July 21, 2008 8:40 AM PDT

For the love of lock picking

NEW YORK--I feel much less secure after attending the Last HOPE conference this weekend.

Not only is my personal information at risk every time I log onto the Internet and use a cell phone headset or passport, but even my gym locker, bike, and home can easily be accessed with the proper tools and manual dexterity.

Tools of the lock picking trade.

(Credit: Elinor Mills/CNET News)

In the popular Lockpicking Village area at Last HOPE (Hackers on Planet Earth), I watched guys twirl little pins in all types of locking devices. For some, it took less than a minute to get the locks to snap open. One lock picker even showed how to open an ordinary padlock with just a piece of aluminum from a beer can. (See video demo below.)

If I'm worried, how do they feel at the Pentagon and the White House?

Medeco, the lock that secures the doors in those two places and at high-security agencies around the world, had been un-crackable for 40 years--until last year. And now there's a book about the lock's shortcomings called Open in Thirty Seconds.

Marc Weber Tobias, co-author of Open in Thirty Seconds, gets freed from a pair of prison transport handcuffs without a key.

(Credit: Elinor Mills/CNET News)

"This is all about liability and responsible disclosure," said Marc Weber Tobias, a co-author on the book. "People need to know they are vulnerable, and the manufacturer says it can't be done."

The book doesn't reveal the codes needed to open the locks, he noted.

"The goal is to help people understand how we did it," said Tobias, who has a physical security consultancy called Security.org. "As a lawyer, I believe in full disclosure and I believe manufacturers ought to disclose the vulnerabilities in their products."

Like with software vulnerabilities, manufacturers don't want to acknowledge security flaws, he said. But the difference between software and old-fashioned hardware is that software can be easily upgraded over the Internet while locks must be replaced.

Below is a video that demonstrates just how easy it is to pick a deadbolt lock. "Steve," a member of Toool, The Open Organisation of Lockpickers, uses a small tension wrench to hold the pins in place while he jiggles a lock pick tool to set the pins to "open."

Credit: Elinor Mills/CNET News

In the video below, "Deviant" shows how to pick an ordinary combination padlock by shimming the shackle open with a small, folded piece of aluminum or metal.

Credit: Elinor Mills/CNET News

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 and previously covered search, online advertising, and portals. E-mail Elinor.
13 comments
by Missing_dc July 21, 2008 9:32 AM PDT
For those of us in the know, lockpicking is generally easy, it's just illegal unless you are a bonded locksmith. That means don't get caught with your picks or shims.

I've heard it said that locks exist to keep an honest person honest, but an intent person will find a way.
by Squelchtone July 21, 2008 8:35 PM PDT
Missing_dc, please don't spread misinformation around if you aren't really "in the know". Lock picking is generally easy if you practice enough, and of course it depends on which lock you are trying to pick. The lockpickers, such as myself, who attended The Last HOPE, and who are members of TOOOL or Locksport International, pick locks for fun and because we like a good challenge. Also, I have to expand on what you said about lockpicking being illegal. It is not illegal, nor is owning a set of lock picks illegal unless you are in a state or city which specifically states that possession is illegal unless you are a locksmith, tow truck driver, or a police officer. Washington DC is the only place I know that specifically says lockpicks are illegal. Other states have different varying laws which usually state that lockpick tools are only illegal if there is clear intent that you are breaking in somewhere. So if you own picks and pick for fun and pick your own collection of locks, that's just fine in most states. If you are picking at 3am in a dark alley and have a police scanner and you're picking the door to a store or bank or some lock that isn't yours, that's illegal. Possession without intent is just fine. Also, bonded locksmith only means that the locksmith has insurance in case he breaks something while installing a lock in your nice door; what you meant to say is licensed locksmith.

Squelchtone
TOOOL.US
by unknown_user July 22, 2008 5:25 PM PDT
An extra note: Even where it's not illegal to have a lockpick, I've seen law enforcement and professional locksmiths freak out if they see or hear of people possessing them. Regardless of the law, you're generally better off being discreet about having them and knowing how to use them.
by dirty55409 July 22, 2008 7:33 PM PDT
lol yeah this is great, we'll have all these kids picking up lock picking tools... oh yeah you're really cool. Now try and pick a lock without going to jail or getting arrested. lol silly article that does nothing to benefit society.
by harrytan July 22, 2008 9:42 PM PDT
Can any of the experts here advise which padlocks or door locks generally are harder to pick or even safe (presuming that they are all vulnerable)?

Thanks.
by d.gallea July 23, 2008 7:37 AM PDT
Do others see the videos? Mine are blank.
by jdport July 23, 2008 8:31 AM PDT
As a licensed and bonded locksmith, this is something I know a little something about. If you want real security, be prepared to pay real money for it. Schlage Primus is good. Even though Marc Tobias has cracked the Medeco, I can tell you it is highly unusual even for experienced locksmiths to crack these. There are new "bump resistant" and "bump-proof" locks entering the market because of the concerns of bumping and picking. Master has a bump-proof deadbolt and I'm sure Schlage has a few. Arrow is a name most consumers are not aware of because they are sold only through locksmith dealers. For real security I recommend most any lock utilizing a restricted keyway. This means the key blanks are not readily available and possibly sold only by your local locksmith. You won't find them in the hardware store kiosks. Check with your local locksmith dealer and ask for a lock with a restricted keyway. But be prepared for sticker shock. The solutions are there, they just cost more.
by dickalmighty July 24, 2008 10:18 AM PDT
Fantastic article! Attention getting commentary! No freaking videos! Anybody picks my locks while I'm home gets shot before the door opens anyway. Anything taken if I'm not here is not worth much anyway and crackheads and meth people are too shaky to do the locks. No personal attacks intended.
by Robb Lawrence July 24, 2008 8:49 PM PDT
why broadcast that lock-picking can be done so easily? are there companies working on fool-proofing locks or is there no such thing? what about combination locks - is the formula for cracking those codes equally as simple as picking regular types of locks?
by Robb Lawrence July 24, 2008 8:52 PM PDT
why broadcast that lock-picking can be done so easily? are there companies working on fool-proofing locks or is there no such thing? what about combination locks - is the formula for cracking those codes equally as simple as picking regular types of locks?
by glenm812944 July 25, 2008 6:27 AM PDT
Being a former locksmith and now in an IT department, I've seen that those key locks on Dell servers are so easy to pick and just take a hard drive, but you have to have the restricted key to get into the front door and then you have to punch in your pass code number to get into a second door into the data room, then whip out your picks, pick the lock, steal the hard drive, which will trip a fault light on the server plus the audible ear-piercing sound from the server, which our operations guys would get an instant message right next door to see what the problem is and maybe get caught? I wouldn't take a chance at it. I would have a better chance at picking your car lock out in the parking lot and stealing your car.
by dickalmighty August 2, 2008 12:11 PM PDT
Are the videos ever going to be put back on? That's the reason I went to the site and ..........................
by brucerobb August 6, 2008 12:27 PM PDT
If you're trying to watch at work, your employer (like mine) may have blocked videos.