School buildings in which every locked room is accessible through the use of a single master key are vulnerable to serious security breaches, owing in part to the simplicity of a little-known lock-picking technique that allows master copies to be made in minutes.

Law enforcement agencies are being warned the technique could be used to defeat locks in most schools, dormitories, offices, and apartment buildings, which raises the question: Should school leaders consider alternative locking systems, such as computerized locks and swipe cards, that use technology to secure their students and their valuables?

A cryptographer working for AT&T stumbled upon the secret, which primarily had been known only by locksmiths and a handful of criminals: Anybody with a key to a building whose locks have a master key can create their own master copy.

“Creating such a key requires no special skill, leaves behind no evidence, and does not require engaging in recognizably suspicious behavior. The only materials required are a metal file and a small number of blank keys, which are often easy to obtain,” said the researcher, Matt Blaze of AT&T Labs.

Security experts say the vulnerability should prompt school building managers to consider switching to “control key” systems, which use blanks that are not sold to the public, or adding alarms or video surveillance.

“We have to realize that the term ‘key control’ in many schools is an oxymoron,” said Kenneth Trump, president and chief executive of Cleveland-based consulting firm National School Safety and Security Services. “There is very limited control of keys.”

According to Trump, the threat that master keys might be forged often is compounded by the reckless disregard with which school administrators often treat their security systems. Many officials, he said, are too willing to lend their keys to volunteers. Others don’t move quickly enough to replace locks when keys are reported lost or employees turn over. With so many potential security breaches, Trump warned, imposters likely could target schools with relative ease.

Some school leaders already were turning to technology to tighten their building security, even before Blaze’s findings became public. Several companies—such as Locknetics, a Connecticut-based division of Ingersoll-Rand—now manufacture electronic key and security systems designed specifically with the needs of schools in mind.

Little Falls Community Middle School in Minnesota, for instance, currently uses one of Locknetics’ magnetic swipe-card locks to control access at its main entrance. Principal Bill Turk said officials settled on the computerized locking system after realizing the number of building keys in circulation presented a security risk.

“The building is 40 years old,” he said. “Obviously there are a lot of those keys out there.”

Currently, Little Falls employs the electronic system only to control traffic at its main entrance. But Turk said officials are considering outfitting all of its locks with similar devices.

“The [computerized] system keeps track of who goes in and who comes out, and at what time,” he said. “If a card is lost, all you have to do is change the code. It’s not a perfect system, but it’s better than a key system.”

The locks, which can be activated by push-button keypad or magnetic swipe card, can cost more than $1,000 a piece, according to Locknetics’ catalog. Turk said Little Falls paid approximately $800 for its single-entrance swipe-card system.

At those prices, security expert Trump said a transition would be out of the question for most schools.

“In an ideal world, we would turn to technology to address the problems associated with key control,” he said. But as schools nationwide continue to suffer from shrinking budgets, funding for massive security overhauls is virtually nonexistent.

For that reason, Blaze’s findings probably will have only a modest impact on the lock industry.

“There’s been an ongoing trend toward key control. He’s moved the ball forward a little bit,” said Lloyd Seller, senior training manager for Schlage Lock Co. of Security, Colo.

Each year, about 20,000 people learn of the technique to defeat master key locks in locksmith training provided by private companies, the military, and law enforcement, Seller estimated.

Blaze, 40, usually works on codes to protect computers and other systems, and on finding weaknesses that hackers exploit to break into networks.

Last year, he examined whether codes can protect other things and turned first to locks. After months of reading, he found the vulnerability, he said in an interview with the Associated Press.

“This technique has been discovered and rediscovered over the years by locksmiths, and probably criminals,” Blaze said. “I may be the first to work out all the details.”

Among them: It usually takes less than 50 “probes” of a lock to gain enough information about the master key to create a copy.

The vulnerability stems from the design of basic master key systems. Pins in the lock cylinder, which are pushed to different positions by the teeth of the key, have two positions that allow the lock to open—one for its individual key, the other from the master key.

“Since this research was completed last fall, we have been quietly circulating details of the vulnerability to the lock, law enforcement, and security communities,” Blaze wrote in a summary of his findings on the internet. “However, there is some evidence that the details are now circulating in the underground world.”

He added: “We believe that it is no longer possible to keep the vulnerability secret and that more good than harm would now be done by warning the wider community.”

Marc Webber Tibias, a former prosecutor and author of “Locks, Safes, and Security,” agreed that few people would change their locks after learning of the vulnerability.

“The majority won’t, because they’ll say they haven’t had any problems to date,” said Tibias, of Sioux Falls, S.D.

He said he tested Blaze’s technique by providing a 15-year-old boy with the instructions, a file, and blank keys. The teen crafted a master key in 15 minutes.

Blaze’s paper “certainly does raise an ongoing question with respect to security in schools,” said Sandra Becker, director of technology for the Governor Mifflin School District in Pennsylvania. “As in network security, the biggest risks are internal. Responsibility and loyalty are key.”

Links:

National School Safety and Security Services
http://www.schoolsecurity.org

Locknetics
http://www.locknetics.com

Blaze’s summary
http://www.crypto.com/masterkey.html

Blaze’s paper
http://www.crypto.com/papers/mk.pdf

Associated Locksmiths of America
http://www.aloa.org