Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×

11-year-old Proves Locks Not So Secure 454

An anonymous reader writes "A new security column at Engadget details the new 'old' threat of bumping locks. The article goes on to describe and demonstrate an 11-year-old girl bypassing a standard 5-pin lock at a recent DefCon Hacker Convention. The girl had no prior experience and didn't even understand the theory she was applying. Scary!"
This discussion has been archived. No new comments can be posted.

11-year-old Proves Locks Not So Secure

Comments Filter:
  • by ackthpt ( 218170 ) * on Thursday August 24, 2006 @05:49PM (#15974199) Homepage Journal

    . The girl had no prior experience and didn't even understand the theory she was applying.

    Sign her up as a /. editor, quick!

  • Great... (Score:5, Funny)

    by dan828 ( 753380 ) on Thursday August 24, 2006 @05:51PM (#15974206)
    So now we have to worry about the lockpicker's equivalent of a script kiddy.
    • Re:Great... (Score:5, Informative)

      by Anonymous Coward on Thursday August 24, 2006 @05:56PM (#15974249)
      why do we have to worry now?? this has been known for ages..it just took a dumbass to stumble across it(and think its something new) and alert the media, which in turn got videos of it on the net, and now everyone and thier sister wants to try it.
      • Re: (Score:3, Interesting)

        by EvanED ( 569694 )
        Um, which is [one reason] why we have to worry more. More people know about it. (Though I don't really know how widespread the knowledge is. For all I know it could be confined to geeks still.) When I saw a video about it some time ago I thought that if it is anywhere as close to as easy as they make it out to be, I can't imagine why intruders bother to break windows, locks, etc. to get inside places, other than that they don't know this technique. And yet the above happens. My conclusion then is that the s
        • Re:Great... (Score:5, Interesting)

          by badasscat ( 563442 ) <basscadet75NO@SPAMyahoo.com> on Thursday August 24, 2006 @08:19PM (#15974942)
          Um, which is [one reason] why we have to worry more. More people know about it.

          Oh please. Has anybody ever put complete blind faith in the fact that they have locks on their doors as a guarantee that robbers can never get in to their house?

          There is a lot of fear-mongering going on right now about this technique (and this is the second article posted on Slashdot about it in the past couple weeks). But all of this misses the fundamental point: locks have never been enough to keep thieves out.

          What is generally enough to keep thieves out is a) basic human morality, and b) the law. Otherwise we'd all be getting robbed every single night - after all, most of us live within earshot of hundreds of other human beings.

          Now, if this technique has suddenly caused you to lose faith in both of those things, then I don't know what to tell you - most people don't rest their entire faith in humanity on the sanctity of a door lock. And if you didn't have faith in those things before, then why did you think a lock was going to protect you in the first place? I would think a loaded shotgun under your pillow would be more your style.

          The bottom line is this. If you've been robbed before, your locks didn't do you a hell of a lot of good even before this. And if you haven't been robbed before, there's no more chance that you will now. Because the reason you haven't been robbed isn't because thieves didn't think they could get past your door lock - there are a myriad of ways to get into a house for someone that wants to. The reason you haven't been robbed is because the law forbids it and basic human decency says people shouldn't do it.

          Yes, there are thieves out there, and I'm not saying you shouldn't bother to have locks - if for no other reason than to keep snooping mailmen or nosy neighbors out. But knowing how to bump and actually breaking into a house are two totally different things. And unlike "script kiddies", breaking and entering is a crime that's taken very seriously - it is usually a felony - and the physical evidence is usually easy enough to trace, especially for an inexperienced thief.
          • by MarkByers ( 770551 ) on Thursday August 24, 2006 @08:33PM (#15974999) Homepage Journal
            The thing that is most scary about this attack is that it leaves no trace of the crime, unlike a broken window. This means that some unfortunate people won't be able to convince their insurance company to pay up because there is no evidence of forced entry. The insurance company will try to claim that you forgot to lock your door and refuse to pay up.
            • by freeweed ( 309734 ) on Thursday August 24, 2006 @11:43PM (#15975862)
              Insurance companies (at least on the west side of the pond) haven't required proof of forced entry in decades. Burglary coverage was changed to theft eons ago.

              Plus, any half-decent residential insurance policy will insure you for straight loss of contents, anyway. No need to even file a police report.

              Anyone who's had a claim denied because they forgot to lock their doors really needs to shop around for better coverage, and possibly talk with a lawyer.

              Note: this doesn't apply to commercial entities. If you're running a business and all you've got is an easily defeated lock to protect your interests, well...
          • Re:Great... (Score:5, Insightful)

            by StaticEngine ( 135635 ) on Thursday August 24, 2006 @08:58PM (#15975114) Homepage
            Mod Parent Up.

            I just bought a house a few months ago, and as one does when one buys a house, the first thing I did was to change all the locks, and throw some padlocks on the gates to the back yard. Then I had a security monitoring system installed (Brinks, recommended for their professionalism), and finally, the wife and I bought a small fireproof safe to store some documents and valuables in.

            This whole process sparked off a discussion about security with a coworker who lives in a house valued at approximately four times my own, his house also being located in a gated community. The gist of the discussion was that there's no way to make your house totally secure, all you can do is add enough deterrants to make it less desirable for the common theif to break into your home. If someone really wanted to get into my place, they could, and if they knew exactly where to go and what to grab, they could really screw me and probably get away before the police were notified and showed up.

            However, each layer of security, the locks, the security system, and the safe, adds a deterrant. There's the time that has to be invested getting in, the fear of someone hearing the alarm going off and the ticking clock of the authorities being notified and dispatched, not to mention the hassle of locating and gaining access to the inside of the safe. Only someone who invested some serious research time and effort could gain access to my valuables and get away with it. And for what? My passport, some petty cash, and copies of my legal documents?

            The level of security has to match the value of what the security is trying to protect, and the common door lock is probably plenty of security for 90% of the people who have one. Only the truly paranoid, or those with something really valuable (or irreplacable), need more, and even in that case, not that much more.

            In the end, my wife and I joke every time we set our alarm and lock our door that we hope no one steals our Fabrige Egg or Hope Diamond.
            • Re:Great... (Score:5, Informative)

              by Anonymous Coward on Thursday August 24, 2006 @11:34PM (#15975825)
              Locks? Locks mean nothing even if they can't be bumped or picked (although so many can, this is trivial).

              If the door is locked, you make a hole in the cheap-ass low bidder drywall and either reach in and open the door from the other side or hell, just rip a big hole in the wall and walk right in. The door and all it's locks and alarms is happy to stand there doing nothing. Even if the alarm does go off, you usually have several minutes to do your work.

              Fences? Hop over. Chainlink fences can be unbolted and taken apart, or cut. The best actors can cut the fence and put it back so it appears to be whole. Most junkies don't care. They steal a car and ram down the fence or the gate, or the house garage door.

              Gated community? Not hard to get in, and generally a good hit because everyone inside thinks they're safe so they don't even bother with stuff everyone else would do to protect themselves.

              Car club devices? Easy to defeat with the bump or several other extremely simple methods. Clubs are absolutely useless.

              Car alarms? Most of them look for door openings as the trigger. Very few have motion detection. So you bust the window and crawl in like the Duke boys. No alarm.

              Put valuables in the trunk/boot? Most trunks are not even part of the alarm. Not sure? Cut the horn wires, usually easy to reach under the radiator. Cut the battery cables for those cars where the battery is in the fender well. Tow the whole thing if it's a valuable car. Pop into a shipping container and off to China before anyone knows it's even been taken.

              Junkies just want the radio to fence or the checkbook you left in the door pocket. Even they know how to avoid setting off the alarm. BTW, this is why most car break-ins are broken windows. It doesn't set off the alarm unless you open the door. This goes right back to the problem with house burglar alarms and the drywall. You just go around the protected area, i.e. the doors.

              But hey, if it makes you feel better, put more and more and more locks on that door. It just makes the drywall look like an even better target.:)

              BTW, on that safe? I bet the walls are thin. If not that, then there is some sort of physical weakness and a pro would have it open faster than the police would show up, but as you did note, the grab and run burglars wouldn't bother. But remember this: if someone wanted into that safe, BY FAR the easy way is to make you or your wife open it. YOU are your own weakness.
              • Re: (Score:3, Insightful)

                you're not arguing with the GP man. He's saying that each layer of security helps as a deterrant and you're just being an argumentative bitch. He's saying how nothing will make him un-robbable, but if you have enough of these security features the "junkie" that's after your radio will look at his house with the extra things to overcome, then he'll look at the next house over, which simply has locks on the door. The risk of getting caught breaking into the house with a lock is definitely far less than the on
            • Re:Great... (Score:5, Interesting)

              by dcturner ( 455180 ) on Friday August 25, 2006 @01:21AM (#15976158)

              However, each layer of security, the locks, the security system, and the safe, adds a deterrant.

              I have a friend whose parents' house has every security system I can think of. Big spiky locked gates, CCTV, the works. They get burgled more frequently than any other house on their street: it looks a lot like they have things worth protecting, and things worth protecting are worth stealing. Security != deterrant always.

            • Re: (Score:3, Insightful)

              by Aceticon ( 140883 )
              I live in Holland and around here bikes are all over the place and it's very common for bycicles to be stollen.

              Thus everybody locks their bikes when leaving them outside (for example at the train station). Still, locked bikes also get stollen.

              If you leave your bike out around here, the easiest way to NOT have your bikes stollen is ..... 2 locks.

              Simply put, a bike with 2 locks is not worth the trouble for a thief if right next to it there's a bike with 1 lock (keep in mind the this is happening in an open pa
        • Re:Great... (Score:4, Insightful)

          by Canadian_Daemon ( 642176 ) on Thursday August 24, 2006 @08:44PM (#15975046)
          I think most people are over reacting. Locks are not in place to keep out someone who wants to come in, as previously mentioned, a lockcutter or hammer will always work. Rather, these locks are meant to keep the majority of people out, people who, upon finding a locked door, will go away.
          • Re: (Score:3, Informative)

            by fbjon ( 692006 )
            It seems that pin tumbler locks are common in the US. This I don't get. I picked a similar lock on a cabinet with a paper clip just recently, with only a quick googling for reference and no experience. What is the point of having a lock like that?

            Recommendations: Abloy classic [abloy.ua] or Abloy Exec [padlockpeople.com]. Notice that both of these have discs, that need to be rotated to the proper position by tilted slots in the key, before the key can be fully turned. No springs to fool around with that wear out. Here's a detailed lockpi

            • Re:Great... (Score:4, Interesting)

              by Keruo ( 771880 ) * on Friday August 25, 2006 @04:00AM (#15976534)
              Don't use abloy classic. There's tool called "wiggler"(rough translation) which can be used to pick abloy classic locks and it doesn't leave traces either. I'm not completely sure on the principle of how the device works, but I'm assuming it has somekind of slot decoder which allows reading the key sequence in the rotary discs, and then copying new key with matching rotary set. The device won't work against modern abloy locks like exec and protec.
        • Re:Great... (Score:5, Informative)

          by Bishop ( 4500 ) on Thursday August 24, 2006 @09:24PM (#15975229)
          your basic break and enter guys don't use these tools because rocks through windows are just as convinient. Being caught in possesion of these tools would arouse suspicion. Better to be caught with nothing.
      • a) There aren't as many bad guys as [the media tells] you think.

        b) You can greatly mitigate the possibility of running into bad guys by going somewhere where they are not (if you can afford it).

        c) Put better locks on your door.

        d) Arm yourself in a appropriate fashion (if your municipality still allows this reasonable option.)

        BTW. "bumping" a lock is nothing, compared to what a sledge hammer can do.

      • by Moraelin ( 679338 ) on Friday August 25, 2006 @02:01AM (#15976267) Journal
        Well, it's sorta like this:

        Short story: this is what you get when ivory-tower nerds get a glimpse of what everyone else knew all along.

        Long story: As you said, yes, IRL everyone knew that locks aren't "secure", and won't keep a determined thief out. Locks aren't even a deterrent. They're a bit of a delay and mostly a "if we catch you past this point, we'll throw your sorry arse in jail" marker. The deterrent is the law. If you went through all the trouble of climbing over the fence (or lockpicking the gate) and lockpicking the door too, we have all the proof we need of intent, and we'll throw your arse in jail.

        IRL it's not even possible to make something 100% burglar-proof. Even if you had a 100% burglar-proof lock, someone could break a window instead, or hack down the door, or whatever.

        IRL that's our security concept, and it worked for maybe 10,000 years. People don't even expect anything to be more secure, computers included. See all the SF settings where people find it natural that a computer from 10,000 years in the future can be hacked by just shooting the keyboard, or that a high-tech computer-controlled door can be defeated with two wires and a PDA. Or by just shooting the control pannel, Star Wars style.

        Now enter the ivory tower of OCPD computer nerds, and trying to apply boolean rules to a RL that's made of continuums, and to problems that are more of a min-max problem than if-then-else binary constructs. In their world, either you're 100% secure or you're 100% unprotected and not even trying. Either something is 100% lock, deterrent, judge and jurry rolled into one, or it's crap. And, oh, unless you 100% secured your property or computer or you're an idiot. You see the kind on /. every day.

        So now one of those basically just discovered, "whaaaat? you mean RL locks have exploits and can be hacked?? and people just put up with that and didn't patch them yet???" It runs contrary to their whole (utopic) mental model. So of course they'll make a big fuss out of it, and think they've discovered some secret that noone else knew.
    • Re:Great... (Score:5, Funny)

      by novus ordo ( 843883 ) on Thursday August 24, 2006 @06:06PM (#15974302) Journal
      Professionals use their foot.
    • Re:Great... (Score:5, Informative)

      by whitehatnetizen ( 997645 ) on Thursday August 24, 2006 @06:10PM (#15974336)
      this is not funny, this attack has been arround for a very long time. during my time as a moderator of lockpicking101.com (and of course a lockpicking hobyist myself) we had our work cut out attempting to knock some sense into kids that came on the site asking for bump keys and "guides" on how to bump locks. It's become more prevelant over the net recently due to articles from TOOOL containing demonstrations from barry of some very "high security" locks being bumped and also a notification at http://www.security.org/ [security.org] (still there). but the technique itself has been arround for ages. we can only hope that someone makes a better lock (*cough* www.abloy.com *cough*)
      • Re:Great... (Score:4, Interesting)

        by NIK282000 ( 737852 ) on Thursday August 24, 2006 @06:31PM (#15974445) Homepage Journal
        Bumping seems like it could escalate if left unchecked any longer. Most locks will open to it and the only way to protect against it is to get rid of your old locks and replace them with a new one that is bump proof. When I first saw bumping (about a month ago) I wanted to try it. I picked up a 7pin lock and a triangular file. I filed the spare key into the sape of a bump key ( I pretty much eyeballed it ) and on the second wack of a screw driver handle the lock opened. Yet again the internet changes a mild nuisance into a campagn of fear.
      • Re: (Score:3, Informative)

        by interiot ( 50685 )
        For what it's worth, there's some Abloy information [toool.nl] at tool.nl for the curious.
      • Re: (Score:3, Informative)

        by myom ( 642275 )
        Yep, ABLOY (pr ASSA-ABLOY as they are called now) locks are near impossible to pick, even though they are normal domestic locks quite usual in this area (Nordic countries).

        We lost a keychain and had a professional pick all the doors, even doors costing a fortune with some really odd-looking keys. But when the locksmith saw the Abloy locks, he laughed, gave us a long stick, and told us to use it to get in. Stood there dumbfounded until he pointed at the window :D

        When we got in after breaking the window, I ju
    • by bunions ( 970377 )
      I'm not sure why the fact that she didn't understand the 'theory' of what she was doing is somehow so astounding and/or cause for mockery. Everyone here uses technology they don't understand every day.
    • Re: (Score:3, Interesting)

      by identity0 ( 77976 )
      That reminds me of the time when I was her age, when my babysitter locked herself out of her car and I was able to open the trunk just by jiggling my fingernail in the lock. I'm trying to remember what kind of car it was, some kind of Japanese hatchback in the 80's...

      Cheap house interior locks could also be picked by me in that manner. I don't think they're meant to keep out more than a curious ten-year old, but they didn't do that, even :)
      • Re:Great... (Score:4, Informative)

        by Scoth ( 879800 ) on Thursday August 24, 2006 @07:30PM (#15974757)
        Most interior "locks" I've seen are of the push and twist variety. They don't take anything more than a paperclip or other similar thing to open. I'd say they're expressly designed to keep kids out of places they shouldn't be and prevent accidents, and not at all about security.

        The ones in the house I grew up in even had the endcap easily popped off, allowing direct access to the plunger.

        The trunk one is a bit more surprising since that should be a proper key, but I've often wondered just how effective car locks are. I remember I discovered my old '83 Firebird's door key would start a friend's GM truck (remember GM cars at the time had two keys, door and ignition). She got a kick out of it but it made me wonder.
  • pen lock picking (Score:5, Interesting)

    by legoburner ( 702695 ) on Thursday August 24, 2006 @05:53PM (#15974220) Homepage Journal
    Dont forget you can do the same with bike locks and a pen [wired.com]. It seems people find more obvious ways to break things every day.
    • Did you read the article? It compromises a whole class of extremely commonly used locks - ones that are used for your home, US mailboxes, etc etc.

      I have no idea how alarmist the article is - but if its true, it's disturbing.
      • Re: (Score:2, Insightful)

        by Moofie ( 22272 )
        Why? Why is it disturbing? The state of the universe did not change because an eleven year old girl opened a lock. As a matter of fact, I'd wager that locks are pretty much just as secure as they were before a girl opened a lock (which is to say, not terribly secure, but worth having anyhow).

        What changed?
      • by BLKMGK ( 34057 )
        Yeah, those locks can be defeated that way. Did it with a "floppy lock" while doing a penetration test - they thought they would be cute by using a floppy lock and a padlock on the back of the case. We returned it software broken and floppy lock locked to the back of the case thanks to a Bic Pen top and a paperclip :)

        As it happens - I found one of the OLD Kryptonite locks in my garage this past weekend. Need to test it out!

        P.S. At DEFCON they also had a professional device for unlocking barrel locks for $15
  • memories (Score:5, Funny)

    by Anonymous Coward on Thursday August 24, 2006 @05:54PM (#15974235)
    The girl had no prior experience and didn't even understand the theory she was applying.

    Reminds me of high school.
  • deadlocks (Score:2, Informative)

    by yakumo.unr ( 833476 )
    I believe most British insurers have insisted on deadlocks on doors for house insurance for many years because of lock bumping, they're also often easily bypassed with credit cards anyway.

    It's certainly very uncommon for doors to be left with just that kind of lock in this country.
    • by ejdmoo ( 193585 )
      Somebody care to explain why this doesn't apply to deadbolts?
  • by JesseL ( 107722 ) on Thursday August 24, 2006 @05:56PM (#15974254) Homepage Journal
    Locks are to honest people honest, and keep insurance companies satisfied.
    The finest safes are only rated by how many minutes it will take a determined theif out.
    • Re: (Score:3, Insightful)

      by UbuntuDupe ( 970646 )
      Well, kind of. If you ask an economist (for whatever reason), he would tell you that the purpose of a lock is not to "keep people out" but to make the thief's best option, in his opinion, to be robbing something else.
    • by Odin_Tiger ( 585113 ) on Thursday August 24, 2006 @06:46PM (#15974531) Journal
      and keep insurance companies satisfied

      Actually, I watched a documentary about lock bumping a couple weeks ago. Lock bumping leaves -zero- sign of forced / illegal entry, and can be done very quickly and discreetly. In other words, it's very, -very- difficult to tell the difference in a lock-bumping incident and a stupid-employee / resident-leaving-the-place-unlocked incident and an outright insurance fraud incident...and just guess which of those three things your friendly insurance company will happily classify your claim under before rejecting it?
  • by onion2k ( 203094 ) on Thursday August 24, 2006 @05:58PM (#15974264) Homepage
    The Kwikset that she opened is sold in every hardware and DIY store in the country, and is believed to be secure by the public.

    As with any security measure, be it a physical lock, a cipher, encryption, anything, it only works if you know how to use it properly. A cheap cylinder lock is secure enough to deter a passing opportunist (eg, not someone who carries a bump) and should be used as such. To secure your house or office you shouldn't look at anything less than a Mortis or a deadlock, and you should have at least two on each entry point. Windows should lock from the inside, again with deadlocks.

    A cylinder lock is the equivalent of using ROT13 to secure a password file. It'll stop someone who's not trying to get in, but that's about it.
    • Re: (Score:2, Funny)

      by snowgirl ( 978879 )
      Windows should lock from the inside, again with deadlocks.

      Maybe this would help keep the spyware off my computer...
    • ROT13 (Score:2, Funny)

      by SirSlud ( 67381 )
      I used to use ROT13 to protect my files until I found out how unsecure it is. Now I ROT13 twice, just to make sure.
      • Re: (Score:3, Funny)

        by Reverend528 ( 585549 )
        Now I ROT13 twice, just to make sure.

        You know, you can save yourself a bunch of CPU cycles by just using ROT26 instead.

    • by StikyPad ( 445176 ) on Thursday August 24, 2006 @08:35PM (#15975007) Homepage
      A cheap cylinder lock is secure enough to deter a passing opportunist (eg, not someone who carries a bump) and should be used as such.

      Actually it seems to work against just about anything with split pins, regardless of its price. That's a helluva lot of locks.

      To secure your house or office you shouldn't look at anything less than a Mortis or a deadlock, and you should have at least two on each entry point. Windows should lock from the inside, again with deadlocks.

      I was intrigued by your statement, so I did some quick research. What I discovered is as follows:

      Deadbolt locks* are cylinder locks; they just have the weight of a bolt holding the pins down instead of just springs. There's no reason why bump attacks shouldn't still be successful against this type of lock since the principle of bumping is somewhat different than pin scraping.

      Mortise locks are just locks which are inserted into a hollowed out portion of the door -- it has nothing to do with the mechanism inside, and from what I was able to find out, most modern mortise locks contain cylinders.

      * Which is what I assume you meant, since the only definition of a deadlock I can find is a situation wherein two or more competing actions are waiting for the other to finish, and thus neither ever does. I have no idea how you propose putting a deadbolt on a window, but maybe you meant something else.

      References:

      http://images.google.com/images?q=mortise%20locks [google.com]
      http://www.rcmp-grc.gc.ca/tsb/pubs/phys_sec/g1-017 _e.pdf [rcmp-grc.gc.ca]
      http://en.wikipedia.org/wiki/Deadbolt [wikipedia.org]
  • by w33t ( 978574 ) on Thursday August 24, 2006 @05:58PM (#15974266) Homepage
    The concept of security is as much about perception as effectiveness.

    This article's enlightening example just drives deeper a little concept I recently heard called security theater, [wikipedia.org]

    Human psychology is certainly interesting - because on one hand we have people scared of box cutters, but on the other hand we drive 70mph mere feet away from each other every day.

    Maybe it could be argued that security is primarily about perception.
    • by QuantumG ( 50515 )
      definitely. I couldn't agree more.
    • by Jeff DeMaagd ( 2015 ) on Thursday August 24, 2006 @06:39PM (#15974485) Homepage Journal
      That's true. The deaths on 9/11 are about the same as one month's worth of traffic fatalities in the US. In the last five years, in the US, you were 60 times more likely to die in an auto accident than in an act of terrorism.
    • Re: (Score:3, Insightful)

      The locks on most house doors are utterly pointless, no matter how sophisticated: Most thieves simply kick the door hard enough to splinter the frame around the bolt. I learned this from two detectives in two cities, having been burglarized twice.

      The typical burglar's biggest needs are to avoid detection and to take things that are easily converted to cash. Method: Shake hands with the house's doorknobs, try the ground floor windows, and if nothing is unlocked, kick in a door not visible from the stre

  • Note that wmv9 now plays with ffmpeg/mplayer in FC5+livna.
    So you can watch this video...
  • by Starteck81 ( 917280 ) on Thursday August 24, 2006 @06:02PM (#15974289)
    I use to pick the lock to the computer room at home with duck tape and a paper clip, AND I LIKED IT?

    P.S. I also use to walk up hill both ways in the snow to school.
  • So... (Score:5, Funny)

    by Cheapy ( 809643 ) on Thursday August 24, 2006 @06:06PM (#15974306)
    Does that make her a door kiddy?
  • I've done this simply by wiggling a key that fits the keyway. You don't need that much force. You don't need a "tomahawk" you need to vibrate the key.

    I amazed my upstairs neighbor when I managed to open his door when he was locked out, with the wrong key.

    I didn't know the technique had a name.

    There are locks that will resist this, like the Medaco locks that require the pins to rotate to open. I don't think bumping alone will get those lined up.

  • Video of Key Bumping (Score:5, Informative)

    by GnomeCarousel ( 981149 ) on Thursday August 24, 2006 @06:10PM (#15974334)
    Here is a video of Key Bumping: http://www.youtube.com/watch?v=7Uv45y6vkcQ&search= bump%20key [youtube.com]
    Quite fascinating how easy it is, and in the end of the video they even show a 17-pin lock being bumped!

    If you are interested in the guys in the video, here is their URL http://www.toool.nl/index-eng.php [toool.nl]

  • by cashman73 ( 855518 ) on Thursday August 24, 2006 @06:11PM (#15974341) Journal
    Adam & Jamie on the Discovery Channel's MythBusters [discovery.com] just had a show last night where they showed all sorts of ways to defeat some of the newer, high tech devices. Fingerprint scanners were pretty much busted, including one really high tech fingerprint scanner that the company said had never been broken into, EVER,. . . which Adam & Jamie broke into within about 10 minutes using three different techniques! They also found ways around heat sensors (a piece of glass), sonic motion detectors (a bedsheet, or walking really slowly), and breaking into a safe with an underwater explosion,... Quite an interesting episode,...
  • by queenb**ch ( 446380 ) on Thursday August 24, 2006 @06:14PM (#15974358) Homepage Journal
    Yikes! The poor girl...she might get the wrong impression that this how she should make a living.

    Age 11 - 5 pin lock with wrong key
    Age 14 - 7 pin lock with picks
    Age 18 - Safes
    Age 21 - Bank Vaults

    So many banks...so little time

    2 cents,

    QueenB
  • by IKEA-Boy ( 223916 ) on Thursday August 24, 2006 @06:15PM (#15974365) Homepage
    I've been reading about this a bit lately and found an interesting paper on bumping locks at http://www.toool.nl/bumping.pdf [toool.nl]

    They also have a section on locks that resist bumping:

    There are mechanisms that do not allow for the two pins to separate except when slid sideways, such as used in the Emhart interlocking lock (which is not being produced anymore). As far as we can see, such a mechanism would successfully foil the bumping attack. Also some mechanisms which have a one-piece locking mechanism (such as a 'sidebar') may resist bumping. Locks that involve rotating discs (such as Abloy Protec) or magnets (such as Evva MCS and Anker) are also not susceptible to this attack. Klaus Noch sells modified standard Euro profile locks which lock up (i.e. 'broken but closed') upon most attempted manipulations, including bumping.


    I found the Abloy Protec lock (with rotating discs) especially interesting and I'm going to get this for my own front door when I get the chance. On the same website they have an paper on the Abloy Protec as well: http://www.toool.nl/abloypart3.pdf [toool.nl]
    • by Big Bob the Finder ( 714285 ) on Thursday August 24, 2006 @10:28PM (#15975503) Homepage Journal
      As a locksmith (trained- not currently practicing), I gotta comment on locks that will resist this type of attack. The Corbin Emhart (System 70) really was very good, but not good enough to keep up with things; like other clever, creative systems, it went away because not enough people used it.

      A number of systems will resist this type of attack. Probably the best is the Abloy, which I understand was bought out along with ASSA by Medeco. Alboy relies upon a sidebar; the discs need to be aligned, a sidebar drops into place, and the lock opens. I also understand there is a way to bypass this system, although the tools are pricey, resticted, and since Abloy locks are relatively rare in the United States, they remain relatively secure.

      ASSA also relies upon a sidebar, with the code being cut into the side of the blank. The blanks are heavily restricted, and locksmiths have to account for all of them- even ones that are mis-cut. Of course, a sidebar can be regional, which is its biggest flaw; apparently they are more popular in Europe. If a local locksmith uses a given key profile, then it is simple enough to turn a given cut key into a "bump" key.

      It would seem- although I have not tested it- that Medeco locks are immune; they require that the pins be brought to the correct height and that they be rotated (left, center, right- only three possible combinations) before the lock will open. Last I checked, it was still much easier to grind a Medeco out of existance than it was to pick it; they *can* be picked, but it takes many hours. I never liked Medeco, but since Abloy and other types of locks that offer higher security than hardware-store junk were either insanely expensive or no longer available, as their keys tend to be brittle and break right at the bow. But that's what I installed on the house; each door cost me $160 for a single-cylinder lock, but at least I know the lock is secure. Entry would have to be made in some other way than bumping or picking; further, high end locks also offer crush-resistant collars (to avoid "pipe wrench" attacks), better bolts (to prevent icepick and cutting attacks), and so forth. They just *weigh* more- it's not pot metal and good intentions in every box, unlike some makes.

      True story: in the early 1990's, some genius figured out that every high-security door lock on the market could be attacked in seconds- sometimes faster than using the key- with an ice pick or a bit of wire or welding rod. Pierce the door in the right way that the tool can be used to push back part of the bolt, and you're in. Ice pick attacks were popularized, but the wave of thefts never manifested. Newer generations of bolts were issued that prevent this type of attack.

      "Bumping" presents a somewhat higher threat level given that it works on more commonly available locks, which are used on probably 95-99% of homes in the United States. Given that a "Kwikset" can be bypassed with a sheet metal screw, a screwdriver, and a pair of "Vice Grips," it's a wonder more homes don't succumb to this sort of stuff every day. Fortunately (?), thieves rarely look at a home the same way we do; a good burglar or a drug addict desperate for a $20 fix will use whatever tools and techniques are handy, at great expense to society. Given that these individuals might be able to sell their gains for perhaps 10% of their value, the amount that either has to steal and re-sell to get by is quite remarkable. They don't pick locks, and they probably won't use "bump" keys.

  • by NoseBag ( 243097 ) on Thursday August 24, 2006 @06:16PM (#15974372)
    ...than picking 'em.

    Years ago I was at a tech flea market and - on a childish whim - bought a fairly nice set of lock picks (which are legal to sell in that state, unlike some). FYI - I am of the "Man from UNCLE", "T.H.E CAT", "The Prisoner", and "007" generation so I always wanted to be able to pick locks like the spies.

    I even bought a lockpicking book ("Lock-picking Made Easy" by Lenny the Wire) I always liked that name.

    I soon found out how incredibly easy it is! After picking my first lock (a random key lock I had laying around) I went to Home Depot and bought about a dozen key locks of various mfgrs and proceeded to pick 'em! I then did all the locks on all the doors on my house. Then I worked on my suitcases. I even did the lock on the li'l box I stored my 5 1/2 PC diskettes in. Then I did both cars.

    What I learned was:

    "No key lock is really secure. None are pick-proof."
    "Most are ridiculously easy to pick. Even those circular-key vending machine ones."
    "The bigger they are, the easier they are to open."
    "Car locks are a lot harder."

    The "skill" I developed has come in handy once or twice, but that's not the real virtue of it. It teaches you that locks are jokes. They keep out the already-honest, and the occasional lazy thief.
    • by Sycraft-fu ( 314770 ) on Thursday August 24, 2006 @07:01PM (#15974620)
      While your statement of "no lock is pickproof" is true, the rest really isn't. If you want a big lock that you probably won't be able to do anything to, try a Medeco. Your lockpicking knowledge is essentially worthless against it. Blank tricks don't work, since you can't get blanks unless you manage to compromise a dealer. Likewise normal pick tricks don't work because the pins aren't the right shape, they rely on being rotated as well as lifted to function.

      That does not mean, of course, you can't pick one, but it's much harder, and requires a lot more training. They aren't a perfect system, but they sure aren't a joke. Also, despite being quite large, they are quite secure.

      There's other brands of high security locks too, and they are similarly hard to deal with. It's just not more common because the construction needed for them is quite a bit more. A Medeco Maxium will run you like $200.
      • Re: (Score:3, Informative)

        by jackbird ( 721605 )
        In the youtube video posted earlier, they bump what appears to be a Medeco or German equivalent on the first hit. You might not be able to get blanks, but you can certainly buy locksets without compromising a dealer, and dremel them into bump keys at leisure.
        • Ahh but (Score:3, Interesting)

          by Sycraft-fu ( 314770 )
          Medeco uses special keys, and isn't available from just anywhere. So you've got to get a lock from the same dealer as your target, or at least a dealer that gets a key with the same sidebar code. They aren't consistent. For example we use Medeco locks at work (we are actually licensed by Medeco and have our own lock shop for campus) and I also have one at home that I bought form a local dealer. The keys, though the same shape, size and appearance, are not at all interchangeable. They won't even go in the lo
      • by FatSean ( 18753 ) on Thursday August 24, 2006 @09:28PM (#15975243) Homepage Journal
        In the 80's I read a BBS text file that described how to pick locks.
        Made a set myself out of small allen keys.

        They described the 'rake' technique where you put tension on the cylinder and just
        zip a zig-zagged piece of metal against the pin.

        With a little practice I opened many locks...didn't even have to bother going
        pin by pin. As soon as you got one pin above that line, the upper pin
        kinda 'snapped' over and stayed up.

        Worked great on old worn out locks.
  • Zzz ZZzz ZZzz (Score:3, Informative)

    by fostware ( 551290 ) on Thursday August 24, 2006 @06:21PM (#15974400) Homepage
    This isn't news...

    Locksmiths can buy a pick gun from locksmith suppliers. It's looks like a handheld staple gun, and you slot the straight strenghtened steel tip (looks like a small metal cable tie) into the gun.

    It works by bumping the whole steel tip up about a 16th of an inch, at which point you twist the entire gun anti-clockwise to open the lock while all the pins have been knocked just as the article describes.

    This came as part of a back-of-the-magazine locksmith "diploma" :)
    • This technique requires no such special tools and is easily learned by an 11 year old. Hence it is news.
  • by Brother Dysk ( 939885 ) on Thursday August 24, 2006 @06:24PM (#15974413)
    Insurance companies generally only honour your claim if there are signs of breaking and entering... A bumped lock will make it look like you left the door unlocked, and could lead to your insurance company not parting with the pennies... Scary.
  • From the whitepaper:

    A key (either cut or blank) for the proper keyway must be possessed or obtained in order to create a bump key to open a lock. This becomes the most critical issue in success or failure of bumping.

    You would think that a bent piece of music wire would do the trick. All the key provides is a series of ramps and torque. A zigzag can provide both, though a second wire might be better for torque. So much for that obstacle.

    This is an issue for post office boxes, safe deposit boxes and t

    • by taustin ( 171655 )
      Having the correct key makes it easier, because it fits in more snugly. A wire would generally move too much, sideways, up and down, at an angle. Plus, more expensive locks have keyways designed to keep wire from moving in just the right way.

      Not that it can't be done, mind you, but it's easier to learn with the bump key method.
  • no updates (Score:2, Funny)

    by elkosmas ( 976961 )
    The funny thing about doors is that there are no firmware updates on the internet...
  • by zpark ( 992383 )
    Sure it might be easy to bump a lock, but how many 11 year olds can afford a "kinetic energy tool"?
    http://en.wikipedia.org/wiki/Hammer/ [wikipedia.org]
  • by Kope ( 11702 ) on Thursday August 24, 2006 @07:14PM (#15974694)
    The average person locks their front door and goes to bed feeling secure.

    They also probably have several windows, glass patio doors, and the like at easy-access level around their home. Most don't have bars on them.

    Even those that do have bars probably live in framed out housing, where going through a wall is a trivial feat for a determened intruder with a simple sledgehammer.

    But the reality is that locks are deamed necessary because they keep out the casual intruder. The person who will enter only if there is not the most minimal level of effort required to do so.

    Beyond that, they are not a security device. They serve that one, minimal function well, but that's all they do.

    For instances where a lock is actually protecting something of value, it is usually only one aspect of a much more sophisticated security system. In those instances, the lock serves as an authentication device "this person has a key, therefore they are authorized," and could just as easily be replaced by any other type of authentication system. As again, it can't provide protection on it's own.

    That's something that any good locksmith will tell you -- if they can install it, they can bypass it. And so can any other person with access to the right tools and knowledge.

  • by sam991 ( 995040 ) on Thursday August 24, 2006 @08:03PM (#15974877) Homepage
    An 11 year old, with no prior experience in locks and clearly little interest in it not only attends the Defcon Hacker Convention, but takes the time to furnish us with a demonstration. The event took place from Friday 4th to Sunday 6th. Does she honestly have nowhere better to be?

    Won't somebody please think of the children?
    • by pHDNgell ( 410691 ) on Friday August 25, 2006 @12:55AM (#15976099)
      An 11 year old, with no prior experience in locks and clearly little interest in it not only attends the Defcon Hacker Convention, but takes the time to furnish us with a demonstration.


      She actually had quite a bit of interest in locks. I taught her how to pick locks the day before. Matt Fiddler taught her how to bump them the day that video was taken, and Mark Weber Tobias thought it was really cool to see. She enjoyed picking way more than bumping (it's more of an intellectual challenge).

      Now, she didn't seem to be that interested in the interviews (yes, there was more than one)... She wanted to get back to the locks.

      The event took place from Friday 4th to Sunday 6th. Does she honestly have nowhere better to be?


      What do you believe is a better place my daughter could've been that weekend? The mall?

      She wasn't too happy when we mentioned getting someone to watch her for Defcon 15, so I think we all had quite a good time there.
  • by tinrobot ( 314936 ) on Thursday August 24, 2006 @08:28PM (#15974979)
    It didn't work, so I reached through the dog door and opened it from the other side.

    Yeah, we're really secure around here.
  • by C0R1D4N ( 970153 ) on Thursday August 24, 2006 @08:57PM (#15975108)
    Do 11 year old girls frequently wander into Hacker conventions with no prior experience or idea of how to hack and start picking locks?
  • by ScooterBill ( 599835 ) * on Thursday August 24, 2006 @10:13PM (#15975429)
    We have three bigs dogs. Unlike a lock, they won't let anyone in who isn't authorized. Also, most burglars will move on to the next house if they think they'll have to deal with an unfriendly dog. I'm sure there are ways around dogs but it's a good deterent.

God made the integers; all else is the work of Man. -- Kronecker

Working...