The Lockdown: Locked, but not secure (Part I)
Noted security expert Marc Weber Tobias contributes a new column, The Lockdown, exposing the shoddy security you may depend on.
The Bump Key: A new old threat to the security of mechanical locks
The most popular locking mechanism in the world utilizes the pin tumbler design, first developed 4000 years ago in Egypt and then rediscovered and perfected a century and a half ago by Linus Yale. There are billions of these locks in the world and they come in all sizes, configurations, and security ratings. Some are secure; most are not, and even some high security rated cylinders can be easily compromised. All that is required to open many types of pin tumbler cylinders -- the kind of lock that probably keeps the bad guys out of your home -- is a bump key and a tool for creating a bit of force. The bump key shown above opens an extremely popular five pin lock, and the plastic bumping tool is produced by Peterson Manufacturing, although many others are now being offered for sale. With these two cheap implements, anyone -- and I do mean anyone -- can get into your home or business in a matter of seconds.
In 2004, this relatively old technique of opening locks was rediscovered by the European locksmith community in Germany and other countries. As the word spread as to the ease with which certain locks could be bypassed, several sports lock picking clubs and notably the members of TOOOL began to examine the issue more closely. Subsequently, tests were conducted by the prestigious consumer research organization in the Netherlands in 2006 and published last March. In early April, we issued a security alert on security.org with regard to the vulnerability of United States Postal Service and Mail Boxes Etc. locks. Two White Papers were also posted, dealing with the security threat and legal issues involving bumping: A detailed technical analysis of bumping and Bumping of Locks: Legal issues in the United States.
There is significant misunderstanding about the bumping technique, what locks are affected, and which products will provide real security against this threat. Barry Wels and I discussed bumping during a panel at HOPE in New York in July, and Matt Fiddler and I presented the same topic at DEFCON 14. A great deal of international media attention resulted from these talks because of the apparent simplicity of opening cylinders that were previously believed to be secure. The photograph to the right shows an eleven year old girl who opened a popular five pin cylinder in seconds at DEFCON 14. She had no prior experience or expertise. You can watch a video (WMV) of her opening the lock here; it's actually a little scary.
I interviewed and videotaped the eleven year old girl at the lock picking village at DEFCON who demonstrated how she could quickly open a popular cylinder. She had no prior experience with locks and did not understand the underlying theory. Her parents simply thought that she might be intrigued with the challenge of opening locks. And they were correct! All she had was a pre-cut bump key and a "tomahawk" kinetic energy tool, like the one pictured above. The Kwikset that she opened is sold in every hardware and DIY store in the country, and is believed to be secure by the public. It is far from it, and that is at the crux of the security issue at hand. The manufacturers have failed to warn the consumer that certain cylinders can potentially be opened in seconds with this technique.
Definition of terms and how a pin tumbler lock works
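You should become conversant with a few terms that are used to describe the critical components of a pin tumbler lock.
- Bitting: The actual cuts of the key.
- Center-to-center measurement: The required spacing between each cut.
- Chamber (or bore): A series of holes are drilled through the shell of the lock and into the plug, one for each set of tumblers (the pins that keep locks shut). Each chamber contributes to the overall security of the lock by housing a set of pin tumblers and springs that can individually prevent the plug from turning without the proper key.
- Code value for each depth: The number that the manufacturer assigns to each individual bitting depth.
- Keyway: The combination of obstructions (wards) at the front of the plug that allows or prevents a specific key from entering.
- Pin Tumbler: A round pin that moves up and down within each chamber and whose purpose is to block the ability to turn the plug unless it is raised to shear line.
- Plug: The round center core of a lock that is activated by the proper key and is utilized to turn the bolt.
- Shell: The fixed portion of the lock that contains the springs, top pins and plug.
- Shoulder of the key: The portion of the key that abuts against the face of the plug. The purpose of the shoulder is to stop the key from forward movement, once fully inserted into the plug.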
In the modern pin tumbler lock, each chamber contains a spring, top pin and bottom pin. If the lock is master-keyed, then one or more additional pins will be inserted into each chamber to provide for additional unlocking combinations. In the standard cylinder, a rotating portion, called the plug, is the part that is controlled by the key and actuates the bolt when it is turned. The plug is normally prevented from moving because there are usually five, six, or seven pin tumblers that protrude from the fixed part of the lock, called the shell, into the plug.
In order for this lock to be opened, all of the bottom pin tumblers must be raised precisely to the shear line (the exact point at the top of the plug), so that it can rotate freely. If any pin is even a couple thousandths of an inch above or below the shear line, then the plug is stopped from turning.
In the diagram above (we slapped it in a second time so you don't have to keep scrolling up), all of the bottom pins are aligned at shear line. They are shown in green. The depths for four of the pins are shown. Note the shortest bottom pin corresponds with the shallowest cut of the key and is given the code value of "0" by the manufacturer. There is a direct correlation between the depth of the pin and its number. All lock makers assign values to each pin depth so that keys can be replicated by number rather than requiring the physical key. The deepest pin in this lock is 9. This is an important concept to understand when discussing bump keys, because the proper bump key requires that all of the bitting positions be cut to the lowest depth. In this example, that would be 999999 (see: the topmost picture).
We need to understand two concepts: what keeps the lock from opening, and more importantly, how can we unlock our cylinder? The first question is simple to answer. Without any key inserted, each top pin will occupy space in the chambers of both the shell and the plug. This will prevent the plug from turning. When the wrong key is inserted, one or more tumblers are either above or below shear line, depending upon the key bitting. Either way, the plug is prevented from rotating because the pin forms an obstruction that binds the plug to the shell. The lock can be opened only when there is no obstruction crossing the shear line. This can happen in one of several ways.
Of course, a key can raise all of the lower pins to the shear line, which will in effect make the plug into a solid block of round metal, free to turn. Note, I said "a key" rather than the "correct key," because in a master key system, many different keys will open a given cylinder. In our simplest of examples, we raise the lower pins to shear line with the correct key, and the lock opens.
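To make the distinction between "a key" and "the correct key" concrete, the following Python model of the shear line is an added illustration, not part of the original column. It assumes a chamber is clear when the key's cut code equals the height of a pin split, uses constructed sample pinning, and goes slightly beyond the text by listing every bitting a master-keyed cylinder admits.

```python
from itertools import product

MAX_DEPTH = 9  # depth codes run from 0 (shallowest cut) to 9 (deepest cut)


def shear_codes(bottom, wafers=()):
    """Return the cut codes at which one chamber has a split at the shear line.

    Model assumption (not from the column): a bottom pin of code b is flush
    with the shear line when the cut beneath it is also b, and each master
    wafer of size w stacked on top adds another split at the running total.
    """
    codes, height = [bottom], bottom
    for size in wafers:
        if size <= 0:
            raise ValueError("master wafer size must be positive")
        height += size
        codes.append(height)
    if bottom < 0 or height > MAX_DEPTH:
        raise ValueError(f"pin stack must stay within depth codes 0-{MAX_DEPTH}")
    return codes


class Cylinder:
    """A pinned cylinder: one list of shear codes per chamber."""

    def __init__(self, bottom_pins, master_wafers=None):
        if master_wafers is None:
            master_wafers = [()] * len(bottom_pins)
        if len(master_wafers) != len(bottom_pins):
            raise ValueError("need one wafer tuple per chamber")
        self.chambers = [shear_codes(b, w) for b, w in zip(bottom_pins, master_wafers)]

    def blocked_chambers(self, bitting):
        """Map chamber index -> reason, for every chamber that still obstructs."""
        if len(bitting) != len(self.chambers) or not bitting.isdigit():
            raise ValueError("bitting must have one digit per chamber")
        blocked = {}
        for index, (cut, codes) in enumerate(zip(map(int, bitting), self.chambers)):
            if cut in codes:
                continue  # a split lines up with the shear line here
            if cut < codes[0]:
                blocked[index] = "bottom pin lifted too high, crosses into the shell"
            else:
                blocked[index] = "wafer or top pin sits too low, crosses into the plug"
        return blocked

    def opens(self, bitting):
        """True when no chamber leaves a pin across the shear line."""
        return not self.blocked_chambers(bitting)

    def opening_keys(self):
        """Every bitting that clears all chambers, as an audit of the pinning."""
        return sorted("".join(map(str, combo)) for combo in product(*self.chambers))


# Constructed sample pinning for a five-chamber cylinder (not a real product).
CHANGE_KEY = "35274"
MASTER_KEY = "55575"
PLAIN = Cylinder([3, 5, 2, 7, 4])
MASTERED = Cylinder([3, 5, 2, 7, 4], [(2,), (), (3,), (), (1,)])

if __name__ == "__main__":
    print("plain cylinder opens with:", PLAIN.opening_keys())
    print("wrong key 35264 blocked at:", PLAIN.blocked_chambers("35264"))
    print("master-keyed cylinder opens with:", MASTERED.opening_keys())
```

In this sample, three master wafers turn one working bitting into eight, six of which were never issued to anyone; that is the keyspace cost of master keying that a specifier should weigh.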
One form of bypass is picking, which actually simulates a key. Pins are individually raised to shear line and trapped there. Once all tumblers are "set" at this position, the plug is free to rotate and the lock can be opened. Another form of bypass, and the subject of this article, is bumping.
Earlier I stated that there can be no obstruction at the shear line for the plug to rotate. That means that the pins must be split precisely at the shear line, as would be the case in the normal operation of the correct key. But, there is another way, and that involves not only splitting the pins but creating a gap that crosses the shear line. This is what bumping is all about. The top and bottom tumblers are separated for a brief moment; just long enough for a gap to be created at shear line which allows the plug to be turned. As I will explain, this method is perhaps the simplest and fastest way to compromise a pin tumbler mechanism. The problem is integral to any lock that employs split pins in each chamber. Many have asked me if this means that the lock is defective. The answer is no; it is just a built-in problem that needs to be understood and addressed.
Theory and history of bumping
The technique of utilizing a specially cut key to open pin tumbler locks has been known for at least twenty-five years and appears to have been first developed by locksmiths in Denmark to disassemble cylinders quickly in their shops. It actually began by "rapping" a lock on the work bench while applying slight pressure to the back of the plug. If done properly, the movable portion of the cylinder would be forced slightly forward, and could be rotated and removed. Locksmiths then figured out that a key cut to all "9" depths (deepest value) could be used to simultaneously transmit energy to the pins to cause the bottom and top tumblers to separate.
The theory of bumping is quite simple and was actually formulated by Sir Isaac Newton around 1650, long before modern pin tumbler locks were invented. Energy is created and used to split the bottom and top pin, thereby allowing the plug to rotate. The original method of bumping, which required the key to be withdrawn by one tumbler position and then slammed forward, was replaced in 2004 by what I have referred to as the "negative shoulder" method. This new process made opening some locks quite a bit simpler and more reliable than the original method. In an instant, almost all of the conventional locking mechanisms became vulnerable.
As shown in the diagram below, a bump key is inserted fully into the lock. Because of the removal of a slight bit of material from the shoulder, the key is free to move forward when struck with a mallet (tomahawk), plastic-handled screwdriver, piece of wood, or almost any other weighted item. All of the pins are violently forced upward by making contact with the ramps of the key. This causes the top pins to move and creates a momentary gap between the top and bottom pins within each chamber. If the timing is correct, the plug is free to turn and the lock is open. It is just that simple!
Although I learned the Denmark technique almost fifteen years ago while in Copenhagen, I did not pay a great deal of attention to it in the first edition of Locks, Safes, and Security because it was not thought to be applicable as a covert method of entry. Since 2004, that has all changed. As I have noted in several articles, bumping is perhaps the fastest and easiest way to open a conventional pin tumbler lock, but there are caveats that the reader must understand. The bottom line: a high percentage of the locks in the world are pin tumbler mechanisms. A significant number of those can be compromised by exploiting Newton's Third Law of Motion, "For every action, there is an equal and opposite reaction."
Mechanical Locks: what constitutes security against covert entry?
Security against covert entry can be measured by what I refer to as the 3T-2R rule. All locks can be gauged by this standard, and all standards organizations, UL included, essentially employ the same formula. Simply stated, it relates to the amount of time, the sophistication of the tools and the amount of training that is required to open the lock. Then, the reliability and repeatability of the process must be assured. The lower the requirements for the 3Ts, the greater the threat to security. The problem is compounded if the reliability and repeatability of the process of compromising the lock are relatively high.
Bumping poses a serious security threat because the training to bump open a lock is minimal to non-existent. This was evidenced by three separate experiences that I had: a reporter that interviewed me in a recent television story, a correspondent for Newsweek, and the eleven year old at DEFCON were all shown the basic technique of bumping, and within a couple of minutes each was able to open five and six pin cylinders. The tools required are readily available. I have opened thousands of locks using screwdriver handles, a plastic mallet, and even wooden sticks.
Finally, the time to open a cylinder can range from two seconds to more than a minute. As a lawyer, my view is that if a cylinder, any cylinder, can be compromised in under a minute, there is a serious security issue and potential legal ramifications. But this is not the end of the story, because there are certain technical issues that you need to understand. Not all locks can be opened by this method. As noted in my White Paper, there are certain obstacles to success. Unless you have a pre-cut bump key for the proper keyway, the process can prove more difficult or even impossible.
In the second part of this article, I will talk about which locks are secure and which are not. You might be surprised!
Additional materials can be found on security.org and toool.nl. Bumping is thoroughly detailed in LSS+, the multimedia edition of Locks, Safes and Security by the author.
Marc Weber Tobias is an investigative attorney and security specialist living in Sioux Falls, South Dakota. He represents and consults with lock manufacturers, government agencies and corporations in the U.S. and overseas regarding the design and bypass of locks and security systems. He has authored five police textbooks, including Locks, Safes, and Security, which is recognized as the primary reference for law enforcement and security professionals worldwide. The second edition, a 1400 page two-volume work, is utilized by criminal investigators, crime labs, locksmiths and those responsible for physical security. A ten-volume multimedia edition of his book is also available online. His website is security.org, and he welcomes reader comments and email.

Reader Comments (Page 1 of 2)
William Antonio @ Jan 24th 2008 8:33AM
Great article Marc,
I wanted to know if any of you can suggest me a good locksmith in New York. So far I've only found them:
http://www.locksmithnewyorkcity.com
Kiwisweeti @ Jan 29th 2008 11:02PM
I know this might sound like a dumb question but, I don't understand all of this lock lingo. So, can you tell me which door lock for the house I can buy that is the safest, and the key can't be replicated anywhere but only certain places? And where can I buy this lock? Please help. Thank you so much!!!
Lock Bumper @ Feb 27th 2008 10:23AM
www.LockBumpingShop.com for all your Lock Bumping Needs
Arthur @ Mar 12th 2008 9:27AM
Although bump keying, raking, pick guns, and other mechanical lock defeating techniques are obviously security threats, they pose very little danger to the average person. The average home break-in is performed by unskilled criminals using speed and force as their primary strategies. Smashing locks, breaking windows, and shimming doors are all faster and easier than even the slickest lock-defeat strategies. The only purpose of criminal lock-picking is to silently enter and exit a place without leaving a trace. The criminal already intends to leave a trace- you are probably going to notice when you come home and your TV/Blackberry/PC/jewelry is missing. Lock-picking has few practical applications outside of legitimate locksmithing, and the few people who do pick locks- mostly professional high-value burglars and spies- have advanced techniques and equipment and are unlikely to be deterred by anything that we average people can muster. So, in conclusion, this is an interesting read but it isn't really a matter of concern to us.
keyman @ Jul 7th 2008 2:44PM
It seems that almost any lock can be defeated in some way or another. It’s all a matter of time. So the only thing u can do is delay the burglar so long that he does not have enough time to steal your things. A good way to do this is to install a hidden floor safe like these ones http://www.a1qualitysafe.com/site/408162/page/91221
Hopefully the crook will not find it hidden in the floor and if he does safe locks are always much harder to pick than door locks
Morgan @ Dec 1st 2008 12:06AM
Pickbuster makes your locks bump proof with one application. It is endorsed by the ICL, is used in their locks, and has been proven to make lock bumping completely impractical when to you locks. You can learn more about it at http://www.unbumpable.com.
Thanks!
Dave @ May 21st 2009 6:06PM
Why not make the pins out of strong little magnets? Then the upper and lower pins would stick together when bumped. This shouldn't affect the use of a normal key.
clintditto @ Feb 27th 2009 10:51PM
I ordered a set of bump keys this week from http://www.bumpmylock.com just got them today and going to try it out.
Seth Winter @ Mar 20th 2009 11:02PM
This is in reply to Hal Thompson. A female has been stalking me and breaking into my home as well for 15 years. Egyptian, from Cairo, an electrical engineer, very thin, muscular, 62, natural dirty white hair, 5'4", thin lips, olive complexion, brown eyes, middle eastern accent, highly educated, can speak as if very well to do. She never puts anything into her name and only rents rooms. I used Medeco locks for years which she got in constantly, then I added Mul T locks, and some Primus locks, but, it did not help any. She still enters even though I have an ADT system. She picks or bumps her way in, steals my car alarm pads (then devises remotes to control my car alarms), bank deposit lock box keys, keys to the house (extra ones), wreaks havoc inside the home and car, with very small but, continual vandalisms and thefts. How does she bypass the ADT system!!!!????!!! Are there devices which negate ADT systems? Which locks are recommended?? She told me she would never do anything traceable. She doesn't knock doors down, shoot locks out, bust through glass or climb through open windows (I keep all windows secured from the inside with locks and nails). She just goes in through the doors.
alex @ Aug 24th 2006 3:06PM
"You're completely and totally screwed! But never fear the key to salvation is....."
Stay tuned for our exciting conclusion....
Thanks engadget! Now I don't need to worry about sleeping.
chaosrain @ Aug 24th 2006 3:12PM
This is an interesting, if not exactly new, article about lockpicking. I wonder if part two will go into the whitepaper released a few years ago which goes into explicit detail about how to perform a "rights amplification" within a master keyed system by cutting a series of keys closely matched to your suite key in order to create a copy of the master key. Clearly, the bump method is a quicker way to go, but you look like a hooligan trying to pick a lock. The "rights amplification" method will take up to a month of going home to cut new keys, then trying them at work the next day, but it's much more stealthy and ultimately provides a master key to your entire building! Here's a link to that whitepaper: http://www.crypto.com/papers/mk.pdf#search=%22rights%20amplification%20master%20key%22
Rod @ Aug 24th 2006 3:12PM
I don't know.
Second time this is being posted here and I wonder if it makes thieves out of unsuspecting gadget geeks?
Warhorse @ Aug 24th 2006 3:15PM
Does this kind of thing work on cars as well? Might be time to update my security alarm...
Mack Swift @ Aug 24th 2006 3:19PM
Picking a lock isn't exactly rocket science folks. All a lock does is add an extra layer of time to a bad guy's schedule when trying to break into something.
Case in point - what's quicker to break into, start up, and drive away in? A car with The Club? Or the car without? The Club may add an extra 30 seconds; 30 seconds you can use to get the engine turned over, put it into gear, and drive off.
What's quicker? Kicking the door down (nearest to the knob), or picking the locks one way or the other?
And remember this; there's always the window folks.
SurferNerd @ Aug 24th 2006 3:40PM
Why is this being posted here, I find it offensive to show the world how easy it is in details. If you're going to tell us, then tell us, don't show how it's done. I personally use Medeco locks, courtesy of my father's locksmithing business. They're the most secure, and unhackable locks on the market. So if you feel threatened by this new hack, and have about $100US per deadbolt, go get Medeco. The keys are irreplaceable and uncuttable without the Medeco credit card (looks like one), and it can only be done by the few Medeco certified technicians that paid the $$$$ for the proprietary Medeco key cutters.
Squelchtone @ Sep 19th 2006 10:00AM
oh yeah, security through obscurity because only a handful of locksmiths know about it and the general public is not made aware of how bad of an idea it is to have a Kwikset on their front door? Get serious man, the public needs to know this stuff. It's not posted here to educate crooks, it's posted here because the more information you have about a subject the better informed you are as a consumer. Then you can decide if you want Medeco on your front doors, and ps.. a lot more than just a 'few' locksmiths out there paid for Medeco key cutters. I hope this mentality that only locksmiths should know how a lock works goes away sometime soon, it's been veiled in this guild of secrecy for far too long, and thieves will find this info out anyway because they are determined.
The secrets only keep the public in the blind and make them think that the 'pick resistant' Defiant brand lock from Home Depot is really protecting their house. Right now bumping is a fad, and I'm a good lockpicker but sometimes it takes me 10 minutes to bump a Kwikset. It's not like you put a bump key into a lock and boom it's open, it takes practice and skill. Same with lock picks, you don't just stick a pick into a lock and it opens in 10 seconds.. that takes skill and commitment, and a crook would sooner use a brick to get into a window than learn bumping or picking.
Andrew @ Aug 23rd 2007 10:15PM
I would like to point out that your Medeco is also not the greatest, and can be opened with a paperclip. You want security, make yourself your own deadbolt. Use a garage door opener to lower a bar across your door internally. But if you think your Medeco is bulletproof, read this:
http://www.engadget.com/2007/07/19/the-lockdown-the-medeco-m3-meets-the-perilous-paper-clip/
and if you want to buy a set of bumps,
www.bumpkey.us is where I bought mine, and they work GREAT.
David Li @ Aug 24th 2006 3:46PM
In reply to Warhorse:
No, it does not apply to cars. However, cars are already insanely insecure. Using a slim jim (you can fashion out of a coat hanger if needed), you can slip the tool between the rubber and the window and open the majority of cars (except for some luxury cars). Also, car keys are not really as unique as you would like to believe (many cars use the same key). Err, basically, cars are designed to be insecure on purpose.
In reply to Mack Swift:
The point is, if you break into a house by lock picking, people wouldn't know you broke in (except with detailed forensic analysis). It's pretty hard to tell that a lock has been bumped without at least breaking open the lock. Also, keep in mind that the lockpicking community does not aim to break into people's houses, but rather to learn about locks and develop lockpicking skills. Thieves and criminals are already able to bypass locks with lock drills that do the same thing.
So the bottom line: Bad guys don't pick locks. People pick locks for fun.
Paul @ Aug 24th 2006 3:46PM
Great article so far! I am guessing Medeco are on the list of secure locks and I will be shocked and scared if they are not!
Matt @ Aug 24th 2006 3:49PM
Of course that girl was able to open that lock in the video... the key is in the lock! Am I missing something? I can open any lock as fast as that when I have the key.
rtdunham @ Mar 11th 2008 3:15PM
does anybody READ anymore? in the article there's text AND PICTURES, MATT, showing the bump KEY. jeez.
Harbinger @ Aug 24th 2006 3:58PM
Re:Matt
The key is the bump key, the tool is for bumping. The key isn't specifically for that lock.
David Li @ Aug 24th 2006 3:58PM
Okay, I should probably also give a primer to what is likely to show up in the next part (spoilers):
* Cheap crappy locks can't be bumped as easily. The reason is that they have larger tolerance margins for the lock parts. The pins are sort of loose. Thus, they are less likely to bump the right way.
* Abloy locks can't be bumped. They use a system of disks instead of pins. However, there are tools to pick cheaper/less secure Abloy locks using more conventional methods (for fun).
* Those circular locks you might see on bicycle locks or computer/laptop locks are probably harder to bump, but definitely not worth it. You can pick those in a minute easily with a thin piece of cardboard or what have you.
Also, now that we are on the subject of locks and stuffs, I should also like to talk about those pesky Master locks. You've seen them everywhere. They are in Walmart, gyms, and every US high school. You know, the upside down U shaped latch and the dial where you have to enter 3 numbers...
Well, if you search on Google, chances are you'll find the technique whereby you can limit the possible combinations to 100. What isn't so well known is that they can be opened in about 3 seconds with a padlock shim. Basically, it's a thin piece of metal that you insert between the latch and the hole where the latch goes in. If you rotate it a bit, the lock just pops open. This was kind of popularized by Hack a day (hi Elliot, it's David Li again) and the lock enthusiast, Barry Wels in Hope 5 (or was it 6?).
Dave Schroeder @ Aug 24th 2006 4:03PM
Medeco's response:
http://www.medeco.com/about/whats_new/pr/bump.html
David Li @ Aug 24th 2006 4:03PM
In response to Matt:
Did you read the fine article? Anyways, here's a quick summary:
Bump keys are specialized keys that can open any lock that they fit in if you "bump" them in the lock. So the "key" in the lock is not the key that opens the lock, but it's the bump key that can open the locks like that.
A bump key can be easily made for almost any lock as it doesn't require any specialized equipment (a nail filer is fine) and no very specialized knowledge. It is not like a "master key" backdoor to some locks.
crackpipe @ Aug 24th 2006 4:03PM
Can I sue my apt building for having locks that are not bump key proof?
james @ Aug 24th 2006 4:06PM
the last key i was bumping was to pick locks...but later i was picking my nose
David Li @ Aug 24th 2006 4:13PM
In reply to Dave Schroeder and Paul:
Medeco's pin based locks are as vulnerable as any. The thing is, Medeco is a subsidiary (or something like that) of Abloy which does make bump proof locks. See my post above about Abloy.
d3 @ Aug 24th 2006 4:17PM
Matt, you are missing something: using this method, that key can open ANY of that style of lock, it's not the key for that particular lock. It is also easily made. (look at the top photo)
Paul, I'm guessing you have Medeco locks? I was shocked to learn my Mul-T-Locks were compromised this way. However, I have seen video of this performed on a variety of locks but not a Medeco3. (the one with the sidebar) That doesn't mean it's impervious, but to compromise it you might need to have several bump keys made with the sidebar notch in different places. Hopefully, the Mul-T-Lock CLIQ cylinders will come down in price ($700 per, ouch) and I can recylinder my locks with them, which would be resistant to bumping.
Greg Evans @ Aug 24th 2006 4:22PM
The real issue of this is the fact that Insurance companies will deny your claim if there is no proof of burglary - these bump keys leave no trace of use... So imagine your house being cleared out and the Insurance company saying that there is no proof that there was illegal entry - that you just left the door unlocked.
Tyler Durden @ Aug 24th 2006 4:24PM
You know what they say. Locks only keep honest people honest. Last March they didn't bother to pick the lock they just kicked in the door and split the jamb. They didn't ruin the dead bolt or the lock.
The best home security measure is to make your house tougher to break into than your neighbors. Otherwise if you have something they want, they will find a way to get it.
It's like keeping 14 year old boys out of porno. When there's a will, there's always a way. If you think differently you're kidding yourself.
David Li @ Aug 24th 2006 4:27PM
In reply to d3:
Yes, RFID keys are one solution that can potentially prevent bumping or picking for that matter. Beware however, because the technology is fairly new and prone to new attacks. Specifically, there was one company whose RFID lock component could be disabled by simply attaching a strong magnet to the lock. After attaching the magnet, the lock acted like a normal lock :D.
Also, to add to the list of bump proof locks, there are locks that move pins up and down using magnets instead of through physical contact. They can't be bumped for obvious reasons. However, they potentially suffer from a problem that the pin states are atomic. They are either "up" or "down" with no in between state. Thus, it's possible to build brute forcing equipment that tries every single key combination quickly. Plus, magnetic locks are extremely rare/expensive.
David Li @ Aug 24th 2006 4:31PM
In response to Greg Evans:
Yes, you are correct sir. It's believed that bumping could be detected if it has been done many times on a lock. There's nothing that puts strain on the pins like the way bumping does. However, it probably needs some specialized forensics because AFAIK, a quick visual inspection can't detect anything.
Also, the lock warranty/insurance won't cover stolen property if the lock is picked/bumped instead of broken.
William Wilkinson @ Aug 24th 2006 4:54PM
I actually have a set of bump keys next to me, after I read something on Digg about them I bought them on eBay. I still haven't been able to open a lock yet, not sure if it's my technique or the keys.
d3 @ Aug 24th 2006 5:03PM
The CLIQ system is not RFID, and although that doesn't mean it's not resistant to a magnet attack, I would think that Mul-T-Lock would have tested against something as simple as a magnet. This isn't Kwikset we're talking about here.
Oscar Feliciano @ Aug 24th 2006 5:19PM
David Li: CLIQ is not RFID. It is electromechanical.
Here is Mul-T-Lock's response, btw:
"In recent months some printed information has been circulated on the subject of bump keys. Despite seeing themselves as breaking new news, the bump key technique, also known as the “999 Method”, has been familiar to locksmiths around the world for many years.
The two most recent publications are really the same one. Both were written following a meeting of a group of hackers that took place in Amsterdam, Holland. Severely weakening their claims and perhaps most noteworthy in these documents is the “Important disclaimer” it contains:
“Locks are expensive and we are not a commercial testing lab, so we have had only a very limited number of testing locks available to us. The presence of a lock in the list just means bumping worked at least once on a cylinder we had access to.”
The article published in the January edition of “Keynotes” is written almost two years after most of the testing institutes in Europe have made it mandatory for lock manufacturers to test against this “technique” as well. Mul-T-Lock®, a company that puts standards above all, was tested and passed all the required tests.
Mul-T-Lock’s Standards of High Security
Mul-T-Lock’s telescopic pin cylinders have been equipped for the last 20 years with plug mushroom pins, which are very effective in preventing this opening technique. This same feature was added to the 7X7 line.
In addition, about three years ago Mul-T-lock introduced the new patented “Anti-picking” telescopic pins that defeat even the most skilled lock picker – not only in the field, but also in “comfortable” laboratory conditions.
Always be aware that locks can be “cooked” (prepared in advance) to look like they have been picked open. Through the years we have seen many variations: cylinders in which 1 pin tumbler was left and other cases in which the “objective examiner” had looked at the working key, before he performed his magic. This is more show business than High Security. So be aware and do not fall into the traps they set."
Incognito @ Aug 24th 2006 5:54PM
An interesting video on YouTube about this: http://www.youtube.com/watch?v=7Uv45y6vkcQ&search=bump%20key
Anthony Nguyen @ Aug 24th 2006 6:43PM
I mean it's great news and all, but seriously, these innocent geeks reading this site are gonna think its a great idea to try it on their neighbor. Little will they know the neighbor just bought a new Pioneer plasma television. Door's wide open. No one's around. Free tv!
abigsmurf @ Aug 24th 2006 6:52PM
What about Chubb locks? They have a mechanism where if any pin gets bumped too far it stops the lock from opening. They take an insane amount of time to pick.
Tom @ Aug 24th 2006 7:02PM
bla bla bla... just shoot out the lock and kick down the door! That's what total badasses like me do!
Jon @ Mar 11th 2008 3:02PM
super cool!
That's what I do too, but with my shades on!
Chris Tucker @ Aug 24th 2006 7:12PM
SurferNerd, not wanting to pay the obscene fees to get a couple of spare keys to the front door of the apartment building, I took my Medeco key to a friend of mine at MIT. A sixpack of good beer later, I had exact copies of the keys.
The original key was 3-D scanned and then a chunk of steel barstock was CADCAMed milled down to two exact copies of the original key.
So much for the "unduplicateable"/"Can be duplicated ONLY by MEDECO authorized licensed locksmiths".
Mike @ Aug 24th 2006 7:22PM
Great article - this DEFCON I was tempted to try lockpicking, but was distracted by other things. Next year I think I'll definitely put my diapers on.
Just a quick note - (quote) "Energy is created and used to split the bottom and top pin, thereby allowing the plug to rotate." - this violates the first law of thermodynamics, which states that energy cannot be created or destroyed, but only transferred (in this case from the speeding tomahawk to the key). Minor detail, I'm just being a picky a**.
Cheers,
Seth Mills @ Aug 24th 2006 7:40PM
As a licensed locksmith I can tell you that although bump keys work with a large majority of locks, there are easy ways to keep any lock bump proof. The bump key is cut to the lowest depth for that type of lock, so if you have several pins which are also the deepest cut in the key, it will not push them all the way above the shear line, thus not allowing the lock to open. Basically if it's a Schlage lock, as long as there is one or more 9 cuts in your key, a bump key will most likely not work. The problem is basically this, if the key is cut to any lower than the deepest cut, it won't push the other pins up, so if there are nine cuts in a Schlage or six cuts in a Kwikset (maybe a 7) you should be fine!
rick @ Aug 24th 2006 7:43PM
WRT forensic analysis, I heard that it's possible to externally show a lock had been bumped based on the shoulder of the key leaving indentations above the keyhole. Having never bumped a lock myself, I haven't been able to verify the veracity of that remark. Also, I'm told that simply affixing a small bit of rubber cement will prevent that mark from showing up also.
thoughts?
Prometheus @ Aug 24th 2006 8:30PM
My grandfather gave me an Abloy padlock a long time ago (I have a thing for locks) but only recently did I find out that they're special. I would use it to secure things but it's kinda an antique.
Allen Murphy @ Aug 24th 2006 8:47PM
OK, folks--it's like this.
A good professional locksmith can modify ANY pin tumbler cylinder to be "bump" resistant, if not "bump" PROOF!
Yes, this is an old technique for opening locks, and yes, there is a very simple way to defeat it on even the cheapest cylinders--I know, as I do it on a regular basis here in the metro Milwaukee, WI area.
This problem was best summed up by the Bard himself--"Much ado about nothing!"
HotGarbage @ Aug 24th 2006 9:17PM
Reply to Rod...
Knowledge of how to commit a crime doesn't turn you into a criminal. Everyone knows how to commit murder.
Joey Kelly @ Aug 24th 2006 9:50PM
About the Master padlocks, back when I was in junior high (1976 or so), we used to throw them down onto concrete sidewalks, and they would pop open. The trick was to hold the lock upside down, so that the U-shaped latch would strike the concrete. We never could figure out how to open a lock that was actually attached to anything, though.