Slashdot Mirror


Kryptonite U-Lock Security Flaw

An anonymous reader writes "Once upon a time, a magic marker was able to defeat the Key2Audio copy protection scheme of older Sony CDs. Now, it has been shown that a Bic pen can easily open several models of Kryptonite U-locks. Please patch your systems, or install a tracking device on your bikes!"

35 of 554 comments

  1. Dupe of a comment... by Anonymous Coward · · Score: 3, Informative
  2. They are offering a replacement by lecithin · · Score: 4, Informative

    From their home page:

    "Canton, MA September 17, 2004 - Kryptonite today announced it will provide free product upgrades for certain locks purchased since September 2002, in response to consumer concerns about tubular cylinder lock technology. Consumers can visit the company's Website (www.kryptonitelock.com) on Wednesday afternoon, September 22, 2004, to learn how they can participate in the security upgrade program."

    --
    It could be worse, it could be Monday.
  3. Hasn't this been posted before, like 2 months ago? by lanebob · · Score: 2, Informative

    I do know for sure that this info has been out for at least two months, if not more.

  4. Previous Discussion by sahrss · · Score: 4, Informative

    First I thought this story was a dupe, then I realized I was just remembering videos and comments from a previous discussion in the "Steel Bolt Hacking" story.

    1. Re:Previous Discussion by Meowing · · Score: 2, Informative

      Yeah, it is kind of a dup. This is pretty much the same technique covered in the recent story on Kensington locks.

  5. video of by crazybelgium · · Score: 2, Informative

    Here is a video made by the gentleman who did it.
    * http://thirdrate.com/misc/krypto.mov
    Another movie, different lock.
    * http://biginjapan.com/extranet/assets/ben/krypto_ev_disc_web.mov

    Enjoy.

    --
    There is no patch for human stupidity.
  6. The videos by BReflection · · Score: 5, Informative
    --
    python -c "x='python -c %sx=%s; print x%%(chr(34),repr(x),chr(34))%s'; print x%(chr(34),repr(x),chr(34))"
    1. Re:The videos by yroJJory · · Score: 2, Informative
      --
      Jory
  7. It's twue! It's twue! by Walter+Wart · · Score: 5, Informative

    I tried it out with my own lock. 30 seconds and it was open. I called the Kryptonite company. At the time they were aware of the problem and are rushing their next generation of cylinders into production.

    Interestingly enough, the problem was first reported in Britain in 1992. But it didn't go anywhere. Hurray for the age of fast information dissemination. And fast technology transfer to the bad guys.

    --
    The man who never alters his opinion is like the stagnant water and breeds Reptiles of the Mind -- William Blake
  8. This doesn't just affect Kryptonite locks by GuruHal · · Score: 5, Informative

    This is a flaw in the barrel style key system. I'm hardly a locksmith, but I've tried this on several of my locks and others just to prove the point, and the majority are not kryptonite locks. All of them have opened without more than 30 seconds of effort.

    The sick part is the problem has been well known to manufacturers since 1992, and nothing has been done about it.

    --
    "Quando Omni Flunkus Moritati" -- Red Green
    1. Re:This doesn't just affect Kryptonite locks by yppiz · · Score: 2, Informative
      The Kryptonite locks use the Ace or Ace II barrel, according to the forums I've been following. The former mechanism is somewhat easier to open using the pen exploit than the latter, but there are multiple reports of both types of mechanisms being opened. Same goes for the Kryptonite EV Disc lock.

      Further, even Kryptonite's (and other lock companies') New York models have been reported vulnerable to this attack.

      For readers who aren't aware, Kryptonite and other companies have special New York models to thwart the mutant underground-dwelling cannibalistic bike thieves common to Manhattan and surrounding boroughs. Kryptonite does not warrantee most of its locks for use in New York.

      --Pat / zippy@cs.brandeis.edu

    2. Re:This doesn't just affect Kryptonite locks by Witchblade · · Score: 5, Informative

      At my freshman orientation at Ohio State in 1993 we were told about this on the first day by the RAs. I'm really surprised at seeing the cycling community react with total shock to this. I also can't believe the manufacturers weren't aware of the problem a decade ago, since it seemed to be pretty well known then.

    3. Re:This doesn't just affect Kryptonite locks by Anonymous Coward · · Score: 2, Informative

      Here's a Usenet post from 1992 that talks about the problem and refers to an article in "New Cyclist".

  9. Re:New York Lock... by lantius · · Score: 3, Informative

    Actually, the standard u-lock portion of the New York Lock is susceptible to this attack. Fortunately a lot of messengers ditch that part and instead use normal flat-keyed padlocks.

    Regardless, the worst part of this vulnerability is that it apparently even works against a number of the higher end, $80+ Kryptonite u-lock models. So it's just not a matter of cheap locks.

    I would never lock up my 1k+ bike anymore; if it is outside my house I am within arms length of it. I even use sturdy locks on my junk-built singlespeeds, after one of them got stolen.

  10. Boingboing covered this by metlin · · Score: 2, Informative

    BoingBoing had it covered a long time ago.

    Here're a couple of movies, too, with different locks - movie 1 and movie 2.

  11. Problems with the lock by bluewee · · Score: 4, Informative

    Tubular locks are usually designed so you have to turn it at least a quarter turn to open it, which would involve picking the lock several times. The Kryptonite they show releases the shackle in an intermediate position -- bad design there. A real tubular lock pick should open those locks; a simple plastic cylinder of the right diameter should not.

    --
    [blue] - The Ministry of Information approved this message...
    1. Re:Problems with the lock by theonetruekeebler · · Score: 2, Informative
      Here's an oversimplification: To turn the lock, the tumblers must be pushed just far enough to slide around a groove. Tumblers actually have a top and a bottom half, and turning the lock generates new pairs, each of which must be repicked. Thus these locks have the advantage of being very tedious to pick using conventional methods.

      They also have the advantage of being invulnerable to another popular method of defeating conventional locks: hammering in a flat-blade screwdriver and twisting like hell.

      I find the Bic solution very elegant because I admire simple hacks that solve intricate problems (like holding down the shift key to defeat CD copy protection). Bummer that this affects me, though.

      --
      This is not my sandwich.
  12. upgrade won't fix it by djtack · · Score: 4, Informative

    Kryptonite today announced it will provide free product upgrades

    From what I have read, the upgrade will replace the lock core with one of a smaller diameter. This isn't really a long term fix - someone will probably discover a different brand of pen that will open the new locks as well.

    I have tried the Bic pen on my own Krypto lock - and it's really easy. The strange thing is, this isn't some design flaw with the lock. Everyone (hopefully) knows that all locks can be picked. But, it should be hard, requiring specialized tools and some skill. The Bic pen seems to have just the right magical combination of size, and balance of hard/soft plastic, that it makes an astonishingly effective lock pick. After opening my lock, the pen barrel had divots in it from the pins that looked just like my key. The plastic seems hard enough to push the pins down until they set, but then soft enough to hold the pin in that position.

    Also, this isn't exactly breaking news.

  13. Microsoft and Virus-writers by glomph · · Score: 2, Informative

    So how is this different? Somebody makes a supposedly secure product (which it is not) that is overpriced (which MS products ARE). Somebody else finds that the thing is a piece of crap, and disseminates this knowledge. Who's the bad guy? The big corporation that makes money from marketing garbage? Hah.

  14. Re:New York Lock... by SealBeater · · Score: 2, Informative

    A seat is easily replaced, and I as well as any number of people, can ride a
    bike for a long time without having to sit.

    SealBeater

    --
    -- Its survival of the fittest...and we got the fucking guns!!!
  15. Volvo Jacks ---- U-locks are worthless by infonography · · Score: 3, Informative

    Still the best way to beat a U-lock. Aside from a lock with insurance and good documentation there isn't final protection. This has been true since the 80's.

    --
    Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23
  16. picking locks by xmp_phrack · · Score: 2, Informative

    I heard about the ease of Kryptonite picking back in the mid-nineties. It was in the lockpicking FAQs. There's also a $150 pick that can open most of those barrel (?) type locks. Home (non-institutional) MasterLocks were also easy prey before the 1998 versions. The last number could be determined in seconds and then the rest of numbers would fall into this formula: n1 mod 4 = n2 mod 4 + 2 = n3 mod 4. This reduces 16,000 combinations to 100 (10*10*1) which can be brute forced.

  17. Ignorance is Bliss by tsunamifirestorm · · Score: 1, Informative

    Great. Now everyone at my university (from /. and my university website) knows how to break into my bike lock and there's little I can do.

  18. Almost by TitusC3v5 · · Score: 2, Informative

    Not quite a dupe, but close. Kensington Locks were found to have the same problem last month.

    --
    And the masses cried out, "09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0!"
  19. For those in the UK by PhatAir · · Score: 3, Informative

    caveat - IANAL, but I'm reasonably clued up on consumer law

    In the UK, the 1979 Sale of Goods Act says that items must be 'Fit for Purpose' & 'Of Merchantable Quality' (ie it does what it's meant to without breaking). Your contract is with the shop not the end manufacturer, so you are entitled to walk into wherever you purchased it and demand a replacement or your money back. You needn't get fobbed off with claims such as 'take it up with the manufacturer' as your contract's with the shop. Kryptonite can't even put a time limit on it as a lock that's opened using a biro's clearly not 'Fit for Purpose'. Any shop that doesn't comply can be reported to the trading standards authority who take a very dim view of people not complying to said act!

  20. NPR story by CrkHead · · Score: 2, Informative
    All Things Considered on NPR had a story about this last night.

    For those interested, it is available in Real or WMF format.

  21. Didn't we already go over this. by Holi · · Score: 2, Informative

    This was discussed earlier in this article.

    --
    Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
  22. Nope by YrWrstNtmr · · Score: 3, Informative

    The warranty is only good if the lock is damaged/broken during the theft. If they cut the bike rack, and pick the lock later...no dice. If they pick the lock (BIC pen or whatever), no dice.

  23. Re:people suck. by clifyt · · Score: 3, Informative

    No, I'm suggesting it was stolen.

    I'm suggesting that this guy had stolen far more than others, and he still wasn't satisfied with the fact he had more shit than most people and still didn't know how to deal with it.

    I could have easily unscrewed the case, pulled the bios battery or hit the reset jumpers and looked up the default supervisor password through google. I can't prove it was stolen, it's most likely it is, but then again, one can't go around calling the police simply because you think something is stolen.

    Trolling? No. Why does every stupid motherfucker on Slashdot claim trolling just because they can't understand what the poster is saying. It's called fucking English. That's what this forum is written in. Learn it.

    Now that too was not a troll. I put it in there so that you can understand the difference between a flame and a troll. Generally used by the same individuals, but in this case it is posted by a separate group.

  24. Re:More free prizes? by GoRK · · Score: 4, Informative

    I have a vending machine to try this on. It is a GIII Royal Vendors unit similar to all machines used by Coca Cola for about the past 10 years (though the faces have changed). First, the tumbler takes a 270 degree turn of the key to unlock. Every time you turn it past a set of pins, you'd have to re-pick the lock. To open this lock, you'd have to pick it probably upwards of 15 times -- Due to the design of the machine, it would be easier to physically pop or drill the cylinder itself. If you just want to steal the money out of it, you can just go through the lexan and use a crowbar to get at the coin changer and overflow box. Accessing the bill changer storage will require the lock to be removed.

    Royal Vendors sells high security versions of these machines, though that put a large steel bar over the normal cylinder that can be locked with a padlock. They can also replace the lexan front with sheet steel and add plating around the front door to make it impossible to wedge a pry bar in there easily. My machine has the padlock bar and the side plating, but not the steel front.

    Coke machines aren't really worth breaking into for the ~$100 or less that you could get out of them..

  25. Re:people suck. by Hobbex · · Score: 3, Informative

    Yes, up here in Scandinavia all we do is wear clogs and dance in circle, and nobody ever takes anything. Why the hell does bullshit like this even get moderated up?

    If you leave a bicycle unlocked in Sweden, it will get stolen. If you don't believe me, I suggest you come here and try.

    For the record: the number of bicycle thefts per 100 people in America in the year 2000: 2.7. In Sweden: 9.4.

  26. Re:people suck. by Hobbex · · Score: 2, Informative

    It is funny how like ten people replied like this, but nobody bothered to look up that stat. It was hard with google: there are 100 million bicycles in the USA, and 6 million in Sweden.

    So the number of thefts in the USA is approx 300,000,000 * 0.027 = 8,100,000 per year.

    The number of thefts in Sweden is approx 9,000,000 * 0.094 = 846,000.

    Thefts / bicycle and year:

    USA = 0.081
    Sweden = 0.141

    So clearly, Swedish bicycle owners have absolutely no need to worry about theft!

    Jesus, I am so sick of the patronizing American mythology that crime is something only you have and that Europe is some lala land where everybody is nice to one another. In fact, crime rates are higher in most of Europe than in the US, and yes, that includes the mythical land of Sweden.

  27. Re:It's true -- NOT! by David+Byers · · Score: 2, Informative

    Which Sweden did you visit?

    In the one I live in, taking a bike from the rack outside a train station will get you hauled to court, you can only go 65 on the freeway, blonde comes out of a bottle, the beer you get with lunch is weak and dull and broadband costs an arm and a leg.

    I want to go to *your* Sweden!

  28. Re:Socialism is the only hope by Monoman · · Score: 2, Informative

    Similar to Portland's Yellow Bike Program years ago.

    --
    Keep the Classic Slashdot.
  29. Sure. by Grendel+Drago · · Score: 2, Informative

    Sure---any Communist nation. Cuba, North Korea, China, the former Soviet Union and its satellite states.

    The political 'spectrum' is more of a circle. Farthest left and farthest right meet in a fusion of totalitarianism. Because what they want, even more than their own ideologies, is control. And that's what dictatorships are about.

    --grendel drago

    --
    Laws do not persuade just because they threaten. --Seneca