Slashdot Mirror
11-year-old Proves Locks Not So Secure
An anonymous reader writes "A new security column at Engadget details the new 'old' threat of bumping locks. The article goes on to describe and demonstrate an 11-year-old girl bypassing a standard 5-pin lock at a recent DefCon Hacker Convention. The girl had no prior experience and didn't even understand the theory she was applying. Scary!"
why do we have to worry now?? this has been known for ages..it just took a dumbass to stumble across it(and think its something new) and alert the media, which in turn got videos of it on the net, and now everyone and thier sister wants to try it.
Here is a video of Key Bumping: http://www.youtube.com/watch?v=7Uv45y6vkcQ&search= bump%20key
Quite fascinating how easy it is, and in the end of the video they even show a 17-pin lock being bumped!
If you are interested in the guys in the video, here is their URL http://www.toool.nl/index-eng.php
Round and round we go.
this is not funny, this attack has been arround for a very long time. during my time as a moderator of lockpicking101.com (and of course a lockpicking hobyist myself) we had our work cut out attempting to knock some sense into kids that came on the site asking for bump keys and "guides" on how to bump locks. It's become more prevelant over the net recently due to articles from TOOOL containing demonstrations from barry of some very "high security" locks being bumped and also a notification at http://www.security.org/ (still there). but the technique itself has been arround for ages. we can only hope that someone makes a better lock (*cough* www.abloy.com *cough*)
Adam & Jamie on the Discovery Channel's MythBusters just had a show last night where they showed all sorts of ways to defeat some of the newer, high tech devices. Fingerprint scanners were pretty much busted, including one really high tech fingerprint scanner that the company said had never been broken into, EVER,. . . which Adam & Jamie broke into within about 10 minutes using three different techniques! They also found ways around heat sensors (a piece of glass), sonic motion detectors (a bedsheet, or walking really slowly), and breaking into a safe with an underwater explosion,... Quite an interesting episode,...
I've been reading about this a bit lately and found an interesting paper on bumping locks at http://www.toool.nl/bumping.pdf
They also have a section on locks that resist bumping:
There are mechanisms that do not allow for the two pins to separate except when slid sideways, such as used in the Emhart interlocking lock (which is not being produced anymore). As far as we can see, such a mechanism would successfully foil the bumping attack. Also some mechanisms which have a one-piece locking mechanism (such as a 'sidebar') may resist bumping. Locks that involve rotating discs (such as Abloy Protec) or magnets (such as Evva MCS and Anker) are also not susceptible to this attack. Klaus Noch sells modified standard Euro profile locks which lock up (i.e. 'broken but closed') upon most attempted manipulations, including bumping.
I found the Abloy Protec lock (with rotating discs) especially interesting and I'm going to get this for my own front door when I get the chance. On the same website they have an paper on the Abloy Protec as well: http://www.toool.nl/abloypart3.pdf
While your statement of "no lock is pickproof" is true, the rest really isn't. If you want a big lock that you probably won't be able to do anything to, try a Medeco. Your lockpicking knowledge is essentially worthless against it. Blank tricks don't work, since you can't get blanks unless you manage to compromise a dealer. Likewise normal pick tricks don't work because the pins aren't the right shape, they rely on being rotated as well as lifted to function.
That does not mean, of course, you can't pick one, but it's much harder, and requires a lot more training. They aren't a perfect system, but they sure aren't a joke. Also, despite being quite large, they are quite secure.
There's other brands of high security locks too, and they are similarly hard to deal with. It's just not more common because the construction needed for them is quite a bit more. A Medeco Maxium will run you like $200.
Most interior "locks" I've seen are of the push and twist variety. They don't take anything more than a paperclip or other similar thing to open. I'd say they're expressly designed to keep kids out of places they shouldn't be and prevent accidents, and not at all about security.
The ones in the house I grew up in even had the endcap easily popped off, allowing direct access to the plunger.
The trunk one is a bit more surprising since that should be a proper key, but I've often wondered just how effective car locks are. I remember I discovered my old '83 Firebird's door key would start a friend's GM truck (remember GM cars at the time had two keys, door and ignition). She got a kick out of it but it made me wonder.
Deadbolts can use normal keys. A deadbolt is just a type of lock that throws a bolt in to the door jamb. It's a distinction aside from something like a handle lock that just stops the handle from turning. A deadbolt is more resistant against things like trying to kick the door in, but the locking mechanism can be anything.
Some deadbolts have no external component and can only be locked and unlocked inside. Totally pick proof, but only useful if you are home. Most have a normal pin lock on the outside. That makes them, pick and bump wise, no better than any other lock. There are high security deadbolts with better locking mechanisms, but you can get those better mechanisms on anything, including padlocks.
A cheap cylinder lock is secure enough to deter a passing opportunist (eg, not someone who carries a bump) and should be used as such.
7 _e.pdf
Actually it seems to work against just about anything with split pins, regardless of its price. That's a helluva lot of locks.
To secure your house or office you shouldn't look at anything less than a Mortis or a deadlock, and you should have at least two on each entry point. Windows should lock from the inside, again with deadlocks.
I was intrigued by your statement, so I did some quick research. What I discovered is as follows:
Deadbolt locks* are cylinder locks; they just have the weight of a bolt holding the pins down instead of just springs. There's no reason why bump attacks shouldn't still be successful against this type of lock since the principle of bumping is somewhat different than pin scraping.
Mortise locks are just locks which are inserted into a hollowed out portion of the door -- it has nothing to do with the mechanism inside, and from what I was able to find out, most modern mortise locks contain cylinders.
* Which is what I assume you meant, since the only definition of a deadlock I can find is a situation wherein two or more competing actions are waiting for the other to finish, and thus neither ever does. I have no idea how you propose putting a deadbolt on a window, but maybe you meant something else.
References:
http://images.google.com/images?q=mortise%20locks
http://www.rcmp-grc.gc.ca/tsb/pubs/phys_sec/g1-01
http://en.wikipedia.org/wiki/Deadbolt
https://www.eff.org/https-everywhere
your basic break and enter guys don't use these tools because rocks through windows are just as convinient. Being caught in possesion of these tools would arouse suspicion. Better to be caught with nothing.
In the 80's I read a BBS text file that described how to pick locks.
Made a set myself out of small allen keys.
They described the 'rake' technique where you put tension on the cylinder and just
zip a zig-zagged piece of metal against the pin.
With a little practice I opened many locks...didn't even have to bother going
pin by pin. As soon as you got one pin above that line, the upper pin
kinda 'snapped' over and stayed up.
Worked great on old worn out locks.
Blar.
Locks? Locks mean nothing even if they can't be bumped or picked (although so many can, this is trivial).
If the door is locked, you make a hole in the cheap-ass low bidder drywall and either reach in and open the door from the other side or hell, just rip a big hole in the wall and walk right in. The door and all it's locks and alarms is happy to stand there doing nothing. Even if the alarm does go off, you usually have several minutes to do your work.
Fences? Hop over. Chainlink fences can be unbolted and taken apart, or cut. The best actors can cut the fence and put it back so it appears to be whole. Most junkies don't care. They steal a car and ram down the fence or the gate, or the house garage door.
Gated community? Not hard to get in, and generally a good hit because everyone inside thinks they're safe so they don't even bother with stuff everyone else would do to protect themselves.
Car club devices? Easy to defeat with the bump or several other extremely simple methods. Clubs are absolutely useless.
Car alarms? Most of them look for door openings as the trigger. Very few have motion detection. So you bust the window and crawl in like the Duke boys. No alarm.
Put valuables in the trunk/boot? Most trunks are not even part of the alarm. Not sure? Cut the horn wires, usually easy to reach under the radiator. Cut the battery cables for those cars where the battery is in the fender well. Tow the whole thing if it's a valuable car. Pop into a shipping container and off to China before anyone knows it's even been taken.
Junkies just want the radio to fence or the checkbook you left in the door pocket. Even they know how to avoid setting off the alarm. BTW, this is why most car break-ins are broken windows. It doesn't set off the alarm unless you open the door. This goes right back to the problem with house burglar alarms and the drywall. You just go around the protected area, i.e. the doors.
But hey, if it makes you feel better, put more and more and more locks on that door. It just makes the drywall look like an even better target.:)
BTW, on that safe? I bet the walls are thin. If not that, then there is some sort of physical weakness and a pro would have it open faster than the police would show up, but as you did note, the grab and run burglars wouldn't bother. But remember this: if someone wanted into that safe, BY FAR the easy way is to make you or your wife open it. YOU are your own weakness.
Insurance companies (at least on the west side of the pond) haven't required proof of forced entry in decades. Burglary coverage was changed to theft eons ago.
Plus, any half-decent residential insurance policy will insure you for straight loss of contents, anyway. No need to even file a police report.
Anyone who's had a claim denied because they forgot to lock their doors really needs to shop around for better coverage, and possibly talk with a lawyer.
Note: this doesn't apply to commercial entities. If you're running a business and all you've got is an easily defeated lock to protect your interests, well...
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
Oh, absolutely. Auto insurance is a whole different ballgame - however the discussion seemed to revolve around breaking into your average house lock. Anti-theft systems on your average car are more than good enough to stop "bumping" these days, but I guess if you still have your 1984 K car and are worried your insurance company might not reimburse you the $500 you're out... :)
:)
Mostly I respond to posts like the GGP because it's a common insurance myth, based on what our grandparents faced. It's much like the ever-popular "Acts of God aren't covered!!!" Yes, 100 years ago proof of forced entry was required, and "Acts of God" was a legitimate exclusion clause. However, these days neither is really true. Hail, lightning, windstorm - these are all "Acts of God" that have been covered for decades. Catastrophic natural disasters aren't.
I used to be an insurance geek. So, much like 5,000 Slashdotters scream when CNN gets a tiny detail wrong about technology, I try to correct these decades-old insurance myths whenever I can. Especially when people start advocating insurance fraud
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
She actually had quite a bit of interest in locks. I taught her how to pick locks the day before. Matt Fiddler taught her how to bump them the day that video was taken, and Mark Weber Tobias thought it was really cool to see. She enjoyed picking way more than bumping (it's more of an intellectual challenge).
Now, she didn't seem to be that interested in the interviews (yes, there was more than one)... She wanted to get back to the locks.
What do you believe is a better place my daughter could've been that weekend? The mall?
She wasn't too happy when we mentioned getting someone to watch her for Defcon 15, so I think we all had quite a good time there.
-- The world is watching America, and America is watching TV.