Lock Bumping and Bump Keys
See video of news story on lock bumping: http://youtube.com/watch?v=hr23tpWX8lM
Lockpicks See Security Flaw in Most Locks
As lockpicking gains traction as a hobby, a surprisingly easy new technique has been circulating online and among hackers.
By Brian Braiker
Newsweek
How many locks figure prominently in your daily routine? Maybe one or two to get you into your house or apartment? One for your office, your car and your mailbox? Once you turn the key, chances are you feel pretty secure. That's what locks do, after all: they keep things shut; they keep you protected. How naive.
A large majority of locks that open with a key, called pin tumbler locks, have structural weaknesses built into them that can be exploited with picks and practice. But a relatively new lockpicking technique known as "bumping" takes advantage of that weakness and requires no real understanding of how locks work. "You don't need expensive tools or anything," says encryption expert Barry Wels. "Any 15-year-old who's motivated can learn how to do it in 15 minutes on the Internet."
Wels ought to know. He heads The Open Organization of Lockpickers (TOOOL), which bills itself "the most well-behaved sporting association in the Netherlands." He picks locks, he says, not with criminal intent, but more in the spirit of puzzle-solving. One man's pin tumbler, it seems, is another's Rubik's Cube. In fact, lockpicking as a hobby has developed a substantial worldwide following in recent years, thanks mostly to the unprecedented availability of information online and geek charisma of polymaths like Wels (whose nickname is The Key, natch). Enthusiasts share tips and engage in flamewars at lockpicking101.com; they attend Locksport International meetings and post videos on YouTube.
For more tangible evidence of sport-picking's growth, consider a recent Friday afternoon. Wels delivered a lecture on lockpicking last month at an occasionally occurring hackers' convention called HOPE (Hackers on Planet Earth) in New York's Pennsylvania Hotel. Despite seeming a little, well, analog for a hackers' convention, the lockpicking discussion felt perfectly in tune with the weekend's ethos. "Old school, new school: we do it all," says Eric Corley (also known by the hacker pseudonym Emmanuel Goldstein), the founder and editor of 2600 magazine, which hosts the conference. The three-day affair drew some 2,500 technology enthusiasts together to consider such diverse topics as "biometrics in science fiction," how to decipher barcodes with the naked eye and why Macromedia Flash "sucks for advertisers." But none of HOPE's lectures attracted quite the crowd that Wels's did.
And few were as sobering. The bulk of the talk—which Wels cohosted with Marc Tobias, a lawyer, technical-fraud expert and author—was devoted to bumping. They explained how most locks can be bumped open with any key that fits that lock, but does not open it. If, for example, you live in an apartment complex, chances are your key will fit into (but not open) the doors to other units in your building. Similarly, if you open your mailbox with a key, your key will probably fit into other mailboxes not just in your building but on your block—even though postal locks are uniquely designed and protected under federal law. Wels and Tobias demonstrated that by modifying the key, that key could be used as a universal "bump key" for any lock it will fit into. To say nothing of breaking and entering, "this was made for identity theft," explains Tobias. "The U.S. Postal Service's worst nightmare is Ted Kaczynski with a bump key."
(A caveat for those taking notes at home: NEWSWEEK is intentionally omitting specific details about how to make, and use, bump keys. But as our reporter learned from the HOPE conference and interviews, they are very easy to make using readily available tools. No lock is perfect. Bumping, which takes its name from how the key actually undoes a lock, is simply easier to master than picking locks and, if done well, can leave very little trace behind. The principle that makes it possible is as old as Newtonian physics.)
Tobias demonstrated the technique to the U.S. Postal Service, hoping to convey the potential threat to millions of mailboxes nationwide (and push for legislation that would outlaw shipping bump keys through the mail, which is currently legal). The Postal Service subsequently examined its inventory to see how vulnerable its locks are, according to spokesman Bob Anderson. "The engineering and inspection services have identified some security issues," he tells NEWSWEEK. "We see it as a potential threat. We have identified where the risks are, but we have no recorded incidents of people reporting a bumping." Anderson declined to elaborate on what vulnerabilities were discovered and what steps were being taken to remedy them.
Others are less concerned, at least publicly. "We've been around for 26 years and this is not a problem," says Richard Hallabrin, corporate spokesman for Mail Boxes Etc., the world's largest franchisor of retail mailboxes. "If people continue to go out to the media and say, 'Here's how you break into any lock,' yeah, there's going to be an increase." Fair point, but the information is already available to anyone with an Internet connection. "Lockpicking information until very recently has been hidden not from the bad guys, but from us, the consumers," says security guru and author Bruce Schneier, a cryptographer with enough clout to get a little shout out in Dan Brown's "The Da Vinci Code." "There's no economic motivator for anyone to make a better lock because you, the consumer, don't know [how vulnerable your lock really is]."
There are ways to improve upon locks, says Schneier. He points to the auto industry, which has an incentive to build cars that are tougher to break into. "If your car is easier to steal, your insurance will be more [expensive]," he points out. So automakers have begun equipping cars with locks that open only with the swipe of a card or in close proximity to a radio frequency identification (RFID) chip.
Perhaps surprisingly, Clyde Roberson, the technical director at Medeco High Security Locks (which are praised by lock aficionados as being virtually unpickable), tends to agree with Schneier. "Bumping is real. It is a vulnerability," he concedes. "Do I think lots of guys are running around bumping locks to get into mailboxes? No. Do you publicize it knowing people may take advantage of it so that you can educate people? I don't know what the answer is."
It's an interesting ethical question. But while the experts ponder it, the curious can find the information they need with a quick Google search. The pressure, say Schneier and Tobias, should be on the lock manufacturers to do something about it.