Ten Things Everyone Should Know

1
Ten Things Everyone Should Know About Lockpicking
Physical Security
Deviant OllamSecTor 2008/10/08
2

• 1. Locks are not complicated mechanisms
• Simple components
• Simple operation
• Efficient resilient

3
(No Transcript)
4
(No Transcript)
5
(No Transcript)
6
(No Transcript)
7
(No Transcript)
8

• 2. Most locks are wildly easy to pick
• Common faults
• Easily exploited
• Anyone can do it

300
9
(No Transcript)
10
(No Transcript)
11
(No Transcript)
12
Picking
13

• Demonstration
• Everyone Cross Your Fingers
• Think No Demonstration Effect
• The Two Biggest Errors
• Too much wrench pressure
• Lifting pins too far up

14
Raking
15
Its typically as simple as that
Lifting TechniqueRaking TechniqueHybrid
Technique
16

• 3. Unpickable doesnt mean invulnerable
• Combination instead of key
• Pins arranged in other formats
• Different keyway orientation

700
17

• Combination Locks
• Show of Hands

18

• Combination Locks
• Show of Hands
• Immensely popular in the USA
• Schools
• Gyms
• Etc.

19

• Combination Locks
• Show of Hands
• Immensely popular in the USA
• Schools
• Gyms
• Etc.
• These Locks Provide
• Essentially Zero Security

20
(No Transcript)
21
(No Transcript)
22

• Padlock Shims
• Simple
• Cheap
• Buy Online
• 20-pack for 25
• Shim stock metal
• Homemade
• Aluminum Cans

23
Homemade Shims A Real-Life Example
24
Homemade Shims A Real-Life Example
25
Homemade Shims A Real-Life Example
26
Homemade Shims A Real-Life Example
27
Homemade Shims A Real-Life Example
28

• Combination Locks
• Also possible to decode
• Find the sticking points
• Group the numbers
• Find the outlier
• You have the last number
• Simple math from that point
• Calculation tools available

MasterLock.xls
29

• Combination Locks
• Also possible to decode
• Find the sticking points
• Multiple dials stick, too

30

• Warded Locks
• Inexpensive
• Simple Design
• Popular Outdoors
• Rudimentary Mechanism
• Resists Dirt Fouling
• Internal Latch
• Cant Use Conventional Picks
• However, Other Tools Exist

31

• Warded Innards
• Simple latch spring mechanism
• Unlike pin tumblers, where every
• segment of the key is important,
• warded keys have only one
• useful segment
• The rest of the key simply gets in
• in the way

32

• Warded Picks
• Store bought
• Homemade
• All very simple

33

• Tubular Locks
• Still traditional pin stacks
• Pins simply arranged in
• unconventional pattern
• Need specialized tools
• (well sometimes)

Cormu picking tubular locks Low-tech Kryptonite
bypass
34

• Dimple Locks
• Traditional pin stacks
• Horizontal keyway

35

• Dimple Locks
• Traditional pin stacks
• Horizontal keyway
• Nearly impossible to
• insert usual pick tools

dev
36

• Dimple Locks
• Traditional pin stacks
• Horizontal keyway
• Nearly impossible to
• insert usual pick tools
• Other means to bypass
• Impressioning
• Bump keying

Barry Wels Laz impressioning a dimple lock
37

• 4. Minor changes make a big difference
• Specialized pins
• Unshimable padlocks

1300
38

• Pick-Resistant Pins
• Mushroom

39

• Pick-Resistant Pins
• Mushroom

40

• Pick-Resistant Pins
• Mushroom
• Spool

41

• Pick-Resistant Pins
• Mushroom
• Spool

42

• Pick-Resistant Pins
• Mushroom
• Spool
• Serrated

43
Europe Raises the Bar
44
Europe Raises the Bar
45
Europe Raises the Bar
46
Europe Raises the Bar
47
Europe Raises the Bar
48

• Un-Shimmable Padlocks
• Collar / Boot
• Double-Ball Mechanism
• Key-Retaining Locks
• Less Convenient
• Less Popular
• Can still have combination dials
• Size doesnt always equal security
• Resistance to Brute Force
• Not Always Resistant to Finesse

49

• 5. Advanced features arent a panacea
• Sidepin the industrys first attempt
• Sidebars good and bad
• Mul-T-Lock dimple system
• Abloys rotating disks
• Magnetic madness

1500
50
Side Pin Schlage Everest
pin springs
driver (top) pins
key (bottom) pins
plug
check pin spring
check pin
specialized key
51
Side Pin Schlage Everest
photos courtesy of Matt Blaze
52
Side Pin Schlage Everest
photos courtesy of Matt Blaze
53
Side Pin Schlage Everest
specialized finger wrench
modified Everest key
54

• Side Bars
• Similar to side pins
• Restrict plug movement
• Harder to pick
• than pin stacks

55
Side Bar Finger Pins
56
Side Bar Finger Pins
57
Side Bar Finger PinsSchlage Primus
58
Side Bar Sliders
59
Side Bar Sliders
60
Side Bar Rotating Pins
61
Side Bar Rotating Pins
62
Rotating Pins Medeco Locks
Medeco plug exposed, key pins rotating to align
sidebar cuts Top View Side View
63

• Advanced Dimple Lock
• Mul-T-Lock
• Developer Manufacturer
• Patent Holder
• Exclusive Distributor
• Specialized Design
• Pins Within Pins
• Cant Impression

64

• Mul-T-Lock
• Pins within pins

65

• Mul-T-Lock
• Pins within pins
• Imagine the inside

66

• Mul-T-Lock
• Pins within pins
• Imagine the inside
• In fact, this is the
• actual mechanism

67
Mul-T-Lock
see the difference now?
68

• Mul-T-Lock
• Standard Operation

69

• Mul-T-Lock
• Standard Operation
• Overlifting

70

• Mul-T-Lock
• Standard Operation
• Overlifting
• Michaud Attack

71

• Rotating Disks
• Tremendous Security
• Mimics a safe lock
• Very Difficult To Pick
• Takes much time and great skill
• Specialized tools required

72

• Rotating Disks
• Tremendous Security
• Mimics a safe lock
• Very Difficult To Pick
• Takes much time and great skill
• Specialized tools required
• Falle Tool
• Manipulates disks individually
• Decodes cut orientation
• Numerical key values

Barry Wels picking a rotating disk lock with Mike
Glasser
73

• Rotating Disks
• Abloy Protec
• Not just rotating disks
• Disk blocking mechanism
• False cuts everywhere
• Unpickable?
• Closest I ever come to using that word
• Falle tool cannot be used

74

• Magnetic Locks
• Miiwa
• Japanese company
• Array of magnetic pins
• Simple North / South
• Evva MCS
• Austrian company
• Axial-rotated magnets
• Interaction with sidebar

75

• Evva Magnetic Code System
• Possibly most duplication-resistant lock out
  there

76

• 6. Adding electricity isnt magical
• Hotel safes
• Deadbolts
• Access control systems
• Magnetic door locks
• Passive IR sensors
• The Wiegand pitfall

Malaysian Hotel (240) Major Malfunction
(100) Winkhaus Blue Chip (240) Mul-T-Lock CLIQ
System (015)
2500
77

• A problematic access control door
• Magnetic lock

78

• A problematic access control door
• Magnetic lock
• Large gap

79

• A problematic access control door
• Magnetic lock
• Large gap
• IR Sensor

80
Zac Franken the Gecko project
81

• Knox Boxes
• Prevent damage to doors
• High security key systems
• Same key for whole region
• Access controls and audits for use of
  official keys
• No audit trail on most boxes

82
Knox Boxes
83

• 7. Safe locks vary as widely as door locks
• Mechanisms
• Certifications
• Resistance to other conditions
• Amazing electronic models

3500
84

• Safes
• Mechanism Operation
• Wheels
• Gates
• Fence
• Nose
• Cam

85
photos courtesy of Don the Shadow
86
photos courtesy of Don the Shadow
87
photos courtesy of Don the Shadow
88
photos courtesy of Don the Shadow
89
photos courtesy of Don the Shadow
90
photos courtesy of Don the Shadow
91
photos courtesy of Don the Shadow
92

• Safes
• Mechanism Operation
• Wheels, Gates, a Fence
• Insurance Ratings
• Underwriters Labs (TL, TRTL, TXTL )

93

• Safes
• Mechanism Operation
• Wheels, Gates, a Fence
• Insurance Ratings
• Underwriters Labs (TL, TRTL, TXTL )

94

• Safes
• Mechanism Operation
• Wheels, Gates, a Fence
• Insurance Ratings
• Underwriters Labs (TL, TRTL, TXTL )

photo courtesy of Barry Wels
95

• Safes
• Mechanism Operation
• Wheels, Gates, a Fence
• Insurance Ratings
• Underwriters Labs (TL, TRTL, TXTL )

96

• Safes
• Mechanism Operation
• Wheels, Gates, a Fence
• Insurance Ratings
• Underwriters Labs (TL, TRTL, TXTL )

97

• Safes
• Mechanism Operation
• Wheels, Gates, a Fence
• Insurance Ratings
• Underwriters Labs (TL, TRTL, TXTL )

98

• Safes
• Mechanism Operation
• Wheels, Gates, a Fence
• Insurance Ratings
• Underwriters Labs (TL, TRTL, TXTL )
• Compromise
• Manual or Robotic Manipulation

photo courtesy of Barry Wels
99

• Safes
• Mechanism Operation
• Wheels, Gates, a Fence
• Insurance Ratings
• Underwriters Labs (TL, TRTL, TXTL )
• Compromise
• Manual or Robotic Manipulation
• Manipulation-Proof Safes (SG 8400)

100

• Safes
• Mechanism Operation
• Wheels, Gates, a Fence
• Insurance Ratings
• Underwriters Labs (TL, TRTL, TXTL )
• Compromise
• Manual or Robotic Manipulation
• Manipulation-Proof Safes (SG 8400)
• Electronic Kaba Mas Hamilton X-series

101

• Safes
• Mechanism Operation
• Wheels, Gates, a Fence
• Insurance Ratings
• Underwriters Labs (TL, TRTL, TXTL )
• Compromise
• Manual or Robotic Manipulation
• Manipulation-Proof Safes (SG 8400)
• Electronic Kaba Mas Hamilton X-series
• Fire Safes
• Often terribly weak hardware
• Also not typically rated for electronic media
• Hotel Safes
• Hit or Miss

102
8. Bump keying is a real problem but one
with real solutions
3800
103

• The Bump Key Attack
• Popping a lock open with a special key
• Takes little skill, almost no training, no
  special tools
• Vast number of locks are vulnerable
• The media (and public) is finally taking notice
• Exploit closely related to physics of a pick gun
• Best explained via billiard ball analogy

104
(No Transcript)
105
(No Transcript)
106
(No Transcript)
107
The Bump Key Attack
108
The Bump Key Attack
109

• Countermeasures to Bumping
• Many High Security Mechanisms are Solid
• Turning finger pin sidebars (Schalge Primus)
• Slider-based sidebars (Evva MCS, Scorpion)
• Rotating Disk locks (Abloy clones)
• Magnetic Key systems (Evva MCS)
• Older High Security Locks Dont Help As Much
• Assa V10 Twin is exploitable geographically
• Medeco some Mul-T-Lock can be bumped
• Information leakage in old mastered systems
• Simpler Approaches
• Trap Pins
• Shallow Drilling
• Joined Pins
• Top Gapping
• Fluids Gels

http//security.org
110
Trap Pins
111
Trap Pins Normal Key Operation
112
Trap Pins Attempt Without a Key
113

• Trap Pins
• A Double-Edged Sword
• Absolute evidence of any
• any attempted pick or bypass
• Only one course of action
• after trap pins have fired
• Remove lock from door and
• replace with a new one
• Shallow drilling is simpler and
• offers more elegant protection

114
Shallow Drilling Normal pin stack chambers being
drilled
115
Shallow Drilling Notice the difference with
shallow drilling
116
Shallow Drilling Pin stacks have differing
heights in their default position
117
Shallow Drilling Attempts at bumping will fail,
not all pins touch the key
118
Shallow Drilling No easy, outward evidence of
this protection
119
Shallow Drilling Conceivably possible to examine
for shallow stacks
but what then, carry a whole ring of bump keys?
120
Joining Pins Mechanically or Magnetically
Corbin Emhart
121
Top gapping This design offers the most promise
for fully hardening basic pin tumbler locks
against the bump key attack.
122
Top gapping Master Lock has published on this
topic and begun equipping locks with specialized
top pins. Look for part numbers ending with the
letter N or ask a locksmith.
123
Kwikset?? When even this company is making locks
designed to prevent bump keying, its finally
gotten proper attention
124

• What locks have these countermeasures?
• Short answer very few, at least at present
• Trap Pins MC (Mitchel Collin)
  "Antiklop" model
• Shallow Drilling CES (Carl Eduard Schulte)
  VA5 VB7 models
• Joining Pins Corbin Emhart
• Top Gapping Master Lock / American Lock
  (retail or re-pinned)
• Kwikset "Smart Series" line includes
  biometric options

125
The Bump Key Attack
dev
126

• Fluids Gels
• Pickbuster
• Invented by Mark Garratt
• Distributed by Almore
• based in Pontypridd, Wales
• Impedes Pin Movement
• Mixed Industry Reaction
• Pros inexpensive, simple, bump resistant
• Cons not permanent, not perfect, and...
• Significant concern about fouling
• Weigh Costs and Benefits Yourself

127

• 9. Large facilities have their own
• unique set of pitfalls and concerns
• Master keying
• Interchangeable cores
• Key control
• Information leakage

4800
128

• Master Key Theory
• Remember standard
• pin tumbler stacks?
• Same operation, with extra
• pin (or wafer) in the middle
• Potential for varied
• levels of clearance
• Also potential for many
• additional shear lines

129
Master Pinning
130
Master Pinning Users Change Key
131
Master Pinning Top Master Key
132
Master Pinning Imagine a crafty user
133
Master Pinning They modify their key it doesnt
open
134
Master Pinning They modify their key it doesnt
open
135
Master Pinning They modify their key it doesnt
open
136
Master Pinning They modify their key suddenly it
opens!
137
Master Pinning This last chamber is now at the
master height
http//www.crypto.com/papers/mk.pdf
138
Master Pinning This bitting can be measured
http//www.crypto.com/papers/mk.pdf
139
Master Pinning This is how intermediate master
keying works
Keep in mind in a large, mastered facility all
doors have within them the full top master
pinning. Compromise of any single door can give
access everywhere.
140

• SFIC Locks
• Small Format
• Interchangeable Core
• BEST
• Yale
• Others
• Easy to Manage
• Plug and pins all eject as
• a single, contained unit
• Hard to Pick
• Multiple independent shear lines
• Keyways are worse than any nightmares you could
  find at
• the bottom of a bottle or at the hands of the
  U.S. Congress

141

• SFIC Locks
• Very popular in large institutions
• Cores remove with a control key
• Two independent shear lines
• Raising pins to one level allows
• plug to rotate freely
• Raising pins to other shear line
• locks plug and control sleeve together
• and they turn as one, either exposing
• or retracting cores retaining tab
• Picking attempts typically fail with standard
  tools
• Tension binds across both shear lines

142
SFIC Locks Pin Stacks
top pins
control pins
bottom pins
core housing
control sleeve
plug
143
SFIC Locks Operating Key
144
SFIC Locks Control Key
145

• SFIC Locks
• Normal picking attempts typically fail
• Tension binds across both shear lines
• Extremely likely to set pins in various places

146

• SFIC Locks
• There are specialized tools
• Torsion wrench with fingers puts pressure on
  only one shear line
• Still very difficult, however, due to tight
  tolerances and keyways

147

• SFIC Locks
• Matt Blazes modified sleeve
• Nothing for specialized finger wrench to grab

148

• SFIC Locks
• New BEST design
• I believe the locks are manufactured this way now

149

• Key control
• Preventing illicit copies
• Using restricted keyways
• Inability to make blanks
• E-Z Entrie vs. Side Cuts

150
Beware of Information Leakage
151
Beware of Information Leakage
152
Beware of Information Leakage
153
Beware of Information Leakage
154
Beware of Information Leakage
155

• 10. Security in the Real World
• Technical Finesse or Brute Force
• Common criminals do not pick locks
• A 100 lock in a 10 door is little help
• Forcing destructive entry can good
• Doors
• Solid-core, heavy material
• Heavy hinges, screws deep into frame
• Deadbolts with round core(s)
• Windows
• Break glass to reach knobs
• Shatterproof film
• Visibility
• Motion-sensing lights
• Keep bushes trees trimmed

5500
156
Forensic Evidence
157
Forensic Evidence
158
Forensic Evidence
159
Forensic Evidence
160
Forensic Evidence
161
Forensic Evidence
162
Forensic Evidence
163
Forensic Evidence
164
Forensic Evidence
165
Forensic Evidence
166
Forensic Evidence
167
Forensic Evidence
168
Forensic Evidence
169
Forensic Evidence
170
Forensic Evidence
171
Forensic Evidence
172
Forensic Evidence
173
Security is only as effective
as the person using it
174

• A Security Fable
• American 700 Padlock
• Solid design
• Serrated pins
• Interchangeable cores

175

• A Security Fable
• American 700 Padlock
• Solid design
• Serrated pins
• Interchangeable cores
• Core Operation
• Back of plug half circle
• Control cylinder quarter circle

176

• A Security Fable
• American 700 Padlock
• Solid design
• Serrated pins
• Interchangeable cores
• Core Operation
• Back of plug half circle
• Control cylinder quarter circle
• Peterson Bypass Tool
• Slips all the way through core
• Interacts with control cylinder directly

177

• A Security Fable
• American 700 Padlock
• Solid design
• Serrated pins
• Interchangeable cores
• Core Operation
• Back of plug half circle
• Control cylinder quarter circle
• Peterson Bypass Tool
• Slips all the way through core
• Interacts with control cylinder directly
• Security Wafer

178

• A Security Fable
• American 700 Padlock
• Solid design
• Serrated pins
• Interchangeable cores
• Core Operation
• Back of plug half circle
• Control cylinder quarter circle
• Peterson Bypass Tool
• Slips all the way through core
• Interacts with control cylinder directly
• Security Wafer
• Wafer Breaker Tools

179

• A Security Fable
• American 700 Padlock
• Solid design
• Serrated pins
• Interchangeable cores
• Core Operation
• Back of plug half circle
• Control cylinder quarter circle
• Peterson Bypass Tool
• Slips all the way through core
• Interacts with control cylinder directly
• Security Wafer
• Wafer Breaker Tools

180

• A Security Fable
• American 700 Padlock
• Solid design
• Serrated pins
• Interchangeable cores
• Core Operation
• Back of plug half circle
• Control cylinder quarter circle
• Peterson Bypass Tool
• Slips all the way through core
• Interacts with control cylinder directly
• Security Wafer
• Wafer Breaker Tools
• Shackeless Padlock the American 2000

181
Thank you so much. Thank you to TOOOL.us,
TOOOL.nl, mouse, Babak, Chris, Mr. E, Barry
Han, Laz, valanx, steve, JVR, Matt Blaze,
jackalope, calypso, renderman, Bruce Heidi, DT,
and Ping. Thank you so much to Brian, NaNa,
everyone else at SecTor who did so much to bring
us here!
182

• So what is a good lock?
• Locks that I love
• (sliders in 3KS magnets of MCS)
• Protec (best rotating disk)
• Primus (finger pin sidebar
  system)
• (slider-based sidebar)
  
• (X-series safe
  dials)
• (SFICs)
• (Granit Diskus)
• (shackle-less padlock)
• (armory locks, combo locks,
  safes, deposit boxes)

http//deviating.net/lockpicking deviant_at_deviating
.net