11-year-old Proves Locks Not So Secure 454
An anonymous reader writes "A new security column at Engadget details the new 'old' threat of bumping locks. The article goes on to describe and demonstrate an 11-year-old girl bypassing a standard 5-pin lock at a recent DefCon Hacker Convention. The girl had no prior experience and didn't even understand the theory she was applying. Scary!"
deadlocks (Score:2, Informative)
It's certainly very uncommon for doors to be left with just that kind of lock in this country.
Re:Great... (Score:5, Informative)
Re:deadlocks (Score:3, Informative)
They are thus immune to bumping.
Video of Key Bumping (Score:5, Informative)
Quite fascinating how easy it is, and in the end of the video they even show a 17-pin lock being bumped!
If you are interested in the guys in the video, here is their URL http://www.toool.nl/index-eng.php [toool.nl]
Re:Great... (Score:5, Informative)
High-tech locks foiled (Score:4, Informative)
Locks that resist bumping (Score:3, Informative)
They also have a section on locks that resist bumping:
There are mechanisms that do not allow for the two pins to separate except when slid sideways, such as used in the Emhart interlocking lock (which is not being produced anymore). As far as we can see, such a mechanism would successfully foil the bumping attack. Also some mechanisms which have a one-piece locking mechanism (such as a 'sidebar') may resist bumping. Locks that involve rotating discs (such as Abloy Protec) or magnets (such as Evva MCS and Anker) are also not susceptible to this attack. Klaus Noch sells modified standard Euro profile locks which lock up (i.e. 'broken but closed') upon most attempted manipulations, including bumping.
I found the Abloy Protec lock (with rotating discs) especially interesting and I'm going to get this for my own front door when I get the chance. On the same website they have an paper on the Abloy Protec as well: http://www.toool.nl/abloypart3.pdf [toool.nl]
Zzz ZZzz ZZzz (Score:3, Informative)
Locksmiths can buy a pick gun from locksmith suppliers. It's looks like a handheld staple gun, and you slot the straight strenghtened steel tip (looks like a small metal cable tie) into the gun.
It works by bumping the whole steel tip up about a 16th of an inch, at which point you twist the entire gun anti-clockwise to open the lock while all the pins have been knocked just as the article describes.
This came as part of a back-of-the-magazine locksmith "diploma"
That's not realy true (Score:4, Informative)
That does not mean, of course, you can't pick one, but it's much harder, and requires a lot more training. They aren't a perfect system, but they sure aren't a joke. Also, despite being quite large, they are quite secure.
There's other brands of high security locks too, and they are similarly hard to deal with. It's just not more common because the construction needed for them is quite a bit more. A Medeco Maxium will run you like $200.
Re:Great... (Score:4, Informative)
The ones in the house I grew up in even had the endcap easily popped off, allowing direct access to the plunger.
The trunk one is a bit more surprising since that should be a proper key, but I've often wondered just how effective car locks are. I remember I discovered my old '83 Firebird's door key would start a friend's GM truck (remember GM cars at the time had two keys, door and ignition). She got a kick out of it but it made me wonder.
Not so much (Score:5, Informative)
Some deadbolts have no external component and can only be locked and unlocked inside. Totally pick proof, but only useful if you are home. Most have a normal pin lock on the outside. That makes them, pick and bump wise, no better than any other lock. There are high security deadbolts with better locking mechanisms, but you can get those better mechanisms on anything, including padlocks.
Re:As with any security measure.. (Score:5, Informative)
Actually it seems to work against just about anything with split pins, regardless of its price. That's a helluva lot of locks.
To secure your house or office you shouldn't look at anything less than a Mortis or a deadlock, and you should have at least two on each entry point. Windows should lock from the inside, again with deadlocks.
I was intrigued by your statement, so I did some quick research. What I discovered is as follows:
Deadbolt locks* are cylinder locks; they just have the weight of a bolt holding the pins down instead of just springs. There's no reason why bump attacks shouldn't still be successful against this type of lock since the principle of bumping is somewhat different than pin scraping.
Mortise locks are just locks which are inserted into a hollowed out portion of the door -- it has nothing to do with the mechanism inside, and from what I was able to find out, most modern mortise locks contain cylinders.
* Which is what I assume you meant, since the only definition of a deadlock I can find is a situation wherein two or more competing actions are waiting for the other to finish, and thus neither ever does. I have no idea how you propose putting a deadbolt on a window, but maybe you meant something else.
References:
http://images.google.com/images?q=mortise%20locks [google.com]
http://www.rcmp-grc.gc.ca/tsb/pubs/phys_sec/g1-01
http://en.wikipedia.org/wiki/Deadbolt [wikipedia.org]
Re:Great... (Score:3, Informative)
Re:That's not realy true (Score:3, Informative)
Re:Great... (Score:5, Informative)
Tension Wrench and Rake? (Score:4, Informative)
Made a set myself out of small allen keys.
They described the 'rake' technique where you put tension on the cylinder and just
zip a zig-zagged piece of metal against the pin.
With a little practice I opened many locks...didn't even have to bother going
pin by pin. As soon as you got one pin above that line, the upper pin
kinda 'snapped' over and stayed up.
Worked great on old worn out locks.
Re:11 year old at DefCon??? WTF? (Score:3, Informative)
Can you take me with you this year? I want to see if I can win the wardriving contest! I promise to pretend being sweet, innocent, and clueless.
You will notice that the girl is wearing a white badge, which is $100, and otherwise dressed appropriately. Not the youngest person I saw there anyway.
Re:Robberies versus assaults? (Score:1, Informative)
But I don't buy the whole "2nd amendment is my God-given right, guns solve everything and make the world a perfect place" argument either.
How about the huge spike in home invasions that followed the UK gun ban?
Re:pen lock picking (Score:1, Informative)
http://www.diamondnexuslabs.com/jewelry/index.php [diamondnexuslabs.com]
Re:Locks that resist bumping (Score:5, Informative)
A number of systems will resist this type of attack. Probably the best is the Abloy, which I understand was bought out along with ASSA by Medeco. Alboy relies upon a sidebar; the discs need to be aligned, a sidebar drops into place, and the lock opens. I also understand there is a way to bypass this system, although the tools are pricey, resticted, and since Abloy locks are relatively rare in the United States, they remain relatively secure.
ASSA also relies upon a sidebar, with the code being cut into the side of the blank. The blanks are heavily restricted, and locksmiths have to account for all of them- even ones that are mis-cut. Of course, a sidebar can be regional, which is its biggest flaw; apparently they are more popular in Europe. If a local locksmith uses a given key profile, then it is simple enough to turn a given cut key into a "bump" key.
It would seem- although I have not tested it- that Medeco locks are immune; they require that the pins be brought to the correct height and that they be rotated (left, center, right- only three possible combinations) before the lock will open. Last I checked, it was still much easier to grind a Medeco out of existance than it was to pick it; they *can* be picked, but it takes many hours. I never liked Medeco, but since Abloy and other types of locks that offer higher security than hardware-store junk were either insanely expensive or no longer available, as their keys tend to be brittle and break right at the bow. But that's what I installed on the house; each door cost me $160 for a single-cylinder lock, but at least I know the lock is secure. Entry would have to be made in some other way than bumping or picking; further, high end locks also offer crush-resistant collars (to avoid "pipe wrench" attacks), better bolts (to prevent icepick and cutting attacks), and so forth. They just *weigh* more- it's not pot metal and good intentions in every box, unlike some makes.
True story: in the early 1990's, some genius figured out that every high-security door lock on the market could be attacked in seconds- sometimes faster than using the key- with an ice pick or a bit of wire or welding rod. Pierce the door in the right way that the tool can be used to push back part of the bolt, and you're in. Ice pick attacks were popularized, but the wave of thefts never manifested. Newer generations of bolts were issued that prevent this type of attack.
"Bumping" presents a somewhat higher threat level given that it works on more commonly available locks, which are used on probably 95-99% of homes in the United States. Given that a "Kwikset" can be bypassed with a sheet metal screw, a screwdriver, and a pair of "Vice Grips," it's a wonder more homes don't succumb to this sort of stuff every day. Fortunately (?), thieves rarely look at a home the same way we do; a good burglar or a drug addict desperate for a $20 fix will use whatever tools and techniques are handy, at great expense to society. Given that these individuals might be able to sell their gains for perhaps 10% of their value, the amount that either has to steal and re-sell to get by is quite remarkable. They don't pick locks, and they probably won't use "bump" keys.
Re:Great... (Score:5, Informative)
If the door is locked, you make a hole in the cheap-ass low bidder drywall and either reach in and open the door from the other side or hell, just rip a big hole in the wall and walk right in. The door and all it's locks and alarms is happy to stand there doing nothing. Even if the alarm does go off, you usually have several minutes to do your work.
Fences? Hop over. Chainlink fences can be unbolted and taken apart, or cut. The best actors can cut the fence and put it back so it appears to be whole. Most junkies don't care. They steal a car and ram down the fence or the gate, or the house garage door.
Gated community? Not hard to get in, and generally a good hit because everyone inside thinks they're safe so they don't even bother with stuff everyone else would do to protect themselves.
Car club devices? Easy to defeat with the bump or several other extremely simple methods. Clubs are absolutely useless.
Car alarms? Most of them look for door openings as the trigger. Very few have motion detection. So you bust the window and crawl in like the Duke boys. No alarm.
Put valuables in the trunk/boot? Most trunks are not even part of the alarm. Not sure? Cut the horn wires, usually easy to reach under the radiator. Cut the battery cables for those cars where the battery is in the fender well. Tow the whole thing if it's a valuable car. Pop into a shipping container and off to China before anyone knows it's even been taken.
Junkies just want the radio to fence or the checkbook you left in the door pocket. Even they know how to avoid setting off the alarm. BTW, this is why most car break-ins are broken windows. It doesn't set off the alarm unless you open the door. This goes right back to the problem with house burglar alarms and the drywall. You just go around the protected area, i.e. the doors.
But hey, if it makes you feel better, put more and more and more locks on that door. It just makes the drywall look like an even better target.:)
BTW, on that safe? I bet the walls are thin. If not that, then there is some sort of physical weakness and a pro would have it open faster than the police would show up, but as you did note, the grab and run burglars wouldn't bother. But remember this: if someone wanted into that safe, BY FAR the easy way is to make you or your wife open it. YOU are your own weakness.
Evidence of forced entry not needed (Score:5, Informative)
Plus, any half-decent residential insurance policy will insure you for straight loss of contents, anyway. No need to even file a police report.
Anyone who's had a claim denied because they forgot to lock their doors really needs to shop around for better coverage, and possibly talk with a lawyer.
Note: this doesn't apply to commercial entities. If you're running a business and all you've got is an easily defeated lock to protect your interests, well...
Re:I think concern stems from auto policies (Score:5, Informative)
Mostly I respond to posts like the GGP because it's a common insurance myth, based on what our grandparents faced. It's much like the ever-popular "Acts of God aren't covered!!!" Yes, 100 years ago proof of forced entry was required, and "Acts of God" was a legitimate exclusion clause. However, these days neither is really true. Hail, lightning, windstorm - these are all "Acts of God" that have been covered for decades. Catastrophic natural disasters aren't.
I used to be an insurance geek. So, much like 5,000 Slashdotters scream when CNN gets a tiny detail wrong about technology, I try to correct these decades-old insurance myths whenever I can. Especially when people start advocating insurance fraud
Re:Robberies versus assaults? (Score:2, Informative)
Instead, it provided anecdotal evidence that, "in my [the authors'] own experience counselling victims of crime in recent years, there has also recently been a marked increase in the use or the threatened use of dangerous weapons in burglaries and common assaults". The author does not attribute this to the UK gun ban or any form of gun control whatsoever.
This is in comparison to a number of empirical academic studies including the following which support the gun control hypothesis:
- A. Chapdelaine and P. Maurice (1996) , "Firearms injury prevention and gun control in Canada", Canadian Medical Association Journal, Vol 155, Issue 9, p 1285-1289 - "The cost of the consequences of the improper use of firearms in Canada has been estimated at $6.6 billion per year. There is a correlation between access to guns and risk of death. The mere presence of a firearm in a home increases the risk of suicide, homicide and "accidental" death."
Get some REAL evidence and then make your claims.Re:Why on earth is she there? (Score:5, Informative)
She actually had quite a bit of interest in locks. I taught her how to pick locks the day before. Matt Fiddler taught her how to bump them the day that video was taken, and Mark Weber Tobias thought it was really cool to see. She enjoyed picking way more than bumping (it's more of an intellectual challenge).
Now, she didn't seem to be that interested in the interviews (yes, there was more than one)... She wanted to get back to the locks.
What do you believe is a better place my daughter could've been that weekend? The mall?
She wasn't too happy when we mentioned getting someone to watch her for Defcon 15, so I think we all had quite a good time there.
Re:Great... (Score:3, Informative)
Recommendations: Abloy classic [abloy.ua] or Abloy Exec [padlockpeople.com]. Notice that both of these have discs, that need to be rotated to the proper position by tilted slots in the key, before the key can be fully turned. No springs to fool around with that wear out. Here's a detailed lockpicker's writeup: part 1 [toool.nl], part 2 [toool.nl]. (pdf)
Re:Great... (Score:3, Informative)
We lost a keychain and had a professional pick all the doors, even doors costing a fortune with some really odd-looking keys. But when the locksmith saw the Abloy locks, he laughed, gave us a long stick, and told us to use it to get in. Stood there dumbfounded until he pointed at the window
When we got in after breaking the window, I just remembered that the lock is a double-side one, with a key needed on both sides... DOH! They had to disassemble the door frame to be able to get the door to open. Luckily it was the type of Abloy lock that has a "hook" that wraps around a metal pin in the door frame, or we would have had to break parts of the wall
That was an expensive boat trip (dropped the keychain into the sea)
How secure are your walls, though? (Score:2, Informative)
If they want to get in, they will.
Re:Great... (Score:2, Informative)
I live in *the ghetto* in Chicago. Not 1979 Cabrini Green-level ghetto, but not too far from that. If you're from the Chicago area (other cities have this technology, too), you know how in the "really bad" areas they have the flashy blue lights on the telephone poles with the cameras in the bullet-proof shells that auto-home/focus on the sound of gunfire? We have lots of those.
We're talking crack dealers around the corner, having to run off the meth addicts in the alley, occasional gunfire (on the next block).
I do live on "a good street" but back up against a very "bad street". I keep an eye on the police blotter for my area, and there is not insignificant burglary events around my area (as well as a few homicides each year).
I've lived here for about 2 and a half years. I'll be here at least one year more, maybe two.
I have a nice house with a nice yard. I drive a new truck and ride a Harley. I'm white (the neighborhood is about 99% black), I grew up in suburban Ohio. I'm sure anyone can see my big screen TV from the street (there's no way to arrange the front room without making it visible).
However, my home has never once been bothered, much less burgled.
How is this?
1. I have two big fucking dogs.
The little one (86 lb pound dog - probably an American Bulldog or a mix of one) is as sweet as can be. But people tend to be more afraid of him. I've heard along the lines of "you have to watch out for the silent ones" more than twice. People think he's charging them at the fence, but he really is running up so he can lean against it so they can pet him. The little kids know this - apparently this perception is lost at about the pre-teen years (based on observed reactions).
The big one (130lb Boerboel, heavy growl and bark) doesn't like people near her stuff (yard, humans, other dog, etc). When people ask if she bites, I tell them "Yes. Please watch your hands near the fence." I'm not being exactly disingenuous, here, but I don't think she'd lunge or snap. She just acts really mean, and she will try to "get at" something she feels is really threatening (like a person on a skateboard or bicycle, or a cat she doesn't know in or near her yard. We have cats in the house that she protects, too).
I make a point of playing with the dogs in the front yard (we have a double lot, and the yard wraps around the house) to make myself as visible as possible. Playing tug (either with me or each other) makes for some excellent growling noises that illustrate the "danger".
2. I'm not afraid to yell at people who are being assholes. Like "Hey, you guys are welcome to hang out on the sidewalk, but *stop* leaning on my car. Thanks." I call the cops a lot for bigger issues (playing "dice" on the sidewalk near where little kids live, drug dealing and consumption, mostly), and leave my name so they can follow up for a report. Anonymous is appropriate sometimes (like for gang activity, of which we have little - we're well within a gang border, so they mostly just have hired footsoldiers dealing drugs, and those dealers have no real rank or anything), but a lot of times it helps more to show "I live here, I am not afraid, and I am sick of this shit!" If you don't have a "city face", people are going to take advantage of you.
Along those lines, if a "shady" person talks to you, you have to talk back (and be polite). Some will try to be loud and walk up on you, apparently just to see if you'll back down/away. You *can't*. You have to stand your ground and I even step forward as they're walking up to me. To back away just illustrates "I'm uncomfortable here" and word will get around. You really don't want that.
But you can't be a flaming asshole, either. You just have to be "solid" is how I think of it. Then you at least have respect of the people in the area.
3. I am friends with all of my [good] neighbors,
Re:Great... (Score:2, Informative)
Picking and bumping are totally different animals. Lockpicking requires a couple weeks of steady practice to be able to break reasonably strong locks (like those that appear on a house) reliably, and I don't know how much more to be able to pick them reliably and quickly*. (Remember, you don't want to be standing on someone's porch for five minutes trying to pick the lock. Better to just break a window. It'll attract less attention.)
Bumping by contrast, if the information I've seen about it is to be believed, takes essentially no practice and reliably opens locks in about the same time you can with a key. Totally different animal.
* I never got to that point. I practiced for about two weeks and got to the point where I could: almost always pick a modified deadbolt (I removed a pin) in about 30 seconds; usually pick an unmodified, cheap deadbolt after several minutes of trying (though one attempt I got very lucky and opened it in under a minute); pick one specific three-pin padlock in about 10 seconds; rarely pick a four-pin padlock. I had yet to crack a five-pin padlock. These skills are probably not yet at the level where I could go up to a random house and break in even given plenty of time, and FAR from the point where I could do it quick enough that I would consider that it would be a reasonable entry method.