Schneier on Security
A blog covering security and security technology.
« New Computer Snooping Tool |
| Imagining Threats »
June 18, 2009
Great article from Wired about the lockpicker Marc Tobias.
Related: "Ten Things Everyone Should Know About Lockpicking & Physical Security."
Posted on June 18, 2009 at 12:59 PM
• 35 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Its unamerican to admit you have a weakness. Instead you should attack the messenger while pretending nothing is wrong. And the Emperor's new clothes are marvelous!
I saw that article a bit back. It's light on facts about actual lockpicking, but the story is entertaining!
I suspect many hackers have learned how to pick locks at some point in their life, probably at a young age.
I recall at some point when I must have been only 12 or 13 years old I credit-carded the door to our home when my mother misplaced her keys, which came as a surprise to her since she didn't know that such a simple trick worked to defeat locks. Some time later on, I manufactured my own picks with nothing more than a file and some coping saw blades and learned to pick the tumblers and taught myself to rake the wafer locks on desk drawers. Learning to hack computers wasn't all that far behind.
I wonder now if my parents then had entertained any suspicions that I might end up a criminal. I learned all of those things for no other reason than to obtain understanding how things work and to treat them as puzzles - not unsolvable but simply intended to be difficult.
Like Tobias, I have an intrinsic mistrust of anyone who tells me their product is unbreakable.
The referenced article makes several allusions to European locks being more secure. My own experience bears witness to this; after several vacatia in Germany, my wife and I agreed that American burglars would starve in Germany (and presumably German burglars would thrive in the US; although they'd probably still starve because the food portions in restaurants in the US are so much smaller than in Germany).
I'm wondering about something. I might be mistaken, but it looks like the locks in these Wired videos have keys with "ridges" on one edge which push up the individual pins to open the locks. I live in Switzerland, and I've never seen such keys used for door locks, only for cheaper bike chains and similar locks. Instead, for door locks, we have keys which have little differently-shaped and sized dents or holes on both flat surfaces. It seems like "our" system should be more secure, as it seems it can't easily be broken by pushing up the individual pins.
So I guess my question is, why is anyone using the types of keys shown in the Wired video for door locks? Are they as secure as other key systems?
All it takes to pick a lock is practice and the desire to do so. The only affect high-security locks have is to increase the amount of practice required. Apparently, this gentleman has quite a bit of time on his hands!
LKM - these locks are the Medeco3, and they look very similar to normal pin tumbler locks, but have a number of features to make them more secure. The basis of this is that you also need to rotate the pins the correct amount to open the locks. They are really quite hard to pick.
Dimple locks that you describe are also hard to pick, but probably slightly easier than the Medeco3. An example is the fairly common Mul-T-Lock.
No decent door, lock, or safe will claim to be unpickable. They will have a rating, generally based on the minimum time, with given tools, that the lock can be opened in. These locks meet UL437, which says they should be pick or impression proof for at least 10 minutes. There's also specifications that deal with attack by power tools - e.g. drilling out the lock. The Medeco3 has a number of features to resist these attacks as well.
Nonetheless, it can be picked very quickly. These guys are good lock pickers, but probably not the best. Others can do what they can in this video.
I'm not sure this is really about this particular lock - it's more that the attitude of lock manufacturers is to keep going with security through obscurity...
A tale I have told on this blog before is about "fake IBM offices" and Israel.
Back in the last century I used to design electronic locks for the hotel and other industries.
Whilst involved with this activity for a few companies I noticed something.
When a new product was anounced the company would get an enquiry about a "big contract" that IBM had for a hospitality or other integarated system. But an evaluation system would have to be supplied...
When a system was supplied for evaluation invariably it would come back with some comments about it being unsuitable for some obscure reason.
I also noticed that the IBM office address changed each time and was allways in an office building shared with other companies.
It was only after reading a book by an ex Mossad person that I realised what might be happening.
And a little checking tended to confirm the possability.
It would appear that Mossad don't belive any mechanical lock is pick proof (which if you think about it is a reasonable assumption).
However electronic locks in hotels had given them the "spooks" as they where effectivly pick proof in the mechanical sense, and the "card keys" where useless after the check out time.
However I can assure you that just as mechanical locks have failings so do most electronic locks.
In the case of locks designed to be mounted on ordinary doors the failing arises simply because they are regarded as too expensive to drill but unreliable due to having batteries.
Likewise those that are powered from an external source have design failings due to having to meet building and fire codes.
Therfore the majority of electronic locks invariably have a backup or bypass system built in. And this is usually the lock systems Achillies heal...
So I have very good reason to belive that Tobias is going to be successful against the locks with in built electronics.
Oh and one thing to remember it's a competative and therefore cost sensitive market which gives rise to the old question,
"What price for security?"
I just shoot the lock out using the mil-surplus M16 I stole from a cop car.
i really liked tobias's attitude. he's 'helping' the security industry secure things properly. they should say thank you.
This is all academic. Every residential breakin I've seen involved a kicked-in door or some other brute force method. Crackheads don't pick locks.
Now we know that Sgt. Schultz works for Medeco.
One of my colleagues was a locksmith and told me about Abloy locks in the early 90s. He was so convinced that he had changed all the locks on his motorcycle to Abloy. Good to see that his opinions are shared by other lock experts.
Thanks for the infos! The locks we have are not Mul-T-Locks, but they seem to use a similar system. Cybergibbons' explanation that the Medeco3 has additional security features compared to normal tumbler locks makes sense to me.
David - I wouldn't say it is academic. I agree that home security is weak anyway.
In the UK you generally need to have a door made of a certain material, of a certain thickness, fitted with both a 5-lever BS (British Standard) mortice lock and pin tumbler lock. You'll often find that there is a reinforced lock strike (a long metal bar running the length of the frame to prevent the door being kicked in) and also pinned hinges to hold the other side when the door is locked. You will have a tough time getting through a door like this using your foot. Carefully applied force with a "persuader" (battering ram) will get a door like this open though.
But for some reason, so many houses will have a front door like this, and people will do things like leave the key in the backdoor (you just insert a small tool to turn it from the outside), leave windows open, don't use window locks etc.
From a picking perspective, most pin tumbler locks can be opened in seconds with a bump key, and most common BS lever locks in a couple of minutes (there is one particularly common lock which can be opened in seconds using a clever bypass). However, try to find a domestic burglary where picking was involved, and you will struggle.
I think the real application of these locks is for the government and military. Here they have adopted a defence in depth strategy. It has to hold the intruder out for a length of time, until one of the other layers of security catches them out.
Same thing here in Sweden, ridges-on-the-edge type keys/locks is the only thing in use. (Well actually, a friend of mine has a bumps-and-dents type lock in his front door. But apart from that one building, never seen them.)
Then again, Assa Abloy is Swedish, and is pretty much the default option when you build a house, I suppose. Perhaps the situation is similar in Switzerland, with one dominant brand that just happens to use a certain type of lock.
The case of a domestic burglar who is smart and patient enough to practice do lock-picking does get me thinking of an "old" joke:
There are no smart criminals because really smart criminals work as investment bankers: The risks are lower and you can keep the loot when caught.
@Ward S. Denker
Go to jail, do not pass go, do not collect $200. ;)
'Section 10 Security in the Real World' You can have the best locks in the world, but if you give the keys to the wrong people....
So a lock only keeps an honest man out. Isn't that right Ward S. Denker? ;)
Claims of unbreakability have a dangerous appeal to people not in the know; and companies who honestly acknowledge risks can suffer for it.
My manager objected to using PGP because of the name... "we don't want pretty good privacy, we want super duper unbreakable privacy." In fact he had a point, because selecting PGP would have meant having exactly this conversation with every manager above him.
Hacker interest in lockpicking is a documented historical fact. You can find record of it as far back as pre-pc at MIT. And for the same express reason that Ward gives - to see how things work. (MIT finally took down the MIT lockpicking guide out of embarassment)
I speculate that why hackers attack locks is that it's a transferable skill/habit of mind. You have an access control mechanism that accepts a particular credential and a very narrow vector to attack.
Yes 90% of break ins use a foot or brick through the front door, but that's not the hacker's point. Sure of course that'll work but they ACCEPT the restriction and rules of the control and through manipulation learn to bypass them.
Narrow vector of attack
can = port 80
can = SQL queries that execute behind the web interface
can = packet manipulation to bypass some firewall rules.
By generalizing the attack target qualities and their methods they can apply them to broader classes of specfic instances.
p.s. Deviant is an excellent speaker and explainer of the technology and methods why they do and don't work. And if you know why he chose Ollam as a nym you can get good swag at a conference.
"So a lock only keeps an honest man out. Isn't that right Ward S. Denker? ;)"
Probably, or an inquisitive one. I suppose it's all about the nature of the lock's installation. If you give someone a key, they can probably duplicate it. I've gone to a local hardware store before and they made copies of a key stamped 'DO NOT DUPLICATE.' The guy looked at me funny, but made the copy anyway. (I was intended to have a copy. Why the only one they had to copy was stamped that way - or why anyone would duplicate it with such an obvious warning on it - is beyond me).
I've known people who taped index cards (or a wad of duct tape) over the hole which the bolt typically descends into so that they could easily grab a smoke without getting locked out of self-locking office doors. Even honest people can't be kept from defeating security for otherwise honest (but ill-conceved) purposes.
I think that what one considers when installing a lock is exactly who one intends to keep out with it. If the door is kicked open, or a window broken instead, then the lock is merely a precaution against a more casual type of burglary. Most obviously don't keep out determined folks who intend not to leave evidence of their crime - but how many homes are offices are vulnerable to people with such a motivation? It's not like everyone has top secret documents stashed somewhere.
That should have read as 'un-inquisitive' For the other anal retentive types (I am one of you), please forgive the various typos. I'm off to prepare my coffee. ;)
P.S. There's a typo in there which masquerades as a common mistake. There's a particularly odd reason why it's actually a typo for me but would not be for a majority of people. May the inquisitive among you enjoy the sport of puzzling that out.
I've never failed to have a locksmith dupe a key marked "DO NOT DUPLICATE" as long as I asked him, "Could you stamp DO NOT DUPLICATE on the new key for me?" (Social engineering?)
@pegr: that's brilliant. Elegant, even.
> I've never failed to have a locksmith dupe a key marked "DO NOT DUPLICATE" as long as I asked him, "Could you stamp DO NOT DUPLICATE on the new key for me?" (Social engineering?)
I suspect it is not social engineering so much as simple venality. Quite simply, there is very little reason for the locksmith to obey the instruction, whereas he will get paid if he ignores it. Hence a tissue-thin pretext suffices to assuage his professional ethics.
There's a reasonably simple mechanism that has widely been used to stop this practice. The lock company designs and patents an unusual keyway. Small numbers of key blanks are then sold to accredited locksmiths *under license*, and the locksmiths have to account for the ones they used when re-ordering. The license conditions stipulate what rules must be followed before duplicating a key (typically using the key serial number to look up the authorised holder of the key, and contacting that person to verify that duplication is authorised.)
The interesting thing about this system is that it removes the "externalities" which Bruce has pointed out are often a reason for security systems failures: with this system, it is in the economic best interests of the lock company to ensure that only accredited locksmiths receive key blanks, and it is in the economic best interests of the accredited locksmiths to play by the rules.
Of course a genuinely skilled locksmith may well be able to duplicate the key without access to blanks, but the considerably greater skill this requires means that both his professional reputation and his time are worth more; the violation of patent law means it is actually a crime (at least in some jurisdictions) rather than merely dishonest, so in some jurisdictions he may be prohibited from his profession if caught; and together with the considerably greater amount of work it will require, means that if he will do it at all, it will cost a lot of money.
> I just shoot the lock out using the mil-surplus M16 I stole from a cop car.
Despite the Hollywood myths, this is a surprisingly ineffective method. I have seen a website somewhere where they tried it with a variety of calibres, and up to 7.62 mm NATO FMJ, it failed to open the lock. The test locks shot by heavier calibres were ruined, but wouldn't open: the working parts were jammed and impact welded together, but the bolts hadn't budged enough to open. (Locks shot with .45 ACP and 9 mm JHP were largely undamaged and still worked.)
It also is not an easy shot (unless you fire at point blank range, in which case you are likely to injure yourself with flying metal fragments.) Not fantastically hard, but unless you are a well practised shooter, you could easily use up a lot of ammo without hitting it -- and if you are well practised, you probably have your own rifle without needing to steal one!
You are actually more likely to be able to open a door with sledgehammer. They are also cheaper, quieter (albeit still quite noisy), and legally unrestricted (at least up to the point you turn it into a burglarious tool!)
@ Ward "P.S. There's a typo in there which masquerades as a common mistake. There's a particularly odd reason why it's actually a typo for me but would not be for a majority of people. May the inquisitive among you enjoy the sport of puzzling that out."
My guess is a slightly shortened middle finger of the right hand? I had a similar problem with 'b's before I learned to stretch the left pointer a wee bit more. Electronic keyboards actually helped.
Not incidently, I learned the a sharp rap on the shackle of a common padlock manufacturer's product would cause the lock to drop open. (Needed to get into the school's light cage and the teacher wasn't available.)
A fellow with me was heard to remark: "I've just lost all respect for XYZ locks!"
Use a 12ga shotgun with a slug round (or, better yet, with special breaching (M1030 or Hatton) round) if you want to shoot out a lock. Breaching rounds are much safer since they disintegrate into dust on impact.
Handguns are usually ineffective, and rifle rounds over-penetrate (so they fail to transfer all energy to the target). A few well-placed rifle rounds will do the trick, though.
@ averros, Bostoned,
"... if you want to shoot out a lock"
I've never understood "shooting out locks" it is generaly ineffective and actually quite dangerous (as Roger above has noted).
There are several better ways, first off why the lock most times the hinges would be a better place to attack, you would be amazed at how many outward opening "security doors" I have seen with exposed hinge pins that take very little work to remove and the door then just opens outward on that hinge side...
But if you must go for the "applied energy" methods the first and most obvious is the use of a purpose made battering ram or decent 14lb lump/sledge hammer, usually three or four well placed hits is enough even with security locks and strikes protected by plates.
Then there is the simple appliance of a car jack to the door frame or door it's self.
However if you realy must get through a door in a real hurry and don't care if somebody is on the other side then 18 ft of "det cord" stuck with putty to the door generaly punches a nice man sized hole straight through with the minimum of warning and effort.
Oh and of course there is the old safe breaker way (19th Century) where you dribble "blasting oil" into the lock through the key hole and then pop a det cap in and blow the lock out (oddly although safes doors have protection against this most security doors don't...).
Mind you if you'r not in a hurry and the door is only moderatly secure a simple mallet and good wood chissel to the door frame at the hinges usuall opens the door with little effort and five to ten minutes work.
For some reason there is usually a very myopic view of how to secure a room / building therefore most times it's way quicker to go in via another route such as through a window or over a partition wall or through the roof or ceiling space...
An interesting little trick house breakers are using in the UK is a fishing bait catapult and a large pebble through a window. Unlike other methods of breaking the glass it does not produce they typical crashing noise that most people acossiate with thowing a brick etc through a window.
Being lazy and a little thoughtfull can make life a whole lot easier ;)
One should check, but I think there are shotgun rounds for shooting out locks.
The rounds use super hot metal, almost like a thermite lance, but one that can be easily used.
One might be able to make rounds like this for guns, helps to be prepared.
Clive - don't ask me why people want to use guns as lockpicks:) I guess it's military/LE proclivity to seeing a gun as a solution to any problem.
@averros "I guess it's a military/LE proclivity to seeing a gun used as a solution to any problem"
I liked all of the comments averros made right up until this. This is a blatently stereotyping mentality. No, the military does NOT have an automatic reflex to "use a gun as a solution to any problem", but the circumstances where we need to enter a locked door generally come when there may be people with weapons on the other side of it, thus neccessitating a need for great speed and little to no warning. This is also many times on foot patrol when carring a small battering ram is not a viable option. When no one's trying to kill us or blow us up, we do not just go around shooting things for no reason, despite what so many university professors or simpletons in Hollywood would have you believe. Your technical commentary seems smart and right on the money; your social commentary is badly misguided.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.