Noted security expert Marc Weber Tobias contributes The Lockdown, exposing the shoddy security you may depend on.


The vast majority of door locks in the U.S. and many other parts of the world rely upon the security or insecurity of the pin tumbler mechanism. In part 1, I described the serious vulnerability to bumping and how most locks can be easily and quickly opened, even by a child. But in part 2 I will try to answer the question that most readers have asked in their emails: what lock should I buy?

Security: How much is enough?

The answer to the question of which lock you should buy is not so simple; it depends upon your definition of security. You need to consider a lock in the context of what it is designed to protect, where you are going to install it, and what your perceived risks are. In my opinion, conventional mechanical locks, the ones that do not carry any type of rating, are not secure and can be compromised relatively easily by a variety of techniques, bumping perhaps being the most serious. When a kid can open a lock in seconds there is no security. As I have pointed out before, you get what you pay for in locks; the cheap ones like Kwikset and the others I have talked about offer no real security against covert or other attacks.

Manufacturers can have their locks tested and certified as meeting high security criteria under standards published by Underwriters Laboratories (UL) and by the Builders Hardware Manufacturers Association (BHMA) under the American National Standards Institute (ANSI). Generally, such standards contemplate three things: resistance to forced entry, resistance to covert entry, and assurance that the ability to duplicate keys is restricted and protected by law. To meet the ANSI/BHMA A156.30 standard on high security, a cylinder must satisfy all three requirements before receiving a rating. UL 437 only tests for forced and covert entry, even though it is touted by some manufacturers as the benchmark for high security locks.

If you purchase a high security lock with an ANSI rating, you are fairly secure against most forms of attack. Although UL 437 is cited by many experts as "the" high security standard, in my opinion it is not, and it should not be relied upon by itself as the gauge of security. UL 437 does provide a minimum standard with regard to forced entry and protection against picking and impressioning. Neither UL 437 nor the ANSI standard addresses bumping, even though it has been shown to be a real threat. Forced entry is the most common method of attack in residential and business burglaries, and for that reason a detailed discussion of common methods of forced entry has been prepared, together with videos that demonstrate certain methods of attack, so you can better assess your risks.

Sorting fact from hype

There is a lot of hype from lock manufacturers, especially those that sell "high security" cylinders. After our alert in the national media about bumping last August, some manufacturers jumped on the bandwagon, figuring it was a marketing bonanza. They confidently announced that their locks were absolutely secure against bumping, or that bumping posed no threat to their products because of their internal designs. Not quite, according to our research. In fact, some manufacturers were not even aware of the technique prior to the media coverage of bumping!

So don't believe everything you read; statements by lock makers need to be taken in context. The top four UL or BHMA/ANSI rated cylinders in the United States (Medeco, Assa, Mul-T-Lock, and Schlage Primus) are highly bump resistant, and for consumer applications they are quite adequate to prevent bumping, picking and other forms of attack. But makers that claim their locks are "bump proof" are not telling the whole story, and if you are a facilities manager or a government agency, you need to understand the larger picture.

Protecting a residence is vastly different from securing a commercial or government facility. Forced entry specifications for locks can be largely irrelevant for homes, because there is glass everywhere and most doors are of inferior quality and can be quickly compromised. Key control is generally not important either. A protected keyway is not really necessary or practical for a residence if high security locks are used, although it can offer added protection against bumping: a bump key has to be cut on a blank that fits the keyway, and restricted blanks are difficult to obtain.

A UL 437 rated cylinder is supposed to provide at least ten minutes of protection against the common methods of covert entry (picking and impressioning). The ANSI standard requires a minimum of fifteen minutes. Some of these high security locks may be compromised in significantly less time, notwithstanding the resistance times implied by the standards. Unfortunately, neither UL 437 nor ANSI/BHMA A156.30 addresses bumping, and that may be your greatest threat from a covert attack, as our report will detail later this year.

If your intent is to protect your home, then I can assure you that a lock that carries a UL 437 or ANSI rating is quite sufficient. Any of the four locks that I mentioned will stop most burglars, assuming that the accompanying hardware (doors, frames, and strikes) is also secure. Medeco, Primus, Assa and the latest Mul-T-Lock utilize what is called a sidebar, a secondary locking system that cannot ordinarily be bumped: the impact of a bump key only jumps the pin stacks above the shear line and does nothing to align the separate elements that the sidebar checks. Unless advanced attack procedures are employed, these locks are quite secure.

The rules change if you are going to rely upon locks to protect high value targets such as cash, drugs (no comment!), information, munitions, or critical infrastructure. Then you might want to do a bit more research into what really constitutes a high security lock and how such locks can be compromised in the real world (the one I work in). Covert bypass methods, including picking, bumping, and certain other techniques, can be employed by determined criminals and may allow even the highest rated cylinders to be compromised in well under ten minutes. This topic is addressed in detail in the new edition of Locks, Safes, and Security.

UL 437 and ANSI/BHMA A156.30 set minimum security standards that are more than sufficient for most commercial applications. But don't be misled by all the advertising hype. These locks can be compromised, which is why security in depth is an absolute requirement: proper locks and associated hardware, alarm systems, and other layers of security.

If you are a commercial or government entity contemplating any large expenditure on locking hardware, you might want to stay tuned. We will be releasing a major security alert, with a detailed analysis and evaluation of the key control, covert entry and compromise of some of the most popular high security locks in the United States. What UL, BHMA and ANSI do not address in their standards may be exposing your facility to risks that you are neither aware of nor protected against. In this case, knowledge is definitely power -- and security.


Marc Weber Tobias is an investigative attorney and security specialist living in Sioux Falls, South Dakota. He represents and consults with lock manufacturers, government agencies and corporations in the U.S. and overseas regarding the design and bypass of locks and security systems. He has authored five police textbooks, including Locks, Safes, and Security, which is recognized as the primary reference for law enforcement and security professionals worldwide. The second edition, a 1400 page two-volume work, is utilized by criminal investigators, crime labs, locksmiths and those responsible for physical security. A ten-volume multimedia edition of his book is also available online. His website is security.org, and he welcomes reader comments and email.

Marc Weber Tobias will be in Dubai next month presenting a paper at the UAE's first deep-knowledge network security conference, HITBSecConf2007 – Dubai. His paper is entitled "Opened in Ten Seconds: The Insecurity of Mechanical Locks" and discusses the compromise of mechanical pin tumbler locks and how their weaknesses can affect the security of almost every physical facility. The conference is directed at IT professionals, security managers and law enforcement agencies, with a view to providing detailed information about physical security vulnerabilities, the protection of information technology infrastructure, and the investigation of criminal attacks carried out by compromising locks. For more details and to register, please see the official conference website, or call +603-20394724.

About HITBSecConf2007 – Dubai

HITBSecConf2007 – Dubai is the 7th conference in our deep-knowledge series and the second time an event has been organized in the Middle East (the previous event was HITBSecConf2005 – Bahrain). The HITBSecConf series is a 100% Malaysian initiative and has been supported and endorsed by the Malaysian Communications and Multimedia Commission (MCMC) and the Malaysian Administrative Modernisation & Management Planning Unit (MAMPU) for the past 3 years. For further details, call Hack In The Box (M) Sdn. Bhd. at +603-20394724.

The Lockdown: Locked, but maybe secure (part 2)