Slashdot Mirror
Kryptonite U-Lock Security Flaw
An anonymous reader writes "Once upon a time, a magic marker was able to defeat the Key2Audio copy protection scheme of older Sony CDs. Now, it has been shown that a Bic pen can easily open several models of Kryptonite U-locks. Please patch your systems, or install a tracking device on your bikes!"
sure this site will be /.ed soon....
$> man woman
$> Segmentation fault (core dumped)
Sound familiar?
Too bad we couldn't just live in a society where we wouldn't have to worry about theft! :(
From their home page:
"Canton, MA September 17, 2004 - Kryptonite today announced it will provide free product upgrades for certain locks purchased since September 2002, in response to consumer concerns about tubular cylinder lock technology. Consumers can visit the company's Website (www.kryptonitelock.com) on Wednesday afternoon, September 22, 2004, to learn how they can participate in the security upgrade program."
It could be worse, it could be Monday.
Those environmentalists in Neal Stephenson's Zodiac won't be very happy to learn this...
Do not look into laser with remaining eye.
They probably figured that would be theives wouldn't know how to write anyway. I'm sure it was found ver secure against a crayon.
Now if they'd only open-source these locks...
I do know for sure that this info has been out for at least two months, if not more.
Buy a pen.
Win a free bike.
Like Coke machines? Same vulnerability? Of course your pen barrel would need to be MUCH bigger
First I thought this story was a dupe, then I realized I was just remembering videos and comments from a previous discussion in the "Steel Bolt Hacking" story.
Does anyone else get the feeling that they are watching porn when they watch those videos with the guy wriggling the pen in the keyhole and then trying to pull the lock open? There is something inherently dirty in that...
Here is a video made by the gentleman who did it.e v_disc_web.mov
* http://thirdrate.com/misc/krypto.mov
Another movie, different lock.
* http://biginjapan.com/extranet/assets/ben/krypto_
Enjoy.
There is no patch for human stupidity.
Lockpick Video one
Lockpick Video two
Lockpick Video three
Lockpick Video four
Lockpick Video five
python -c "x='python -c %sx=%s; print x%%(chr(34),repr(x),chr(34))%s'; print x%(chr(34),repr(x),chr(34))"
I tried it out with my own lock. 30 seconds and it was open. I called the Kryptonite company. At the time they were aware of the problem and are rushing their next generation of cylinders into production.
Interestingly enough, the problem was first reported in Britain in 1992. But it didn't go anywhere. Hurray for the age of fast information dissemination. And fast technology transfer to the bad guys.
The man who never alters his opinion is like the stagnant water and breeds Reptiles of the Mind -- William Blake
... with a Garmin GPS receiver, and a Cell phone, I am looking for a bit of hardware to interconnect them so that if the bike takes off it will call me and I can report it's tracks to the local constabulatory.
Of course with my luck the thief will think the cell phone and GPS are a more attractive theft item than the Bke...
-Rusty
You never know...
at least one person won't be able to open this lock: Superman.
I used to be a bike messenger and I would have always told you, use a New York
Lock, which by the way, isn't vunerable to this attack. It's the best lock in
the world, but at $50, only bike messengers seem to care enough/or know enough
to pay the money. Honestly, I can't count the number of times I've seen
expensive 1K and up bikes locked up with a $20 lock. If that.
SealBeater
-- Its survival of the fittest...and we got the fucking guns!!!
Buy a pen.
Win a free bike a week earlier than slashdot readers.
This is a flaw in the barrel style key system. I'm hardly a locksmith, but I've tried this on several of my locks and others just to prove the point, and the majority are not kryptonite locks. All of them have opened without more than 30 seconds of effort.
The sick part is the problem has been well known to manufacturers since 1992, and nothing has been done about it.
"Quando Omni Flunkus Moritati" -- Red Green
After all, this is slashdot.
...the DMCA will soon make pens illegal.
Normally the Oregonian is nothing to brag about, but damn if this wasn't the lead articlef ?/base/front_page/1095508748276280.xml
http://www.oregonlive.com/news/oregonian/index.ss
on Saturday morning.
Makes me feel good to live in this town (Portland, aka Stumptown, aka River City aka the Rose City aka "the city that works") where the most important news in the world is that the locks we all use to secure our bikes aren't technically "locks." at all.
PDX is one two wheelin' city.
For less than the cost of a decent bike lock, you can buy a bike that's not worth stealing.
Unknown host pong.
BoingBoing had it covered a long time ago.
Here're a couple of movies, too, with different locks - movie 1 and movie 2.
Tubular locks are usually designed so you have to turn it at least a quarter turn to open it, which would involve picking the lock several times. The Kryptonite they show releases the shackle in an intermediate position -- bad design there. A real tubular lock pick should open those locks; a simple plastic cylinder of the right diameter should not.
[blue] - The Ministry of Information approved this message...
I always thought that a bic pen should be on that list =)
If you are like me, you may own, say 3 kryptoloks, purchased over the last five years which you never bothered to register, and can't remember where you purchased them, or maybe you remember that you purchased them somewhere in Los Angeles and now you live in PDX... will this apply to unregistered locks? with no receipt? LIKE THOSE PROBABLY OWNED BY 90% OF FOLKS? ... and it sounds like they are only offering to let you spend more money on a new product by a company that sold you a defective product the first time around. "Please reward us for our mistake."
Unless they are willing to replace the defective product, maybe it's time for a class action law suit?
I used a bic to open some used pc caselocks the other day. Just cut if off with an exacto where it was the right diameter, and ground it in there until it grabbed. On a bike lock, definitely a bug. On a PC case, I consider it a feature... because somewhere, under the ground, there's a strange sweaty gnome with a high pitched voice who stashes them in a desk drawer right next to a pile of everyone's lost socks.
Someone had to do it.
While this is certainly something that lock manufacturers need to deal with, everyone needs to also keep one simple idea in mind.
The purpose of a lock is to keep honest and semi-honest people from taking your stuff. If someone is damned and determined to take your bike, he's going to get it, regardless of what lock you use.
I also have to nod in agreement with an earlier poster who pointed out that for the price of a fancy lock, you can get a bike that no one wants to steal. This is a perfect example of why my everyday driver car is an old beater that no one in their right mind would want to steal. If you're going to drive fancy stuff, then you have to accept that you are going to be a target.
I want a new quote. One that won't spill. One that don't cost too much. Or come in a pill.
Kryptonite today announced it will provide free product upgrades
From what I have read, the upgrade will replace the lock core with one of a smaller diameter. This isn't really a long term fix - someone will probably discover a different brand of pen that will open the new locks as well.
I have tried the Bic pen on my own Krypto lock - and it's really easy. The strange thing is, this isn't some design flaw with the lock. Everyone (hopefully) knows that all locks can be picked. But, it should be hard, requiring specialized tools and some skill. The Bic pen seems to have just the right magical combination of size, and balance of hard/soft plastic, that it makes an astonishingly effective lock pick. After opening my lock, the pen barrel had divots in it from the pins that looked just like my key. The plastic seems hard enough to push the pins down until they set, but then soft enough to hold the pin in that position.
Also, this isn't exactly breaking news.
No, locks just make a cost/benefit analysis necessary to the theif. True security is a dream, a myth. Any lock or security system can be broken, the question is how valuable is whatever's behind the security system to the assailant, and is it worth the risk/effort?
"Like fire and fusion, government is a dangerous servant and a terrible master."~RAH
Quick! Sue BIC under the DMCA as a device that can defeat a security lock
I remember Kryptonite locks have a manufacturer's guarantee against thief. Is this covered? If someone's bike gets stolen, would they replacec it still?
EvilCON - Made Famous by
You know slashdot's anti-Kryptonite bias. All these anti-kryptonite zealots here. Geeze, this place is becoming the free republic version for the anti-kryptonite zealots. You just know if a flaw like this was found in BSD or Linux, it'd be played down.
Yes, I am mocking all the MS sympathizing weenies who come out in full force to decry anything negative about MS at all, whether deserved or undeserved.
So how is this different? Somebody makes a supposedly secure product (which it is not) that is overpriced (which MS products ARE). Somebody else finds that the thing is a piece of crap, and disseminates this knowledge. Who's the bad guy? The big corporation that makes money from marketing garbage? Hah.
The pins in the lock are vunlerable to being raked because they're all set in roughly the same position. If they were disparate, you couldn't successfully rake them (except if you were very lucky and could bite chunks out of your bic pen to match the right key :)
The solution to the problem, THAT is the issue. Let's gather around and think of what the big organizations/individuals would do to solve a problem such as this.
US goverment: Liberate bike from thief using a squadron of B2 bombers. At one point or another, several brits die, even if Rhumself has to find them and kill them himself. Bic pens linked to Al-Qaida.
Australian goverment: Send in Steve Irwin. If he gets killed, it's a good thing. If catches the thief, it's a better thing.
Brittish goverment: Sod the thief, fancy a scone, dear chap?
United Nations: Convene in an emergency session, go into recess after 10 minutes for cookies and tea. In the end, they condemn the theft but none of them manages to do fuck all.
European Union: The French and the Brits start bitching at eachother about which country has superior Bic pens. Germany and Spain wonder since when the damn Brits are part of Europe. The rest of Europe tried to talk tough before getting bitchslapped into submission by Germany and France.
RIAA: Claim that people who open locks use it to fund terrorism. Randomly sue locksmiths.
Microsoft: Vehemently deny existence of faulty locks. Release hotfix for existing locks, which consists of pouring glue in keyhole.
SCO: Sue Bic, 3M, Canada, a random seagull and the tooth fairy for copyright infringement on their proprietary way of opening locks with ballpoints.
Richard Stallman: Proudly proclaim the bike simply wanted to be free.
Eric S Raymond: Something irrelevant that contains a plug for "The Cathedral and the Bazaar".
Larry Wall: Make all locks so confusing that thieves don't know how to open them. Nor do the owners. Or manufacturers, for that matter.
George Lucas: Make a movie about bikes being stolen with Bic pens. Milk this movie out until 2050.
Bruce Willis: Get a bunch of oil drillers to find the thief and shove a nuke up his ass. And for the love of Eris, someone PLEASE screw Liv Tyler!
Pass a law declaring Bic pens to be "burglary tools", which can only be carried by "licensed professionals", and arrest anyone found in possession of one without a license. It works so well for lock pick kits...
"The urge to save humanity is almost always a false front for the urge to rule." --H.L. Mencken
Still the best way to beat a U-lock. Aside from a lock with insurance and good documentation there isn't final protection. This as been true since the 80's.
Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23
From TFA (Boston.com):
:)
"This is an extremely big deal. Kryptonite is the Microsoft of locks," said Brown, who estimates hundreds of thousands of the U-locks have been sold over the years. Kryptonite will not divulge sales numbers.
Well, they certainly are more like Microsoft now. Good for them
Thank you Mario! But our princess is in another castle!
I heard about the ease of Kryponite picking back in the mid-nineties. It was in the lockpicking FAQs. There's also an $150 pick that can open most of those barrel (?) type locks. Home (non-institutional) MasterLocks were also easy prey before the 1998 versions. The last number could be determined in seconds and then the rest of numbers would fall into this formula: n1 mod 4 = n2 mod 4 + 2 = n3 mod 4 This reduces 16,000 combinations to 100 (10*10*1) which can be brute forced.
It is even possible to build these 'unpickable' locks for a small multiple what a standard lock of the same mechanical quality would cost.
You can make it difficult enough that burning or drilling the core, or taking a fire-ax to the door, is much more feasible than any manipulation technique. When the locking mechanism is no longer the weakest link, then it no longer makes sense to spend more on an improved lock.
But jeez, a bic pen and 5 seconds...
"Many in the bike community fear drug addicts and high school pranksters will go wild with Bic pens this weekend, leading to a surge in the crime statistics"
Drug addicts and pranksters have places to go too.
You know, he's probably intending to ride it himself, if he's trying to protect it from theft.
----geppy -
Not quite a dupe, but close. Kensington Locks were found to have the same problem last month.
And the masses cried out, "09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0!"
caveat - IANAL, but I'm reasonably clued up on consumer law
In the UK, the 1979 Sale of Goods Act says that items must be of 'Fit for Purpose' & 'Of Merchantable Quality' (ie it does what it's meant to without breaking). Your contract is with the shop not the end manufacturer, so you are entitled to walk into wherever you purchased it and demand a replacement or your money back. You needn't get fobbed off with claims such as 'take it up with the manufacturer' as your contract's with the shop. Kryponite can't even put a time limit on it as a lock that's opened using a biro's clearly not 'Fit for Purpose'. Any shop that doesn't comply can be reported to the trading standards authority who take a very dim view of people not complying to said act!
For those interested, it is available in Real or WMF format.
So keep on reloading, Slashdotters! Hundreds, nay - Thousands! - of cyclists' dreams are in your hands!
* Yeah, I know there are mirrors and the Google cache. Yeah, this is a joke.
This was discussed earlier in this article.
Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
In related news, Kryptonite has also come under fire from critics for killing Superman.
The warranty is only good if the lock is damaged/broken during the theft. If they cut the bike rack, and pick the lock later...no dice. If they pick the lock (BIC pen or whatever), no dice.
Don't get so cocky. Dictatorships are available in new crunchy Right-Wing Flavor (tm) as well.
--grendel drago
Laws do not persuade just because they threaten. --Seneca
Kryptonite today announced it will provide free product upgrades for certain locks purchased since September 2002
What they don't mention is that the flaw was first documented in the trade publication "Bicycle Business" magazine in 1992. So they've been knowingly selling defective locks for 12 years since then hoping that this day would never come.
I've got five Krytonite locks:
Two KryptoLok ATB U-Locks, one of which was never taken out of the package.
One KryptoDisco-C motorcycle disc brake lock.
One 6' x 5/8" Kryptonite Flex Security cable lock.
One Kryptonie Flex Security U-Lock.
All of the locks are in very good to new condition and all of them are older than two years old. That means I get no replacement locks from Kryptonite nor do I get any upgrades. I hear tell that I might get coupons for rebates on new Kryptonite locks. But it will be a cold day in hell before I ever buy another Kryptonite product if they don't fix or replace the locks I have at no charge to me.
I am not being unreasonable. A lock, if well-cared for, is a lifetime investment. A well cared for lock that's five years old is no less useful than one which is 1 year old. Why should Kryptonite customers suffer because Kryptonite chose to knowinging, and deceptively, sell a defective product for over a decade? Anyone who bought a Krytonite lock with this flaw since the original article was published in 1992 should get a free upgrade/replacement.
I have a vending machine to try this on. It is a GIII Royal Vendors unit similar to all machines used by Coca Cola for about the past 10 years (though the faces have changed). First, The tumbler takes a 270 degree turn of the key to unlock. Every time you turn it past a set of pins, you'd have to re-pick the lock. To open this lock, you'd have to pick it proably upwards of 15 times -- Due to the design of the machine, it would be easier to physically pop or drill the cylinder itself. If you just want to steal the money out of it, you can just go through the lexan and use a crowbar to get at the coin changer and overflow box. Accessing the bill changer storage will require the lock to be removed.
Royal Vendors sells high security versions of these machines, though that put a large steel bar over the normal cylinder that can be locked with a padlock. They can also replace the lexan front with sheet steel and add plating around the front door to make it impossible to wedge a pry bar in there easily. My machine has the padlock bar and the side plating, but not the steel front.
Coke machines aren't really worth breaking into for the ~$100 or less that you could get out of them..
And as a side note, let me tell you that everything you've heard about Swedish women is absolutely true. I met more tall blonde women there than any other place on the planet. Blonde isn't quite right, though. Not like Marilyn Monroe blonde. It's more like dishwater blonde. And friendly...not like on this side of the world.
And they serve beer with lunch.
Let's see legions of tall blonde friendly women, beer with lunch, you can go like hell on the freeway and free bikes. Is that a great country or what? Throw in free broadband and you'd be right into /. nirvana.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
I just leave a big hungry Rottweiler with an attitude problem tied to my bike. It's great because nobody will steal the bike, and when I need that extra boost going up the hills, I yell "Chopper, sic balls!" and point at someone up the street.
When stationed at Kunsan AB korea, circa 1993, the only transportation option open to enlisted people was a bicycle. You could buy one at the base BX for about $100 bucks. For an additional $4.oo dollars, you could buy a chain with a built in combination lock. The biggest problem with the entire system was this.......EVERYONE had the same model bike, and the same chain/lock. You could literally spend a half hour trying to find the bike and chain that belonged to you. This was quite a problem for some of us, untill we learned that with a bit of tension on the lock, and a bit of manual dexterity, you could open any of the locks in about 45 seconds. After that, we all adopted the idea that those of us that had purchased a bike, but couldnt find it anymore, could just go ahead and ride what ever bike was handy. After all, EVERYONE had the same bike and lock, so really...........all bikes were secretly the one you bought. Therefore, if you were able to pick the lock, you were entitled to ride the bike. This Utopia breaks down when you consider that in most cities, not everyone buys the same bike and lock. Therefore, it is incumbent on the government to provide everyone with a bike, thus insuring that there is no need for anyone to steal a bike. I will be putting this idea to my senator soon.....hopefully everyone will have a new bicycle in time for the novemeber elections
Today's show is brought to you by the number 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0: 25
Dunno if this works against Kryptonite, but here's a tubular lock pick:p roduct=48
http://www.lock-depot.com/Scripts/prodView.asp?id
I use a Brompton folding bike http://bromptonbicycle.co.uk/ and don't use a lock. You don't need a lock when the bike can fit under your office chair. The bike comes with me wherever I go, e.g. underneath the shopping cart as I go grocery shopping, etc. I keep it in the trunk of my (compact) car --in fact, it folds small enough that I can fit my wife's Brompton as well as mine in the trunk-- and if I need to go somewhere were parking is a problem, I can park a few blocks away and zip to my destination on the bike.
b ike/
Here's a (coralized) link to my web site showing the bike as it unfolds:
http://dreaming.org.nyud.net:8090/~kwtam/folding/
(as usual, Slashdot has inserted a space into the text...)
404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
[GPG key in journal]
Which Sweden did you visit?
In the one I live in, taking a bike from the rack outside a train station will get you hauled to court, you can only go 65 on the freeway, blonde comes out of a bottle, the beer you get with lunch is weak and dull and broadband costs an arm and a leg.
I want to go to *your* Sweden!
I can't believe how expensive broadband is.
So far, I havn't been too impressed with Sweden or the apartment I am living in. After 4 weeks my new apartment is still without furniture, despite me paying 200 kr a month for furniture rental and talking to everyone I can who might have any power over that fact. I'm still sleeping on the floor in the corner of my empty room. Up until a week ago, I didn't even have light/electricity. And the apartment is supposed to have that all included.
Not to mention that it is a three room apartment (it is a family apartment that has been rented out by the studentbostad for students), yet they crammed three Pakistanis into one room, so now I am living with four other people, with no furniture, and no internet access.
If I didn't know any better, I might even think Sweden was a third world country.
WTF PEOPLE!!
This isn't a "known caveat", this is gross neglience on the part of a manufacturer.
While this is certainly something that lock manufacturers need to deal with, everyone needs to also keep one simple idea in mind.
The purpose of a lock is to keep honest and semi-honest people from taking your stuff. If someone is damned and determined to take your bike, he's going to get it, regardless of what lock you use.
People like you are totally missing the point. This is like an airbag company making airbags that don't work 90% of the time! Sure it's a better idea never to get in an accident, but that's not the frickin point.
The point is kryptonite's locks are billed as "highly secure". They are not. This has been known in select circles (and kryptonite was informed) since at least 1992, yet the manufacturer has done nothing with that information to fix the problem.
I also have to nod in agreement with an earlier poster who pointed out that for the price of a fancy lock, you can get a bike that no one wants to steal.
This is total nonsense. Increbile POS bikes get stolen all the time, see my post about my friend's bike.
Life is too short to proofread.
Sure---any Communist nation. Cuba, North Korea, China, the former Soviet Union and its satellite states.
The political 'spectrum' is more of a circle. Farthest left and farthest right meet in a fusion of totalitarianism. Because what they want, even more than their own ideologies, is control. And that's what dictatorships are about.
--grendel drago
Laws do not persuade just because they threaten. --Seneca