• We are now running on a new, and hopefully much-improved, server. In addition we are also on new forum software. Any move entails a lot of technical details and I suspect we will encounter a few issues as the new server goes live. Please be patient with us. It will be worth it! :) Please help by posting all issues here.
  • The forum will be down for about an hour this weekend for maintenance. I apologize for the inconvenience.
  • If you are having trouble seeing the forum then you may need to clear your browser's DNS cache. Click here for instructions on how to do that
  • Please review the Forum Rules frequently as we are constantly trying to improve the forum for our members and visitors.

Should a customer be made aware of a security flaw?

Freedom1Man

Regular Member
Joined
Jan 14, 2012
Messages
4,462
Location
Greater Eastside Washington
If you discovered an interesting security flaw in a customer's security, in this case it being the customer's own fault, should you point it out?

In this case I noticed that building sites use a construction key and construction balls. The way that things are setup if you gained access to a construction key and at least one end user key, you can cut one key that would open almost all the homes in a development. More so with one brand of lock than another.



Sent from my SM-G386T using Tapatalk
 

solus

Regular Member
Joined
Aug 22, 2013
Messages
9,315
Location
here nc
Freedom, as i am sure you are aware, a construction key is not the same as a master key. once the homeowner uses their personal property key, the 'balls' are pushed into a cavity and therefore render the construction key inoperable. now if the new homeowner doesn't walk around to use their key in all locks, there is an opportunity to leave an outside lockset in construction mode. additionally, having a user's key and construction key you should only gain you access to the one property key was from.

where the problem ensue is if the builder is the financier and has a long term interest in the development and properties and maybe asked for locksets which are construction keyed as well as master keyed so there may be a 'master key' or physically pinned to have one key open each of the property locksets.

fyi, there are perhaps no more than 30-35 construction key combinations currently in use as well as construction keys have been around a long time with minimal issues to date.

Bottom line, a known risk

i personally knew who lived in my current adobe and still upgraded to dbl keyed deadbolts around the property...some fool might get in through a window...but they aren't getting out through a door. :lol:

ipse
 
Last edited:

Freedom1Man

Regular Member
Joined
Jan 14, 2012
Messages
4,462
Location
Greater Eastside Washington
Freedom, as i am sure you are aware, a construction key is not the same as a master key. once the homeowner uses their personal property key, the 'balls' are pushed into a cavity and therefore render the construction key inoperable. now if the new homeowner doesn't walk around to use their key in all locks, there is an opportunity to leave an outside lockset in construction mode. additionally, having a user's key and construction key you should only gain you access to the one property key was from.

where the problem ensue is if the builder is the financier and has a long term interest in the development and properties and maybe asked for locksets which are construction keyed as well as master keyed so there may be a 'master key' or physically pinned to have one key open each of the property locksets.

fyi, there are perhaps no more than 30-35 construction key combinations currently in use as well as construction keys have been around a long time with minimal issues to date.

Bottom line, a known risk

i personally knew who lived in my current adobe and still upgraded to dbl keyed deadbolts around the property...some fool might get in through a window...but they aren't getting out through a door.[emoji38]
ipse
The construction balls though normally replace only one pin. I go for as many as I can.

And the master pins that are installed to allow the construction key to work, stay there.
So, normally only one pin changes when the user key is used leaving 4 out of 5 pins with 2 numbers that will clear that position. So the construction key, with one number smaller, will open most of the locks.

I demonstrated that today. Boss is being an Ahole told me that we cannot tell our customers that this could be an issue to be aware of.

Instead, home owners are getting houses that an odd ball key could be used to open their front door. The same key could be used to open up 90+% of all the homes in many developments.

Sent from my SM-G386T using Tapatalk
 

solus

Regular Member
Joined
Aug 22, 2013
Messages
9,315
Location
here nc
The construction balls though normally replace only one pin. I go for as many as I can.

And the master pins that are installed to allow the construction key to work, stay there.
So, normally only one pin changes when the user key is used leaving 4 out of 5 pins with 2 numbers that will clear that position. So the construction key, with one number smaller, will open most of the locks.

I demonstrated that today. Boss is being an Ahole told me that we cannot tell our customers that this could be an issue to be aware of.

Instead, home owners are getting houses that an odd ball key could be used to open their front door. The same key could be used to open up 90+% of all the homes in many developments.

Sent from my SM-G386T using Tapatalk

construction key'd locksets are pinned, normally number 2 cylinder with 1 - 3 'balls', which as indicated previously the balls are cleared when the formal key is used and in application renders the construction key inoperable.

masterkeyb3.jpg



as mentioned, these type of builder's locksets are not physically pinned in each cylinder to allow 'master keys' to function after the 'ball' has been cleared.

that said...perhaps there is some shady deal transpiring which you might not wish to be privy to...but your comment, quote: Instead, home owners are getting houses that an odd ball key could be used to open their front door. The same key could be used to open up 90+% of all the homes in many developments. unquote tells me someone might have inadvertently (read as given the benefit of the doubt on mistake) mis-ordered the locksets as mastered and since they are installed would cost too much to correct the cylinders...(read first underlined sentence in this paragraph and act accordingly).

that darn rock & a hard spot coupled w/putting food on the table is a tough spot to be in...

ipse
 
Last edited:

Freedom1Man

Regular Member
Joined
Jan 14, 2012
Messages
4,462
Location
Greater Eastside Washington
You have to use master pins when keying the two major residential key brands. They are only used on the front doors and we construction ball the which even pin the manufacturer tells us to. I do an extra spot when I can to eliminate one more pin combo.


In Kwikset the balls =2 and then in Schlage the balls equal 3.

To clear all of the pins the user key would have to be only one off from the construction key and the 2 or 3 shallower in the cut.

Construction key (in Kwikset)#66666 could have an end user key of 12343 in that key schedule you would have 11141 11143 11241 ......
The construction ball would be in the 4th spot. So a key of 66646 would open all of the locks in that schedule.

Sent from my SM-G386T using Tapatalk
 
Last edited:
Top