The Lockdown: Locked, but maybe secure (part 2)
By Marc Weber Tobias 
posted Mar 19th 2007 8:53PM
posted Mar 19th 2007 8:53PM
Noted security expert Marc Weber Tobias contributes The Lockdown, exposing the shoddy security you may depend on.
The vast majority of door locks in the U.S. and many other parts of the world rely upon the security or insecurity of the pin tumbler mechanism. In part 1, I described the serious vulnerability to bumping and how most locks can be easily and quickly opened, even by a child. But in part 2 I will try to answer the question that most readers have asked in their emails: what lock should I buy?
Security: How much is enough?
The answer to the question of which lock you should buy is not quite so simple, and depends upon your definition of security. You need to consider a lock in the context of what it is designed to protect, where you are going to install it, and what your perceived risks are. In my opinion, conventional mechanical locks, the ones that do not carry any type of rating, are not secure and can be relatively easily compromised by a variety of techniques, bumping perhaps being the most onerous. When a kid can open a lock in seconds there is no security. As I have pointed out before, you get what you pay for in locks; the cheap ones like Kwikset and others that I have talked about offer no real security against anything when it comes to covert and other attacks.
Manufacturers can have their locks tested and certified as meeting high security criteria by Underwriters Laboratories (UL), Builders Hardware Manufacturers Association (BHMA) and the American National Standards Institute (ANSI). Generally, such standards contemplate higher resistance to forced entry, covert entry, and assurance that the ability to duplicate keys is restricted and protected by law. To meet the ANSI 156.30 standard on high security, a cylinder must meet all three requirements before receiving a rating. UL 437 only tests for forced and covert entry, even though it is actually touted by some manufacturers as the benchmark for high security locks.
If you purchase a high security lock with an ANSI rating, you are fairly secure against most forms of attack. Although UL 437 is specified by many experts as "the" high security standard, it is not and in my opinion, and should not be solely relied upon as the gauge to security. UL 437 does provide a minimum standard with regard to forced entry and protection against picking and impressioning. Neither UL or the ANSI standard addresses bumping even though it has been shown to be a real threat. Forced entry is the most common method of attack in residential and business burglaries and for that reason, a detailed discussion of common methods of forced entry has been prepared together with videos that demonstrate certain methods of attack so you can better assess your risks. See here for more.
Sorting fact from hype
There is a lot of hype by lock manufacturers, especially those that sell "high security" cylinders. After our alert in the national media about bumping last August, some manufacturers jumped on the bandwagon figuring it was a marketing bonanza. They confidently announced that their locks were absolutely secure against bumping attacks or that bumping posed no threat to their products because of internal designs. Not quite, according to our research. The fact is that some manufacturers were not even aware of the technique prior to the media coverage on bumping!
So don't believe everything you read; these statements by lock makers need to be taken in context. The top four UL or BHMA / ANSI rated cylinders in the United States (Medeco, Assa, Mul-T-Lock, and Schlage Primus) are highly bump resistant and for consumer applications are quite adequate to prevent bumping, picking and other forms of attack. But those that claim they are "bump proof" are not telling the whole story, and if you are a facilities manager or government agency, you need to understand the larger picture.
Protecting a residence is vastly different than securing a commercial or government facility. Forced entry specifications for locks can be largely irrelevant for homes because there is glass everywhere and most doors are of inferior quality and can be quickly compromised. Key control is generally not important either. The use of protected keyways for a residence is not really necessary or practical if high security locks are used, although it can offer added protection against bumping if blanks are difficult to obtain.
A UL 437 rated cylinder is supposed to provide at least ten minutes of protection against common methods of covert entry (picking and impressioning). The ANSI standard requires a minimum of fifteen minutes. Some of these high security locks may be compromised in significantly less time, notwithstanding the implied representations by UL or ANSI that are specified in their standards. Unfortunately, neither UL or ANSI or BHMA address bumping and that may be your greatest threat from a covert attack as our report will detail later this year.
If your intent is to protect your home then I can assure you that a lock that carries a UL 437 or ANSI rating is quite sufficient. Any of the four locks that I mentioned will stop most burglars, assuming that the accompanying hardware (doors, frames, and strikes) is also secure. Medeco, Primus, Assa and the latest Mul-T-Lock utilize what is called a sidebar, which is a secondary locking system that cannot ordinarily be bumped. Unless advanced attack procedures are employed these locks are quite secure.
The rules change if you are going to rely upon locks to protect high value targets such as cash, drugs (no comment!), information, munitions, or critical infrastructure. Then you might want to do a bit more research into what really constitutes a high security lock and how they can be compromised in the real world (the one I work in). Covert bypass methods of picking, bumping, and certain other techniques can be employed by determined criminals and may allow even the highest rated cylinders to be compromised in well under ten minutes. This topic is addressed in detail in the new edition of Locks, Safes, and Security.
UL 437 and ANSI 156.30 will guarantee minimum security standards which are more than sufficient for most commercial applications. But don't be misled by all the advertising hype. These locks can be compromised, which is why security in depth is an absolute requirement. That means proper locks and associated hardware, alarm systems and other layers of security.
If you are a commercial or government entity contemplating any large expenditure for locking hardware you might want to stay tuned. We will be releasing a major security alert and detailed analysis and evaluation regarding the key control, covert entry of, and compromise of some of the most popular high security locks in the United States. What Underwriters Laboratories, BHMA and ANSI do not address in their standards may be exposing your facility to risks that you are not aware of nor protected against. In this case, knowledge is definitely power -- and security.
Marc Weber Tobias is an investigative attorney and security specialist living in Sioux Falls, South Dakota. He represents and consults with lock manufacturers, government agencies and corporations in the U.S. and overseas regarding the design and bypass of locks and security systems. He has authored five police textbooks, including Locks, Safes, and Security, which is recognized as the primary reference for law enforcement and security professionals worldwide. The second edition, a 1400 page two-volume work, is utilized by criminal investigators, crime labs, locksmiths and those responsible for physical security. A ten-volume multimedia edition of his book is also available online. His website is security.org, and he welcomes reader comments and email.
Marc Webber Tobias will be in Dubai next month presenting a paper at the UAE's first deep-knowledge network security conference; HITBSecConf2007 – Dubai. His paper is entitled "Opened in Ten Seconds: The Insecurity of Mechanical Locks" and discusses the compromise of mechanical pin tumbler locks and how their weaknesses can affect the security of almost every physical facility. This conference is directed at IT professionals, security managers and law enforcement agencies with a view to provide detailed information about physical security vulnerabilities and the protection of information technology infrastructure and the investigation of criminal attacks by the compromise of locks. For more details and to register, please see the official conference website, or call +603-20394724.
About HITBSecConf2007 – Dubai
HITBSecConf2007 – Dubai is the 7th conference in our deep-knowledge series and the second time that an event is being organized in the Middle East (previous event was HITBSecConf2005 – Bahrain). The HITBSecConf series is a 100% Malaysian initiative and has been supported and endorsed by the Malaysian Communications and Multimedia Commission (MCMC) and Malaysia Administrative Modernisation & Management Planning Unit (MAMPU) for the past 3 years. For further details, call Hack In The Box (M) Sdn. Bhd. at +603-20394724.
Security: How much is enough?
The answer to the question of which lock you should buy is not quite so simple, and depends upon your definition of security. You need to consider a lock in the context of what it is designed to protect, where you are going to install it, and what your perceived risks are. In my opinion, conventional mechanical locks, the ones that do not carry any type of rating, are not secure and can be relatively easily compromised by a variety of techniques, bumping perhaps being the most onerous. When a kid can open a lock in seconds there is no security. As I have pointed out before, you get what you pay for in locks; the cheap ones like Kwikset and others that I have talked about offer no real security against anything when it comes to covert and other attacks.
Manufacturers can have their locks tested and certified as meeting high security criteria by Underwriters Laboratories (UL), Builders Hardware Manufacturers Association (BHMA) and the American National Standards Institute (ANSI). Generally, such standards contemplate higher resistance to forced entry, covert entry, and assurance that the ability to duplicate keys is restricted and protected by law. To meet the ANSI 156.30 standard on high security, a cylinder must meet all three requirements before receiving a rating. UL 437 only tests for forced and covert entry, even though it is actually touted by some manufacturers as the benchmark for high security locks.
If you purchase a high security lock with an ANSI rating, you are fairly secure against most forms of attack. Although UL 437 is specified by many experts as "the" high security standard, it is not and in my opinion, and should not be solely relied upon as the gauge to security. UL 437 does provide a minimum standard with regard to forced entry and protection against picking and impressioning. Neither UL or the ANSI standard addresses bumping even though it has been shown to be a real threat. Forced entry is the most common method of attack in residential and business burglaries and for that reason, a detailed discussion of common methods of forced entry has been prepared together with videos that demonstrate certain methods of attack so you can better assess your risks. See here for more.
Sorting fact from hype
There is a lot of hype by lock manufacturers, especially those that sell "high security" cylinders. After our alert in the national media about bumping last August, some manufacturers jumped on the bandwagon figuring it was a marketing bonanza. They confidently announced that their locks were absolutely secure against bumping attacks or that bumping posed no threat to their products because of internal designs. Not quite, according to our research. The fact is that some manufacturers were not even aware of the technique prior to the media coverage on bumping!
So don't believe everything you read; these statements by lock makers need to be taken in context. The top four UL or BHMA / ANSI rated cylinders in the United States (Medeco, Assa, Mul-T-Lock, and Schlage Primus) are highly bump resistant and for consumer applications are quite adequate to prevent bumping, picking and other forms of attack. But those that claim they are "bump proof" are not telling the whole story, and if you are a facilities manager or government agency, you need to understand the larger picture.
Protecting a residence is vastly different than securing a commercial or government facility. Forced entry specifications for locks can be largely irrelevant for homes because there is glass everywhere and most doors are of inferior quality and can be quickly compromised. Key control is generally not important either. The use of protected keyways for a residence is not really necessary or practical if high security locks are used, although it can offer added protection against bumping if blanks are difficult to obtain.
A UL 437 rated cylinder is supposed to provide at least ten minutes of protection against common methods of covert entry (picking and impressioning). The ANSI standard requires a minimum of fifteen minutes. Some of these high security locks may be compromised in significantly less time, notwithstanding the implied representations by UL or ANSI that are specified in their standards. Unfortunately, neither UL or ANSI or BHMA address bumping and that may be your greatest threat from a covert attack as our report will detail later this year.
If your intent is to protect your home then I can assure you that a lock that carries a UL 437 or ANSI rating is quite sufficient. Any of the four locks that I mentioned will stop most burglars, assuming that the accompanying hardware (doors, frames, and strikes) is also secure. Medeco, Primus, Assa and the latest Mul-T-Lock utilize what is called a sidebar, which is a secondary locking system that cannot ordinarily be bumped. Unless advanced attack procedures are employed these locks are quite secure.
The rules change if you are going to rely upon locks to protect high value targets such as cash, drugs (no comment!), information, munitions, or critical infrastructure. Then you might want to do a bit more research into what really constitutes a high security lock and how they can be compromised in the real world (the one I work in). Covert bypass methods of picking, bumping, and certain other techniques can be employed by determined criminals and may allow even the highest rated cylinders to be compromised in well under ten minutes. This topic is addressed in detail in the new edition of Locks, Safes, and Security.
UL 437 and ANSI 156.30 will guarantee minimum security standards which are more than sufficient for most commercial applications. But don't be misled by all the advertising hype. These locks can be compromised, which is why security in depth is an absolute requirement. That means proper locks and associated hardware, alarm systems and other layers of security.
If you are a commercial or government entity contemplating any large expenditure for locking hardware you might want to stay tuned. We will be releasing a major security alert and detailed analysis and evaluation regarding the key control, covert entry of, and compromise of some of the most popular high security locks in the United States. What Underwriters Laboratories, BHMA and ANSI do not address in their standards may be exposing your facility to risks that you are not aware of nor protected against. In this case, knowledge is definitely power -- and security.
Marc Weber Tobias is an investigative attorney and security specialist living in Sioux Falls, South Dakota. He represents and consults with lock manufacturers, government agencies and corporations in the U.S. and overseas regarding the design and bypass of locks and security systems. He has authored five police textbooks, including Locks, Safes, and Security, which is recognized as the primary reference for law enforcement and security professionals worldwide. The second edition, a 1400 page two-volume work, is utilized by criminal investigators, crime labs, locksmiths and those responsible for physical security. A ten-volume multimedia edition of his book is also available online. His website is security.org, and he welcomes reader comments and email.
Marc Webber Tobias will be in Dubai next month presenting a paper at the UAE's first deep-knowledge network security conference; HITBSecConf2007 – Dubai. His paper is entitled "Opened in Ten Seconds: The Insecurity of Mechanical Locks" and discusses the compromise of mechanical pin tumbler locks and how their weaknesses can affect the security of almost every physical facility. This conference is directed at IT professionals, security managers and law enforcement agencies with a view to provide detailed information about physical security vulnerabilities and the protection of information technology infrastructure and the investigation of criminal attacks by the compromise of locks. For more details and to register, please see the official conference website, or call +603-20394724.
About HITBSecConf2007 – Dubai
HITBSecConf2007 – Dubai is the 7th conference in our deep-knowledge series and the second time that an event is being organized in the Middle East (previous event was HITBSecConf2005 – Bahrain). The HITBSecConf series is a 100% Malaysian initiative and has been supported and endorsed by the Malaysian Communications and Multimedia Commission (MCMC) and Malaysia Administrative Modernisation & Management Planning Unit (MAMPU) for the past 3 years. For further details, call Hack In The Box (M) Sdn. Bhd. at +603-20394724.
In Finland the vast majority of mechanical locks are rotating-barrel ABLOY (http://www.abloy.com) locks that are considered much more secure than pin tumbler locks. As far as I know, the most efficient known method of attacking a rotating-barrel lock is crafting a makeshift key from a bar of some soft metal that is inserted into the lock, rotated and then filed at points that have been in contact with the rotating rings inside the lock barrel. As it might sound, this takes considerable time and effort.
(Disclaimer: I'm not an expert – I just read stuff, such as http://www.toool.nl/abloy.pdf.)
Very nice article. In my former life, long, long ago, I was a carpenter and we referred to Kwikset locks as Kwikshit; Schlage was better, but not much. You could yell hard at them and they would open. When I did side jobs for a property management company, I could drill out the pins of almost any lock in about a minute. Medeco was better about key control -- you would have to ask really nice to get someone who stocked their key blanks to make you a copy. And of course without an anti-jimmy plate or a reinforced strike-plate, most doors could be opened with hardly any damage (or noise) with a bump of the hip.
Security systems are a complete joke, but only because people don't use them, or use them and set them off, or pay no attention to them when they go off. I lived on a city street a while back and hard the car-alarm song memorized. The police take plenty of time to show up at a building whose alarm has gone off more than a few times in the last year.
So the solution? We always said you just needed to look harder to get into, and less attractive, than your neighbor (granted, installing locks was how I made money, and all). Drive down the street -- case your house and your neighbors' -- if yours doesn't look hard to get into, then it's time for some upgrades.
So the stuff you can get at Home Depot and Lowe's, the Schlages, Baldwins, and Kwikshits, mechanically they are all identical (5-pin tumblers). So what makes the Baldwins rated ANSI Grade 1, while the Schlages ANSI grade 2, and the kwikys Grade 3? Is it their resistance to Physical attacks like prying and drilling, etc? Because at the end of the day, a Baldwin could just as easily be bumped with the method mentioned above as the Kwiksets.
"Security systems are a complete joke, but only because people don't use them, or use them and set them off, or pay no attention to them when they go off. I lived on a city street a while back and hard the car-alarm song memorized. The police take plenty of time to show up at a building whose alarm has gone off more than a few times in the last year."
Car alarms are a completely different animal than home security systems. A home security system is not about the siren; it really doesn't matter if neighbors ignore it.
You are right that many municipalities will purposely downgrade the response to a home that is known for false alarms. But that's not really a damnation of security systems in general; it's a damnation of faulty installations. Like anything else, a security system needs to be installed properly to work effectively.
My county, like many others across the US, helps ensure this by issuing security system licenses. You technically cannot operate a security system that automatically dials the police without a license. They will come to your house anyway, but they will actually issue you a citation if it's a false alarm and you don't have a license.
I've had my security system for a year (GE Simon 3) and have never had a false alarm, even with a cat running around (I have motion sensors). I also never forget to turn it on because it just turns on with a key fob; turning it on is just part of my regular routine of locking the door. All modern security systems can be used the same way.
Security is all about layers. There's no magic bullet. I look at all these stories (especially during the bump key hysteria a while back) and wonder what people think the intent of a lock actually is. Locks are not intended to turn your house into a fortified castle - there are many other ways to get into your house if a criminal truly wants to. Locks are intended to make it more difficult for criminals, and to keep honest people honest. Most burglaries start with an unlocked door or window.
Good exterior lighting, deadbolts on all your doors (however good they are), working locks on all your windows and a decent and properly installed security system that's used dilligently will be basically 100% effective at keeping all intruders out of your house. If you're still paranoid at that point, you may as well just live in an underground bomb shelter for the rest of your life.
Uh oh I have a Kwikset...
So where do you live Ben?
This whole business about standards and picking a level of security is sort of, I don't know, complicated. How about this, just give us three locks rated in this order:
1- When they film the movie about how the slick, professional, European terrorists try to break into your home, they will need to shoot a scene where the charismatic leader has to recruit some autistic genius who is the only one of 3 people on the planet with the ability to pick the kind of locks you have on the front door to your home. Have a character mumble something about "These are the same locks the CIA uses on the doors to the room where they keep nuclear launch codes" or something similar. The key to this lock should look menacing, high tech and just downright evil.
2- The lock that is still overkill, but not AS overkill as number one listed above. It should still look evil though.
3- Good enough to keep every crack smoker who watched the YouTube videos about bumping out of your house, but not so amazing that the European terrorists outlined in #1 above would have too much trouble. The lock that most prudent people would install on their front door.
Speaking of #1, where can someone get some EVVA MCS action here in the US?
Great idea!
I have a Kwikset on the main door upstairs and whatever comes on the screen door in the basement. I REALLY DONT DIVE A ----. I have nothing worth value in my home, this computer sucks, and I only have .48 cents in the bank account. Worst cast scenario, they come in, hold me at gunpoint and crack a laugh. I'd help them load up my PC as an excuse to get a new one... eventually, Give them my 3rd gen. iPod, and tell them my phone is pre-paid. They might not get my bus pass though, I'd hide that in the crack of my ---. My Jack Spade bag is the only prize possession i have, and I love it.
Is Ansi Grade 2 good enough for most home uses, or do I have to look specifically for the 156.30 designation?
This being a tech gadget site, shouldn't we be discussing more advanced, tamper-proof mechanisms such as fingerprint readers? Those are certainly better... right?
Right? ;-)
http://www.engadget.com/2006/09/22/digital-fingerprint-door-lock-defeated-by-photocopied-print/
The problem is with most biometric (fingerprint) or optical readers is that they often do not interface with an access control system like a simple card reader or keypad does. Biometric readers are a bit more secure that traditional card readers, but are much more expensive and to be honest... ugly. While someone can pull a print from a finger and have it read on a biometric reader to gain entry, stealing someone's eye is a bit different. Optical readers are the most secure, but they are not only expensive they are also very impractical.
There are new technology standards that have been released for traditional card readers called Government Smart Card FIPS201 (Federal Information Processing Standards) that proves to be much more secure than any card encryption to date. Check out the leader in proximity card technology, HID www.hidcorp.com, for greater detail. Also, check out MIFARE and DESFire technologies.
I am an engineer for a security consulting firm in San Francisco that designs large scale security systems for airports, hospitals, and large commercial clients. Unfortunately, simple mechanical keys are no longer considered secure regardless of the cut. While we do specify Medeco or Primus cylinders, they are only for non secure areas. An integrated access control and surveillance system is the best way to secure a door, save for an armed guard posted at each entrance.
While I think the brief article is interesting, the fact is most law enforcement agencies (FBI, DHS, local police, etc) do not understand how security works or even how to implement it. The reason is simple; it is not a necessary entity to be a law enforcement officer. Also, the markets between IT and Security have been merging at ever rapid pace for the past few years and now it commonly takes a network administrator to manage a security system.
In regards to residential security, a more secure lock maybe more affective against a burglar attempting to pick the lock, however I have never run into a client that had an incident like that. Most residential burglaries are via a crowbar, breaking a window, or even entering through an open window. While someone previously commented that most fail to even turn on the alarm system is true, but that nice window or door decal stating that you have an alarm is deterrent enough for the burglar to choose your neighbor instead.
Check out the ISC West convention in Las Vegas at the end of this month to see the latest and greatest in all ranges of security - from simple residential burglar alarms to facial recognition video analytics software. Also check out the ASIS show, which I believe is also in Las Vegas this year.
Just because you haven't noticed it, doesn't mean it hasn't happened.
I have a question: What percentage of residential break-ins are accomplished by bumping or picking a fully-functional standard (Kwikset etc) door lock/deadbolt? I'd guess it's not a very high number, which would make most of this article pointless for the average homeowner.
Sure, it seems scary to think that your lock can be easily compromised, but unless you have secure doors, plexiglass windows or window bars, AND you remember to always lock the door, the lock is the least worry for a burglar.
How to bumb the Mul-T-Lock Interactive:
http://www.youtube.com/watch?v=xT5QMzF60EE
This key is absolutely not safe, the security items on it and on the MT5 are just for shifting the users.
Locks are for honest people.
""I have a question: What percentage of residential break-ins are accomplished by bumping or picking a fully-functional standard (Kwikset etc) door lock/deadbolt? ""
They don't know that information because law enforcement does not report it or track it in the reports, it's just like they don't track idiot users on cell phones getting into a wreck or killing someone while they were on the phone.
"There's no magic bullet."
i believe that there actually is one. it's called a .45 ACP ;)
The locks don't matter much when many homes are outfitted with wood or fiberglass entry doors that do not offer much security. Most doors can be opened with a swift kick or a battery powered drill through the door itself. Not to mention that one could also get through glass windows/patio doors with ease. As far as I'm concerned, get an alarm system if you are worried about getting burgled.
Probably the most important point of this is not about the locks directly, its about the insurance company response to a theft where no apparent force was employed to gain entry to the premises. If the police file a report with 'no sign of forced entry' your insurance company has an out to not deliver on your coverage. Bumpkeying and simple lock picking are your biggest worries here, when they are done properly, the leave little to no trace (that a policeman is going to find). Get a lock that forces physical desctruction. A good medeco or primus is sufficient, or perhaps some of the ones mentioned above which don't employ typical pin-tumbler mechanisms.
I agree, locks are for honest people. If the door is too hard to break into/through then the window will be broken. Lets be serious about this, if a thief wants in they are getting in.
A friend of mine's house has been broken into about half a dozen times, and only once did the burglars try to get in by jimmying the lock--unsuccessfully. They ruined the lock, but didn't compromise it. They ended up getting in by forcing a window.
My own security system is the best that money can buy: I live in a neighborhood where everyone knows and looks out for each other, where several neighbors are home during the day and can keep an eye on things, and where everyone feels as safe outdoors as in-. Granted, the price of a house in such a neighborhood is a bit more than most are willing to spend for good security, but security was about the last thing on our minds when we moved in.
I also agree with "K" if they want in they will find a way.
So we went with the Kwikset because it was cheap and easy to install. Yes, I'd be just as pissed off as the next guy if my crap was stolen but at least by buying a cheap lock set I have saved money towards my next computer.
My lock is spelled D-O-G
One German Shepard and one Alaskan Malamute. Did you watch the Mythbusters dog episode? I guarantee the guy is going next door to the ANSI unbreakable lock, and just breaking the damn window!
A security company sign, accompanied by a 'Forget the Dog, Beware of owner' sign and a sign that reads 'Protected by Smith & Wesson security systems' seems to have done well for me so far.
You want some good, low-tech security? Put a dog food and water bowl on your deck and get a dog-related welcome mat for the front door.
:)