The Lockdown: Locked, but maybe secure (part 1)
Noted security expert Marc Weber Tobias contributes The Lockdown, exposing the shoddy security you may depend on.
Part I: Methods of attack, an overview
All of these conventional locks look secure, but which really are? In the real world, none of them, and this is only a fraction of what ostensibly protects the consumer. This series of articles will describe what makes a lock secure and what is hype by the lock manufacturers.
In The Lockdown: Locked but not secure (see also part 2), the technique of "bumping" was described in detail, alerting Engadget readers to the vulnerability of virtually every pin tumbler lock from simple and rapid bypass. In this sequel, Marc analyzes mechanical locks and what really makes them secure or easy to defeat. Whether you are a consumer or security specialist, you need to understand the criteria established by UL (Underwriters Laboratories) and other rating organizations to define the term "high security," because some manufacturers will try to mislead the public into believing that their locks are secure, when in fact they are not. Read on.
Introduction
In The Lockdown, Locked but not Secure, I described a method of rapidly compromising the security of almost all of the pin tumbler locks in this country and just about everywhere else in the world. This technique was punctuated by the actions of an eleven year old girl that I interviewed at Defcon 14 in Las Vegas this past August. As a result, a tremendous amount of media coverage on the security (or more to the point the insecurity) of mechanical locks has been generated, achieving the purpose for which I and my associates decided to publicize the vulnerability: public awareness.
In the many TV interviews that have aired throughout the country we have demonstrated how locks that were previously thought to be secure could be bypassed in seconds, often without any noise or trace. In fact, in a recent in-depth report in Cleveland, we went to five upscale houses and with permission of the homeowners, opened each of the front doors in less than ten seconds. The response was shock, alarm and anger at their contractor. Rightfully so.
Locks are only part of the physical security puzzle. Whether it is a residence, business, or government facility, locks often form the first line of defense, but for real protection, there should be other measures. In the residential setting, this means alarm systems, deadbolts, and maybe bars or grating that protects windows. In a commercial or government environment, layers of security would include fences, video surveillance, more sophisticated alarm systems, guards and other measures.
Most homeowners have little understanding of the security of their door locks -- and why should they? They trust their builder or locksmith to provide or recommend the right locks, not just based upon price, but on security. Usually, contractors specify the hardware and the homeowner receives a set of keys. Rarely are these locks replaced because everyone assumes that they provide "sufficient" security.
Most contractors will supply the cheapest lock possible, with little or no regard to security issues. In fact, in the Cleveland TV story, three of the houses had Kwiksets, while two had Kwikset knock-offs -- a real insult to both Kwikset and security.
Many of the locks available through consumer channels such as Home Depot, Lowe's, Ace Hardware, Wal-Mart and other locations are woefully inadequate. They are cheap locks, often costing less than two dollars to manufacture. As was demonstrated in my interview with eleven year-old Jenna Lynn, one of the most popular locks in the country is also one of the most insecure. Until the publicity on bumping, not many consumers knew that. The problem is compounded because of misleading statements on packaging, which offers a false sense of security to the consumer who really does not know the difference.
Statements that tout "security" "maximum security" "ultimate security" and "greater security" or other verbiage are vague, illusory, and are intended to create an illusion in the mind of the consumer. Lawyers and marketing professionals design packaging to convey the appearance of security, whether it exists in reality or not. But only the manufacturers that produce quality locks will actually tell you what security their locks provide, and how.
In the following weeks, I will present a series of articles that examine the mechanical lock and discuss just what constitutes security and what you should know to asses just how vulnerable you are. As I've pointed out in the past, most pin tumbler locks, especially the cheap ones, can be "bumped" open in seconds by kids, burglars, and even TV reporters. But bumping is not the only method of attack that you should be concerned about (although it is perhaps the most pernicious).
Other forms of covert and forced entry, as well as mechanical bypass of the locking mechanism, can be just as effective as a method of compromising your security. And it does not stop there. Related hardware components such as doors, strikes, door-jambs, door frames and windows must also be considered because locks do not function in a vacuum. They are part of an overall security strategy, where the old adage "the chain is only as strong as its weakest link" is particularly applicable.
Primary methods of attack
The most popular forms of attack are listed below. These and many others are described in detail in Locks, Safes, and Security.
Forced entry - Locks can be physically compromised through a variety of techniques, including drilling, sawing, punching, pulling, wrenching, twisting, shearing, and cutting. More sophisticated measures can also be utilized. Simple battery-powered hand-tools can make quick work of some locks.
Mechanical bypass - As will be described later in this series, many locking systems can be compromised by what we call mechanical bypass. This involves the circumvention of the locking cylinder, not its internal mechanism. You must keep in mind that it is not the lock (or key) that actually retracts the bolt, latch, or other device, but a linked-component of the locking cylinder. Often, we can gain access to the critical locking actuator to simulate the actions of the tail-piece or other interface device that is connected to the plug, which is turned by the key. In other words, wires, magnets, shock, vibration, or other devices and techniques can be utilized to mechanically bypass a cylinder and open a lock.
Covert entry - Covert or surreptitious entry (they are different) means that a lock is opened without any visible sign or forensic trace. Especially for high security containers, the government is concerned with these issues so that they know that classified information may have been compromised. There are at least forty forms of covert entry that are described in my book. They fall into five basic categories: picking, impressioning, decoding, bumping, and master key extrapolation.
Above we have four common classes of bypass tools that allow locksmiths, covert entry specialists, and thieves to open your locks. Shown are a bump key, a lock decoding tool (Sputnik, made in Germany -- guess which one that is) to derive the combination of the pins, an electro-pick that bumps open the lock automatically, and a standard pick set. All of these tools are commercially available.
So what makes your lock secure or vulnerable? And to what kind of attack? This depends on many factors that will be examined in this series. For covert methods of entry, the short answer can be summed up in my 3T2R rule (the Tobias Security Index, if you will), for assessing the ability to compromise mechanical cylinders: Time, Tools, and Training. The reliability and repeatability is also considered. These three "tests" mimic a part of the criteria established by Underwriters Laboratories (UL) and other testing organizations for the certification of high security locks.
The UL 437 standard rates a cylinder in terms of covert methods of attack, forced entry, and key control. If a cylinder achieves a UL 437 rating, then it is supposed to be secure against these three critical methods of attack. UL 437 certified locks are required to protect facilities where security is mandated by internal requirements or government regulation. The White House, Pentagon, US Embassies and all facilities that protect weapons or classified information must utilize these certified locks or their government-mandated equivalent. Many businesses have the same requirement because they need locks that are highly resistant to many forms of attack. Security is all about delay; the more time that is required in terms of physical or covert attack, the greater the risk of discovery, especially if there is "defense in depth." This concept relates to several layers of protection.
The four most popular high security cylinders in the United States are: Medeco, Schlage Primus, Assa and Mul-T-Lock. Each has a UL 437 rating, but which are really secure?
In the next article, we will examine methods of forced entry, and why some locks can be opened quickly with common tools. Are your locks vulnerable to screwdrivers, drills, grinders, wrenches or dent pullers. Do you think that a deadbolt makes your lock secure? Maybe, unless you have doorframes, door-jambs, or doors that can be easily compromised.
Even some high security locks can be compromised in less than a minute, requiring various levels of expertise. Bumping is still the favored method of defeat for some of these locks, notwithstanding the public claims of some manufacturers to the contrary. An analysis of the strengths and weaknesses of high security locks will be presented later in this series.
Suffice it to say, all that glitters is not gold in the lock industry. What you rely upon to provide protection may not, even with a UL 437 rating. You might ask what "locked and maybe secure" really means with regard to the locks you use? Stay tuned, because knowledge really does mean security.
Marc Weber Tobias is an investigative attorney and security specialist living in Sioux Falls, South Dakota. He represents and consults with lock manufacturers, government agencies and corporations in the U.S. and overseas regarding the design and bypass of locks and security systems. He has authored five police textbooks, including Locks, Safes, and Security, which is recognized as the primary reference for law enforcement and security professionals worldwide. The second edition, a 1400 page two-volume work, is utilized by criminal investigators, crime labs, locksmiths and those responsible for physical security. A ten-volume multimedia edition of his book is also available online. His website is security.org, and he welcomes reader comments and email.
Part I: Methods of attack, an overview
In The Lockdown: Locked but not secure (see also part 2), the technique of "bumping" was described in detail, alerting Engadget readers to the vulnerability of virtually every pin tumbler lock from simple and rapid bypass. In this sequel, Marc analyzes mechanical locks and what really makes them secure or easy to defeat. Whether you are a consumer or security specialist, you need to understand the criteria established by UL (Underwriters Laboratories) and other rating organizations to define the term "high security," because some manufacturers will try to mislead the public into believing that their locks are secure, when in fact they are not. Read on.
Introduction
In The Lockdown, Locked but not Secure, I described a method of rapidly compromising the security of almost all of the pin tumbler locks in this country and just about everywhere else in the world. This technique was punctuated by the actions of an eleven year old girl that I interviewed at Defcon 14 in Las Vegas this past August. As a result, a tremendous amount of media coverage on the security (or more to the point the insecurity) of mechanical locks has been generated, achieving the purpose for which I and my associates decided to publicize the vulnerability: public awareness.
In the many TV interviews that have aired throughout the country we have demonstrated how locks that were previously thought to be secure could be bypassed in seconds, often without any noise or trace. In fact, in a recent in-depth report in Cleveland, we went to five upscale houses and with permission of the homeowners, opened each of the front doors in less than ten seconds. The response was shock, alarm and anger at their contractor. Rightfully so.
Locks are only part of the physical security puzzle. Whether it is a residence, business, or government facility, locks often form the first line of defense, but for real protection, there should be other measures. In the residential setting, this means alarm systems, deadbolts, and maybe bars or grating that protects windows. In a commercial or government environment, layers of security would include fences, video surveillance, more sophisticated alarm systems, guards and other measures.
Most homeowners have little understanding of the security of their door locks -- and why should they? They trust their builder or locksmith to provide or recommend the right locks, not just based upon price, but on security. Usually, contractors specify the hardware and the homeowner receives a set of keys. Rarely are these locks replaced because everyone assumes that they provide "sufficient" security.
Most contractors will supply the cheapest lock possible, with little or no regard to security issues. In fact, in the Cleveland TV story, three of the houses had Kwiksets, while two had Kwikset knock-offs -- a real insult to both Kwikset and security.
Many of the locks available through consumer channels such as Home Depot, Lowe's, Ace Hardware, Wal-Mart and other locations are woefully inadequate. They are cheap locks, often costing less than two dollars to manufacture. As was demonstrated in my interview with eleven year-old Jenna Lynn, one of the most popular locks in the country is also one of the most insecure. Until the publicity on bumping, not many consumers knew that. The problem is compounded because of misleading statements on packaging, which offers a false sense of security to the consumer who really does not know the difference.
Statements that tout "security" "maximum security" "ultimate security" and "greater security" or other verbiage are vague, illusory, and are intended to create an illusion in the mind of the consumer. Lawyers and marketing professionals design packaging to convey the appearance of security, whether it exists in reality or not. But only the manufacturers that produce quality locks will actually tell you what security their locks provide, and how.
In the following weeks, I will present a series of articles that examine the mechanical lock and discuss just what constitutes security and what you should know to asses just how vulnerable you are. As I've pointed out in the past, most pin tumbler locks, especially the cheap ones, can be "bumped" open in seconds by kids, burglars, and even TV reporters. But bumping is not the only method of attack that you should be concerned about (although it is perhaps the most pernicious).
Other forms of covert and forced entry, as well as mechanical bypass of the locking mechanism, can be just as effective as a method of compromising your security. And it does not stop there. Related hardware components such as doors, strikes, door-jambs, door frames and windows must also be considered because locks do not function in a vacuum. They are part of an overall security strategy, where the old adage "the chain is only as strong as its weakest link" is particularly applicable.
Primary methods of attack
The most popular forms of attack are listed below. These and many others are described in detail in Locks, Safes, and Security.
Forced entry - Locks can be physically compromised through a variety of techniques, including drilling, sawing, punching, pulling, wrenching, twisting, shearing, and cutting. More sophisticated measures can also be utilized. Simple battery-powered hand-tools can make quick work of some locks.
Mechanical bypass - As will be described later in this series, many locking systems can be compromised by what we call mechanical bypass. This involves the circumvention of the locking cylinder, not its internal mechanism. You must keep in mind that it is not the lock (or key) that actually retracts the bolt, latch, or other device, but a linked-component of the locking cylinder. Often, we can gain access to the critical locking actuator to simulate the actions of the tail-piece or other interface device that is connected to the plug, which is turned by the key. In other words, wires, magnets, shock, vibration, or other devices and techniques can be utilized to mechanically bypass a cylinder and open a lock.
Covert entry - Covert or surreptitious entry (they are different) means that a lock is opened without any visible sign or forensic trace. Especially for high security containers, the government is concerned with these issues so that they know that classified information may have been compromised. There are at least forty forms of covert entry that are described in my book. They fall into five basic categories: picking, impressioning, decoding, bumping, and master key extrapolation.
So what makes your lock secure or vulnerable? And to what kind of attack? This depends on many factors that will be examined in this series. For covert methods of entry, the short answer can be summed up in my 3T2R rule (the Tobias Security Index, if you will), for assessing the ability to compromise mechanical cylinders: Time, Tools, and Training. The reliability and repeatability is also considered. These three "tests" mimic a part of the criteria established by Underwriters Laboratories (UL) and other testing organizations for the certification of high security locks.
The UL 437 standard rates a cylinder in terms of covert methods of attack, forced entry, and key control. If a cylinder achieves a UL 437 rating, then it is supposed to be secure against these three critical methods of attack. UL 437 certified locks are required to protect facilities where security is mandated by internal requirements or government regulation. The White House, Pentagon, US Embassies and all facilities that protect weapons or classified information must utilize these certified locks or their government-mandated equivalent. Many businesses have the same requirement because they need locks that are highly resistant to many forms of attack. Security is all about delay; the more time that is required in terms of physical or covert attack, the greater the risk of discovery, especially if there is "defense in depth." This concept relates to several layers of protection.
The four most popular high security cylinders in the United States are: Medeco, Schlage Primus, Assa and Mul-T-Lock. Each has a UL 437 rating, but which are really secure?
In the next article, we will examine methods of forced entry, and why some locks can be opened quickly with common tools. Are your locks vulnerable to screwdrivers, drills, grinders, wrenches or dent pullers. Do you think that a deadbolt makes your lock secure? Maybe, unless you have doorframes, door-jambs, or doors that can be easily compromised.
Even some high security locks can be compromised in less than a minute, requiring various levels of expertise. Bumping is still the favored method of defeat for some of these locks, notwithstanding the public claims of some manufacturers to the contrary. An analysis of the strengths and weaknesses of high security locks will be presented later in this series.
Suffice it to say, all that glitters is not gold in the lock industry. What you rely upon to provide protection may not, even with a UL 437 rating. You might ask what "locked and maybe secure" really means with regard to the locks you use? Stay tuned, because knowledge really does mean security.
Marc Weber Tobias is an investigative attorney and security specialist living in Sioux Falls, South Dakota. He represents and consults with lock manufacturers, government agencies and corporations in the U.S. and overseas regarding the design and bypass of locks and security systems. He has authored five police textbooks, including Locks, Safes, and Security, which is recognized as the primary reference for law enforcement and security professionals worldwide. The second edition, a 1400 page two-volume work, is utilized by criminal investigators, crime labs, locksmiths and those responsible for physical security. A ten-volume multimedia edition of his book is also available online. His website is security.org, and he welcomes reader comments and email.
Reader Comments (Page 1 of 1)
kevin @ Nov 30th 2006 6:24PM
I am pretty sure criminals already knew all of this. And the second part is already published too. :)
soopergooman @ Nov 30th 2006 4:09PM
What a nice bit of info to give to thieves right before the Holidays. If anything I would have waited until after them to show this topic. Isn't the PS3 crime wave bad enough for you? Now there will be peeps "Bumping" their way into your homes this year(PS3 or Not).
Paul @ Nov 30th 2006 4:21PM
As a member of the security industry i can tell you these articles are hardly telling anything new to criminals... they are telling many new things to the public however...
jimbo bingbing @ Nov 30th 2006 4:10PM
wow that is actually kind of scary. too bad the house we moved into has 3 locks and a security system. tough luck burglars.
Jason @ Nov 30th 2006 4:19PM
Did you move to Spanish Harlem or what?
nintendo fanboy hater @ Nov 30th 2006 8:21PM
actually i live in Northeastern PA
Jerry @ Nov 30th 2006 5:17PM
Paul-
Excellent point. Anybody that is out to get your shiny new PS3 already knows about this.
To All-
The point of this article is to alert the public of potential vulnerabilities that the bad guys might exploit. Perhaps this will help you to decide on new locks, or remind you to think of other methods of securing yourself, those you love, and your property.
nate_public @ Nov 30th 2006 4:36PM
How dare you let this information out! I was so much safer when I didn't know jack about lock mechanisms and vulnerabilities.
Seriously Tobias, this is good work, thanks. We must be informed if we can hope to make good decisions.
andy @ Nov 30th 2006 4:37PM
"Lawyers and marketing professionals design packaging to convey the appearance of security, whether it exists in reality or not. "
I'm not sure how much I trust an article that says lawyers design product packaging to convey the appearance of security, whether it exists in reality or not. Now, I can see marketing professionals doing that, but I'm just wasn't aware of any lawyers responsible for desiging product packaging with the goal of fooling consumers. I am aware of some that warn their employers against misleading advertising, and some responsible for clearing advertising designed by others. But this is news to me. Thanks.
Tim UF @ Nov 30th 2006 5:24PM
The lawyers don't actually design so much as oversee to keep the "responsible" company safe from litigation should the product fail in some way... (Lawyers PWN the asterisk for example)
tekdroid @ Nov 30th 2006 5:00PM
nice, but the wording in this thing is not for Average Joe.
Dumb it down - a lot.
Joe wants a lock test and Joe Cyclist wants a lock test, too. Comparing brands - objectively. The sales drone cannot be relied upon.
Ed $ @ Nov 30th 2006 5:16PM
In lieu of this information, can I get more information on the RC Air Gun?
Paul @ Nov 30th 2006 9:11PM
I am very excited for him to address Medecos... hopefully it wont result in me having to put in a large number of new locks!
Stephan @ Nov 30th 2006 5:50PM
Seriously I know you have to post things over 100 post series for "ratings" but come one this one is more important than how to build your own projector in our 27 part series.
Chris @ Nov 30th 2006 5:58PM
I have a friend who about 10 years ago was walking through the local mall parking lot. A couple kids asked him if he had a coat hanger because they locked their keys in their Ford truck.
My friend also had a Ford truck, so he just took his key, put in in their door and unlocked it with a little bit of fiddling. My friend was surprised it was so easy, but took great satisfaction from not acting surprised. The kids just stared at him with their mouths open. :)
Pete @ Nov 30th 2006 6:12PM
Haters: stop whining.
Engadget: If people don't talk about what's broken, how's it gonna get fixed?
John @ Nov 30th 2006 7:07PM
My dad always said that locks were for honest folks.
jay.viz @ Nov 30th 2006 7:44PM
Engadget is a little late to the party, this was news no less than 3 months ago. Most of the good bumping kits sold out a while ago.
BSL-4 @ Nov 30th 2006 9:24PM
i have 5 "secure" keys of one of the four most popular high security cylinders , one of those is for my home, i can't wait to see if the one i have is "secure" .
Last June my neighbour appartment cought fire, the fire department tried to get in my appartment through the locked door with his shoulder , ( i imagine ) i didnt had the reflex to let the door unlock i tought it was a small fire. on the lower floor i saw a "fridge" 6'6" 300lbs , "souldering doors" 2 shoulder push and the lock was breaking. After the fire when i up to get stuff, my door was down but the lock was intact , its the hinges that broke.
the bolt was bended a bit but it was still sliding in and out of the door. i got a new 350$ lock for my new door and new appart.
i saw some lock that have been dammage with a sledge hammer but the theif was not able to get in. http://tinyurl.com/y2jvor
Jerod @ Nov 30th 2006 9:32PM
I suggest you guys actually buy a lock pick set...they're really cheap. I did it just to see if I could get into my own house after reading a MIT lock-picking summary similar to this, and after seeing a few cross-sectionals of locks and understanding how the tumbler and pins work, I can easily get into my house in 5-10 seconds.
Not surprisingly, I can do this with most of my friends houses as well.
Locks protect from a small percentage...having a sign in your yard saying you have security, whether you do or not, is a lot more effective in my opinion.
Mike @ Nov 30th 2006 11:40PM
This has been possible for years. Ive been able to open pretty much any lock under a minute for about 3 years now. Of course by putting this to the public more poeple will try it. But this is also when a person will also come up with a new idea to create a lock that cannot be bypassed by these systems.
threEchelon @ Dec 1st 2006 2:50AM
Engadget failed to mention that MORE EXPENSIVE LOCKS ARE GENERALLY EASIER TO BUMP!
Juaquin @ Dec 1st 2006 3:26AM
The fact is - while Engadget may publish this, any criminal who really wants to get in to your house is going to, whether they can bump a lock or just decide to break the windows. No one's security is at threat here. If anything, this should make you realize you need better locks.
Also, how about those electro-magnetic keycard locks like the ones they have at hotels? My dorm room uses one of these and I've always suspected they're not very secure at all.
GioNYC @ Dec 1st 2006 9:16AM
I have Multilock and its very good.
shawn @ Feb 22nd 2007 12:59PM
When is part 2 coming? This is a great series!
Dytrog @ May 18th 2007 11:37PM
I can pick most locks ok but every now and then i'm sure we have all ran into one that just didn't want to pick "even the so called easy ones" i was picking a schlage deadbolt and a locksmith that works with me asked if he could try the bump. took about 10 bumps and he got it. i gave him a lock i had keyed to make it very hard to pick told him to try it on that! 1 bump got it!!! For my sliding glass door i found a broom stick cut to length work great. dead bolt on other door not as good as the stick LOL
Dytrog @ May 18th 2007 11:40PM
I can pick most locks ok but every now and then i'm sure we have all ran into one that just didn't want to pick "even the so called easy ones" i was picking a schlage deadbolt and a locksmith that works with me asked if he could try the bump. took about 10 bumps and he got it. i gave him a lock i had keyed to make it very hard to pick told him to try it on that! 1 bump got it!!! For my sliding glass door i found a broom stick cut to length work great. dead bolt on other door not as good as the stick LOL
Lock Bumping @ Jul 20th 2007 12:56PM
LockBumping.org
Public service site about lock bumping!
http://LockBumping.org
farid Ghotbi @ Aug 19th 2007 4:14PM
Dear Sir Or Madam
Our company is the Silca sole agent in Iran.
I'm intersted in electro pick lock, Please send me more information and the price of it.
Best regards
Farid Ghotbi
www.klidavarshayan.com
Farid @ Aug 25th 2007 7:19AM
Deer Sir or Madam
I have sent one eamil to request before,
Our company is the Silca sole agent in Iran,
I'm intersted in your electro pick, Please send me more information and the price of it.
Best regards
Farid Ghotbi
www.klidavarshayan.com