all unless a combination card is inserted. They are a bit thicker than the other pins and do not have ballbearing parts. The slider above the combination card slot here is solid, so these pins have nothing to do with the keycard. They simply hold the lock shut if no combination card is installed, regardless of what is done with a keycard. Therefore if one were to make a combination card that only pushed down these pins, a solid keycard would work. And if one inserts a solid combination card, the lock is already open before you insert anything. [This is a useful hack that will allow anyone to open the door with just about any tool, in case you are crashing lots of people in a room, don't have enough keys, and don't feel like making more. Naturally your security is compromised, but only those who know what's going on will be able to get in.] The slider has a bracket bolted on to it, which reaches down toward the doorknob and pushes a moveable sleeve with a square hole through it. This joins two sections of a three-section split shaft together, which allows the outside knob to retract the bolt. The inside knob is "hardwired" to the bolt action and always opens the door. The extra split in the shaft is so that with the card in place, the lock will still behave like a regular split-shaft knobset [and disable opening if the deadbolt is shot]. There is a hinged plastic door on the back [inside] of the lock, which is held shut with a screwdriver tab inside a slot. This is where the combination card goes, although this door exposes enough to see the entire slider mechanism [except for its inner works; the entire back must be taken off to get the slider out]. Now, the security evaluation: I see no clear way to "pick" it. The rear pins are hard to get at without touching the frontmost ones. However, this lock would be *very* easy to defeat, in the following fashion: A thin tool about the thickness of a keycard and about .2 inch wide can cover one column of ballbearings. If this tool is slowly slid straight into the slot along each column in turn, the resistance encountered as it contacts each ball indicates whether there is a hole or not underneath it in the combination card. The combination card presses upward against the ball more strongly than the pin's spring does, so this would allow one to map the combination card and then construct the keycard complement. This process wouldn't take very long. I therefore recommend that these locks be considered less than high-security. Furthermore, come to think of it, a small hole drilled in the front plate [which I doubt is hardened] would make it easy to frob the slider or split shaft. _H*