Slashdot Mirror


Kryptonite U-Lock Security Flaw

An anonymous reader writes "Once upon a time, a magic marker was able to defeat the Key2Audio copy protection scheme of older Sony CDs. Now, it has been shown that a Bic pen can easily open several models of Kryptonite U-locks. Please patch your systems, or install a tracking device on your bikes!"


  1. hmmm by crtfdgk · · Score: 5, Funny

    sure this site will be /.ed soon....

    --

    $> man woman
    $> Segmentation fault (core dumped)
  2. people suck. by mstich · · Score: 4, Insightful

    Too bad we couldn't just live in a society where we wouldn't have to worry about theft! :(

    1. Re:people suck. by clifyt · · Score: 5, Insightful

      "Unless we really want to live in a society where equality is enforced and nobody is allowed to have anymore than anyone else, the presence of thieves and other criminals is something we will always need to deal with."

      I doubt it. There will always be a percentage of the population that is not happy with having the status quo. For instance, the crack dealers down the street from me have sent their friends to try to break into my house -- I know the one guy the police have caught is someone I'd seen hanging out in their den.

      Sadly, they have better shit than I do. They think since I'm white and a home owner I'm fair target. One of the kids that lives there asked me to help him with his computer because someone told him I was good with these things (I generally don't tell folks what I do in this neighborhood) and it was a better laptop than I had for work -- and this is a 12 year old boy. Not his dad's laptop, *HIS*.

      Seems there was some sort of BIOS lock on the machine that was enacted after not signing it in after so many sessions (I'm not up with all the CompuTrace kinda shit that my work is always telling us we need to have on our machines).

      So, no matter how much one person has in comparison to those around him, it will never be enough for some people. It's good to think that some magic hippy Star Trek future would eliminate hunger and greed, and as this kind of future will never happen, it doesn't really harm anyone to believe in this -- at least until you start an economical ideology based around this and then start realizing that the common laborer doesn't need the same equipment that a research scientist does and you start to pass out equipment based on need, and you realize you have just created an unequal society once again and need to set up a draconian society to ensure everyone is equally unhappy in one way or another.

      Thieves are thieves and there will always be someone that wants something for nothing and wants to have more than those around him...

    2. Re:people suck. by ThatsNotFunny · · Score: 5, Funny

      I would agree, but since I'm typing this on my stolen copy of Windows, I'd better not.

      --
      "Was it a millionaire who said 'Imagine No Possessions?'" -- Elvis Costello
    3. Re:people suck. by alcmena · · Score: 4, Funny

      When I lived on OSU campus, I had someone try to steal my bike. The odd thing is that the bike was over 14 years old, had the brakes hanging off of the handle bars, and was missing the chain for the wheels. Still, someone went through the effort of cutting my bike lock to take it. I found the bike about 20 feet away from where I locked it, probably where the person first noticed it had no chain to ride away with.

    4. Re:people suck. by clifyt · · Score: 4, Insightful

      The kids have done nothing wrong. The sins of the father do not equate to the sins of the son.

      Neighborhood kids come over to my place and hang out -- outside, never inside near my shit. I keep it clean and they have a nice front yard they can play in. And I bribe them with a coke or a dollar to clean up the neighborhood. A few weekends ago, I was mowing the lawn, and we ended up mowing 6 yards and they picked up all the trash from the streets and for this, I was out a case of coke and $20. This was about 6 or 7 kids from a few families.

      Maybe if the kids learn to take care of shit and work for stuff, they will not live the same life their father does. Half the kids around here are on welfare and I hope I'm helping them see how it is to do something for a living...

    5. Re:people suck. by spacecowboy420 · · Score: 5, Insightful

      That's bullshit. When I was a juvenile, I would do some stupid shit just because it was illegal - just to challenge fate. Do you think vandals, not those that spray paint their names or make pretty pictures, but those that break shit - do it for fame, fortune or otherwise? What do serial arsonists gain? Nothing. Just the satisfaction of decadence - it is easier to destroy than to create.

      --
      ymmv
    6. Re:people suck. by blake182 · · Score: 4, Funny

      For the record: the number of bicycle thefts per 100 people in America in the year 2000: 2.7. In Sweden: 9.4.

      Number of bicycles per 100 people in America in the year 2000: 4. In Sweden: 90.

      The point is that I imagine that the number of bikes per hundred in other countries is probably a lot higher than in the US. The relevant thing here would probably be the number of bikes stolen as a percentage of total bikes.

      Man up and get yourself a goddam SUV! Only a damn clog-wearing fairy would ride a bike anyway! And how do you ride a bike with clogs on, anyway?!?

    7. Re:people suck. by mgv · · Score: 4, Insightful

      Crime for crime's sake? Any psychologist will tell you there is no such thing. After all, crime is risky. Why make a risk if there is no gain? There is always some reason, even if it's small or obscure.

      That assumes that the person has a reason. Or has reason. 1% of the world's population gets mania, a similar percentage schizophrenia, 20% get depressed, and there are other conditions which aren't well defined yet in terms of population incidence or effect (eg post traumatic stress disorder).

      Yet in some studies, 50% of prison populations have major psychiatric disorders. You could say that these were crimes committed in sane periods (certainly, the judges did say that), but you can't get around the number of "criminals" that have a history of major psychiatric disorders.

      Then there is the "sociopathic" personality, which can be born that way or become that way with certain brain injuries. People who just can't feel or see things from another person's perspective. Humans do this a lot as a survival tactic - how else do you drive a tank around Iraq and shoot at people and not want to suicide? You do it for the greater good, or whatever, maybe. But you still sit in relative safety and point weapons of minor destruction (like your cannon) at real people who will feel pain or die. It's a trait most of us have, and it has survival value.

      But some people just are like this all the time. So they are good on the battle field, and never get stress disorders from hurting others.

      Doesn't mean that they are all homicidal maniacs - in fact many of them are just nasty people, and we have all met a few of them. Self centred. Whatever. You see actors play that role on most soapies - the office bitch type of role - and it's based on real life personalities who aren't that uncommon. We have all met them.

      Some people don't perceive risk the same way you do, either. Some people have to jump out of airplanes with parachutes just to feel alive.

      And some people don't know that they are committing a crime - taping your TV shows to watch later is a crime in some countries (like Australia).

      In essence - it's not that simple. There are lots of reasons for crime, lots of motivations, and lots of times where the person didn't really understand the risk/reward relationship for crime the same way you do.

      Michael

      --
      There is no cryptographic solution to the problem where the intended receiver and the attacker are the same entity.
    8. Re:people suck. by clifyt · · Score: 5, Insightful

      I don't know why anyone rated your post as flamebait, just another reason to realize the fuckwads on Slashdot don't fucking know shit. Hell, most of my posts are far more flamebait than yours.

      But you are right. Most likely they won't amount to anything, but that's not my problem. I will do what's right while they are around me and hope that something wears off.

      By day, I work for an educational facility...I generally hire folks in the tech world that have no knowledge of the area -- but want the jobs much more than the ones that do know the area and interview with me -- these guys sound bored and one actually threatened me that if I didn't hire him it would only be because I thought he would take my job. Please -- no one gets fired or promoted in academia no matter how good or bad you are.

      Kids that were probably looking at getting out with a mid $20k job are finding out that working for me after 3 years, they were getting jobs worth almost double that. I've got one employer that calls me all the time because he's never been dissatisfied with one of my students. Interestingly, most of the kids weren't even pursuing tech degrees but wanted my jobs because I paid the highest for student work on campus -- which is actually how I got my first job in the tech field -- I went for the highest paying one which happened to be a geek position.

      So I have made a change in some folks' lives. If people are exposed to situations like this where they are given a chance to be around positive situations, they will change somewhat. It might mean hesitating before pulling the trigger one night and deciding not to kill someone and walking away after robbing him. One of the kids in the neighborhood has violent tendencies where he picks up rocks or sticks and attacks animals. His father has taught him that animals are worthless and one can hurt or kill them without thinking. I've let him play with my animals and he actually seems to like them now. I saw him a few days ago with a leash walking my next door neighbor's dog. It's not a big jump from saying that animals are worthless and need to be beat down to saying humans are worthless and need beat down.

      Most of the time, I feel just the opposite -- I'd never hurt an animal, but I'd beat the shit out of a person in a heartbeat.

      So changes happen. It's not seismic changes, but little ones.

      As for the Batman costume -- who needs the suit? I was thrown out of my first college's dorm because I threw a dealer out of a 3rd story window after he kicked in the wrong (slightly open) door with a gun pointed. I beat the shit out of some homophobic racists that were slipping notes under black folks' doors as well as the little gay kid that lived across the hall. I caught them laughing about it on the other side, and after seeing the kid come to my room every other night crying and asking why folks hated him, I took action. They never proved that I was the one that threw the guy out the window (or my buddy Mike or our friend that was in the room that was a state police officer there to play Doom I) -- he never pressed charges. They did note that I single handedly beat the shit out of 3 guys and kicked one in the nuts so hard he lost a testicle. Never mind that one of them threw the first punch after I said I was calling the police, never mind that the notes had been saved and the fingerprints matched theirs, never mind the ringleader was ordered to stay away from several women in the dorm because he was accused of stalking them, but they said I was overly violent because there was no way that anyone could have beaten the shit out of 3 guys and left them in the condition I did if I wasn't slightly nuts -- I ended up going to jail that night, not them. We all got kicked out of the dorm, but I was the one that was almost kicked out of the university (actually I was for a while...a judge reinstated me and reprimanded the officials involved).

      What did I learn from all of this? Sometimes you do need to crack heads. but more importantl

  3. They are offering a replacement by lecithin · · Score: 4, Informative

    From their home page:

    "Canton, MA September 17, 2004 - Kryptonite today announced it will provide free product upgrades for certain locks purchased since September 2002, in response to consumer concerns about tubular cylinder lock technology. Consumers can visit the company's Website (www.kryptonitelock.com) on Wednesday afternoon, September 22, 2004, to learn how they can participate in the security upgrade program."

    --
    It could be worse, it could be Monday.
    1. Re:They are offering a replacement by mm0mm · · Score: 4, Funny

      "Replacement"?

      Wow, that sounds great. I was expecting to see a free Service Patch on their website to fix the security flaws. As far as I know that's how businesses take care of flawed products nowadays.

    2. Re:They are offering a replacement by clambake · · Score: 5, Funny

      I was expecting to see a free Service Patch on their website to fix the security flaws. As far as I know that's how businesses take care of flawed products nowadays.

      That's SO pre-DMCA. The way companies deal with it *nowadays* is attempt to sue the pen manufacturers.

  4. They probably by cpt_rhetoric · · Score: 5, Funny

    They probably figured that would-be thieves wouldn't know how to write anyway. I'm sure it was found very secure against a crayon.

  5. Read slashdot. by dtfinch · · Score: 5, Funny

    Buy a pen.
    Win a free bike.

  6. Previous Discussion by sahrss · · Score: 4, Informative

    First I thought this story was a dupe, then I realized I was just remembering videos and comments from a previous discussion in the "Steel Bolt Hacking" story.

  7. The videos by BReflection · · Score: 5, Informative

    --
    python -c "x='python -c %sx=%s; print x%%(chr(34),repr(x),chr(34))%s'; print x%(chr(34),repr(x),chr(34))"
  8. It's twue! It's twue! by Walter+Wart · · Score: 5, Informative

    I tried it out with my own lock. 30 seconds and it was open. I called the Kryptonite company. At the time they were aware of the problem and are rushing their next generation of cylinders into production.

    Interestingly enough, the problem was first reported in Britain in 1992. But it didn't go anywhere. Hurray for the age of fast information dissemination. And fast technology transfer to the bad guys.

    --
    The man who never alters his opinion is like the stagnant water and breeds Reptiles of the Mind -- William Blake
  9. Having equipped my bike... by rusty0101 · · Score: 4, Funny

    ... with a Garmin GPS receiver, and a cell phone, I am looking for a bit of hardware to interconnect them so that if the bike takes off it will call me and I can report its tracks to the local constabulary.

    Of course with my luck the thief will think the cell phone and GPS are a more attractive theft item than the bike...

    -Rusty

    --
    You never know...
  10. Well... by zhiwenchong · · Score: 4, Funny

    at least one person won't be able to open this lock: Superman.

    1. Re:Well... by Kristoffer+Lunden · · Score: 5, Funny

      But I bet Bicycle Repair Man could fix it!

    2. Re:Well... by Dirtside · · Score: 4, Funny

      at least one person won't be able to open this lock: Superman.

      Ah, yes, his well-known vulnerability to Bic pens. Poor bastard.

      --
      "Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
  11. New York Lock... by SealBeater · · Score: 4, Interesting

    I used to be a bike messenger and I would have always told you, use a New York Lock, which by the way, isn't vulnerable to this attack. It's the best lock in the world, but at $50, only bike messengers seem to care enough/or know enough to pay the money. Honestly, I can't count the number of times I've seen expensive 1K and up bikes locked up with a $20 lock. If that.

    SealBeater

    --
    -- Its survival of the fittest...and we got the fucking guns!!!
  12. This doesn't just affect Kryptonite locks by GuruHal · · Score: 5, Informative

    This is a flaw in the barrel style key system. I'm hardly a locksmith, but I've tried this on several of my locks and others just to prove the point, and the majority are not Kryptonite locks. All of them have opened without more than 30 seconds of effort.

    The sick part is the problem has been well known to manufacturers since 1992, and nothing has been done about it.

    --
    "Quando Omni Flunkus Moritati" -- Red Green
    1. Re:This doesn't just affect Kryptonite locks by Witchblade · · Score: 5, Informative

      At my freshman orientation at Ohio State in 1993 we were told about this on the first day by the RAs. I'm really surprised at seeing the cycling community react with total shock to this. I also can't believe the manufacturers weren't aware of the problem a decade ago, since it seemed to be pretty well known then.

    2. Re:This doesn't just affect Kryptonite locks by evilviper · · Score: 4, Interesting

      This is a flaw in the barrel style key system.

      No it isn't. It's a flaw in any cheap locks. You can open filing cabinets with a popsicle stick as well, and they aren't barrel locks.

      This is a problem with any lock.

      There are 2 things that a lock needs to prevent picking.

      1) A system that will prevent it from unlocking if any tumbler is pushed even slightly further than it should have been. If this isn't in place, even a blank key that fits the lock will open it.

      2) A system that prevents the tumblers from contacting with the locking mechanism. Otherwise, it's trivially easy to pick.

      And that's only to implement basic security. I don't have any formal training, but I can open 90+% of locks I see...

      Amazing as it may seem, quite a few safes don't follow rule #2. That means you can find the combination as fast as you could open it if you knew the combination. Also, it doesn't require any suspicious activity, as you just have a hand on the dial and a hand on the handle like you're someone that should be there...

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  13. Somehow Microsoft is Behind This by iCharles · · Score: 4, Funny

    After all, this is slashdot.

  14. Your bike is safe... by ericpi · · Score: 4, Funny

    ...the DMCA will soon make pens illegal.

  15. Remember... by k4_pacific · · Score: 5, Insightful

    For less than the cost of a decent bike lock, you can buy a bike that's not worth stealing.

    --
    Unknown host pong.
    1. Re:Remember... by SealBeater · · Score: 4, Insightful

      There's no such thing. You'll be surprised how many crackheads and kids will steal a bike.

      SealBeater

      --
      -- Its survival of the fittest...and we got the fucking guns!!!
  16. Problems with the lock by bluewee · · Score: 4, Informative

    Tubular locks are usually designed so you have to turn it at least a quarter turn to open it, which would involve picking the lock several times. The Kryptonite they show releases the shackle in an intermediate position -- bad design there. A real tubular lock pick should open those locks; a simple plastic cylinder of the right diameter should not.

    --
    [blue] - The Ministry of Information approved this message...
  17. upgrade won't fix it by djtack · · Score: 4, Informative

    Kryptonite today announced it will provide free product upgrades

    From what I have read, the upgrade will replace the lock core with one of a smaller diameter. This isn't really a long term fix - someone will probably discover a different brand of pen that will open the new locks as well.

    I have tried the Bic pen on my own Krypto lock - and it's really easy. The strange thing is, this isn't some design flaw with the lock. Everyone (hopefully) knows that all locks can be picked. But, it should be hard, requiring specialized tools and some skill. The Bic pen seems to have just the right magical combination of size, and balance of hard/soft plastic, that it makes an astonishingly effective lock pick. After opening my lock, the pen barrel had divots in it from the pins that looked just like my key. The plastic seems hard enough to push the pins down until they set, but then soft enough to hold the pin in that position.

    Also, this isn't exactly breaking news.

  18. Quick sue them with DMCA! by rsletten · · Score: 5, Funny

    Quick! Sue BIC under the DMCA as a device that can defeat a security lock

  19. It _IS_ a design flaw. by Anonymous Coward · · Score: 5, Interesting

    The pins in the lock are vulnerable to being raked because they're all set in roughly the same position. If they were disparate, you couldn't successfully rake them (except if you were very lucky and could bite chunks out of your Bic pen to match the right key :)

  20. The problem is not the issue. by Anonymous Coward · · Score: 5, Funny

    The solution to the problem, THAT is the issue. Let's gather around and think of what the big organizations/individuals would do to solve a problem such as this.

    US government: Liberate bike from thief using a squadron of B2 bombers. At one point or another, several Brits die, even if Rhumself has to find them and kill them himself. Bic pens linked to Al-Qaida.
    Australian government: Send in Steve Irwin. If he gets killed, it's a good thing. If he catches the thief, it's a better thing.
    British government: Sod the thief, fancy a scone, dear chap?
    United Nations: Convene in an emergency session, go into recess after 10 minutes for cookies and tea. In the end, they condemn the theft but none of them manages to do fuck all.
    European Union: The French and the Brits start bitching at each other about which country has superior Bic pens. Germany and Spain wonder since when the damn Brits are part of Europe. The rest of Europe tried to talk tough before getting bitchslapped into submission by Germany and France.

    RIAA: Claim that people who open locks use it to fund terrorism. Randomly sue locksmiths.
    Microsoft: Vehemently deny existence of faulty locks. Release hotfix for existing locks, which consists of pouring glue in keyhole.
    SCO: Sue Bic, 3M, Canada, a random seagull and the tooth fairy for copyright infringement on their proprietary way of opening locks with ballpoints.

    Richard Stallman: Proudly proclaim the bike simply wanted to be free.
    Eric S Raymond: Something irrelevant that contains a plug for "The Cathedral and the Bazaar".
    Larry Wall: Make all locks so confusing that thieves don't know how to open them. Nor do the owners. Or manufacturers, for that matter.
    George Lucas: Make a movie about bikes being stolen with Bic pens. Milk this movie out until 2050.
    Bruce Willis: Get a bunch of oil drillers to find the thief and shove a nuke up his ass. And for the love of Eris, someone PLEASE screw Liv Tyler!

  21. Simple solution... by emag · · Score: 5, Insightful

    Pass a law declaring Bic pens to be "burglary tools", which can only be carried by "licensed professionals", and arrest anyone found in possession of one without a license. It works so well for lock pick kits...

    --
    "The urge to save humanity is almost always a false front for the urge to rule." --H.L. Mencken
  22. The Microsoft of Locks by hng_rval · · Score: 4, Funny

    From TFA (Boston.com):
    "This is an extremely big deal. Kryptonite is the Microsoft of locks," said Brown, who estimates hundreds of thousands of the U-locks have been sold over the years. Kryptonite will not divulge sales numbers.

    Well, they certainly are more like Microsoft now. Good for them :)

    --
    Thank you Mario! But our princess is in another castle!
  23. Equal opportunity. by Grendel+Drago · · Score: 4, Insightful

    Don't get so cocky. Dictatorships are available in new crunchy Right-Wing Flavor (tm) as well.

    --grendel drago

    --
    Laws do not persuade just because they threaten. --Seneca
  24. Only to "special" customers by fmaxwell · · Score: 5, Insightful

    Kryptonite today announced it will provide free product upgrades for certain locks purchased since September 2002

    What they don't mention is that the flaw was first documented in the trade publication "Bicycle Business" magazine in 1992. So they've been knowingly selling defective locks for 12 years since then hoping that this day would never come.

    I've got five Kryptonite locks:

    Two KryptoLok ATB U-Locks, one of which was never taken out of the package.
    One KryptoDisco-C motorcycle disc brake lock.
    One 6' x 5/8" Kryptonite Flex Security cable lock.
    One Kryptonite Flex Security U-Lock.

    All of the locks are in very good to new condition and all of them are more than two years old. That means I get no replacement locks from Kryptonite nor do I get any upgrades. I hear tell that I might get coupons for rebates on new Kryptonite locks. But it will be a cold day in hell before I ever buy another Kryptonite product if they don't fix or replace the locks I have at no charge to me.

    I am not being unreasonable. A lock, if well cared for, is a lifetime investment. A well cared for lock that's five years old is no less useful than one which is 1 year old. Why should Kryptonite customers suffer because Kryptonite chose to knowingly, and deceptively, sell a defective product for over a decade? Anyone who bought a Kryptonite lock with this flaw since the original article was published in 1992 should get a free upgrade/replacement.

  25. Re:More free prizes? by GoRK · · Score: 4, Informative

    I have a vending machine to try this on. It is a GIII Royal Vendors unit similar to all machines used by Coca Cola for about the past 10 years (though the faces have changed). First, the tumbler takes a 270 degree turn of the key to unlock. Every time you turn it past a set of pins, you'd have to re-pick the lock. To open this lock, you'd have to pick it probably upwards of 15 times -- due to the design of the machine, it would be easier to physically pop or drill the cylinder itself. If you just want to steal the money out of it, you can just go through the lexan and use a crowbar to get at the coin changer and overflow box. Accessing the bill changer storage will require the lock to be removed.

    Royal Vendors sells high security versions of these machines, though, that put a large steel bar over the normal cylinder that can be locked with a padlock. They can also replace the lexan front with sheet steel and add plating around the front door to make it impossible to wedge a pry bar in there easily. My machine has the padlock bar and the side plating, but not the steel front.

    Coke machines aren't really worth breaking into for the ~$100 or less that you could get out of them..

  26. Socialism is the only hope by Rank_Tyro · · Score: 5, Funny

    When stationed at Kunsan AB, Korea, circa 1993, the only transportation option open to enlisted people was a bicycle. You could buy one at the base BX for about $100. For an additional $4.00, you could buy a chain with a built in combination lock. The biggest problem with the entire system was this.......EVERYONE had the same model bike, and the same chain/lock. You could literally spend a half hour trying to find the bike and chain that belonged to you. This was quite a problem for some of us, until we learned that with a bit of tension on the lock, and a bit of manual dexterity, you could open any of the locks in about 45 seconds. After that, we all adopted the idea that those of us that had purchased a bike, but couldn't find it anymore, could just go ahead and ride whatever bike was handy. After all, EVERYONE had the same bike and lock, so really...........all bikes were secretly the one you bought. Therefore, if you were able to pick the lock, you were entitled to ride the bike. This Utopia breaks down when you consider that in most cities, not everyone buys the same bike and lock. Therefore, it is incumbent on the government to provide everyone with a bike, thus ensuring that there is no need for anyone to steal a bike. I will be putting this idea to my senator soon.....hopefully everyone will have a new bicycle in time for the November elections

    --
    Today's show is brought to you by the number 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0: 25