Part I: Methods of attack, an overview
In The Lockdown: Locked but not secure (see also part 2), the technique of "bumping" was described in detail, alerting Engadget readers to the vulnerability of virtually every pin tumbler lock to simple and rapid bypass. In this sequel, Marc analyzes mechanical locks and what really makes them secure or easy to defeat. Whether you are a consumer or security specialist, you need to understand the criteria established by UL (Underwriters Laboratories) and other rating organizations to define the term "high security," because some manufacturers will try to mislead the public into believing that their locks are secure, when in fact they are not. Read on.
In The Lockdown, Locked but not Secure, I described a method of rapidly compromising the security of almost all of the pin tumbler locks in this country and just about everywhere else in the world. This technique was punctuated by the actions of an eleven-year-old girl that I interviewed at Defcon 14 in Las Vegas this past August. As a result, a tremendous amount of media coverage on the security (or, more to the point, the insecurity) of mechanical locks has been generated, achieving the purpose for which I and my associates decided to publicize the vulnerability: public awareness.
In the many TV interviews that have aired throughout the country we have demonstrated how locks that were previously thought to be secure could be bypassed in seconds, often without any noise or trace. In fact, in a recent in-depth report in Cleveland, we went to five upscale houses and with permission of the homeowners, opened each of the front doors in less than ten seconds. The response was shock, alarm and anger at their contractor. Rightfully so.
Locks are only part of the physical security puzzle. Whether it is a residence, business, or government facility, locks often form the first line of defense, but for real protection, there should be other measures. In the residential setting, this means alarm systems, deadbolts, and maybe bars or grating that protects windows. In a commercial or government environment, layers of security would include fences, video surveillance, more sophisticated alarm systems, guards and other measures.
Most homeowners have little understanding of the security of their door locks -- and why should they? They trust their builder or locksmith to provide or recommend the right locks, not just based upon price, but on security. Usually, contractors specify the hardware and the homeowner receives a set of keys. Rarely are these locks replaced because everyone assumes that they provide "sufficient" security.
Most contractors will supply the cheapest lock possible, with little or no regard to security issues. In fact, in the Cleveland TV story, three of the houses had Kwiksets, while two had Kwikset knock-offs -- a real insult to both Kwikset and security.
Many of the locks available through consumer channels such as Home Depot, Lowe's, Ace Hardware, Wal-Mart and other locations are woefully inadequate. They are cheap locks, often costing less than two dollars to manufacture. As was demonstrated in my interview with eleven-year-old Jenna Lynn, one of the most popular locks in the country is also one of the most insecure. Until the publicity on bumping, not many consumers knew that. The problem is compounded because of misleading statements on packaging, which offer a false sense of security to the consumer who really does not know the difference.
Statements that tout "security," "maximum security," "ultimate security," and "greater security," or other verbiage, are vague and illusory, and are intended to create an illusion in the mind of the consumer. Lawyers and marketing professionals design packaging to convey the appearance of security, whether it exists in reality or not. But only the manufacturers that produce quality locks will actually tell you what security their locks provide, and how.
In the following weeks, I will present a series of articles that examine the mechanical lock and discuss just what constitutes security and what you should know to assess just how vulnerable you are. As I've pointed out in the past, most pin tumbler locks, especially the cheap ones, can be "bumped" open in seconds by kids, burglars, and even TV reporters. But bumping is not the only method of attack that you should be concerned about (although it is perhaps the most pernicious).
Other forms of covert and forced entry, as well as mechanical bypass of the locking mechanism, can be just as effective as a method of compromising your security. And it does not stop there. Related hardware components such as doors, strikes, door-jambs, door frames and windows must also be considered because locks do not function in a vacuum. They are part of an overall security strategy, where the old adage "the chain is only as strong as its weakest link" is particularly applicable.
Primary methods of attack
The most popular forms of attack are listed below. These and many others are described in detail in Locks, Safes, and Security.
Forced entry - Locks can be physically compromised through a variety of techniques, including drilling, sawing, punching, pulling, wrenching, twisting, shearing, and cutting. More sophisticated measures can also be utilized. Simple battery-powered hand-tools can make quick work of some locks.
Mechanical bypass - As will be described later in this series, many locking systems can be compromised by what we call mechanical bypass. This involves the circumvention of the locking cylinder, not its internal mechanism. You must keep in mind that it is not the lock (or key) that actually retracts the bolt, latch, or other device, but a linked component of the locking cylinder. Often, we can gain access to the critical locking actuator to simulate the actions of the tail-piece or other interface device that is connected to the plug, which is turned by the key. In other words, wires, magnets, shock, vibration, or other devices and techniques can be utilized to mechanically bypass a cylinder and open a lock.
Covert entry - Covert or surreptitious entry (they are different) means that a lock is opened without any visible sign or forensic trace. Especially for high security containers, the government is concerned with these issues so that they know that classified information may have been compromised. There are at least forty forms of covert entry that are described in my book. They fall into five basic categories: picking, impressioning, decoding, bumping, and master key extrapolation.
So what makes your lock secure or vulnerable? And to what kind of attack? This depends on many factors that will be examined in this series. For covert methods of entry, the short answer can be summed up in my 3T2R rule (the Tobias Security Index, if you will), for assessing the ability to compromise mechanical cylinders: Time, Tools, and Training. Reliability and repeatability are also considered. These three "tests" mimic a part of the criteria established by Underwriters Laboratories (UL) and other testing organizations for the certification of high security locks.
The UL 437 standard rates a cylinder in terms of covert methods of attack, forced entry, and key control. If a cylinder achieves a UL 437 rating, then it is supposed to be secure against these three critical methods of attack. UL 437 certified locks are required to protect facilities where security is mandated by internal requirements or government regulation. The White House, Pentagon, US Embassies and all facilities that protect weapons or classified information must utilize these certified locks or their government-mandated equivalent. Many businesses have the same requirement because they need locks that are highly resistant to many forms of attack. Security is all about delay; the more time that is required in terms of physical or covert attack, the greater the risk of discovery, especially if there is "defense in depth." This concept relates to several layers of protection.
The four most popular high security cylinders in the United States are: Medeco, Schlage Primus, Assa and Mul-T-Lock. Each has a UL 437 rating, but which are really secure?
In the next article, we will examine methods of forced entry, and why some locks can be opened quickly with common tools. Are your locks vulnerable to screwdrivers, drills, grinders, wrenches or dent pullers? Do you think that a deadbolt makes your lock secure? Maybe, unless you have doorframes, door-jambs, or doors that can be easily compromised.
Even some high security locks can be compromised in less than a minute, requiring various levels of expertise. Bumping is still the favored method of defeat for some of these locks, notwithstanding the public claims of some manufacturers to the contrary. An analysis of the strengths and weaknesses of high security locks will be presented later in this series.
Suffice it to say, all that glitters is not gold in the lock industry. What you rely upon to provide protection may not, even with a UL 437 rating. You might ask what "locked and maybe secure" really means with regard to the locks you use. Stay tuned, because knowledge really does mean security.
Marc Weber Tobias is an investigative attorney and security specialist living in Sioux Falls, South Dakota. He represents and consults with lock manufacturers, government agencies and corporations in the U.S. and overseas regarding the design and bypass of locks and security systems. He has authored five police textbooks, including Locks, Safes, and Security, which is recognized as the primary reference for law enforcement and security professionals worldwide. The second edition, a 1400 page two-volume work, is utilized by criminal investigators, crime labs, locksmiths and those responsible for physical security. A ten-volume multimedia edition of his book is also available online. His website is security.org, and he welcomes reader comments and email.