Schneier on Security
A blog covering security and security technology.
March 7, 2005
Flaw in Pin-Tumbler Locks
This paper by Barry Wels and Rop Gonggrijp describes a security flaw in pin-tumbler locks. The so-called "bump-key" method will open a wide range of high-security locks in little time, without damaging them.
It's about time physical locks be subjected to the same open security analysis that computer security systems have been. I would expect some major advances in technology as a result of all this work.
Posted on March 7, 2005 at 7:27 AM
The video that Bruce linked to in "Flaw in Winkhaus Blue Chip Lock" is mostly a demonstration and explanation of the bump-key method: it's very interesting and informative, and well worth the (large) download.
The largest setback in applying this technique when picking a target is that you require the "bump key". ("A bump key is a key in which all the cuts are at maximum depth.") This does not allow the exploiter to use the usual barrage of tools, and is more susceptible to being caught with a box full of bump keys and a plastic mallet. The demonstration is clear that bumping will open locks deemed "unpickable", but also explains that it is very simple to damage the lock and/or bump key permanently (downplayed by Bruce in his blog entry above).
One thing that I would have liked to see in the demo is the application of bumping on a standard height door in a door well. As usual it becomes increasingly difficult to apply a theory when attempting to apply it in a real life scenario. Normally one wouldn't be able to grip the lock as is done in the demonstration, and in reality has very little control other than inserting and attacking.
Lastly, we all know locks are nothing more than devices to slow attackers down and were never really meant to be designed to perpetually stop an attacker from gaining entry.
>> Normally one wouldn't be able to grip the lock as is done in the demonstration...
Fortunately this isn't generally necessary in practice, unless you subscribe to the "one person to hold the light bulb and a hundred to turn the room" viewpoint.
>> we all know locks are nothing more than devices to slow attackers down...
Under the UK Trade Descriptions Act I will therefore now demand that vulnerable £250 locks carry the warning: "Will not delay entry of an educated burglar by more than 30 seconds".
The presenter in the video did say that the locks will show marks from repeated hammering, although he picked a couple in only a few seconds. The amount of marking probably depends on luck and skill.
I agree with Bruce that the locks are not "damaged" per se as they continue to function as designed even after being picked open.
Speaking of hammering for vulnerabilities, any news on Serge Mister and Robert Zuccherato's recent attack against OpenPGP symmetric encryption?
This was demonstrated at Defcon in 2004. Even one attack against the lock can apply permanent damage, and obvious signs of tampering if you know what to look for. Works the same way as jigglers and lock pick guns, only a lot faster, louder, and does more damage. There's a faster method: break the lock. There are quieter and more reliable methods: jigglers, guns, and regular picks. It's interesting and smart, but I'm not sure why anyone would use this technique.
Because it can work as a lock-pick gun on a lot of locks which resist the lock-pick gun, including those with complicated key-ways and dimple-pin locks.
EG, bump-keying should work on my motorcycle's disk lock, which uses a double-sided dimple key. (However, the disk-lock also has a rather loud vibration alarm).
Having met Rop Gonggrijp (at HIP in '97) I can only say that I am glad he is still pushing the boundaries.
A bump key is definitely an interesting technique, and definitely has its place in breaching physical security. As interested parties we should pay attention to Physical security as well as electronic (network/host) security. It doesn't matter how secure your system is if someone can walk up to it and steal it. Even if they don't steal it, if they gain access to the system and make it look like they were after something else will you find what they might have done?
Yes, this isn't the cleanest technique, it causes visible damage to the lock but it is fast and may not require as much skill as other techniques. Also there are some locks that are harder to pick with other, more sophisticated, techniques.
Bruce's blog entry reminded me of this paper (and that I did not bookmark it ...). Thank you for restoring the URL to my mind; I had just started googling for it when I spotted your comment.
What is fascinating about bump keys is how brilliant ideas seem obvious once someone shows them to you, but they weren't obvious enough to have been thought of earlier. It seems odd that this fundamental idea is new.
I also wonder how pick guns and bump keys fit into the Underwriter's Laboratory pick tests. I would hope that UL will adopt realistic, newer techniques in their tests. Otherwise, their tests will be highly deceptive and give people a very false sense of security.
A couple of comments on other readers' comments, after reading Wels' and Gonggrijp's paper:
1. The basic attack is not new at all. What W&G have done is greatly improve it. The original version didn't always work, didn't work well on high quality locks, and carried a high risk of marking or damaging the lock. The W&G version is superior in all these respects.
2. The original version is likely to mark a lock and may damage it. The new version rarely does so, and any marks it does leave look very similar to those of normal wear and tear.
3. The really interesting aspect is that it is kind of complementary to more conventional techniques. Current lock designs that are more resistant to pick guns and hand picking are *easier* to bump, and vice versa. Unless lock manufacturers come up with some fundamentally different approach, they would appear to be in real trouble; but fortunately W&G also point out an approach which is resistant to both classes of attack.
4. Yes, a disadvantage is that the intruder needs to carry around an identifiable burglary tool. Which is why I have just shown this paper to our (physical) security officers 8^)
I want to place an order for a protarca because I also want to take part in the contest; how do I get one, or where do I get a potoarca?
I was wondering if somebody could PLEASE take the time and write a tutorial on the bumping method. I have been so interested in it lately, but my computer is too slow to run the vids. In return, I have several interesting methods of lock picking used for MasterLock locks I would be willing to share with anyone kind enough to help me out. Please send me an e-mail to email@example.com. Thanks yo.
Mmmm, this brings me back. Bumping is the easiest way to get into pin-tumblers... What you do is take any key for a specific brand of lock, even if it's pre-cut. Take a file, put the key in a vicegrip, and file all the gaps so they're a little deeper than the deepest pre-cut gap, then file down the last gap to make them equal. The beauty of it is that you don't need to be exact. You can file a mm off of the front of the key, and half a mm off of the part where you hold onto the key so there's a gap in between the lock and the key handle when the key is inserted. Put the key in, give it a little whack and let the kinetic energy do the work on the pins as you give A LITTLE torque to the lock. Voila, instant door opener! You can put a big elastic band near the part that you hold onto, so as to not dent the lock when you give the key a whack. One brand of key opens one brand of lock, so an arsenal of 10 or so popular brand keys should open 80-90% of the doors in your area. Now be good :) And Jon, pleeeease don't post the beer-can shim method for Masterlocks. The protective steel from floppy diskettes works better :D
Ahh, but beer cans are easier to come by nowadays :) Much easier for me!
Please suggest some safe locks for home entrances.
There are many videos on YouTube about bumping locks at the minute. It appears to be distressingly easy to bump a lot of locks with a little practice. I am surprised that this is not getting more attention.
I am sending you a partial article we have written regarding lock bumping and prevention. If you would like to receive the full article for posting to your site, please let me know.
Safeguard Your Home and Business against Lock Bumping
The videos on lock bumping are all over the Internet and on local news stations throughout the country. It is becoming common knowledge how to bypass a lock using the method called lock bumping. The spread of this information is causing great concern for individual safety and security for home and business.
As a security professional, I am often asked, "Can people really open locks that easy?" "Should I be concerned?" "What can I do about it?" and "What do you recommend?"
The method of lock bumping using bump keys has been around for many years. The recent spread of this information on lock bumping across the Internet and the news has increased the use of this technique for illegal purposes, and now requires individuals to take precautionary action to protect themselves and their property...
Copyright 2006 Wholesale Locks
HELP! What is your take and recommendation regarding "bumping"? Do you suggest a type or brand of lock that is most secure? INFORMATION...PLEASE!!!
~ A LADY who still wants and needs a gentleman's wisdom & touch
Use Medeco locks. They have two sidebars, which rotate the pins slightly, making it possible for them to be used. Also, their keys are almost impossible to obtain blanks for -- they are tied to a specific locksmith (all the sidebars are different) and he'll only make replacement keys for the registered owner of a given lock.
Of course, they cost 220 bucks per deadbolt.
Can a "generic" chinese-made dimple key disc lock be easily picked/bumped? The keys have room for 4 dimple points on each side. My keys have 1 lrg. dimple on one side and 2 sm. and 1 lrg. dimples on the other side.
Any help will be greatly appreciated!! . . Thank You!
I use matlock at my house. You can buy them for about $15.00, they are easy to use, they look good on the door, you can take them with you if you move. www.matlockllc.com
I am a professional locksmith of 29 years... Bumping has been around since the development of pin tumbler locks... It's not used by professionals because it can do major damage to the pin stacks (which you can't see) and easily cause a lockout without warning. Also, it's hit or miss (no pun intended); picks and other bypass methods are much more reliable. There has been a lot of discussion about bumping and changing lock design, but to date, there has been NO outbreak of bumping anywhere in the country... If you're opening it legally, you would be a fool to use bumping... and if you're opening it illegally... you're a fool to be on your knees, at a door, with a set of bump keys, hammering away.... A cordless drill does fine in about 20 seconds!
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.