Slashdot Mirror

← Back to Stories (view on slashdot.org)

11-year-old Proves Locks Not So Secure

Posted by ryuzaki0 on from the from-the-hands-of-babes dept.

An anonymous reader writes "A new security column at Engadget details the new 'old' threat of bumping locks. The article goes on to describe and demonstrate an 11-year-old girl bypassing a standard 5-pin lock at a recent DefCon Hacker Convention. The girl had no prior experience and didn't even understand the theory she was applying. Scary!"

21 of 454 comments (clear)

  1. Talent is where you find it by ackthpt · · Score: 5, Funny

    . The girl had no prior experience and didn't even understand the theory she was applying.

    Sign her up as a /. editor, quick!

    --

    A feeling of having made the same mistake before: Deja Foobar
    1. Re:Talent is where you find it by gardyloo · · Score: 5, Funny

      *clap* *clap* *clap*

      Wish I had mod points.

          I dunno. The ability to give the clap seems a lot more meaningful.

    2. Re:Talent is where you find it by drinkypoo · · Score: 5, Funny
      Someone gave the clap to me once. It meant a painful shot in the ass!

      Oh yeah? So how did you get rid of it?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  2. Great... by dan828 · · Score: 5, Funny

    So now we have to worry about the lockpicker's equivalent of a script kiddy.

    1. Re:Great... by Anonymous Coward · · Score: 5, Informative

      why do we have to worry now?? this has been known for ages..it just took a dumbass to stumble across it(and think its something new) and alert the media, which in turn got videos of it on the net, and now everyone and thier sister wants to try it.

    2. Re:Great... by JesseL · · Score: 5, Funny

      I thought professional thieves ran for public office.

      --
      "Prefiero morir de pie que vivir siempre arrodillado!"
    3. Re:Great... by whitehatnetizen · · Score: 5, Informative

      this is not funny, this attack has been arround for a very long time. during my time as a moderator of lockpicking101.com (and of course a lockpicking hobyist myself) we had our work cut out attempting to knock some sense into kids that came on the site asking for bump keys and "guides" on how to bump locks. It's become more prevelant over the net recently due to articles from TOOOL containing demonstrations from barry of some very "high security" locks being bumped and also a notification at http://www.security.org/ (still there). but the technique itself has been arround for ages. we can only hope that someone makes a better lock (*cough* www.abloy.com *cough*)

    4. Re:Great... by badasscat · · Score: 5, Interesting

      Um, which is [one reason] why we have to worry more. More people know about it.

      Oh please. Has anybody ever put complete blind faith in the fact that they have locks on their doors as a guarantee that robbers can never get in to their house?

      There is a lot of fear-mongering going on right now about this technique (and this is the second article posted on Slashdot about it in the past couple weeks). But all of this misses the fundamental point: locks have never been enough to keep thieves out.

      What is generally enough to keep thieves out is a) basic human morality, and b) the law. Otherwise we'd all be getting robbed every single night - after all, most of us live within earshot of hundreds of other human beings.

      Now, if this technique has suddenly caused you to lose faith in both of those things, then I don't know what to tell you - most people don't rest their entire faith in humanity on the sanctity of a door lock. And if you didn't have faith in those things before, then why did you think a lock was going to protect you in the first place? I would think a loaded shotgun under your pillow would be more your style.

      The bottom line is this. If you've been robbed before, your locks didn't do you a hell of a lot of good even before this. And if you haven't been robbed before, there's no more chance that you will now. Because the reason you haven't been robbed isn't because thieves didn't think they could get past your door lock - there are a myriad of ways to get into a house for someone that wants to. The reason you haven't been robbed is because the law forbids it and basic human decency says people shouldn't do it.

      Yes, there are thieves out there, and I'm not saying you shouldn't bother to have locks - if for no other reason than to keep snooping mailmen or nosy neighbors out. But knowing how to bump and actually breaking into a house are two totally different things. And unlike "script kiddies", breaking and entering is a crime that's taken very seriously - it is usually a felony - and the physical evidence is usually easy enough to trace, especially for an inexperienced thief.

    5. Re:Great... by StaticEngine · · Score: 5, Insightful

      Mod Parent Up.

      I just bought a house a few months ago, and as one does when one buys a house, the first thing I did was to change all the locks, and throw some padlocks on the gates to the back yard. Then I had a security monitoring system installed (Brinks, recommended for their professionalism), and finally, the wife and I bought a small fireproof safe to store some documents and valuables in.

      This whole process sparked off a discussion about security with a coworker who lives in a house valued at approximately four times my own, his house also being located in a gated community. The gist of the discussion was that there's no way to make your house totally secure, all you can do is add enough deterrants to make it less desirable for the common theif to break into your home. If someone really wanted to get into my place, they could, and if they knew exactly where to go and what to grab, they could really screw me and probably get away before the police were notified and showed up.

      However, each layer of security, the locks, the security system, and the safe, adds a deterrant. There's the time that has to be invested getting in, the fear of someone hearing the alarm going off and the ticking clock of the authorities being notified and dispatched, not to mention the hassle of locating and gaining access to the inside of the safe. Only someone who invested some serious research time and effort could gain access to my valuables and get away with it. And for what? My passport, some petty cash, and copies of my legal documents?

      The level of security has to match the value of what the security is trying to protect, and the common door lock is probably plenty of security for 90% of the people who have one. Only the truly paranoid, or those with something really valuable (or irreplacable), need more, and even in that case, not that much more.

      In the end, my wife and I joke every time we set our alarm and lock our door that we hope no one steals our Fabrige Egg or Hope Diamond.

    6. Re:Great... by Anonymous Coward · · Score: 5, Informative

      Locks? Locks mean nothing even if they can't be bumped or picked (although so many can, this is trivial).

      If the door is locked, you make a hole in the cheap-ass low bidder drywall and either reach in and open the door from the other side or hell, just rip a big hole in the wall and walk right in. The door and all it's locks and alarms is happy to stand there doing nothing. Even if the alarm does go off, you usually have several minutes to do your work.

      Fences? Hop over. Chainlink fences can be unbolted and taken apart, or cut. The best actors can cut the fence and put it back so it appears to be whole. Most junkies don't care. They steal a car and ram down the fence or the gate, or the house garage door.

      Gated community? Not hard to get in, and generally a good hit because everyone inside thinks they're safe so they don't even bother with stuff everyone else would do to protect themselves.

      Car club devices? Easy to defeat with the bump or several other extremely simple methods. Clubs are absolutely useless.

      Car alarms? Most of them look for door openings as the trigger. Very few have motion detection. So you bust the window and crawl in like the Duke boys. No alarm.

      Put valuables in the trunk/boot? Most trunks are not even part of the alarm. Not sure? Cut the horn wires, usually easy to reach under the radiator. Cut the battery cables for those cars where the battery is in the fender well. Tow the whole thing if it's a valuable car. Pop into a shipping container and off to China before anyone knows it's even been taken.

      Junkies just want the radio to fence or the checkbook you left in the door pocket. Even they know how to avoid setting off the alarm. BTW, this is why most car break-ins are broken windows. It doesn't set off the alarm unless you open the door. This goes right back to the problem with house burglar alarms and the drywall. You just go around the protected area, i.e. the doors.

      But hey, if it makes you feel better, put more and more and more locks on that door. It just makes the drywall look like an even better target.:)

      BTW, on that safe? I bet the walls are thin. If not that, then there is some sort of physical weakness and a pro would have it open faster than the police would show up, but as you did note, the grab and run burglars wouldn't bother. But remember this: if someone wanted into that safe, BY FAR the easy way is to make you or your wife open it. YOU are your own weakness.

    7. Re:Great... by dcturner · · Score: 5, Interesting

      However, each layer of security, the locks, the security system, and the safe, adds a deterrant.

      I have a friend whose parents' house has every security system I can think of. Big spiky locked gates, CCTV, the works. They get burgled more frequently than any other house on their street: it looks a lot like they have things worth protecting, and things worth protecting are worth stealing. Security != deterrant always.

  3. memories by Anonymous Coward · · Score: 5, Funny

    The girl had no prior experience and didn't even understand the theory she was applying.

    Reminds me of high school.

    1. Re:memories by agent+dero · · Score: 5, Funny

      this is slashdot, no it doesn't

      --
      Error 407 - No creative sig found
  4. Locks don't need to be pick-proof. by w33t · · Score: 5, Interesting

    The concept of security is as much about perception as effectiveness.

    This article's enlightening example just drives deeper a little concept I recently heard called security theater,

    Human psychology is certainly interesting - because on one hand we have people scared of box cutters, but on the other hand we drive 70mph mere feet away from each other every day.

    Maybe it could be argued that security is primarily about perception.

    --
    My Computer Music Tutorial Videos
  5. Video of Key Bumping by GnomeCarousel · · Score: 5, Informative

    Here is a video of Key Bumping: http://www.youtube.com/watch?v=7Uv45y6vkcQ&search= bump%20key
    Quite fascinating how easy it is, and in the end of the video they even show a 17-pin lock being bumped!

    If you are interested in the guys in the video, here is their URL http://www.toool.nl/index-eng.php

    --
    Round and round we go.
  6. Re:deadlocks by omega9 · · Score: 5, Funny

    Either way, Windows are still vulnerable.

    Look. There's no reason to bring Microsoft into this.

    --
    I'm against picketing, but I don't know how to show it.
  7. No evidence of forced entry by MarkByers · · Score: 5, Insightful

    The thing that is most scary about this attack is that it leaves no trace of the crime, unlike a broken window. This means that some unfortunate people won't be able to convince their insurance company to pay up because there is no evidence of forced entry. The insurance company will try to claim that you forgot to lock your door and refuse to pay up.

    --
    I'll probably be modded down for this...
  8. Re:Locks that resist bumping by Big+Bob+the+Finder · · Score: 5, Informative
    As a locksmith (trained- not currently practicing), I gotta comment on locks that will resist this type of attack. The Corbin Emhart (System 70) really was very good, but not good enough to keep up with things; like other clever, creative systems, it went away because not enough people used it.

    A number of systems will resist this type of attack. Probably the best is the Abloy, which I understand was bought out along with ASSA by Medeco. Alboy relies upon a sidebar; the discs need to be aligned, a sidebar drops into place, and the lock opens. I also understand there is a way to bypass this system, although the tools are pricey, resticted, and since Abloy locks are relatively rare in the United States, they remain relatively secure.

    ASSA also relies upon a sidebar, with the code being cut into the side of the blank. The blanks are heavily restricted, and locksmiths have to account for all of them- even ones that are mis-cut. Of course, a sidebar can be regional, which is its biggest flaw; apparently they are more popular in Europe. If a local locksmith uses a given key profile, then it is simple enough to turn a given cut key into a "bump" key.

    It would seem- although I have not tested it- that Medeco locks are immune; they require that the pins be brought to the correct height and that they be rotated (left, center, right- only three possible combinations) before the lock will open. Last I checked, it was still much easier to grind a Medeco out of existance than it was to pick it; they *can* be picked, but it takes many hours. I never liked Medeco, but since Abloy and other types of locks that offer higher security than hardware-store junk were either insanely expensive or no longer available, as their keys tend to be brittle and break right at the bow. But that's what I installed on the house; each door cost me $160 for a single-cylinder lock, but at least I know the lock is secure. Entry would have to be made in some other way than bumping or picking; further, high end locks also offer crush-resistant collars (to avoid "pipe wrench" attacks), better bolts (to prevent icepick and cutting attacks), and so forth. They just *weigh* more- it's not pot metal and good intentions in every box, unlike some makes.

    True story: in the early 1990's, some genius figured out that every high-security door lock on the market could be attacked in seconds- sometimes faster than using the key- with an ice pick or a bit of wire or welding rod. Pierce the door in the right way that the tool can be used to push back part of the bolt, and you're in. Ice pick attacks were popularized, but the wave of thefts never manifested. Newer generations of bolts were issued that prevent this type of attack.

    "Bumping" presents a somewhat higher threat level given that it works on more commonly available locks, which are used on probably 95-99% of homes in the United States. Given that a "Kwikset" can be bypassed with a sheet metal screw, a screwdriver, and a pair of "Vice Grips," it's a wonder more homes don't succumb to this sort of stuff every day. Fortunately (?), thieves rarely look at a home the same way we do; a good burglar or a drug addict desperate for a $20 fix will use whatever tools and techniques are handy, at great expense to society. Given that these individuals might be able to sell their gains for perhaps 10% of their value, the amount that either has to steal and re-sell to get by is quite remarkable. They don't pick locks, and they probably won't use "bump" keys.

  9. Evidence of forced entry not needed by freeweed · · Score: 5, Informative

    Insurance companies (at least on the west side of the pond) haven't required proof of forced entry in decades. Burglary coverage was changed to theft eons ago.

    Plus, any half-decent residential insurance policy will insure you for straight loss of contents, anyway. No need to even file a police report.

    Anyone who's had a claim denied because they forgot to lock their doors really needs to shop around for better coverage, and possibly talk with a lawyer.

    Note: this doesn't apply to commercial entities. If you're running a business and all you've got is an easily defeated lock to protect your interests, well...

    --
    Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
  10. Re:I think concern stems from auto policies by freeweed · · Score: 5, Informative

    Oh, absolutely. Auto insurance is a whole different ballgame - however the discussion seemed to revolve around breaking into your average house lock. Anti-theft systems on your average car are more than good enough to stop "bumping" these days, but I guess if you still have your 1984 K car and are worried your insurance company might not reimburse you the $500 you're out... :)

    Mostly I respond to posts like the GGP because it's a common insurance myth, based on what our grandparents faced. It's much like the ever-popular "Acts of God aren't covered!!!" Yes, 100 years ago proof of forced entry was required, and "Acts of God" was a legitimate exclusion clause. However, these days neither is really true. Hail, lightning, windstorm - these are all "Acts of God" that have been covered for decades. Catastrophic natural disasters aren't.

    I used to be an insurance geek. So, much like 5,000 Slashdotters scream when CNN gets a tiny detail wrong about technology, I try to correct these decades-old insurance myths whenever I can. Especially when people start advocating insurance fraud :)

    --
    Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
  11. Re:Why on earth is she there? by pHDNgell · · Score: 5, Informative
    An 11 year old, with no prior experience in locks and clearly little interest in it not only attends the Defcon Hacker Convention, but takes the time to furnish us with a demonstration.


    She actually had quite a bit of interest in locks. I taught her how to pick locks the day before. Matt Fiddler taught her how to bump them the day that video was taken, and Mark Weber Tobias thought it was really cool to see. She enjoyed picking way more than bumping (it's more of an intellectual challenge).

    Now, she didn't seem to be that interested in the interviews (yes, there was more than one)... She wanted to get back to the locks.

    The event took place from Friday 4th to Sunday 6th. Does she honestly have nowhere better to be?


    What do you believe is a better place my daughter could've been that weekend? The mall?

    She wasn't too happy when we mentioned getting someone to watch her for Defcon 15, so I think we all had quite a good time there.
    --
    -- The world is watching America, and America is watching TV.