By Kurt Seifried (kurt@seifried.org)

Traditionally physical security has been addressed primarily by mechanical locks to control access to places, be they buildings or a specific room. A business would have mechanical locks on all external doors and many internal doors, and these would typically be locked when no-one is around (e.g. at night). Combined with a decent alarm system the mechanical locks would slow an intruder down long enough for them to be detected and for the police to respond in most cases. For areas without an alarm system the locks would ideally discourage the attacker, there is a big difference between kicking in a door and simply turning the knob to see if it’s open.

For centuries (indeed in some areas millennia) this balance held, mechanical locks were effective in discouraging attackers or slowing them down enough to be effective. However a new lock picking technique has changed the balance, potentially rendering most mechanical locks useless.

We think mechanical locks are secure, probably because we can’t open them with a Popsicle stick. Lock picking used to be the domain of highly trained locksmiths, and criminals who spent the time and energy to learn the same techniques. Over the years lock picking has grown as a hobby among people who are neither locksmiths nor criminals. Much of the “hacker” ethos that involves understanding complex systems (be they mechanical locks, computer security or parking spots at the mall) and finding creative ways of bypassing them or otherwise manipulating the system to do their bidding seems to apply to these enthusiasts. As well many are security professionals who have a vested interest in the security and effectiveness of mechanical locks.

These enthusiasts are often at odds with the lock making and locksmithing industry. As with many industries they do not like being told that their products are defective or ineffective. Unfortunately due to a new development this is the message that is now commonplace in the lock industry:

“Bumping”

Bumping locks is a new technique that is astoundingly simple. Most mechanical locks consists of a cylinder with a series of pins, the pins must be moved into the correct place so that they are flush, allowing the cylinder to turn. Typically this is done using a key, it is inserted, and pushes the pins to the correct height, placing them flush and allowing the cylinder to turn. Traditional lock picking consist largely of manipulating the pins manually one at a time to place them flush, typically this takes some time and a degree of skill only acquired through extensive practice, as well as leaving marks.

All this however has changed. Now you can simply insert a bump key into a lock, draw it out slightly, tap it and turn it, and presto, the lock will open. This will take only seconds in most cases and the only tools required are a blank key that fits that particular lock, and a small mallet, typically with a rubber head. Just insert, tap, and open. To make a bump key you simply buy a blank key, and cut indentations into it to the full depth allowed, and presto, you’re done.

Yes it really is that easy. No tools required, and only minimal practice.

So typically at this point in the article there would be a nice summary and some helpful tips or ideas on how to address this risk. Unfortunately in this case the summary is short and simple: most mechanical locks are trivially bypassed. As far as addressing this risk unless you spend significant money on high end mechanical locks, or electronic/biometric locks you will continue to be vulnerable.

http://www.toool.nl/bumping.pdf

http://www.toool.nl/blackbag

http://ezpicking.com/

http://locksport.com/LSIGuide/lsiguide.pdf

http://www.lockpicking101.com/