The Lockdown: Locked, but not secure (Part 2)

Noted security expert Marc Weber Tobias contributes a new column, The Lockdown, exposing the shoddy security you may depend on.

Locks that are not at risk

In yesterday's column, I set up key bumping -- what it is, how to do it, what it means for most anyone who relies on a lock for their safety and security. Now, let's get into generic locking mechanisms that cannot be bumped. There are several and all share a common trait; none of them have a split set of moving components, like pin tumblers do. Thus, warded, lever, wafer, magnetic, and disk locks cannot be bumped open. (Neither can laser-track vehicle locks, as they're really made of sliders, disks or wafers.)

Warded locks are used in cheap padlocks and old hotel room doors. They are neither secure nor very prevalent.

Wafer locks are used in many low security applications, mainly on cabinets, desks, showcases, inexpensive padlocks, alarm panels, vending machines, elevators, filing cabinets and many other venues. Interestingly, they can be easily picked but are immune to bumping.

Lever locks can be found on blue postal collection boxes and access for groups of mailboxes and key keepers in apartment complexes that are accessed by the postal service. They are also the primary lock for safe deposit boxes and high security safes and vaults, primarily in Europe and other countries. Again, lever locks cannot be opened by bumping but may be picked and decoded.

Disk locks, such as those employed by Abloy, likewise cannot be bumped. Their internal design resembles a combination lock and they can be very secure, although there are decoding tools for some models. Like Bic pens.

Locks that employ sliders, such as the Evva 3KS, are immune from bumping. I note the 3KS, which is produced in Austria and very popular in Europe. This and similar slider locks are particularly secure against most forms of attack. Similar technology is employed in several automobiles.

Locks that are at risk

What are the types of generic locking mechanisms that can be opened by bumping? The answer is simple: almost any conventional pin tumbler lock. So what does that mean? Virtually any lock that employs split pin tumblers can be rapidly compromised by bumping. That list would include low to high security conventional designs, but what does "conventional" mean? It denotes any pin tumbler mechanism that does not employ secondary locking systems, such as sidebars. Remember that sidebars in and of themselves do not prevent the lock from being bumped; they just may make it more difficult and require additional information. It all depends upon the mechanical design of the lock.

As I stated earlier, any pin tumbler lock that utilizes two or more moving pins within each chamber is at risk. Door locks, post office locks, file cabinet locks, access control override locks, and padlocks. All of them can be bumped if you have the key that will fit the keyway and has been properly cut to all "9"s. Are there exceptions? Yes. Can every conventional lock be bumped open? No, but statistically, a very high percentage can. As detailed in my white paper, there are complicating factors which may make the process difficult or impossible.

You may be asking if conventional lock manufacturers have implemented designs to stop or frustrate bumping. Might these include measures such as the use of security pins (mushroom, spool, serrated or other designs), increasing the number of pin tumblers within a given cylinder, employing removable core locks, or increasing spring bias on some or all of the pins? What about making one or more of the bores shorter than the rest? How about employing interactive elements like those used by Mul-T-Lock? Don't worry if you don't know what any of that means, because the simple answer is that none of these countermeasures are really effective. There have been some patents granted for anti-bumping pins, notably to Moshe Dolev, the co-inventor of Mul-T-Lock in Israel, and to Evva in Austria. Some locks do have anti-bump technology, but some of these schemes can often be defeated. In fact, my original White Paper on this subject has been revised after I did extensive testing on some cylinders and found that what was believed to present an obstacle to bumping in fact did not. So, the short answer is that not much is effective against the problem, unless you utilize certain high security mechanisms.



High Security Locks that are Resistant to Bumping

Most high security locks employ secondary locking systems to add another layer of security. Sidebars are the most common design. Without going into a great amount of detail, a sidebar prevents the plug from rotating unless another separate locking system is actuated by the correct key. Secondary locking may take many forms, which are described in detail within my book. For example, Medeco was the first in the United States to introduce high security pin tumbler locks more than thirty-five years ago. They employed a revolutionary design concept: a lock that utilized pin tumblers that required both lifting (as in a conventional lock) and rotating to the correct angle.

In 2005, Medeco introduced a new innovation into their locks: a slider that was controlled by the forward movement of the key upon its insertion into the plug. This product is known as the M3. Although the purpose of this design was mainly to enhance key control and to extend their Biaxial patent, it can also add security to their cylinder. Medeco locks are not bump proof if you have prior intelligence about a specific lock. As documented in the latest edition of LSS+, even the M3 can be bumped, as associates and I have demonstrated on a number of occasions -- but the issue is repeatability and prior knowledge regarding the sidebar code. However, having said that, Medeco does offer other options, including their ARX pin, that make their locks extremely secure against all forms of attack.

Schlage Primus (above) also utilizes a sidebar design which accomplishes the same security result as Medeco and other manufacturers but in a very different way. The Primus, like the Assa (both of which were invented by Bo Widen in Sweden), utilizes an added set of pins that must be separately activated by side millings in the key. Both locking systems (conventional pins and finger pins) must be properly set by the key before the lock can be opened.

Can the Primus lock be bumped open? Some locksmiths have provided random reports of bumping open the Primus but none have really been verified and consistently repeated. The mechanical design of this lock will make the process extremely difficult, unreliable, and realistically all but precludes bypass in this manner. Actually, the Primus, which is also UL 437 rated, goes one step further than Medeco in its design; there are conventional pins that must be lifted as well as the finger pins which must be separately lifted and rotated. So, one might consider that there is actually an additional level of security in this lock, as compared to Medeco. The fence-gate tolerances of the finger pins all but prevent bumping because they will not tolerate any forward movement of the key which is required during bumping. Is it impossible? I never say never, and in isolated instances with certain finger pin combinations, a lock might be compromised but I would not count on it. Primus is, in my view, quite secure against this technique.

The design of the key is one of the critical differences between Primus and Medeco. Whereas Primus separates the functions of the sidebar from its traditional pin tumbler mechanism, Medeco does not and integrates the two. In my view, Primus offers a higher level of security against bumping, but Medeco is more secure against picking.

So, does UL 437 or ANSI 156.30 (the certifications that denote a high security cylinder) mean that the lock cannot be bumped open? Not necessarily. My associates and I have opened certain cylinders in the U.S. and Europe that ostensibly should have been immune to the technique. As we test different locks, we are constantly surprised by the results.

So, what about other high security lock designs such as Assa and Mul-T-Lock? We have bumped open some models of these brands, as well as other manufacturers, but there is a caveat to all such claims. The repeatability and reliability of the ability to open these locks is not high in many cases. Thus, they might not pass the 3T-2R test that I described earlier.

In a later column, I plan on exploring the differences in the popular high security locks in the United States. There are definitely pros and cons to the designs employed by the major manufacturers. But the bottom line is that certain high security locks can make bumping extremely difficult; others not. While I am not in the business of endorsing products, you might logically ask what I have on my home, office and evidence storage area? Medeco and Schlage Primus for my residence, and the Evva MCS and Primus for secure evidence storage.

Notes on reader comments to the original article on Engadget

There were many comments to the original article on bumping. I thought it might be helpful to answer some of these in summary fashion because there were certain misconceptions that should be clarified. Here goes!

Bumping is a real threat. If you have conventional pin tumbler locks, they are at risk. Statistically you may be safe unless you are targeted. If a burglar wants to bump open your locks and you have pin tumbler mechanisms, then there is a high probability that your lock can be compromised.

Readers complained that this material will educate the criminals, but I doubt it. They are already well aware of the technique. The consumer needs to understand the risk so they can decide whether they wish to accept it or install better locks. There is no security through obscurity -- or as I prefer to call it, ignorance. There are no more secrets! The internet took care of all of that a while ago. I see no ethical bar to disclosure. In fact, quite the reverse. Failure to warn the public leaves them vulnerable and ultimately does them a disservice.

You get what you pay for when buying a lock, usually. Even some really good locks can be opened by bumping, so you need to learn which ones are vulnerable. In the Netherlands, the report can be found on toool.nl. We are working on the equivalent rating for locks produced in the United States, and will be releasing it shortly on my.security.org.

Although locks are a primary defense, you need security in depth. This means layers, like locks, alarms, cameras, guards, fences and other measures. It depends on what is to be protected and what is at risk. Locks should not be the only measure of protection.

There are insurance issues when there is no sign of forced entry. You should definitely check your policy to determine what is covered and what is required to prove a loss, because bumping often leaves no trace of illegal entry.

Where are the locksmiths in all of this, and is this just a scare tactic on their part to generate sales? Well, this matter was not brought to the public's attention by the locksmith community. In fact, many of them would prefer that nobody knew about it at all. Many locksmiths that I deal with were really unaware of the technique or of the security ramifications. In the United States, it was not their fault; there was a lack of publicity, in contrast with Europe. Barry Wels, Matt Fiddler and I, through a series of high-profile lectures and interviews, have brought this to the attention of the general public in the United States within the past few months. In December of 2005, I began meeting with the US Postal Inspection Service to bring the problem to their attention long before publishing any report.

Many locksmiths have been aware of bumping for a long time, but not as a viable means of bypass. The locksmiths also have a problem disclosing the issue, even if they wanted to. They are prevented by ethical rules from disclosing security vulnerabilities other than in broad terms, except to other locksmiths or security professionals. That is a real problem for them, although some will disregard such rules to protect their customers. Yes, the locksmiths could increase their sales by taking a public stand on bumping but most have not done so. From my perspective, nobody has encouraged them to do so, and many are loath to disclose any vulnerability that could place their customers at risk. Although I understand the perspective that many locksmiths advocate, I do not agree with it, and have argued the point with ALOA, their professional trade organization of which I have been a member for many years. I believe in a policy of full disclosure with regard to vulnerabilities; an educated public is the best security measure. If a piece of hardware or software is vulnerable, then everyone should know it.

Yes, locks do matter in protecting a residence. Many burglaries are crimes of opportunity. If the locks prevent bumping and that is the chosen method of attack, then the burglary may not occur. There are many break-ins where there is no sign of forced entry. Was bumping the culprit? Nobody knows, but why take the chance?

My view is that pre-cut bump keys should not be sold through interstate commerce except to locksmiths, law enforcement, security professionals, academic researchers, and others with a legitimate need. I have suggested changes in current federal laws to prevent such trafficking.

There are other serious vulnerabilities in mechanical locks that I will address in later columns. The compromise of master key systems is one of them, and may be more dangerous than bumping.

Although one can argue that bumping locks is not quite as simple as portrayed, the security threat paradigm shifts if a pre-cut bump key is available. Yes, there can be complicating factors, but at the end of the day, the lock will probably open with the correctly cut bump key.

Damage can occur to pins and springs if the lock is bumped repeatedly. However, there are usually few if any forensic traces, especially if the lock is opened in less than five strikes. I am often able to turn the plug with one or two blows. There are also ways to mask the fact that bumping has occurred at all. This may pose a serious problem for insurance companies who need proof of loss in order to substantiate and pay a claim.

One of the posts indicated that enough force was required that would break the glass in a commercial metal door frame. That is not true. In fact, depending upon the lock, little force may be required, and in any event, never to the extent that would break the surrounding glass on a metal door frame.

As to the required training, I think the video and photograph of the eleven year old girl speak for themselves. This is not security. The question I posed to the attendees at Defcon was just exactly what the term "security" or "maximum security" represented in packaging and advertising? Does it mean that a ten year old cannot open these locks, but that an eleven year old can? Not very comforting, is it?

There were a couple comments from locksmiths, stating that bumping was not quite so simple. Again, this is in part correct to the extent that a key must be properly cut for the correct keyway. This is not particularly difficult. In the latest version of LSS+, Barry Wels demonstrates the ease with which a key can be prepared. We were sitting in a hotel conference room in Amsterdam. He brought a key and a file and a small vice. That was it. In less than a minute, he prepared a bump key and proceeded to open a new lock. I view the real problem as pre-cut bump keys. No, most burglaries do not involve picking locks or other forms of bypass, but that may change if legislation does not stop the trafficking in bump keys. Most locksmiths would never cut a bump key for a customer unless there was a very good reason. So, unless the individual wants to make his own, then the other option is to secure them through interstate commerce, usually via the internet.

Bumping presents a special security risk as compared to picking and other forms of bypass, because of the 3T-2R rule. It is, as I have shown, literally child's play to open many locks.

A bump key is not a rake pick; far from it. The process is entirely different. And, contrary to the reader comments, torque is always required.

The comment was made that "there are no mechanical locks that cannot be picked." This is not really true, although it sounds good. For example, I would challenge any reader to open the Evva MCS or the Abloy Protec. Medeco and other high security cylinders are always targets. Although the Medeco biaxial and other locks have reportedly been picked, these instances do not tell the entire story, nor in my view are they representative of the security of these locks. Most locks can be randomly opened if a number of factors happen to be present. There is a vast difference in being able to open one lock and opening a vast majority of the locks reliably and repeatedly. The same goes for claims of bumping these cylinders. Statements on web sites that Medeco, for example, can be picked are misleading. That is why I noted several disclaimers in my white paper, which have now been adopted by several lock picking sites as being the responsible way to report bypass successes with different cylinders.

A reader stated that if there is no key, then there is no picking. He was going to employ a complicated system to ensure the security of his residence through the use of computers and remote control through his cell phone and other various devices. Just let me know where he lives. This all sounds good, but it is neither practical nor, in the end, secure. The real answer is to buy better locks and employ tested layers of security, not to dream up all of these technical obstacles that will be compromised or will fail.

A reader asked if anything was accomplished by all of the publicity about the insecurity of locks? Haven't we just educated the criminal? My answer: the more knowledgeable the consumer, the more secure they will be. Not everyone can afford high security locks, nor do they need them. But they do need to know the threat so they can decide whether to assume the risk.

Some locksmiths have known about bumping for many years. However, you might be surprised at the number that were not really familiar with the newer technique.

With few exceptions, any key can be made into a bump key, although for some of the high security locks this statement must be qualified. In some cases, such as Schlage Primus, presently the statement is not true. Even if you have a 999 key with the correct side milling, the lock cannot be opened. This, by the way, is one of the interesting distinctions between Medeco and Primus which will be explored in a subsequent article.

Restricted keyways do not provide any more security against bumping, so long as a key that fits the lock can be obtained. This also brings into question the security policies of corporations that take locks out of service and do not account for discarded keys, because any of them can be made into a bump key. The critical issue in bumping, as I have previously stated, is the ability to obtain a key that fits the lock.

Conclusions

There are locks that are secure against bumping. A detailed description of their specific mechanisms can be found in Locks, Safes and Security or LSS+. The bottom line is that in the world of locks, you get what you pay for. There is no real security in ten or twenty dollar locks. This was aptly demonstrated by the eleven year old girl when she opened an extremely common and well known brand with little difficulty. This, in my view, is not security. It leaves the public vulnerable and at risk. Whether you are a home owner, business executive, IT manager, Security Director, or in charge of risk assessment, you need to understand the threat and make your own decision as to whether your cylinders offer sufficient protection. You should demand answers from the people that sell you your locks, whether that is your local locksmith, architect, jobber or the lock manufacturer. To indicate that a lock provides "maximum security" or other similar verbiage on packaging when that manufacturer is well aware that the lock may well be opened in seconds is misleading and deceptive and places you, the consumer, at risk.

I can think of no reason why manufacturers should not place warnings on their packaging, advising that certain cylinders may be subject to easy compromise and that higher security locks are available. After all, locks provide the first line of defense for most locations. The specific threat from bumping has not yet been adequately addressed by the standards organizations, such as UL, although they are now examining this issue. My suggestion: talk to your local locksmith or security advisor and purchase UL listed high security locks that have been specifically tested for their resistance to bumping.
Additional materials can be found on security.org and toool.nl. Bumping is thoroughly detailed in LSS+, the multimedia edition of Locks, Safes and Security by the author.


Marc Weber Tobias is an investigative attorney and security specialist living in Sioux Falls, South Dakota. He represents and consults with lock manufacturers, government agencies and corporations in the U.S. and overseas regarding the design and bypass of locks and security systems. He has authored five police textbooks, including Locks, Safes, and Security, which is recognized as the primary reference for law enforcement and security professionals worldwide. The second edition, a 1400 page two-volume work, is utilized by criminal investigators, crime labs, locksmiths and those responsible for physical security. A ten-volume multimedia edition of his book is also available online. His website is security.org, and he welcomes reader comments and email.