Slashdot Mirror
11-year-old Proves Locks Not So Secure
An anonymous reader writes "A new security column at Engadget details the new 'old' threat of bumping locks. The article goes on to describe and demonstrate an 11-year-old girl bypassing a standard 5-pin lock at a recent DefCon Hacker Convention. The girl had no prior experience and didn't even understand the theory she was applying. Scary!"
I believe most British insurers have insisted on deadlocks on doors for house insurance for many years because of lock bumping, they're also often easily bypassed with credit cards anyway.
It's certainly very uncommon for doors to be left with just that kind of lock in this country.
why do we have to worry now?? this has been known for ages..it just took a dumbass to stumble across it(and think its something new) and alert the media, which in turn got videos of it on the net, and now everyone and thier sister wants to try it.
Here is a video of Key Bumping: http://www.youtube.com/watch?v=7Uv45y6vkcQ&search= bump%20key
Quite fascinating how easy it is, and in the end of the video they even show a 17-pin lock being bumped!
If you are interested in the guys in the video, here is their URL http://www.toool.nl/index-eng.php
Round and round we go.
this is not funny, this attack has been arround for a very long time. during my time as a moderator of lockpicking101.com (and of course a lockpicking hobyist myself) we had our work cut out attempting to knock some sense into kids that came on the site asking for bump keys and "guides" on how to bump locks. It's become more prevelant over the net recently due to articles from TOOOL containing demonstrations from barry of some very "high security" locks being bumped and also a notification at http://www.security.org/ (still there). but the technique itself has been arround for ages. we can only hope that someone makes a better lock (*cough* www.abloy.com *cough*)
Adam & Jamie on the Discovery Channel's MythBusters just had a show last night where they showed all sorts of ways to defeat some of the newer, high tech devices. Fingerprint scanners were pretty much busted, including one really high tech fingerprint scanner that the company said had never been broken into, EVER,. . . which Adam & Jamie broke into within about 10 minutes using three different techniques! They also found ways around heat sensors (a piece of glass), sonic motion detectors (a bedsheet, or walking really slowly), and breaking into a safe with an underwater explosion,... Quite an interesting episode,...
I've been reading about this a bit lately and found an interesting paper on bumping locks at http://www.toool.nl/bumping.pdf
They also have a section on locks that resist bumping:
There are mechanisms that do not allow for the two pins to separate except when slid sideways, such as used in the Emhart interlocking lock (which is not being produced anymore). As far as we can see, such a mechanism would successfully foil the bumping attack. Also some mechanisms which have a one-piece locking mechanism (such as a 'sidebar') may resist bumping. Locks that involve rotating discs (such as Abloy Protec) or magnets (such as Evva MCS and Anker) are also not susceptible to this attack. Klaus Noch sells modified standard Euro profile locks which lock up (i.e. 'broken but closed') upon most attempted manipulations, including bumping.
I found the Abloy Protec lock (with rotating discs) especially interesting and I'm going to get this for my own front door when I get the chance. On the same website they have an paper on the Abloy Protec as well: http://www.toool.nl/abloypart3.pdf
This isn't news...
:)
Locksmiths can buy a pick gun from locksmith suppliers. It's looks like a handheld staple gun, and you slot the straight strenghtened steel tip (looks like a small metal cable tie) into the gun.
It works by bumping the whole steel tip up about a 16th of an inch, at which point you twist the entire gun anti-clockwise to open the lock while all the pins have been knocked just as the article describes.
This came as part of a back-of-the-magazine locksmith "diploma"
"We know what happens to people who stay in the middle of the road. They get run over." - Aneurin Bevan
While your statement of "no lock is pickproof" is true, the rest really isn't. If you want a big lock that you probably won't be able to do anything to, try a Medeco. Your lockpicking knowledge is essentially worthless against it. Blank tricks don't work, since you can't get blanks unless you manage to compromise a dealer. Likewise normal pick tricks don't work because the pins aren't the right shape, they rely on being rotated as well as lifted to function.
That does not mean, of course, you can't pick one, but it's much harder, and requires a lot more training. They aren't a perfect system, but they sure aren't a joke. Also, despite being quite large, they are quite secure.
There's other brands of high security locks too, and they are similarly hard to deal with. It's just not more common because the construction needed for them is quite a bit more. A Medeco Maxium will run you like $200.
Most interior "locks" I've seen are of the push and twist variety. They don't take anything more than a paperclip or other similar thing to open. I'd say they're expressly designed to keep kids out of places they shouldn't be and prevent accidents, and not at all about security.
The ones in the house I grew up in even had the endcap easily popped off, allowing direct access to the plunger.
The trunk one is a bit more surprising since that should be a proper key, but I've often wondered just how effective car locks are. I remember I discovered my old '83 Firebird's door key would start a friend's GM truck (remember GM cars at the time had two keys, door and ignition). She got a kick out of it but it made me wonder.
Deadbolts can use normal keys. A deadbolt is just a type of lock that throws a bolt in to the door jamb. It's a distinction aside from something like a handle lock that just stops the handle from turning. A deadbolt is more resistant against things like trying to kick the door in, but the locking mechanism can be anything.
Some deadbolts have no external component and can only be locked and unlocked inside. Totally pick proof, but only useful if you are home. Most have a normal pin lock on the outside. That makes them, pick and bump wise, no better than any other lock. There are high security deadbolts with better locking mechanisms, but you can get those better mechanisms on anything, including padlocks.
A cheap cylinder lock is secure enough to deter a passing opportunist (eg, not someone who carries a bump) and should be used as such.
7 _e.pdf
Actually it seems to work against just about anything with split pins, regardless of its price. That's a helluva lot of locks.
To secure your house or office you shouldn't look at anything less than a Mortis or a deadlock, and you should have at least two on each entry point. Windows should lock from the inside, again with deadlocks.
I was intrigued by your statement, so I did some quick research. What I discovered is as follows:
Deadbolt locks* are cylinder locks; they just have the weight of a bolt holding the pins down instead of just springs. There's no reason why bump attacks shouldn't still be successful against this type of lock since the principle of bumping is somewhat different than pin scraping.
Mortise locks are just locks which are inserted into a hollowed out portion of the door -- it has nothing to do with the mechanism inside, and from what I was able to find out, most modern mortise locks contain cylinders.
* Which is what I assume you meant, since the only definition of a deadlock I can find is a situation wherein two or more competing actions are waiting for the other to finish, and thus neither ever does. I have no idea how you propose putting a deadbolt on a window, but maybe you meant something else.
References:
http://images.google.com/images?q=mortise%20locks
http://www.rcmp-grc.gc.ca/tsb/pubs/phys_sec/g1-01
http://en.wikipedia.org/wiki/Deadbolt
https://www.eff.org/https-everywhere
For what it's worth, there's some Abloy information at tool.nl for the curious.
your basic break and enter guys don't use these tools because rocks through windows are just as convinient. Being caught in possesion of these tools would arouse suspicion. Better to be caught with nothing.
In the 80's I read a BBS text file that described how to pick locks.
Made a set myself out of small allen keys.
They described the 'rake' technique where you put tension on the cylinder and just
zip a zig-zagged piece of metal against the pin.
With a little practice I opened many locks...didn't even have to bother going
pin by pin. As soon as you got one pin above that line, the upper pin
kinda 'snapped' over and stayed up.
Worked great on old worn out locks.
Blar.
Mom,
Can you take me with you this year? I want to see if I can win the wardriving contest! I promise to pretend being sweet, innocent, and clueless.
You will notice that the girl is wearing a white badge, which is $100, and otherwise dressed appropriately. Not the youngest person I saw there anyway.
Leonid S. Knyshov
Find me on Quora
But I don't buy the whole "2nd amendment is my God-given right, guns solve everything and make the world a perfect place" argument either.
How about the huge spike in home invasions that followed the UK gun ban?
"We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
Here ya go. Guilt-free diamonds.
http://www.diamondnexuslabs.com/jewelry/index.php
Locks? Locks mean nothing even if they can't be bumped or picked (although so many can, this is trivial).
If the door is locked, you make a hole in the cheap-ass low bidder drywall and either reach in and open the door from the other side or hell, just rip a big hole in the wall and walk right in. The door and all it's locks and alarms is happy to stand there doing nothing. Even if the alarm does go off, you usually have several minutes to do your work.
Fences? Hop over. Chainlink fences can be unbolted and taken apart, or cut. The best actors can cut the fence and put it back so it appears to be whole. Most junkies don't care. They steal a car and ram down the fence or the gate, or the house garage door.
Gated community? Not hard to get in, and generally a good hit because everyone inside thinks they're safe so they don't even bother with stuff everyone else would do to protect themselves.
Car club devices? Easy to defeat with the bump or several other extremely simple methods. Clubs are absolutely useless.
Car alarms? Most of them look for door openings as the trigger. Very few have motion detection. So you bust the window and crawl in like the Duke boys. No alarm.
Put valuables in the trunk/boot? Most trunks are not even part of the alarm. Not sure? Cut the horn wires, usually easy to reach under the radiator. Cut the battery cables for those cars where the battery is in the fender well. Tow the whole thing if it's a valuable car. Pop into a shipping container and off to China before anyone knows it's even been taken.
Junkies just want the radio to fence or the checkbook you left in the door pocket. Even they know how to avoid setting off the alarm. BTW, this is why most car break-ins are broken windows. It doesn't set off the alarm unless you open the door. This goes right back to the problem with house burglar alarms and the drywall. You just go around the protected area, i.e. the doors.
But hey, if it makes you feel better, put more and more and more locks on that door. It just makes the drywall look like an even better target.:)
BTW, on that safe? I bet the walls are thin. If not that, then there is some sort of physical weakness and a pro would have it open faster than the police would show up, but as you did note, the grab and run burglars wouldn't bother. But remember this: if someone wanted into that safe, BY FAR the easy way is to make you or your wife open it. YOU are your own weakness.
Insurance companies (at least on the west side of the pond) haven't required proof of forced entry in decades. Burglary coverage was changed to theft eons ago.
Plus, any half-decent residential insurance policy will insure you for straight loss of contents, anyway. No need to even file a police report.
Anyone who's had a claim denied because they forgot to lock their doors really needs to shop around for better coverage, and possibly talk with a lawyer.
Note: this doesn't apply to commercial entities. If you're running a business and all you've got is an easily defeated lock to protect your interests, well...
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
Oh, absolutely. Auto insurance is a whole different ballgame - however the discussion seemed to revolve around breaking into your average house lock. Anti-theft systems on your average car are more than good enough to stop "bumping" these days, but I guess if you still have your 1984 K car and are worried your insurance company might not reimburse you the $500 you're out... :)
:)
Mostly I respond to posts like the GGP because it's a common insurance myth, based on what our grandparents faced. It's much like the ever-popular "Acts of God aren't covered!!!" Yes, 100 years ago proof of forced entry was required, and "Acts of God" was a legitimate exclusion clause. However, these days neither is really true. Hail, lightning, windstorm - these are all "Acts of God" that have been covered for decades. Catastrophic natural disasters aren't.
I used to be an insurance geek. So, much like 5,000 Slashdotters scream when CNN gets a tiny detail wrong about technology, I try to correct these decades-old insurance myths whenever I can. Especially when people start advocating insurance fraud
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
Instead, it provided anecdotal evidence that, "in my [the authors'] own experience counselling victims of crime in recent years, there has also recently been a marked increase in the use or the threatened use of dangerous weapons in burglaries and common assaults". The author does not attribute this to the UK gun ban or any form of gun control whatsoever.
This is in comparison to a number of empirical academic studies including the following which support the gun control hypothesis:
- A. Chapdelaine and P. Maurice (1996) , "Firearms injury prevention and gun control in Canada", Canadian Medical Association Journal, Vol 155, Issue 9, p 1285-1289 - "The cost of the consequences of the improper use of firearms in Canada has been estimated at $6.6 billion per year. There is a correlation between access to guns and risk of death. The mere presence of a firearm in a home increases the risk of suicide, homicide and "accidental" death."
Get some REAL evidence and then make your claims.She actually had quite a bit of interest in locks. I taught her how to pick locks the day before. Matt Fiddler taught her how to bump them the day that video was taken, and Mark Weber Tobias thought it was really cool to see. She enjoyed picking way more than bumping (it's more of an intellectual challenge).
Now, she didn't seem to be that interested in the interviews (yes, there was more than one)... She wanted to get back to the locks.
What do you believe is a better place my daughter could've been that weekend? The mall?
She wasn't too happy when we mentioned getting someone to watch her for Defcon 15, so I think we all had quite a good time there.
-- The world is watching America, and America is watching TV.
Recommendations: Abloy classic or Abloy Exec. Notice that both of these have discs, that need to be rotated to the proper position by tilted slots in the key, before the key can be fully turned. No springs to fool around with that wear out. Here's a detailed lockpicker's writeup: part 1, part 2. (pdf)
True confidence comes not from realising you are as good as your peers, but that your peers are as bad as you are.
Yep, ABLOY (pr ASSA-ABLOY as they are called now) locks are near impossible to pick, even though they are normal domestic locks quite usual in this area (Nordic countries).
:D
:O
We lost a keychain and had a professional pick all the doors, even doors costing a fortune with some really odd-looking keys. But when the locksmith saw the Abloy locks, he laughed, gave us a long stick, and told us to use it to get in. Stood there dumbfounded until he pointed at the window
When we got in after breaking the window, I just remembered that the lock is a double-side one, with a key needed on both sides... DOH! They had to disassemble the door frame to be able to get the door to open. Luckily it was the type of Abloy lock that has a "hook" that wraps around a metal pin in the door frame, or we would have had to break parts of the wall
That was an expensive boat trip (dropped the keychain into the sea)
Thieves used a hydraulic ram to knock a section of wall down to get into my gran's house. This was they could do it hidden behind the house instead of having to go in the front door. All the windows and doors had steel bars on them, and the front door was seriously heavy with 3 different locks on it. They did it on bastille day (french holiday) when loads of fireworks going off so noone would be suspicious of a few bangs. Luckily, she's moved to a slightly less dodgy area now.
If they want to get in, they will.
http://www.frenchgeek.com/
They probably also look like scared kittens to the people looking for what to steal and who to steal it from.
I live in *the ghetto* in Chicago. Not 1979 Cabrini Green-level ghetto, but not too far from that. If you're from the Chicago area (other cities have this technology, too), you know how in the "really bad" areas they have the flashy blue lights on the telephone poles with the cameras in the bullet-proof shells that auto-home/focus on the sound of gunfire? We have lots of those.
We're talking crack dealers around the corner, having to run off the meth addicts in the alley, occasional gunfire (on the next block).
I do live on "a good street" but back up against a very "bad street". I keep an eye on the police blotter for my area, and there is not insignificant burglary events around my area (as well as a few homicides each year).
I've lived here for about 2 and a half years. I'll be here at least one year more, maybe two.
I have a nice house with a nice yard. I drive a new truck and ride a Harley. I'm white (the neighborhood is about 99% black), I grew up in suburban Ohio. I'm sure anyone can see my big screen TV from the street (there's no way to arrange the front room without making it visible).
However, my home has never once been bothered, much less burgled.
How is this?
1. I have two big fucking dogs.
The little one (86 lb pound dog - probably an American Bulldog or a mix of one) is as sweet as can be. But people tend to be more afraid of him. I've heard along the lines of "you have to watch out for the silent ones" more than twice. People think he's charging them at the fence, but he really is running up so he can lean against it so they can pet him. The little kids know this - apparently this perception is lost at about the pre-teen years (based on observed reactions).
The big one (130lb Boerboel, heavy growl and bark) doesn't like people near her stuff (yard, humans, other dog, etc). When people ask if she bites, I tell them "Yes. Please watch your hands near the fence." I'm not being exactly disingenuous, here, but I don't think she'd lunge or snap. She just acts really mean, and she will try to "get at" something she feels is really threatening (like a person on a skateboard or bicycle, or a cat she doesn't know in or near her yard. We have cats in the house that she protects, too).
I make a point of playing with the dogs in the front yard (we have a double lot, and the yard wraps around the house) to make myself as visible as possible. Playing tug (either with me or each other) makes for some excellent growling noises that illustrate the "danger".
2. I'm not afraid to yell at people who are being assholes. Like "Hey, you guys are welcome to hang out on the sidewalk, but *stop* leaning on my car. Thanks." I call the cops a lot for bigger issues (playing "dice" on the sidewalk near where little kids live, drug dealing and consumption, mostly), and leave my name so they can follow up for a report. Anonymous is appropriate sometimes (like for gang activity, of which we have little - we're well within a gang border, so they mostly just have hired footsoldiers dealing drugs, and those dealers have no real rank or anything), but a lot of times it helps more to show "I live here, I am not afraid, and I am sick of this shit!" If you don't have a "city face", people are going to take advantage of you.
Along those lines, if a "shady" person talks to you, you have to talk back (and be polite). Some will try to be loud and walk up on you, apparently just to see if you'll back down/away. You *can't*. You have to stand your ground and I even step forward as they're walking up to me. To back away just illustrates "I'm uncomfortable here" and word will get around. You really don't want that.
But you can't be a flaming asshole, either. You just have to be "solid" is how I think of it. Then you at least have respect of the people in the area.
3. I am friends with all of my [good] neighbors,
The MIT Lockpicking Guide has three occurances of the word "bump", and none are talking about bumping. In addition, nothing I saw in it (before or now) talks about bumping in another name.
Picking and bumping are totally different animals. Lockpicking requires a couple weeks of steady practice to be able to break reasonably strong locks (like those that appear on a house) reliably, and I don't know how much more to be able to pick them reliably and quickly*. (Remember, you don't want to be standing on someone's porch for five minutes trying to pick the lock. Better to just break a window. It'll attract less attention.)
Bumping by contrast, if the information I've seen about it is to be believed, takes essentially no practice and reliably opens locks in about the same time you can with a key. Totally different animal.
* I never got to that point. I practiced for about two weeks and got to the point where I could: almost always pick a modified deadbolt (I removed a pin) in about 30 seconds; usually pick an unmodified, cheap deadbolt after several minutes of trying (though one attempt I got very lucky and opened it in under a minute); pick one specific three-pin padlock in about 10 seconds; rarely pick a four-pin padlock. I had yet to crack a five-pin padlock. These skills are probably not yet at the level where I could go up to a random house and break in even given plenty of time, and FAR from the point where I could do it quick enough that I would consider that it would be a reasonable entry method.