Slashdot Mirror
Kensington Laptop Locks Not So Secure
eric434 writes "According to a security alert released by Security.Org, the Kensington laptop lock that many of us use and love isn't secure. In fact, it can be opened in 30 seconds after about a minute of practice with a $1 worth of equipment. (A Bic pen, and a pair of scissors. In the interest of giving people some time to stop using the locks, the actual method of opening the lock is left up to the reader.)
To make matters worse, Kensington's 'We'll give you $1500 if someone steals your laptop' guarantee doesn't apply -- because the process of opening the lock doesn't damage the lock or cable." Mind the source, though -- security.org wouldn't mind selling you a book on locks and safes.
For the sake of those who thought to RTFA, the article gets you to email the author regarding the details of the exploit.
Extract from article:
You may contact the author for further details as to the method of entry. All computer owners and administrators should be aware of the potential for theft if you utilize this device. The full details of how to compromise this device are contained in LSS+ Version 5.0 Multimedia edition of Locks, Safes, and Security. Kensington may be contacted for further information at 800-535-4242. The company was notified of the problem by the author on July 13, 2004 and has refused to comment on or acknowledge the problem, or to return any telephone calls or e-mails. The author believes that the manufacturer can remedy the problem and should be required to do so. All purchasers of this device may wish to request a replacement from the manufacturer that prevents this form of bypass.
"And we have seen and do testify that the Father sent the Son to be the Savior of the World" 1 John 4:14
A simple pair of wirecutters would not remove the locking cylinder.
The point of the Kensington lock is not so much to secure the laptop to something as to ruin the resale value of it by virtue of the damage likely to occur to the laptop if the lock is forcibly removed.
This hack apparently allows the lock cylinder itself to be cleanly removed, rendering the lock useless and giving the thief a laptop to sell that doesn't scream out "Look at this torn-off case plastic! I was stolen!"
A lot of product insurance contracts, notably cell phone replacement plans, require the filing of a police report but one can usually get past this by simply being stubborn and simply demanding your refund/replacement. I find that the long pause on the phone after they remind you of the police report requirement is often effective in getting them to drop the troublesome requirement in the name of "better customer service". After all if they get a reputation for hassling claimants then nobody will buy those warranty replacement plans anymore because "it isn't worth the hassle." With warranty replacement plans everything can be negotiated if you are persistent enough.
Parent's "Doom Tweak Guide" link is nasty-fake. Don't click. :)
I got it, I think! It's a tubular lock, but a damn big one with weak springs. Use the scissors as a torque wrench to apply constant turning pressure. Use the pen to push in the individual pins. Very weak lock.
Since when has this country used intellectual elite as a pejorative term?
Not to mention that steering wheels are actually pretty soft. If you've ever seen one of the crash-tests in slow-motion, the steering wheel looks like a rubber band during the impact. They're designed to be soft so as not to impale you when you're in an accident.
If a crook wants past your club, they can just cut through the steering wheel and remove the club.
I've seen a different sort of club-type device on TV that hooks around the brake pedal. Looks like a better product to use anyway.
"Nothing strengthens authority so much as silence." - Charles de Gaulle
"If theft of your laptop computer results from the Kensington Guaranteed Notebook Replacement MicroSaver computer lock being broken or opened by forceful means Kensington Technology Group will pay you the replacement value of your laptop up to US $1,500.00." Sounds like depending on the method employed it could fall under "forcefull means"...
The tool *is* available, you can probably find it for under $20. Most every hardware store will have one. They're used in construction to do exactly what the name implies; cut bolts :)
Actually, bolt cutters aren't very good at cutting cables. What you need are cable cutters, which have more of a hooked scissors or shears type of head. The head of a cable cutter resembles the beak of a predator bird, actually; probably for a good reason.
Bolt cutters are designed to cut a single solid piece of metal, so they are not effective at cutting the many strands of a cable. The cable kinda squashes and the individual strands are too flexible for a bolt cutter.
Bolt cutters will work, eventually, but the right tool for the job is a cable cutter.
Send lawyers, guns, and money. Dad, get me out of this.
I have two ideas on it.
:)
:)
The first is what you're implying, using common tools like a lockpick set.
The other, which may be more likely in this case is the way I "encourage" doors open when some fool locks themselves out.
I'd be willing to bet that this lock sets itself when you slide the end of the cable in. Kinda like a door latch. It slides over the angled bolt, and once it's over it is trapped til you use the key.
If the pen was a common white bic, and you removed the tip, ink, and back, you'd have a thin plastic white tube. If you used the scissors to cut the tube in half, even for just an inch or two, you'd halve a half-pipe roughly the size of the cable. Slide that down between the cable and the lock, and it would push the lock's bolt out of the way, and allow the cable to come free.
It's a little harder to do with a common home or office door, but can be done with a credit card.
This doesn't work for dead bolts (obviously). It also don't work on most padlocks, because the space is too small to slide something in.
Personally, I believe locks to be a tool to make people feel safe, and to keep 'honest' people honest.
A locked office in most office buildings can be accessed through the drop ceilings, or with the "assistance" of the janitorial staff.
A locked door on a house can be circumvented by going through a window, locked or not.
But, seeing a lock on a laptop, or a locked door on a room or building, makes a person think twice. The next one they find may be that much easier. Why go for the one with the Kensington lock that takes 30 seconds to steal, when you can just pick up the next guy's laptop bag with everything in it when he's not looking? You could tie your laptop off with a length of rope and be just as secure.
Kinda like 802.11b encryption. It's easy enough to crack, but most people will move on to the unencrypted network.
Serious? Seriousness is well above my pay grade.
Might as well post a link to some handy denver boot removal advice. Some boots are so poorly constructed that a hammer and chisel can dislodge the various spot welds.
So you want to know about lock picking?
There is this wonderful site that has a great article about it: http://home.howstuffworks.com/lock-picking.htm
Make America grate again!
After all, it's not a really secure lock like a cylinder, the number of combinations of the impressions on the rim of a key is limited so I guess there are only a few different lock combinations. Anyone could buy a Kensington and get one with the same key as yours.
Hmm... I can't believe it took this long for this 'exploit' to surface. Any geek with a laptop, some boredom and a paperclip should have figured this out already.
Anyhoo: what you need is a pair of scissors and a paperclip. if you have no scissors, a second paperclip will work, if not so well.
Jam one point of the scissors into the rectangular hole on the circumference of the circular key slot. Twist the scissors so that the inner part of the lock turns into the 'open' direction. Keep applying a gentle pressure, and use the paperclip to push in the little pins in the circular groove, one by one. Push down lightly and slowly until you feel the pin 'snap'. If you release the pin, it should be held in place and not spring back up again. If it does, just try first with another pin. Eventually you'll get them all and the lock will turn open. You can close the lock again in the same way.
Some of these locks have a security feature... when you've twisted the cilinder halfway to the 'open' position, it will lock again. In this case you'll need both points of the scissor to apply torque to the lock cilinder.
This isn't hard... with some practice, you can open these locks in a minute or 2. We used to do this at the office, going around during luch break to swap everyone's Kensington locks around, then watch the frustration at the end of the day, as everyone discovered that their key did not fit anymore. I know, it's lame, but we were bored okay?
I don't have any qualms about revealing the 'secret' of Kensington lock picking, as I would have with revealing a hot new exploit. This trick is years old, and asa I said: any bored person with a paper clip can figure this out for himself.
If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
If you want to be reimbursed for your laptop if it is stolen, buy an insurance policy to cover it.
Yes, it might cost a bit more than a "good" lock, but not a lot more (my girlfriend insured her PowerBook for two years for $90), and you're guaranteed to get your laptop back if it is stolen. Or if it burns in a fire -- let's see your Kensington warranty cover that. Just make sure your policy gives you "replacement cost," not just "market value." And back up your friggin' data!
Seriously, why bother with a lock?