11-year-old Proves Locks Not So Secure
An anonymous reader writes "A new security column at Engadget details the new 'old' threat of bumping locks. The article goes on to describe and demonstrate an 11-year-old girl bypassing a standard 5-pin lock at a recent DefCon Hacker Convention. The girl had no prior experience and didn't even understand the theory she was applying. Scary!"
The girl had no prior experience and didn't even understand the theory she was applying.
Sign her up as a /. editor, quick!
A feeling of having made the same mistake before: Deja Foobar
So now we have to worry about the lockpicker's equivalent of a script kiddy.
Don't forget you can do the same with bike locks and a pen. It seems people find more obvious ways to break things every day.
Warhammer forums
The girl had no prior experience and didn't even understand the theory she was applying.
Reminds me of high school.
I believe most British insurers have insisted on deadlocks on doors for house insurance for many years because of lock bumping, they're also often easily bypassed with credit cards anyway.
It's certainly very uncommon for doors to be left with just that kind of lock in this country.
Locks are to keep honest people honest, and keep insurance companies satisfied.
The finest safes are only rated by how many minutes it will take a determined thief out.
"I would rather die on my feet than live always on my knees!"
The Kwikset that she opened is sold in every hardware and DIY store in the country, and is believed to be secure by the public.
As with any security measure, be it a physical lock, a cipher, encryption, anything, it only works if you know how to use it properly. A cheap cylinder lock is secure enough to deter a passing opportunist (eg, not someone who carries a bump) and should be used as such. To secure your house or office you shouldn't look at anything less than a mortice or a deadlock, and you should have at least two on each entry point. Windows should lock from the inside, again with deadlocks.
A cylinder lock is the equivalent of using ROT13 to secure a password file. It'll stop someone who's not trying to get in, but that's about it.
http://twitter.com/onion2k
The concept of security is as much about perception as effectiveness.
This article's enlightening example just drives deeper a little concept I recently heard called security theater.
Human psychology is certainly interesting - because on one hand we have people scared of box cutters, but on the other hand we drive 70mph mere feet away from each other every day.
Maybe it could be argued that security is primarily about perception.
My Computer Music Tutorial Videos
I used to pick the lock to the computer room at home with duck tape and a paper clip, AND I LIKED IT?
P.S. I also used to walk up hill both ways in the snow to school.
"There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order." -Ed H
Does that make her a door kiddy?
Would you kindly mod me +1 insightful?
Er... linking to one on the front page of /.?
It's WMV, which is both patented and trade-secreted. MPEG-4, by contrast, is only patented.
Here is a video of Key Bumping: http://www.youtube.com/watch?v=7Uv45y6vkcQ&search=bump%20key
Quite fascinating how easy it is, and in the end of the video they even show a 17-pin lock being bumped!
If you are interested in the guys in the video, here is their URL http://www.toool.nl/index-eng.php
Round and round we go.
Adam & Jamie on the Discovery Channel's MythBusters just had a show last night where they showed all sorts of ways to defeat some of the newer, high tech devices. Fingerprint scanners were pretty much busted, including one really high tech fingerprint scanner that the company said had never been broken into, EVER,. . . which Adam & Jamie broke into within about 10 minutes using three different techniques! They also found ways around heat sensors (a piece of glass), sonic motion detectors (a bedsheet, or walking really slowly), and breaking into a safe with an underwater explosion,... Quite an interesting episode,...
Yikes! The poor girl...she might get the wrong impression that this is how she should make a living.
Age 11 - 5 pin lock with wrong key
Age 14 - 7 pin lock with picks
Age 18 - Safes
Age 21 - Bank Vaults
So many banks...so little time
2 cents,
QueenB
HDGary secures my bank
I've been reading about this a bit lately and found an interesting paper on bumping locks at http://www.toool.nl/bumping.pdf
They also have a section on locks that resist bumping:
There are mechanisms that do not allow for the two pins to separate except when slid sideways, such as used in the Emhart interlocking lock (which is not being produced anymore). As far as we can see, such a mechanism would successfully foil the bumping attack. Also some mechanisms which have a one-piece locking mechanism (such as a 'sidebar') may resist bumping. Locks that involve rotating discs (such as Abloy Protec) or magnets (such as Evva MCS and Anker) are also not susceptible to this attack. Klaus Noch sells modified standard Euro profile locks which lock up (i.e. 'broken but closed') upon most attempted manipulations, including bumping.
I found the Abloy Protec lock (with rotating discs) especially interesting and I'm going to get this for my own front door when I get the chance. On the same website they have a paper on the Abloy Protec as well: http://www.toool.nl/abloypart3.pdf
...than picking 'em.
Years ago I was at a tech flea market and - on a childish whim - bought a fairly nice set of lock picks (which are legal to sell in that state, unlike some). FYI - I am of the "Man from UNCLE", "T.H.E CAT", "The Prisoner", and "007" generation so I always wanted to be able to pick locks like the spies.
I even bought a lockpicking book ("Lock-picking Made Easy" by Lenny the Wire) I always liked that name.
I soon found out how incredibly easy it is! After picking my first lock (a random key lock I had laying around) I went to Home Depot and bought about a dozen key locks of various mfgrs and proceeded to pick 'em! I then did all the locks on all the doors on my house. Then I worked on my suitcases. I even did the lock on the li'l box I stored my 5 1/2 PC diskettes in. Then I did both cars.
What I learned was:
"No key lock is really secure. None are pick-proof."
"Most are ridiculously easy to pick. Even those circular-key vending machine ones."
"The bigger they are, the easier they are to open."
"Car locks are a lot harder."
The "skill" I developed has come in handy once or twice, but that's not the real virtue of it. It teaches you that locks are jokes. They keep out the already-honest, and the occasional lazy thief.
Cloned foods give the statement "We had that last week!" a whole new meaning.
This isn't news...
:)
Locksmiths can buy a pick gun from locksmith suppliers. It looks like a handheld staple gun, and you slot the straight strengthened steel tip (looks like a small metal cable tie) into the gun.
It works by bumping the whole steel tip up about a 16th of an inch, at which point you twist the entire gun anti-clockwise to open the lock while all the pins have been knocked just as the article describes.
This came as part of a back-of-the-magazine locksmith "diploma"
"We know what happens to people who stay in the middle of the road. They get run over." - Aneurin Bevan
I used to use ROT13 to protect my files until I found out how unsecure it is. Now I ROT13 twice, just to make sure.
"Old man yells at systemd"
Insurance companies generally only honour your claim if there are signs of breaking and entering... A bumped lock will make it look like you left the door unlocked, and could lead to your insurance company not parting with the pennies... Scary.
- Frans.
The funny thing about doors is that there are no firmware updates on the internet...
Do you work for Microsoft's Linux Labs?
"Free software" is a matter of liberty, not price.
Sure it might be easy to bump a lock, but how many 11 year olds can afford a "kinetic energy tool"?
http://en.wikipedia.org/wiki/Hammer/
While your statement of "no lock is pickproof" is true, the rest really isn't. If you want a big lock that you probably won't be able to do anything to, try a Medeco. Your lockpicking knowledge is essentially worthless against it. Blank tricks don't work, since you can't get blanks unless you manage to compromise a dealer. Likewise normal pick tricks don't work because the pins aren't the right shape, they rely on being rotated as well as lifted to function.
That does not mean, of course, you can't pick one, but it's much harder, and requires a lot more training. They aren't a perfect system, but they sure aren't a joke. Also, despite being quite large, they are quite secure.
There's other brands of high security locks too, and they are similarly hard to deal with. It's just not more common because the construction needed for them is quite a bit more. A Medeco Maxum will run you like $200.
"Look, a real-life FBI agent!"
Starbucks, Harbuckle of Breath.
The average person locks their front door and goes to bed feeling secure.
They also probably have several windows, glass patio doors, and the like at easy-access level around their home. Most don't have bars on them.
Even those that do have bars probably live in framed out housing, where going through a wall is a trivial feat for a determined intruder with a simple sledgehammer.
But the reality is that locks are deemed necessary because they keep out the casual intruder. The person who will enter only if there is not the most minimal level of effort required to do so.
Beyond that, they are not a security device. They serve that one, minimal function well, but that's all they do.
For instances where a lock is actually protecting something of value, it is usually only one aspect of a much more sophisticated security system. In those instances, the lock serves as an authentication device "this person has a key, therefore they are authorized," and could just as easily be replaced by any other type of authentication system. As again, it can't provide protection on its own.
That's something that any good locksmith will tell you -- if they can install it, they can bypass it. And so can any other person with access to the right tools and knowledge.
The most secure facility I've visited had a sergeant in a green beret on the gate.
Deadbolts can use normal keys. A deadbolt is just a type of lock that throws a bolt into the door jamb. It's a distinction aside from something like a handle lock that just stops the handle from turning. A deadbolt is more resistant against things like trying to kick the door in, but the locking mechanism can be anything.
Some deadbolts have no external component and can only be locked and unlocked inside. Totally pick proof, but only useful if you are home. Most have a normal pin lock on the outside. That makes them, pick and bump wise, no better than any other lock. There are high security deadbolts with better locking mechanisms, but you can get those better mechanisms on anything, including padlocks.
An 11 year old, with no prior experience in locks and clearly little interest in it not only attends the Defcon Hacker Convention, but takes the time to furnish us with a demonstration. The event took place from Friday 4th to Sunday 6th. Does she honestly have nowhere better to be?
Won't somebody please think of the children?
"No, no, no, don't tug on that! You never know what it might be attached to."
b) You can greatly mitigate the possibility of running into bad guys by going somewhere where they are not (if you can afford it).
c) Put better locks on your door.
d) Arm yourself in an appropriate fashion (if your municipality still allows this reasonable option.)
BTW. "bumping" a lock is nothing, compared to what a sledge hammer can do.
This issue is a bit more complicated than you think.
Are you serious about not understanding why bumping might be preferable? It takes no more time, destroys nothing, makes very little noise if done right, doesn't require hammer, screwdriver, or pliers, and can be carried out while looking relatively inconspicuous if you've got some amount of skill and coolness.
The lack of damage is key here (no pun)...passers-by don't see a busted lock, person coming home doesn't realize right away there's been a robbery, cops can't be sure if there's been a lock picked/bumped, door left open, or owner staging a crime. Insurance companies fight and claim there's no evidence of break-in.
What's simple about grunting and jerking and making a racket and leaving a door hanging open? If you're going that route, you can minimize the incriminating tools you're carrying and just use a sledgehammer to knock the door out of the frame. Or just pick up a cinder block and heave it through the front window. Or just burn the house down and sift through the ashes for coins and gems.
It didn't work, so I reached through the dog door and opened it from the other side.
Yeah, we're really secure around here.
The thing that is most scary about this attack is that it leaves no trace of the crime, unlike a broken window. This means that some unfortunate people won't be able to convince their insurance company to pay up because there is no evidence of forced entry. The insurance company will try to claim that you forgot to lock your door and refuse to pay up.
I'll probably be modded down for this...
Do 11 year old girls frequently wander into Hacker conventions with no prior experience or idea of how to hack and start picking locks?
In the 80's I read a BBS text file that described how to pick locks.
Made a set myself out of small allen keys.
They described the 'rake' technique where you put tension on the cylinder and just zip a zig-zagged piece of metal against the pin.
With a little practice I opened many locks...didn't even have to bother going pin by pin. As soon as you got one pin above that line, the upper pin kinda 'snapped' over and stayed up.
Worked great on old worn out locks.
Blar.
Mom,
Can you take me with you this year? I want to see if I can win the wardriving contest! I promise to pretend being sweet, innocent, and clueless.
You will notice that the girl is wearing a white badge, which is $100, and otherwise dressed appropriately. Not the youngest person I saw there anyway.
Leonid S. Knyshov
Find me on Quora
We have three big dogs. Unlike a lock, they won't let anyone in who isn't authorized. Also, most burglars will move on to the next house if they think they'll have to deal with an unfriendly dog. I'm sure there are ways around dogs but it's a good deterrent.
Insurance companies (at least on the west side of the pond) haven't required proof of forced entry in decades. Burglary coverage was changed to theft eons ago.
Plus, any half-decent residential insurance policy will insure you for straight loss of contents, anyway. No need to even file a police report.
Anyone who's had a claim denied because they forgot to lock their doors really needs to shop around for better coverage, and possibly talk with a lawyer.
Note: this doesn't apply to commercial entities. If you're running a business and all you've got is an easily defeated lock to protect your interests, well...
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
Medeco uses special keys, and isn't available from just anywhere. So you've got to get a lock from the same dealer as your target, or at least a dealer that gets a key with the same sidebar code. They aren't consistent. For example we use Medeco locks at work (we are actually licensed by Medeco and have our own lock shop for campus) and I also have one at home that I bought from a local dealer. The keys, though the same shape, size and appearance, are not at all interchangeable. They won't even go in the lock at all.
So, assuming you get a lock with the correct key design, you then have an additional task. Medeco keys are biaxial, meaning they aren't just cut along the vertical. The pins must be lifted and rotated to open. The rotation is achieved by the correct horizontal angle of the cut. Without that, you can't move the pins. So once you have the correct design of key, you have to cut the correct angles in first before making a bump key. If not, you can't bump anything since the pins won't move.
Finally, you have to hope it's an older one, because with the newer sidebar interface, that doesn't work at all.
Given that the point of bumping is simple entry with minimal tools or experience, that doesn't sound at all practical or simple, which is my point. This "all locks are a joke" is oversimplified bragging. No, they aren't. Many, perhaps even most locks are a joke but there are some real good ones out there that are a real bitch to deal with.
Read the PDF linked from the article if you want some more info, it's fairly complete.
Firstly, most home insurance policies cover loss due to THEFT, not just burglary. The difference? Burglary requires proof of forced entry, whereas theft is simply someone taking your things. Theft claims are honoured even if you left your front door wide open.
Secondly, if you ever have a claim denied due to lack of proof of forced entry, talk to a lawyer. Next time, look around for some better insurance. A good insurance buzzword to look into is "All Risk". This sort of coverage even covers you if you do something stupid like drop your TV down the stairs "by accident". Available on most residential insurance policies.
Thirdly, advising people to commit insurance fraud is just about the stupidest thing you can do. Believe me, it's fairly easy to tell the difference between a legitimate break-in, and some stupid homeowner trying to make his claim look "worse". Insurance adjusters can spot this sort of thing a mile away, and you can go to jail for this sort of thing.
If you do actually find yourself in a situation where you only have coverage for burglary, it's better to suck it up and lose a bit of money, rather than risk very large fines, possible jail time - oh, and never being able to get insurance coverage again.
(Note: the above may not apply to non-western countries)
Oh, absolutely. Auto insurance is a whole different ballgame - however the discussion seemed to revolve around breaking into your average house lock. Anti-theft systems on your average car are more than good enough to stop "bumping" these days, but I guess if you still have your 1984 K car and are worried your insurance company might not reimburse you the $500 you're out... :)
Mostly I respond to posts like the GGP because it's a common insurance myth, based on what our grandparents faced. It's much like the ever-popular "Acts of God aren't covered!!!" Yes, 100 years ago proof of forced entry was required, and "Acts of God" was a legitimate exclusion clause. However, these days neither is really true. Hail, lightning, windstorm - these are all "Acts of God" that have been covered for decades. Catastrophic natural disasters aren't.
I used to be an insurance geek. So, much like 5,000 Slashdotters scream when CNN gets a tiny detail wrong about technology, I try to correct these decades-old insurance myths whenever I can. Especially when people start advocating insurance fraud.
Instead, it provided anecdotal evidence that, "in my [the authors'] own experience counselling victims of crime in recent years, there has also recently been a marked increase in the use or the threatened use of dangerous weapons in burglaries and common assaults". The author does not attribute this to the UK gun ban or any form of gun control whatsoever.
This is in comparison to a number of empirical academic studies including the following which support the gun control hypothesis:
- A. Chapdelaine and P. Maurice (1996), "Firearms injury prevention and gun control in Canada", Canadian Medical Association Journal, Vol 155, Issue 9, p 1285-1289 - "The cost of the consequences of the improper use of firearms in Canada has been estimated at $6.6 billion per year. There is a correlation between access to guns and risk of death. The mere presence of a firearm in a home increases the risk of suicide, homicide and "accidental" death."
Get some REAL evidence and then make your claims.
*shrug* I'm not sure what difficulty you are having. The whole reason you're reading an article about an 11-year-old doing this is not because she's a prodigy (that is orthogonal to this discussion), but because the vulnerability is so severe they can pick a random person out of a room and have her doing it in a couple of minutes.
If it had been me, I don't think the headline would've been as impressive, ``28-year-old Proves Locks Not So Secure.''
That's not picking, it's bumping. But yeah, she picked several locks (including a five pin that had one ``pick resistant'' spool driver in under a minute). I had only taught her to pick locks the day before.
Knowing one thing about something doesn't make you a hopeless nerd. Bumping a lock doesn't make her a thief. Skating the half at our local park doesn't make her a thug. Driving the WRX doesn't make her a sideshow kid. Getting an amateur radio license doesn't make her a 60 year-old man.
We can all do many interesting things if we stop worrying about labels and just try.
-- The world is watching America, and America is watching TV.
Well, it's sorta like this:
Short story: this is what you get when ivory-tower nerds get a glimpse of what everyone else knew all along.
Long story: As you said, yes, IRL everyone knew that locks aren't "secure", and won't keep a determined thief out. Locks aren't even a deterrent. They're a bit of a delay and mostly a "if we catch you past this point, we'll throw your sorry arse in jail" marker. The deterrent is the law. If you went through all the trouble of climbing over the fence (or lockpicking the gate) and lockpicking the door too, we have all the proof we need of intent, and we'll throw your arse in jail.
IRL it's not even possible to make something 100% burglar-proof. Even if you had a 100% burglar-proof lock, someone could break a window instead, or hack down the door, or whatever.
IRL that's our security concept, and it worked for maybe 10,000 years. People don't even expect anything to be more secure, computers included. See all the SF settings where people find it natural that a computer from 10,000 years in the future can be hacked by just shooting the keyboard, or that a high-tech computer-controlled door can be defeated with two wires and a PDA. Or by just shooting the control panel, Star Wars style.
Now enter the ivory tower of OCPD computer nerds, and trying to apply boolean rules to a RL that's made of continuums, and to problems that are more of a min-max problem than if-then-else binary constructs. In their world, either you're 100% secure or you're 100% unprotected and not even trying. Either something is 100% lock, deterrent, judge and jury rolled into one, or it's crap. And, oh, unless you 100% secured your property or computer or you're an idiot. You see the kind on /. every day.
So now one of those basically just discovered, "whaaaat? you mean RL locks have exploits and can be hacked?? and people just put up with that and didn't patch them yet???" It runs contrary to their whole (utopic) mental model. So of course they'll make a big fuss out of it, and think they've discovered some secret that no one else knew.
A polar bear is a cartesian bear after a coordinate transform.
Thieves used a hydraulic ram to knock a section of wall down to get into my gran's house. This way they could do it hidden behind the house instead of having to go in the front door. All the windows and doors had steel bars on them, and the front door was seriously heavy with 3 different locks on it. They did it on Bastille Day (French holiday) when loads of fireworks were going off so no one would be suspicious of a few bangs. Luckily, she's moved to a slightly less dodgy area now.
If they want to get in, they will.
http://www.frenchgeek.com/
My sister does exactly the opposite: she leaves the backdoor open all the time. Friends, neighbours, family know this. My nieces can always come home from school and they never have the door locked. They have a little old television set and an old DVD player and that's about it in terms of valuables you'll find there. Perhaps a few old computers upstairs, some kids' toys... She and her husband think that too much TV is not good for the kids anyway. And they never get robbed, never had even the slightest issue with it. There is a moral in it somewhere, I'm not sure what it is though :-)
My uncle has left all of his cars open all the time everywhere he goes, and at home. Period. Every car he's owned. One story is he parked at the "really crappy/high crime" mall (they have signs that, to paraphrase, say your car is likely to be punked) in his city and the car BESIDE his got busted into. Broken windows, busted dashboard, the works...his truck? Nothing. His windows were down! He even does this with his new truck.
It's so crazy, it works. He says he thinks that the punks that would bust in probably think it's being watched or something, or...there's nothing of value in it...because he doesn't leave anything of value in it and if someone wants to check, he doesn't have to replace the busted window, if they take the truck, it's covered 100%...so, I agree with the other poster that says if you LOOK like you have something to protect, it might become more attractive.
Inject.