To those who retain faith in mechanical pin and tumbler locks, a bit of information on the bump key as a means of picking them may unsettle you. It’s a hot topic on many of the news aggregation sites online at the moment (Metafilter and Engadget 1 and 2, for instance), but those who don’t frequent such sites may find it helpful to know. Perhaps the biggest issue is that this technique does not produce signs of forced entry, which may cause problems when making insurance claims.
This Dutch television segment shows how absurdly easy it is to open even quite expensive locks using a key cut in a particular way, an object to whack it with, and no skill whatsoever. Definitely enough to make a person fearful for their laptop, music equipment, etc. That is especially true in an area that has as high a burglary rate as North Oxford. Just last night, Emily saw someone trying to get into her flat. Thankfully, the front door of our flat uses horizontally-oriented “dimple” keys (Mul-T-Lock brand), which are somewhat less vulnerable to this attack (see the last PDF linked at the bottom of this post). Even so, our internal doors, as well as basically all the ones in Wadham College, use the pin and tumbler design vulnerable to bumping. Here is another video on how to make and use a bump-key. Apparently, anyone with a file, a reasonably steady hand, and a bit of time can make their own.
The alternatives generally advanced to get around such vulnerabilities are other sorts of mechanical locks, electronic access control systems, or systems that use both mechanical and electronic elements (a system used increasingly often in cars). While they do have problems of their own, electronic access control systems do have many appealing features. In particular, if one were to use low-cost RFID tags or simple swipe-cards with a pre-set code as an authentication token, it would be easy to maintain a database of allowed and disallowed keys. If you lost your keys, you could disable that one and issue yourself a new one. Likewise, temporary keys could be issued to people, and restrictions could be placed upon the hours at which certain keys could be used. Features like these are what make keycard based systems so appealing, as well as common in commercial settings.
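The key database described above, sketched as an added example (not part of the original post): a lost key is revoked and replaced, temporary keys expire, some keys only work during set hours, and any token not in the database is denied. The names `KeyDatabase` and `KeyRecord`, the token ids and the dates are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional, Tuple

@dataclass
class KeyRecord:
    holder: str
    revoked: bool = False                        # set when a key is reported lost
    not_after: Optional[datetime] = None         # expiry for temporary keys
    hours: Optional[Tuple[time, time]] = None    # allowed window; None = any time

class KeyDatabase:
    def __init__(self):
        self._keys = {}                          # token id -> KeyRecord

    def issue(self, token_id, holder, not_after=None, hours=None):
        self._keys[token_id] = KeyRecord(holder, False, not_after, hours)

    def revoke(self, token_id):
        if token_id in self._keys:
            self._keys[token_id].revoked = True  # record kept, so reuse is visible

    def check(self, token_id, now):
        rec = self._keys.get(token_id)
        if rec is None:
            return "deny:unknown"                # default deny for unlisted tokens
        if rec.revoked:
            return "deny:revoked"
        if rec.not_after is not None and now > rec.not_after:
            return "deny:expired"
        if rec.hours is not None:
            start, end, t = *rec.hours, now.time()
            # A window such as 22:00-06:00 wraps past midnight.
            inside = start <= t < end if start <= end else (t >= start or t < end)
            if not inside:
                return "deny:hours"
        return "allow"

def demo():
    # Constructed sample data: token ids, holders and dates are made up.
    db = KeyDatabase()
    db.issue("card-001", "resident")
    db.issue("card-002", "cleaner", hours=(time(9, 0), time(17, 0)))
    db.issue("card-003", "guest", not_after=datetime(2024, 1, 7, 12, 0))
    db.revoke("card-001")                        # lost key disabled...
    db.issue("card-004", "resident")             # ...and a replacement issued
    noon, night = datetime(2024, 1, 5, 12, 0), datetime(2024, 1, 5, 23, 30)
    return [db.check(c, t) for c, t in [("card-001", noon), ("card-004", night), ("card-002", noon),
            ("card-002", night), ("card-003", datetime(2024, 1, 8, 9, 0)), ("card-999", noon)]]
```

The order of the checks matters: an unknown or revoked token is rejected before any expiry or time-window logic runs, so a misconfigured window can never re-enable a disabled key.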
The first downside of such conversion is cost: replacing locks is expensive. Secondly, such systems are open to other kinds of attacks that people may not understand as easily. Thirdly, if an electronic lock fails in a profound way (no longer responds to authentication tokens), you have little choice but to break down the door or saw through the frame and bolt. Once again, the nature of security as a perpetual trade-off is demonstrated.
More detailed information (PDF) on key bumping is available from Security.org. Also, from The Open Organization of Lockpickers (TOOOL) (PDF).


Defence in depth is a very basic security measure. Having an imperfect light, along with other measures such as automatic exterior lighting, good insurance, and other defenses might be better than just having a better lock.
“Lockpicking information until very recently has been hidden not from the bad guys, but from us, the consumers,” says security guru and author Bruce Schneier, a cryptographer with enough clout to get a little shout out in Dan Brown’s “The Da Vinci Code.” “There’s no economic motivator for anyone to make a better lock because you, the consumer, don’t know [how vulnerable your lock really is].”
There are ways to improve upon locks, says Schneier. He points to the auto industry, which has an incentive to build cars that are tougher to break into. “If your car is easier to steal, your insurance will be more [expensive],” he points out. So automakers have begun equipping cars with locks that open only with the swipe of a card or in close proximity to a radio frequency identification (RFID) chip.
From a Newsweek article (heavily laden with ads, sorry)
R.K.
I agree with you 50%. What’s going to protect you while you are sleeping with your alarm deactivated? Nothing. Bumpkeys can open 80-90% of houses in the US.
And heck, with sites like http://www.bumpkey.us out there, getting bump keys is a little too easy.
If you want the best protection start with a lock that can’t be opened in 10 seconds by a retarded 2nd grader.
HackVI,
I would say that dual-factor authentication (physical key and RFID) is the best option: at least for those with enough of a technical bent to have the interest and ability to handle a key database.
For others, it seems best to spread the word about serious vulnerabilities in mechanical locks until manufacturers and users have enough motivation to at least switch to more effective mechanical solutions.
HackVI
My point was more that we need to focus on complete security systems than just on the level of security provided by a particular barrier. That said, the level of threat associated with bumping (especially given the insurance issue) might be serious enough to compromise an entire setup.
The gardens at Wadham College, at least, are secured using a warded lock. So too, the rooms in Library Court.
An archaic type of lock, it’s generally trivial to circumvent, given a few basic tools and some knowledge.
“A Warded pick is a device for opening warded locks. It is a pick generally made using a key-shaped piece of thick spring steel (two hacksaw blades thick) and with the sides being as thin as possible without breaking off in the lock.
Such a pick will open nearly all warded locks on garden sheds, garages, etc.
Note: These are what people are referring to when they speak of skeleton keys. They are usually available in sets of five for about $20. They can easily be made by taking a key that comes with a warded lock and filing or grinding away all the protrusions except one or two at the end. These will work on many but not all warded locks.”
Bruce Schneier also wrote about this vulnerability, linking the TOOOL paper.
This is even worse:
How to open a Mazda using a tennis ball
Snopes.com now has an article on bump keys.
“I apologize to you. At the end of this presentation you will not feel comfortable anymore, realizing the trust you put in mechanical locks in the past was based on wrong assumptions. For real security the mechanical lock is a lost battle …”
From a presentation to the German Navy.
Another mechanical lock vulnerability:
HOWTO force a padlock with a tin-can shim
This short video illustrates a simple procedure for forcing open standard padlocks with a shim snipped out of a tin can. The technique is old, but this is a good, lucid explanation of it. Kids have been doing this for years, but schools and gyms still recommend these broken locks — and the manufacturers keep making them, which is practically criminal negligence.
See also: HOWTO pop a combination lock with a beer can
Golden (bump proof) pins
May 12th, 2008 by Barry
Pick a Lock, Any Lock
YouTube makes it easy to learn the finer points of breaking and entering—and locksmiths aren’t happy.
By Farhad Manjoo
Posted Wednesday, July 23, 2008, at 3:39 PM ET
Locksmiths and lock manufacturers have found themselves in a jam. The skills of their trade, passed down through generations under conditions of occult secrecy, have been jimmied open online (subscription required). The professionals are crying foul over enthusiasts of “locksport”—amateur lock pickers who congregate on the Web to discuss how to pick locks. The amateurs do this for fun, not mischief, they say; there’s a sublime thrill in charming a deadbolt to turn your way. And they argue that by finding and publishing flaws in some of the most popular locks on the market—from the locks you’ve got on your front door to those the president has on his—they’re forcing improvements in security. Lock professionals say the opposite is true: that in showing people how to pick locks, hobbyists are swinging your doors wide open to criminals.
TENNIS BALL DOOR UNLOCKER - Trying to use a tennis ball with a hole cut in it to unlock a car door does not work. There is no part of the unlocking mechanism that can be affected by the small amount of air from the tennis ball. This myth was recently busted on the show. They also tried a strong air compressor as well. Still could not unlock the car door.