11-year-old Proves Locks Not So Secure 454
An anonymous reader writes "A new security column at Engadget details the new 'old' threat of bumping locks. The article goes on to describe and demonstrate an 11-year-old girl bypassing a standard 5-pin lock at a recent DefCon Hacker Convention. The girl had no prior experience and didn't even understand the theory she was applying. Scary!"
pen lock picking (Score:5, Interesting)
Locks don't need to be pick-proof. (Score:5, Interesting)
This article's enlightening example just drives deeper a little concept I recently heard called security theater, [wikipedia.org]
Human psychology is certainly interesting - because on one hand we have people scared of box cutters, but on the other hand we drive 70mph mere feet away from each other every day.
Maybe it could be argued that security is primarily about perception.
Scary when it comes to insurance... (Score:3, Interesting)
Re:Great... (Score:4, Interesting)
Re:deadlocks (Score:2, Interesting)
Re:High-tech locks foiled (Score:3, Interesting)
Even funnier is that they had more trouble bypassing the cheapo USB fingertip reader.. it only finally gave in to the most sophisticated of their duplications.
Re:pen lock picking (Score:2, Interesting)
Locks are meaningless for average people (Score:5, Interesting)
They also probably have several windows, glass patio doors, and the like at easy-access level around their home. Most don't have bars on them.
Even those that do have bars probably live in framed out housing, where going through a wall is a trivial feat for a determened intruder with a simple sledgehammer.
But the reality is that locks are deamed necessary because they keep out the casual intruder. The person who will enter only if there is not the most minimal level of effort required to do so.
Beyond that, they are not a security device. They serve that one, minimal function well, but that's all they do.
For instances where a lock is actually protecting something of value, it is usually only one aspect of a much more sophisticated security system. In those instances, the lock serves as an authentication device "this person has a key, therefore they are authorized," and could just as easily be replaced by any other type of authentication system. As again, it can't provide protection on it's own.
That's something that any good locksmith will tell you -- if they can install it, they can bypass it. And so can any other person with access to the right tools and knowledge.
Re:Great... (Score:3, Interesting)
Cheap house interior locks could also be picked by me in that manner. I don't think they're meant to keep out more than a curious ten-year old, but they didn't do that, even
Re:Great... (Score:3, Interesting)
The second possible reason is that perhaps you feel that it has *always* been something to worry about, but you didn't know better before recently.
Re:Great... (Score:5, Interesting)
Oh please. Has anybody ever put complete blind faith in the fact that they have locks on their doors as a guarantee that robbers can never get in to their house?
There is a lot of fear-mongering going on right now about this technique (and this is the second article posted on Slashdot about it in the past couple weeks). But all of this misses the fundamental point: locks have never been enough to keep thieves out.
What is generally enough to keep thieves out is a) basic human morality, and b) the law. Otherwise we'd all be getting robbed every single night - after all, most of us live within earshot of hundreds of other human beings.
Now, if this technique has suddenly caused you to lose faith in both of those things, then I don't know what to tell you - most people don't rest their entire faith in humanity on the sanctity of a door lock. And if you didn't have faith in those things before, then why did you think a lock was going to protect you in the first place? I would think a loaded shotgun under your pillow would be more your style.
The bottom line is this. If you've been robbed before, your locks didn't do you a hell of a lot of good even before this. And if you haven't been robbed before, there's no more chance that you will now. Because the reason you haven't been robbed isn't because thieves didn't think they could get past your door lock - there are a myriad of ways to get into a house for someone that wants to. The reason you haven't been robbed is because the law forbids it and basic human decency says people shouldn't do it.
Yes, there are thieves out there, and I'm not saying you shouldn't bother to have locks - if for no other reason than to keep snooping mailmen or nosy neighbors out. But knowing how to bump and actually breaking into a house are two totally different things. And unlike "script kiddies", breaking and entering is a crime that's taken very seriously - it is usually a felony - and the physical evidence is usually easy enough to trace, especially for an inexperienced thief.
Right Place Right Time? (Score:3, Interesting)
Interesting... (Score:1, Interesting)
I'm not sure if the technique is similar to the one being described here, but what I used to do was insert a file --- or even a bent paperclip --- and "jiggle" it until all of the pins had cleared the the shear line.
At that point, the lock opened. I did the same to my friend's dad's RVs that he had at a campsite. The idea was to jiggle the pins while putting pressure
on the plug so that when one pin had cleared the shearing point its edge would get caught on the plug and not be able to move downward again. After enough jiggling, all of the pins would get bound up in the same
manner and the lock would eventually open.
A few years ago someone had entered my apartment and taken my bookbag. Granted, I had left the lock unlocked since I was home and awake. It had never crossed my mind that someone would enter
my apartment while I was home and wide awake. With a "That does it!" attitude I then bought some hardware (electronic keypad, LCD display, miscellaneous electronics components, etc.) and built my own Linux-powered security
system that required a key code in order to unlock the door. It featured an intrusion detection and alarm system, sentry light, automatic lock-out, and a TCP/IP-based paging/doorbell system. It worked beautifully during the time that I
had it running. I no longer needed to fumble with keys, which was especially nice when coming home with my arms full of groceries.
I'm inspired again to try picking a few locks. Maybe one of these days.
Looking at it the wrong way (Score:4, Interesting)
Re:No evidence of forced entry (Score:2, Interesting)
The thing that is most scary about this attack is that it leaves no trace of the crime, unlike a broken window. This means that some unfortunate people won't be able to convince their insurance company to pay up because there is no evidence of forced entry. The insurance company will try to claim that you forgot to lock your door and refuse to pay up.
Or worse. In my part of the world, we've recently had a lot of restrictions taken off gambling laws. So a lot of people were getting into trouble, quietly selling stuff, them claiming to have been robbed. End result, you'd better have convincing evidence of a burglary now, or you'll find your insurance company having you charged with fraud.
Ahh but (Score:3, Interesting)
So, assuming you get a lock with the correct key design, you then have an additional task. Medeco keys are biaxial, meaning they aren't just cut along the vertical. The pins must be lifted and rotated to open. The rotation is achieved by the correct horizontal angle of the cut. Without that, you can't move the pins. So one you have the correct design of key, you have to cut the correct angles in first before making a bump key. If not, you can't bump anything since the pins won't move.
Finally, you have to hope it's an older one, because with the newer sidebar interface, that doesn't work at all.
Given that the point of bumping is simple entry with minimal tools or experience, that doesn't sound at all practical or simple, which is my point. This "all locks are a joke" is oversimplified bragging. No, they aren't. Many, perhaps even most locks are a joke but there are some real good ones out there that are a real bitch to deal with.
Read the PDF linked from the article if you want some more info, it's fairly complete.
Re:Great... (Score:5, Interesting)
However, each layer of security, the locks, the security system, and the safe, adds a deterrant.
I have a friend whose parents' house has every security system I can think of. Big spiky locked gates, CCTV, the works. They get burgled more frequently than any other house on their street: it looks a lot like they have things worth protecting, and things worth protecting are worth stealing. Security != deterrant always.
Re:Great... (Score:4, Interesting)
Re:Great... (Score:2, Interesting)
I think the reason people break car windows is it's easy.
Also, if someone wants to rip a hole in my hous'es dry wall they can have fun. I live in an all brick house, and I think the drilling/cutting required with power tools will wake someone(probably the whole neighborhood).
I really think you overesitmate "junkies". Most of them just throw a brick through the window. When was the last time you heard of a house getting robbed by cutting down the fence, and tearing a person sized hole in the wall. All my neighbors who have been robbed were bricked.
Someone can always get in if they truly want to, but if all that is truly worthless to you, why don't you leave your money in a paper bag on the porch? I mean after all, the doors, locks, security systems, fences and safes are useless right? So, just leave all your valuables outside and save the theives the trouble; I mean they are gonna get it anyway right?
Re:Great... (Score:3, Interesting)
I also get a kick out of all this security stuff. My house is *never* locked. I don't even think the locks work, but then again, I've never tried them. My Jeep is sitting outside in the driveway of my office right now - the keys are in the ignition. I have no windows in my office - the Jeep could have been stolen 45min ago, but I know it's still there. If its a nice day out, it has no doors or top on, and they keys are still in the ignition. My friends the same way.
If you were a thief, you could come to our house in the middle of the night, and have your pick of 4 vehicles to drive away in, or anything you want in the house.
I dig the fact that we don't have many thieves around here.
Re:leaving crap open (Score:2, Interesting)
My uncle has left all of his cars open all the time everywhere he goes, and at home. Period. Every car he's owned. One story is he parked at the "really crappy/high crime" mall (they have signs that, to paraphrase, say your car is likely to be punked) in his city and the car BESIDE his got busted into. Broken windows, busted dashboard, the works...his truck? Nothing. His windows were down! He even does this with his new truck.
It's so crazy, it works. He says he thinks that the punks that would bust in probably think it's being watched or something, or...there's nothing of value in it...because he doesn't leave anything of value in it and if someone wants to check, he doesn't have to replace the busted window, if they take the truck, it's covered 100%...so, I agree with the other poster that says if you LOOK like you have something to protect, it might become more attractive.
Inject.