This past weekend several of us attended an excellent two-day training session on lock security offered by Schuyler Towne of Open Locksport. Two full days of picking locks, impressioning keys, and opening handcuffs brought physical security to the forefront for me. It seemed like the perfect time to do an overview of some of the popular non-destructive lock bypass techniques, and the ways we can mitigate them.
To better understand how some of these attacks and defenses work you’ll want to be familiar with the various parts of the lock:
- Springs – These apply constant downward pressure on the pins. To open a lock the key (or a pick) must push the spring upwards.
- Driver Pins – These are the pins in direct contact with the springs; they must be raised to the shear line for the lock to open.
- Key Pins – These are the pins in direct contact with the key (or a pick). When attempting to bypass a lock, the key pins are the ones you are manipulating directly.
- Shear Line – This is the dividing line between the plug of the lock and the surrounding cylinder in which it is mounted. For the lock to open, the driver pins must all be raised to the shear line at the same time.
- Plug – This is the central part of the lock in which the key (or pick) is placed. The plug must be turned to open the lock.
Now that we understand the parts of the lock, let’s discuss some of the more common techniques for non-destructively bypassing them:
- Picking – This involves an attacker applying light turning pressure and setting each binding pin within the lock one at a time, until the plug turns and the lock opens. It takes a fair amount of practice and skill to do this consistently.
- Raking – This involves an attacker repeatedly passing a specialized tool back and forth within the lock until the pins all set and the attacker is able to open the lock. This requires far less skill than picking, but works best on cheaper, less complicated locks.
- Bumping – To “bump” a lock an attacker uses a bump key which they have either purchased or made. This key isn’t particularly special; it’s simply a key blank for the targeted lock which has been filed down to the lowest point for each pin. For most locks, everything you need to make one can be found at the local hardware store. Like raking, bumping requires little skill and has a high success rate on cheap, uncomplicated locks. The attacker places the bump key nearly all the way inside the lock’s keyway, and gives it a light tap with a mallet. This causes all of the pins inside the lock to fly upward rapidly, bouncing all over the inside of the lock. With the right timing, this lets the attacker bind all of the pins at once and open the lock.
- Shimming – Shimming is a bypass technique in which the attacker attacks the shackle of a padlock. Commercial shims can be purchased; however, the traditional tool here is a chopped-up beer can. A thin piece of aluminum from the can, folded over for added strength, is slid into the shackle hole of the lock. Once inside, the attacker turns it, applying pressure to the latch that holds the shackle, and with a little effort forces it open. This same technique can also be applied with great success to the latch mechanism within handcuffs.
- Door Shimming – This is the popular “credit card trick” you are likely already familiar with. The attacker slides a credit card or sturdy piece of poster board into the latch of the door. Once this has been worked between the latch and the door frame, it is often possible to disengage the latch without actually opening the lock.
Now that we understand some of the different attacks, what are some of the methods lock manufacturers have come up with to prevent them? The first is simply increasing the number of pins. Many common padlocks and deadbolts have 4 to 5 pins; more expensive ones may have 6 or even 7 pins. Each added pin increases the work needed to pick the lock and increases the complexity of raking.
Lock manufacturers have also created several different types of “security pins.” The typical lock pin is a smooth cylinder which moves easily within the lock and can be manipulated with a pick. The goal of each type of security pin is the same: make it more difficult for the attacker to detect whether a pin has set or not, and make it more difficult to set the pin, by using something other than a smooth, cylindrical shape. We have “spool” pins (pictured left), which have a lip at both the top and bottom of the pin; “mushroom” pins, which have a lip on one side and gradually flare out at the other; and “serrated” pins (pictured right), which have a series of ridges covering part or all of the pin.
To prevent bumping, lock manufacturers have come up with several different countermeasures, with varying degrees of effectiveness. Many manufacturers offer “anti-bumping fluid,” which purports to prevent bumping by basically gumming up the lock. This countermeasure relies on earlier, flawed research on lock bumping. It has a limited amount of effectiveness and has to be reapplied regularly, something no residential user is going to do.
Because bumping works by rapidly forcing the pins past the shear line, many of these countermeasures work by requiring constant pressure on the key pins. One example is “trap pins,” which are additional pins set to the side of the keyway. Without constant pressure on the key pins, these trap pins fall downward and catch the lock cylinder as it is turned. Another great technique is “top gapping,” where an air gap is left between the key pin and the driver pin. With the key in place, the driver pin is pushed into position beyond the shear line and the lock opens. In a bumping attempt, it becomes difficult to drive the key pin into the driver pin with enough force to overcome the spring and push the driver pin past the shear line. Another option is “joining pins,” in which the key pin and driver pin fit together like puzzle pieces. Because they interlock, a bumping attack moves both pins together, which makes it nearly impossible for a bump to align them with the shear line. The final way to make a lock bump-proof is to select a locking mechanism which does not use the classic pin tumbler design. Disc, lever and wafer locks are all bump-proof.
Padlock shimming can be prevented in a number of ways. First, you can prevent the attacker from gaining access to the shackle by using a hockey-puck-style lock such as the Mul-T-Lock TR100 or a disk lock such as the Abus Diskus 28/70 (pictured left) or Brinks R70. However, using this type of lock will require you to also get a compatible hasp. The second way is to get a padlock with a protected shackle, which makes it difficult for an attacker to get a shim into the lock body. Examples of padlocks with protected shackles are the Abus 37/80 and Mul-T-Lock C35SB.
Finally, you can purchase a padlock with a shim-proof locking mechanism. Padlocks with shim-proof locking mechanisms are usually key-retaining, meaning the key cannot be removed until the lock is relocked. Examples of padlocks with shim-proof locking mechanisms are the American A1100 (pictured right) and the Abus DN381.
The classic “credit card attack” relies on an attacker having access to the latch mechanism and being able to force the latch open. The obvious, fairly inexpensive way to mitigate this attack is simply to place a striker plate over the latch mechanism. Another good method is to purchase door locks with “dead latches” (pictured left), which are designed to prevent shimming.
So, how do we pick the right lock? For Low-Risk situations such as internal doors for non-sensitive areas, filing cabinets containing non-sensitive information, and even some residential environments, a cheap pin tumbler lock may be good enough. This includes most of the inexpensive locks you’ll find at your local hardware store from brands like Master, Kwikset, and Schlage. The Master Speeddial (pictured left) in particular is a relatively cheap padlock which can’t be picked or shimmed, although it remains vulnerable to destructive attacks.
For Moderate-Risk environments you should look for a lock with additional security features, like security pins. These can be found in your local hardware store with labels like “pick resistant” and perhaps even “bump resistant.” The Kwikset Smartkey (pictured right) is one fairly inexpensive lock with both of these features which can be found in big-box hardware stores and is a good fit for residential use. It’s recommended to pick this one up at a big-box store; older versions of the Smartkey had some vulnerabilities which have been addressed in newer versions of the lock. Many of the smaller mom-and-pop hardware stores will still have inventory of the older versions, while most big-box stores have replaced their inventory. For Moderate-Risk environments that need a padlock, the disk locks from Brinks and Abus we mentioned earlier provide good protection against shimming, have security pins to make picking more difficult, and are fairly resistant to destructive attack.
Finally, for High-Risk environments, we need to look for high-security locks. Providers of these include companies like Medeco, Mul-T-Lock, and Assa Abloy. Most of the well-known residential and commercial lock brands in the US do not offer many high-security locks with robust anti-picking and bypass countermeasures. One very notable exception is the Primus line of locks produced by Schlage. Lock cylinders alone for most of these brands start at $70 and go up from there, twice what even a moderately good lock like the Kwikset Smartkey will cost. Because of the extra cost, it’s unlikely you will put Medeco locks on all of your interior doors. However, high-security locks are an excellent and fairly cost-effective way to add extra security to your external doors, or to specific sensitive areas like a datacenter or records storage room.
There are many great resources out there if you’re interested in learning more about lockpicking and physical security:
- Toool.us (http://toool.us)
- Blackbag (http://blackbag.nl)
- Lockpicking 101 (http://www.lockpicking101.com)
To get picks, locks, and other bypass tools, I recommend:
- Southord (http://southord.com)
- Serepick (http://serepick.com)
- Peterson (http://www.peterson-international.com)
And finally, if you’re in the Cleveland area and want to meet up with some lockpicking enthusiasts, Matt Neely (@matthewneely) and I (@chrisclymer) run a local TOOOL chapter which meets the 3rd Saturday of every month here in Cleveland. You can find more information on that group here: http://toool-cleveland.com/