The Lockdown: Locked, but not secure (Part I)
Noted security expert Marc Weber Tobias contributes a new column, The Lockdown, exposing the shoddy security you may depend on.
The Bump Key: A new old threat to the security of mechanical locks
The most popular locking mechanism in the world utilizes the pin tumbler design, first developed 4000 years ago in Egypt and then rediscovered and perfected a century and a half ago by Linus Yale. There are billions of these locks in the world and they come in all sizes, configurations, and security ratings. Some are secure; most are not, and even some high security rated cylinders can be easily compromised. All that is required to open many types of pin tumbler cylinders -- the kind of lock that probably keeps the bad guys out of your home -- is a bump key and a tool for creating a bit of force. The bump key shown above opens an extremely popular five pin lock, and the plastic bumping tool is produced by Peterson manufacturing, although many others are now being offered for sale. With these two cheap implements, anyone -- and I do mean anyone -- can get into your home or business in a matter of seconds.
In 2004, this relatively old technique of opening locks was rediscovered by the European locksmith community in Germany and other countries. As the word spread as to the ease with which certain locks could be bypassed, several sports lock picking clubs and notably the members of TOOOL began to examine the issue more closely. Subsequently, tests were conducted by the prestigious consumer research organization in the Netherlands in 2006 and published last March. In early April, we issued a security alert on security.org with regard to the vulnerability of United States Postal Service and Mail Boxes Etc. locks. Two White Papers were also posted, dealing with the security threat and legal issues involving bumping: A detailed technical analysis of bumping and Bumping of Locks: Legal issues in the United States.
There is significant misunderstanding about the bumping technique, what locks are affected, and which products will provide real security against this threat. Barry Wels and I discussed bumping during a panel at HOPE in New York in July, and Matt Fiddler and I presented the same topic at DEFCON 14. A great deal of international media attention resulted from these talks because of the apparent simplicity of opening cylinders that were previously believed to be secure. The photograph to the right shows an eleven year old girl who opened a popular five pin cylinder in seconds at DEFCON 14. She had no prior experience or expertise. You can watch a video (WMV) of her opening the lock here; it's actually a little scary.
I interviewed and videotaped the eleven year old girl at the lock picking village at DEFCON who demonstrated how she could quickly open a popular cylinder. She had no prior experience with locks and did not understand the underlying theory. Her parents simply thought that she might be intrigued with the challenge of opening locks. And they were correct! All she had was a pre-cut bump key and a "tomahawk" kinetic energy tool, like the one pictured above. The Kwikset that she opened is sold in every hardware and DIY store in the country, and is believed to be secure by the public. It is far from it, and that is at the crux of the security issue at hand. The manufacturers have failed to warn the consumer that certain cylinders can potentially be opened in seconds with this technique.
Definition of terms and how a pin tumbler lock works
In the modern pin tumbler lock, each chamber contains a spring, top pin and bottom pin. If the lock is master-keyed, then one or more additional pins will be inserted into each chamber to provide for additional unlocking combinations. In the standard cylinder, a rotating portion, called the plug, is the part that is controlled by the key and actuates the bolt when it is turned. The plug is normally prevented from moving because there are normally five, six, or seven pin tumblers that protrude from the fixed part of the lock, called the shell, into the plug.
In order for this lock to be opened, all of the bottom pin tumblers must be raised precisely to the shear line, (the exact point at the top of the plug), so that it can rotate freely. If any pin is even a couple thousandths of an inch above or below the shear line, then the plug is stopped from turning.
In the diagram above (we slapped it in a second time so you don't have to keep scrolling up), all of the bottom pins are aligned at shear line. They are shown in green. The depths for four of the pins are shown. Note the shortest bottom pin corresponds with the shallowest cut of the key and is given the code value of "0" by the manufacturer. There is a direct correlation between the depth of the pin and its number. All lock makers assign values to each pin depth so that keys can be replicated by number rather than requiring the physical key. The deepest pin in this lock is 9. This is an important concept to understand when discussing bump keys, because the proper bump key requires that all of the bitting positions be cut to the lowest depth. In this example, that would be 999999 (see: the topmost picture).
We need to understand two concepts: what keeps the lock from opening, and more importantly, how can we unlock our cylinder? The first question is simple to answer. Without any key inserted, each top pin will occupy space in the chambers of both the shell and the plug. This will prevent the plug from turning. When the wrong key is inserted, one or more tumblers are either above or below shear line, depending upon the key bitting. Either way, the plug is prevented from rotating because the pin forms an obstruction that binds the plug to the shell. The lock can be opened only when there is no obstruction crossing the shear line. This can happen in one of several ways.
Of course, a key can raise all of the lower pins to the shear line, which will in effect make the plug into a solid block of round metal, free to turn. Note, I said "a key" rather than the "correct key," because in a master key system, many different keys will open a given cylinder. In our simplest of examples, we raise the lower pins to shear line with the correct key, and the lock opens.
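The shear-line rule and the "a key" versus "correct key" distinction, modeled in Python as an added example that is not part of the original column. The bittings 38264 and 58462 and every function name are constructed for illustration; a master pin is modeled as one extra split in a pin stack.

```python
from itertools import product

MAX_DEPTH = 9  # depth codes in the article's example run 0 (shallowest) to 9 (deepest)


def parse_bitting(code):
    """Turn a bitting code such as "38264" into a tuple of cut depths."""
    if not (code.isascii() and code.isdigit()):
        raise ValueError(f"bitting must be digits 0-{MAX_DEPTH}: {code!r}")
    return tuple(int(ch) for ch in code)


class Chamber:
    """One pin stack: a bottom pin with optional master pins stacked on top."""

    def __init__(self, bottom, master_pins=()):
        self.bottom = bottom
        self.master_pins = tuple(master_pins)
        if bottom < 0 or any(size < 1 for size in self.master_pins):
            raise ValueError("bottom pin must be >= 0 and master pins >= 1")
        if bottom + sum(self.master_pins) > MAX_DEPTH:
            raise ValueError("pin stack exceeds the deepest cut")

    def shear_depths(self):
        """Cut depths that put a split between two pins exactly at the shear line."""
        depths = [self.bottom]
        for size in self.master_pins:
            depths.append(depths[-1] + size)  # each master pin adds one more split
        return depths


def pin_for_keys(*bittings):
    """Pin a cylinder so that every listed key operates it (hypothetical helper)."""
    keys = [parse_bitting(b) for b in bittings]
    if not keys or len({len(k) for k in keys}) != 1:
        raise ValueError("need at least one key, all with the same number of cuts")
    cylinder = []
    for depths in zip(*keys):  # one tuple of required depths per chamber
        levels = sorted(set(depths))
        masters = [hi - lo for lo, hi in zip(levels, levels[1:])]
        cylinder.append(Chamber(levels[0], masters))
    return cylinder


def blocked_chambers(cylinder, bitting):
    """Indices of chambers where a pin still crosses the shear line."""
    cuts = parse_bitting(bitting)
    if len(cuts) != len(cylinder):
        raise ValueError("key and cylinder have different numbers of positions")
    return [i for i, (chamber, cut) in enumerate(zip(cylinder, cuts))
            if cut not in chamber.shear_depths()]


def operates(cylinder, bitting):
    """The plug turns only when no chamber obstructs the shear line."""
    return not blocked_chambers(cylinder, bitting)


def operating_keys(cylinder):
    """Every bitting that aligns some split in every chamber."""
    choices = (chamber.shear_depths() for chamber in cylinder)
    return {"".join(str(d) for d in combo) for combo in product(*choices)}


def incidental_keys(cylinder, issued):
    """Bittings that operate the cylinder although nobody issued them."""
    return sorted(operating_keys(cylinder) - set(issued))


if __name__ == "__main__":
    change, master = "38264", "58462"          # constructed sample bittings
    plain = pin_for_keys(change)               # no master pins
    mastered = pin_for_keys(change, master)    # master-keyed cylinder
    print("plain cylinder, wrong key blocked at:", blocked_chambers(plain, "38462"))
    print("keys operating the plain cylinder:", len(operating_keys(plain)))
    print("keys operating the master-keyed cylinder:", len(operating_keys(mastered)))
    print("never issued but still operate:", incidental_keys(mastered, [change, master]))
```

For the constructed pair of keys the master-keyed cylinder accepts eight bittings, six of which were never issued; every extra split in a chamber multiplies the number of keys that turn the plug.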
One form of bypass is picking, which actually simulates a key. Pins are individually raised to shear line and trapped there. Once all tumblers are "set" at this position, the plug is free to rotate and the lock can be opened. Another form of bypass, and the subject of this article, is bumping.
Earlier I stated that there can be no obstruction at the shear line for the plug to rotate. That means that the pins must be split precisely at the shear line, as would be the case in the normal operation of the correct key. But, there is another way, and that involves not only splitting the pins but creating a gap that crosses the shear line. This is what bumping is all about. The top and bottom tumblers are separated for a brief moment; just long enough for a gap to be created at shear line which allows the plug to be turned. As I will explain, this method is perhaps the simplest and fastest way to compromise a pin tumbler mechanism. The problem is integral to any lock that employs split pins in each chamber. Many have asked me if this means that the lock is defective. The answer is no; it is just a built-in problem that needs to be understood and addressed.
Theory and history of bumping
The technique of utilizing a specially cut key to open pin tumbler locks has been known for at least twenty-five years and appears to have been first developed by locksmiths in Denmark to disassemble cylinders quickly in their shops. It actually began by "rapping" a lock on the work bench while applying slight pressure to the back of the plug. If done properly, the movable portion of the cylinder would be forced slightly forward, and could be rotated and removed. Locksmiths then figured out that a key cut to all "9" depths (deepest value) could be used to simultaneously transmit energy to the pins to cause the bottom and top tumblers to separate.
The theory of bumping is quite simple and was actually formulated by Sir Isaac Newton around 1650, long before modern pin tumbler locks were invented. Energy is created and used to split the bottom and top pin, thereby allowing the plug to rotate. The original method of bumping, which required the key to be withdrawn by one tumbler position and then slammed forward, was replaced in 2004 by what I have referred to as the "negative shoulder" method. This new process made opening some locks quite a bit simpler and more reliable than the original method. In an instant, almost all of the conventional locking mechanisms became vulnerable.
As shown in the diagram below, a bump key is inserted fully into the lock. Because of the removal of a slight bit of material from the shoulder, the key is free to move forward when struck with a mallet (tomahawk), plastic-handled screwdriver, piece of wood, or almost any other weighted item. All of the pins are violently forced upward by making contact with the ramps of the key. This causes the top pins to move and creates a momentary gap between the two within each chamber. If the timing is correct, the plug is free to turn and the lock is open. It is just that simple!
Although I learned the Denmark technique almost fifteen years ago while in Copenhagen, I did not pay a great deal of attention to it in the first edition of Locks, Safes, and Security because it was not thought to be applicable as a covert method of entry. Since 2004, that has all changed. As I have noted in several articles, bumping is perhaps the fastest and easiest way to open a conventional pin tumbler lock, but there are caveats that the reader must understand. The bottom line: a high percentage of the locks in the world are pin tumbler mechanisms. A significant number of those can be compromised by exploiting Newton's Third Law of Motion, "For every action, there is an equal and opposite reaction."
Mechanical Locks: what constitutes security against covert entry?
Security against covert entry can be measured by what I refer to as the 3T-2R rule. All locks can be gauged by this standard, and all standards organizations, UL included, essentially employ the same formula. Simply stated, it relates to the amount of time, the sophistication of the tools and the amount of training that is required to open the lock. Then, the reliability and repeatability of the process must be assured. The lower the requirements for the 3Ts, the greater the threat to security. The problem is compounded if the reliability and repeatability of the process of compromising the lock are relatively high.
Bumping poses a serious security threat because the training to bump open a lock is minimal to non-existent. This was evidenced by three separate experiences that I had: a reporter that interviewed me in a recent television story, a correspondent for Newsweek, and the eleven year old at DEFCON were all shown the basic technique of bumping, and within a couple of minutes each was able to open five and six pin cylinders. The tools required are readily available. I have opened thousands of locks using screwdriver handles, a plastic mallet, and even wooden sticks.
Finally, the time to open a cylinder can range from two seconds to more than a minute. As a lawyer, my view is that if a cylinder, any cylinder, can be compromised in under a minute, there is a serious security issue and potential legal ramifications. But this is not the end of the story, because there are certain technical issues that you need to understand. Not all locks can be opened by this method. As noted in my White Paper, there are certain obstacles to success. Unless you have a pre-cut bump key for the proper keyway, the process can prove more difficult or even impossible.
In the second part of this article, I will talk about locks that are secure and which are not. You might be surprised!
Additional materials can be found on security.org and toool.nl. Bumping is thoroughly detailed in LSS+, the multimedia edition of Locks, Safes and Security by the author.
Marc Weber Tobias is an investigative attorney and security specialist living in Sioux Falls, South Dakota. He represents and consults with lock manufacturers, government agencies and corporations in the U.S. and overseas regarding the design and bypass of locks and security systems. He has authored five police textbooks, including Locks, Safes, and Security, which is recognized as the primary reference for law enforcement and security professionals worldwide. The second edition, a 1400 page two-volume work, is utilized by criminal investigators, crime labs, locksmiths and those responsible for physical security. A ten-volume multimedia edition of his book is also available online. His website is security.org, and he welcomes reader comments and email.

You should become conversant with a few terms that are used to describe the critical components of a pin tumbler lock.
- Bitting: The actual cuts of the key.
- Center-to-center measurement: The required spacing between each cut.
- Chamber (or bore): A series of holes is drilled through the shell of the lock and into the plug, one for each set of tumblers (the pins that keep locks shut). Each chamber contributes to the overall security of the lock by housing a set of pin tumblers and springs that can individually prevent the plug from turning without the proper key.
- Code value for each depth: The number that the manufacturer assigns to each individual bitting depth.
- Keyway: The combination of obstructions (wards) at the front of the plug that allows or prevents a specific key from entering.
- Pin Tumbler: A round pin that moves up and down within each chamber and whose purpose is to block the ability to turn the plug unless it is raised to shear line.
- Plug: The round center core of a lock that is activated by the proper key and is utilized to turn the bolt.
- Shell: The fixed portion of the lock that contains the springs, top pins and plug.
- Shoulder of the key: The portion of the key that abuts against the face of the plug. The purpose of the shoulder is to stop the key from forward movement, once fully inserted into the plug.
Reader Comments (Page 1 of 2)
alex @ Aug 24th 2006 3:06PM
"You're completely and totally screwed! But never fear the key to salvation is....."
Stay tuned for our exciting conclusion....
Thanks engadget! Now I don't need to worry about sleeping.
chaosrain @ Aug 24th 2006 3:12PM
This is an interesting, if not exactly new, article about lockpicking. I wonder if part two will go into the whitepaper released a few years ago which goes into explicit detail about how to perform a "rights amplification" within a master keyed system by cutting a series of keys closely matched to your suite key in order to create a copy of the master key. Clearly, the bump method is a quicker way to go, but you look like a hooligan trying to pick a lock. The "rights amplification" method will take up to a month of going home to cut new keys, then trying them at work the next day, but it's much more stealthy and ultimately provides a master key to your entire building! Here's a link to that whitepaper: http://www.crypto.com/papers/mk.pdf#search=%22rights%20amplification%20master%20key%22
Rod @ Aug 24th 2006 3:12PM
I don't know.
Second time this is being posted here and I wonder if it makes thieves out of unsuspecting gadget geeks?
Warhorse @ Aug 24th 2006 3:15PM
Does this kind of thing work on cars as well? Might be time to update my security alarm...
Mack Swift @ Aug 24th 2006 3:19PM
Picking a lock isn't exactly rocket science folks. All a lock does is add an extra layer of time to a bad guy's schedule when trying to break into something.
Case in point - what's quicker to break into, start up, and drive away in? A car with The Club? Or the car without? The Club may add an extra 30 seconds; 30 seconds you can use to get the engine turned over, put it into gear, and drive off.
What's quicker? Kicking the door down (nearest to the knob), or picking the locks one way or the other?
And remember this; there's always the window folks.
SurferNerd @ Aug 24th 2006 3:40PM
Why is this being posted here, I find it offensive to show the world how easy it is in details. If you're going to tell us, then tell us, don't show how it's done. I personally use Medeco locks, courtesy of my father's locksmithing business. They're the most secure, and unhackable locks on the market. So if you feel threatened by this new hack, and have about $100US per deadbolt, go get Medeco. The keys are irreplaceable and uncuttable without the Medeco credit card (looks like one), and it can only be done by the few Medeco certified technicians that paid the $$$$ for the proprietary Medeco key cutters.
Squelchtone @ Sep 19th 2006 10:00AM
oh yeah, security through obscurity because only a handful of locksmiths know about it and the general public is not made aware of how bad of an idea it is to have a Kwikset on their front door? Get serious man, the public needs to know this stuff. It's not posted here to educate crooks, it's posted here because the more information you have about a subject the better informed you are as a consumer. Then you can decide if you want Medeco on your front doors, and ps.. a lot more than just a 'few' locksmiths out there paid for Medeco key cutters. I hope this mentality that only locksmiths should know how a lock works goes away sometime soon, it's been veiled in this guild of secrecy for far too long, and thieves will find this info out anyway because they are determined.
The secrets only keep the public in the blind and make them think that the 'pick resistant' Defiant brand lock from Home Depot is really protecting their house. Right now bumping is a fad, and I'm a good lockpicker but sometimes it takes me 10 minutes to bump a Kwikset. It's not like you put a bump key into a lock and boom it's open, it takes practice and skill. Same with lock picks, you don't just stick a pick into a lock and it opens in 10 seconds.. that takes skill and commitment, and a crook would sooner use a brick to get into a window than learn bumping or picking.
Andrew @ Aug 23rd 2007 10:15PM
I would like to point out that your medeco is also not the greatest, and can be opened with a paperclip. You want security, make yourself your own deadbolt. use a garage door opener to lower a bar across your door internally. but if you think your medeco is bulletproof, read this:
http://www.engadget.com/2007/07/19/the-lockdown-the-medeco-m3-meets-the-perilous-paper-clip/
and if you want to buy a set of bumps,
www.bumpkey.us is where I bought mine, and they work GREAT.
David Li @ Aug 24th 2006 3:46PM
In reply to Warhorse:
No, it does not apply to cars. However, cars are already insanely insecure. Using a slim jim (you can fashion out of a coat hanger if needed), you can slip the tool between the rubber and the window and open the majority of cars (except for some luxury cars). Also, car keys are not really as unique as you would like to believe (many cars use the same key). Err, basically, cars are designed to be insecure on purpose.
In reply to Mack Swift:
The point is, if you break into a house by lock picking, people wouldn't know you broke in (except with detailed forensic analysis). It's pretty hard to tell that a lock has been bumped without at least breaking open the lock. Also, keep in mind that the lockpicking community does not aim to break into people's houses, but rather learn about locks and developing lockpicking skills. Thieves and criminals are already able to bypass locks with lock drills that do the same thing.
So the bottom line: Bad guys don't pick locks. People pick locks for fun.
Paul @ Aug 24th 2006 3:46PM
Great article so far! I am guessing Medeco are on the list of secure locks and I will be shocked and scared if they are not!
Matt @ Aug 24th 2006 3:49PM
Of course that girl was able to open that lock in the video... the key is in the lock! Am I missing something? I can open any lock as fast as that when I have the key.
rtdunham @ Mar 11th 2008 3:15PM
does anybody READ anymore? in the article there's text AND PICTURES, MATT, showing the bump KEY. jeez.
Harbinger @ Aug 24th 2006 3:58PM
Re:Matt
The key is the bump key, the tool is for bumping. The key isn't specifically for that lock.
David Li @ Aug 24th 2006 3:58PM
Okay, I should probably also give a primer to what is likely to show up in the next part (spoilers):
* Cheap crappy locks can't be bumped as easily. The reason is that they have larger tolerance margins for the lock parts. The pins are sort of loose. Thus, they are less likely to bump the right way.
* Abloy locks can't be bumped. They use a system of disks instead of pins. However, there are tools to pick cheaper/less secure Abloy locks using more conventional methods (for fun).
* Those circular locks you might see on bicycle locks or computer/laptop locks are probably harder to bump, but definitely not worth it. You can pick those in a minute easily with a thin piece of cardboard or what have you.
Also, now that we are on the subject of locks and stuffs, I should also like to talk about those pesky master locks. You've seen them everywhere. They are in Walmart, gyms, and every US high school. You know, the upside down U shaped latch and the dial where you have to enter 3 numbers...
Well, if you search on google, chances are you'll find the technique whereby you can limit the possible combinations to 100. What isn't so well known is that they can be opened in about 3 seconds with a padlock shim. Basically, it's a thin piece of metal that you insert between the latch and the hole where the latch goes in. If you rotate it a bit, the lock just pops open. This was kind of popularized by Hack a day (hi Elliot, it's David Li again) and the lock enthusiast, Barry Wels in Hope 5 (or was it 6?).
Dave Schroeder @ Aug 24th 2006 4:03PM
Medeco's response:
http://www.medeco.com/about/whats_new/pr/bump.html
David Li @ Aug 24th 2006 4:03PM
In response to Matt:
Did you read the fine article? Anyways, here's a quick summary:
Bump keys are specialized keys that can open any lock that it fits in if you "bump" it in the lock. So the "key" in the lock is not the key that opens the lock, but it's the bump key that can open the locks like that.
A bump key can be easily made for almost any lock as it doesn't require any specialized equipment (a nail filer is fine) and no very specialized knowledge. It is not like a "master key" backdoor to some locks.
crackpipe @ Aug 24th 2006 4:03PM
Can I sue my apt building for having locks that are not bump key proof?
james @ Aug 24th 2006 4:06PM
the last key i was bumping was to pick locks...but later i was picking my nose
David Li @ Aug 24th 2006 4:13PM
In reply to Dave Schroeder and Paul:
Medeco's pin based locks are as vulnerable as any. The thing is, Medeco is a subsidiary (or something like that) of Abloy which does make bump proof locks. See my post above about Abloy.
d3 @ Aug 24th 2006 4:17PM
Matt, you are missing something: using this method, that key can open ANY of that style of lock, it's not the key for that particular lock. It is also easily made. (look at the top photo)
Paul, I'm guessing you have Medeco locks? I was shocked to learn my Mul-T-Locks were compromised this way. However, I have seen video of this performed on a variety of locks but not a Medeco3. (the one with the sidebar) That doesn't mean it's impervious, but to compromise it you might need to have several bump keys made with the sidebar notch in different places. Hopefully, the Mul-T-Lock CLIQ cylinders will come down in price ($700 per, ouch) and I can recylinder my locks with them, which would be resistant to bumping.
Greg Evans @ Aug 24th 2006 4:22PM
The real issue of this is the fact that Insurance companies will deny your claim if there is no proof of burglary - these bump keys leave no trace of use... So imagine your house being cleared out and the Insurance company saying that there is no proof that there was illegal entry - that you just left the door unlocked.
Tyler Durden @ Aug 24th 2006 4:24PM
You know what they say. Locks only keep honest people honest. Last March they didn't bother to pick the lock they just kicked in the door and split the jamb. They didn't ruin the dead bolt or the lock.
The best home security measure is to make your house tougher to break into than your neighbors. Otherwise if you have something they want, they will find a way to get it.
It's like keeping 14 year old boys out of porno. When there's a will, there's always a way. If you think differently you're kidding yourself.
David Li @ Aug 24th 2006 4:27PM
In reply to d3:
Yes, RFID keys are one solution that can potentially prevent bumping or picking for that matter. Beware however, because the technology is fairly new and prone to new attacks. Specifically, there was one company whose RFID lock component could be disabled by simply attaching a strong magnet to the lock. After attaching the magnet, the lock acted like a normal lock :D.
Also, to add to the list of bump proof locks, there are locks that move pins up and down using magnets instead of through physical contact. They can't be bumped for obvious reasons. However, they potentially suffer from a problem that the pin states are atomic. They are either "up" or "down" with no in between state. Thus, it's possible to build brute forcing equipment that tries every single key combination quickly. Plus, magnetic locks are extremely rare/expensive.
David Li @ Aug 24th 2006 4:31PM
In response to Greg Evans:
Yes, you are correct sir. It's believed that bumping could be detected if it has been done many times on a lock. There's nothing that puts strain on the pins like the way bumping does. However, it probably needs some specialized forensics because AFAIK, a quick visual inspection can't detect anything.
Also, the lock warranty/insurance won't cover stolen property if the lock is picked/bumped instead of broken.
William Wilkinson @ Aug 24th 2006 4:54PM
I actually have a set of bump keys next to me, after I read something on Digg about them I bought them on eBay. I still haven't been able to open a lock yet, not sure if it's my technique or the keys.
d3 @ Aug 24th 2006 5:03PM
The CLIQ system is not RFID, and although that doesn't mean it's not resistant to a magnet attack, I would think that Mul-T-Lock would have tested against something as simple as a magnet. This isn't Kwikset we're talking about here.
Oscar Feliciano @ Aug 24th 2006 5:19PM
David Li: CLIQ is not RFID. It is electromechanical.
Here is Mul-T-Lock's response, btw:
"In recent months some printed information has been circulated on the subject of bump keys. Despite seeing themselves as breaking new news, the bump key technique, also known as the “999 Method”, has been familiar to locksmiths around the world for many years.
The two most recent publications are really the same one. Both were written following a meeting of a group of hackers that took place in Amsterdam, Holland. Severely weakening their claims and perhaps most noteworthy in these documents is the “Important disclaimer” it contains:
“Locks are expensive and we are not a commercial testing lab, so we have had only a very limited number of testing locks available to us. The presence of a lock in the list just means bumping worked at least once on a cylinder we had access to.”
The article published in the January edition of “Keynotes” is written almost two years after most of the testing institutes in Europe have made it mandatory for lock manufacturers to test against this “technique” as well. Mul-T-Lock®, a company that puts standards above all, was tested and passed all the required tests.
Mul-T-Lock’s Standards of High Security
Mul-T-Lock’s telescopic pin cylinders have been equipped for the last 20 years with plug mushroom pins, which are very effective in preventing this opening technique. This same feature was added to the 7X7 line.
In addition, about three years ago Mul-T-lock introduced the new patented “Anti-picking” telescopic pins that defeat even the most skilled lock picker – not only in the field, but also in “comfortable” laboratory conditions.
Always be aware that locks can be “cooked” (prepared in advance) to look like they have been picked open. Through the years we have seen many variations: cylinders in which 1 pin tumbler was left and other cases in which the “objective examiner” had looked at the working key, before he performed his magic. This is more show business than High Security. So be aware and do not fall into the traps they set."
Incognito @ Aug 24th 2006 5:54PM
An interesting video on YouTube about this: http://www.youtube.com/watch?v=7Uv45y6vkcQ&search=bump%20key
Anthony Nguyen @ Aug 24th 2006 6:43PM
I mean it's great news and all, but seriously, these innocent geeks reading this site are gonna think it's a great idea to try it on their neighbor. Little will they know the neighbor just bought a new Pioneer plasma television. Door's wide open. No one's around. Free tv!
abigsmurf @ Aug 24th 2006 6:52PM
what about chubb locks? They have a mechanism where if any pin gets bumped too far it stops the lock from opening. They take an insane amount of time to pick
Tom @ Aug 24th 2006 7:02PM
bla bla bla... just shoot out the lock and kick down the door! That's what total badasses like me do!
Jon @ Mar 11th 2008 3:02PM
super cool!
That's what I do too, but with my shades on!
Chris Tucker @ Aug 24th 2006 7:12PM
SurferNerd, not wanting to pay the obscene fees to get a couple of spare keys to the front door of the apartment building, I took my Medeco key to a friend of mine at MIT. A sixpack of good beer later, I had exact copies of the keys.
The original key was 3-D scanned and then a chunk of steel barstock was CADCAMed milled down to two exact copies of the original key.
So much for the "unduplicateable"/"Can be duplicated ONLY by MEDECO authorized licensed locksmiths".
Mike @ Aug 24th 2006 7:22PM
Great article - this DEFCON I was tempted to try lockpicking, but was distracted by other things. Next year I think I'll definitely put my diapers on.
Just a quick note - (quote) "Energy is created and used to split the bottom and top pin, thereby allowing the plug to rotate." - this violates the first law of thermodynamics, which states that energy cannot be created or destroyed, but only transferred (in this case from the speeding tomahawk to the key). Minor detail, I'm just being a picky a**.
Cheers,
Seth Mills @ Aug 24th 2006 7:40PM
As a licensed locksmith I can tell you that although bump keys work with a large majority of locks, there are easy ways to keep any lock bump proof. The bump key is cut to the lowest depth for that type of lock, so if you have several pins which are also the deepest cut in the key, it will not push them all the way above the shear line, thus not allowing the lock to open. Basically if it's a Schlage lock, as long as there is one or more 9 cuts in your key, a bump key will most likely not work. The problem is basically this: if the key is cut to any lower than the deepest cut, it won't push the other pins up, so if there are nine cuts in a Schlage or six cuts in a Kwikset (maybe a 7) you should be fine!
rick @ Aug 24th 2006 7:43PM
WRT forensic analysis, I heard that it's possible to externally show a lock had been bumped based on the shoulder of the key leaving indentations above the keyhole. Having never bumped a lock myself, I haven't been able to verify the veracity of that remark. Also, I'm told that simply affixing a small bit of rubber cement will prevent that mark from showing up also.
thoughts?
Prometheus @ Aug 24th 2006 8:30PM
My grandfather gave me an abloy padlock a long time ago (I have a thing for locks) but only recently did I find out that they're special. I would use it to secure things but it's kinda an antique.
Allen Murphy @ Aug 24th 2006 8:47PM
OK,folks--it's like this.
A good professional locksmith can modify ANY pin tumbler cylinder to be "bump" resistant, if not "bump" PROOF!
Yes, this is an old technique for opening locks, and yes, there is a very simple way to defeat it on even the cheapest cylinders--I know, as I do it on a regular basis here in the metro Milwaukee, WI area.
This problem was best summed up by the Bard himself--"Much ado about nothing!"
HotGarbage @ Aug 24th 2006 9:17PM
Reply to Rod...
Knowledge of how to commit a crime doesn't turn you into a criminal. Everyone knows how to commit murder.
Joey Kelly @ Aug 24th 2006 9:50PM
About the master padlocks, back when I was in junior high (1976 or so), we used to throw them down onto concrete sidewalks, and they would pop open. The trick was to hold the lock upside down, so that the U-shaped latch would strike the concrete. We never could figure out how to open a lock that was actually attached to anything, though.
Billy Jones @ Aug 24th 2006 11:43PM
As for bumping locks I don't know much about it. I worked for a towing company for about 4 years and unlocked more cars than most of the locksmiths in town (often 20-25 each day) sometimes at a customer's request but usually because they were illegally parked with the parking brakes on. (I live in a college town and police officers were usually present.)
I've seen many cars (even new cars) with locks that could be opened by jiggling the door latch-- no tools needed. (Yugos were the easiest but several high end models weren't much better.)
Those combination padlocks-- piece of cake to open-- been doing it since I was 12 years old. As hall monitors in Jr. High School we thought it cool to switch everyone's locks from locker to locker.
And while I have no idea how she does it, my 10 year old niece makes a game of showing people how she can discover the combinations on cars with push button electric combination locks. She got in my daddy's Mercury in less than 30 seconds the first time she ever laid eyes on the car.
So, that said I'm hardly surprised that the locks on my house are easy to open, but beware as my guns are loaded for bear.
A Finn @ Aug 25th 2006 1:00AM
First I read this and think - Oh gosh, millions of unsecure locks. But then I look at the pictures and start to think: "Huh huh, this has not been a problem in Scandinavia for tens of years anymore". Even now almost "old fashioned" most popular key system here seems to be more secure than this example of Kwikset etc...Don't know though, is my feeling of security unfounded? So, all you lock pickers what do you like from the picture below -->
(I would have provided an English page but they did not have nice pics.) Here is a picture of key system I know has been popular here for ages:
http://www.abloy.fi/008/inet/abloy/Contman.nsf/0/B1302A6CF119B7E9C225702F00505621?opendocument&loadfs=0
Now it has been in replacement process (because it was unsecure - the key was easy to make copies;)) with a key system where keys are numbered and you need permission to make a copy etc...
http://www.abloy.fi/008/inet/abloy/Contman.nsf/0/9C8A436FF6D547D1C225702F004DF488?opendocument&loadfs=0
Richard Lewis @ Aug 25th 2006 5:22AM
"lasershield" monitoring $14.95 a month. Costco had a deal where you got a second motion sensor in package for $249, promo no activation fee, and reduced monthly monitoring from $25. Even if they cut phone lines, it wakes you in plenty of time to lock and load
Joel @ Aug 25th 2006 9:02AM
I saw a German news documentary on bumping a couple of weeks ago. I found it fascinating. The principle wasn't explained very well in the documentary or this article. It is based on the same principle as those toys with the five steel balls hanging from strings in a row. If you pick one ball up and release it, it falls and bumps one ball up on the other end. Raise and release two balls, and two balls rise, etc.
The bump key acts like one ball, and the pins act like two others. When you tap the key it is like dropping one ball. The middle "ball" (pin) doesn't move, but the end "ball" (pin) jumps up. This creates a momentary gap between the pins, and a quick turn of the lock has it open. I am interested in trying it, but the demonstrations I have seen make it look trivial. The concept is totally fascinating, but the demonstration would be anticlimactic.
I bet if you had a dirty lock, pins with dampers, or a little viscous oil in your lock the bumping wouldn't work. Hey, a business idea! Sticky "security oil" you can put in your lock to make it secure!
hardcorespotter @ Aug 25th 2006 9:31AM
This article is complete bullshit. How do you know? Read the following quote:
"I presented the same topic at DEFCON 14. A great deal of international media attention resulted from these talks because of the apparent simplicity of opening cylinders that were previously believed to be secure. The photograph to the right shows an eleven year old girl that opened a popular five pin cylinder in seconds at Defcon 14. She had no prior experience or expertise."
Now look at it more closely. Notice he said:
"..an eleven year old girl that opened a popular five pin cylinder in seconds at Defcon 14.."
GIRLS AT DEFCON?!?!?!?! LIEES!!!!!1!!1!!
Daniel Lewkovitz @ Aug 25th 2006 9:43AM
The insecurities of locking systems on low to mid-security premises (such as most homes and offices) are nothing new. Locks have been pickable for centuries and locksmiths and security professionals know this.
For this reason, amongst my clients, pick-resistant locks are specified and significant additional layers of security implemented.
In other words - nothing to see here.
Instead, the modern environment of disclosure brought around by IT Security researchers has created a situation where a bunch of hackers can convince other hackers and the media they've discovered a huge insecurity - easily picked locks. They haven't, it's just news to them.
On the other hand, returning to the IT comparison, despite the hyperventilation, none of this will actually result in the vast majority of society rushing out to harden their locks. To the contrary, in much the same way people are *still* not installing anti-virus and patching their systems, these vulnerabilities will continue to exist for the broader population.
Bottom line: If your physical security consists of a lock and that's it - don't be too surprised when you get robbed, and not just by a cunning lockpicking criminal, but a brick through the window or a boot through the doorframe.
Fellow Australians should look into the Bilock products and note a lot of security key systems on the local market amount to little more than an otherwise standard key system with "restricted - do not copy" engraved on the key.
sfeng1 @ Aug 25th 2006 1:12PM
thanks for informing us with something from the previous decade.
CJ @ Aug 25th 2006 4:02PM
Thanks for pointing this out. (non-sarcastic)
Thanks for pointing this out. (sarcastic)
Obiwan @ Aug 25th 2006 7:58PM
The bumping method can be foiled by using tumblers made out of a non-magnetic alloy, with a small magnetic "dot" on the connecting side. The behavior would be such that both tumbler halves still move freely, and the lock can be turned at the shearpoint. However, when "bumped", the small magnetic force would hold both tumbler halves together, forcing both upwards and thus preventing turning the lock.
(Above is prior art to any future patent being filed for this system or method)
Emil @ Aug 26th 2006 2:18AM
I'll suggest installing one of those hidden cameras and have it email you pictures of everyone who opens your door. Cameras are cheap, most people have high speed internet. Nothing ideal, but something for insurance company to show.