Title: Ten Things Everyone Should Know
Ten Things Everyone Should Know About Lockpicking & Physical Security
Deviant Ollam
Event Name XXXX/XX/XX
1. Locks are not complicated mechanisms
photo courtesy of datagram
2. Most locks are wildly easy to pick
Picking
- Demonstration
- Everyone Cross Your Fingers
- Think No Demonstration Effect
- The Two Biggest Errors
- Too much wrench pressure
- Lifting pins too far up
Raking
It's typically as simple as that
Lifting Technique, Raking Technique, Hybrid Technique
3. Lack of pins doesn't equal invulnerable
- Combination Locks
- Show of Hands
- Immensely popular in the USA
- Schools
- Gyms
- Etc.
- These Locks Provide Essentially Zero Security
- Padlock Shims
- Simple
- Cheap
- Buy Online
- 20-pack for $25
- Shim stock metal
- Homemade
- Aluminum Cans
Homemade Shims: A Real-Life Example
- Combination Locks
- Also possible to decode
- Find the sticking points
- Eliminate half numbers
- Eliminate same numbers
- You have the last number
- Simple math from that point
- Calculation tools available
MasterLock.xls
- Combination Locks
- Also possible to decode
- Find the sticking points
- Multiple dials stick, too
- Warded Locks
- Inexpensive
- Simple Design
- Popular Outdoors
- Rudimentary Mechanism
- Resists Dirt Fouling
- Internal Latch
- Can't Use Conventional Picks
- However, Other Tools Exist
- Warded Innards
- Simple latch spring mechanism
- Unlike pin tumblers, where every segment of the key is important, warded keys have only one useful segment
- The rest of the key simply gets in the way
- Warded Picks
- Store bought
- Homemade
- All very simple
- Tubular Locks
- Still traditional pin stacks
- Pins simply arranged in unconventional pattern
- Need specialized tools
- (well, sometimes)
Cormu picking tubular locks
Low-tech Kryptonite bypass
- Wafer Locks
- Compact Design
- Popular in cars, cabinets
- Totally Different Mechanism
- No pin tumblers
- Difficult to pick traditionally
- Raking and jiggling attacks
4. Minor changes make a big difference
- Advanced Keyways
- Simple: straight and wide
- Medium: straight but narrow
- Complex: thinner and curvy
- Harder: lots of angles
- Fiendish: overlapping wards
- Un-Shimmable Padlocks
- Collar / Boot
- Double-Ball Mechanism
- Key-Retaining Locks
- Less Convenient
- Less Popular
- Can still have combination dials
- Size doesn't always equal security
- Resistance to Brute Force
- Not Always Resistant to Finesse
- Pick-Resistant Pins
- Spool
- Mushroom
- Serrated
Europe Raises the Bar
5. Advanced features aren't a panacea
Side Pin: Schlage Everest
pin springs
driver (top) pins
key (bottom) pins
plug
check pin spring
check pin
specialized key
photos courtesy of Matt Blaze
specialized finger wrench
modified Everest key
- Side Bars
- Similar to side pins
- Restrict plug movement
- Harder to pick than pin stacks
Side Bar: Finger Pins
Schlage Primus
Side Bar: Sliders
Side Bar: Rotating Pins
Rotating Pins: Medeco Locks
Medeco plug exposed, key pins rotating to align sidebar cuts
Top View, Side View
- Rotating Disks
- Tremendous Security
- Mimics a safe lock
- Very Difficult To Pick
- Takes much time and great skill
- Specialized tools required
- Falle Tool
- Manipulates disks individually
- Decodes cut orientation
- Numerical key values
Barry Wels picking a rotating disk lock with Mike Glasser
- Rotating Disks
- Abloy Protec
- Not just rotating disks
- Disk blocking mechanism
- False cuts everywhere
- Unpickable?
- Closest I ever come to using that word
- Falle tool cannot be used
- Magnetic Locks
- Miwa
- Japanese company
- Array of magnetic pins
- Simple North / South
- Evva MCS
- Austrian company
- Axial-rotated magnets
- Interaction with sidebar
- Evva Magnetic Code System
- Possibly most duplication-resistant lock out there
6. Electrical systems have weaknesses, too
- Electrical System Weaknesses
- Hotel safes
- Deadbolts
- Access control systems
- Magnetic door locks
- Passive IR sensors
Malaysian Hotel (240) Major Malfunction (100)
(Adding electricity to something isn't a panacea)
A problematic access control door
Magnetic door and window systems
wiring protected? fail open or shut?
Is this a good access control device?
numbers worn off? default code perhaps? observe operation?
Is this a good access control device?
can you fake it? tied to other token? what wiring behind?
Access control systems
ethernet
serial or plain copper
Zac Franken the Gecko project
- Adding electricity isn't a panacea
- Does it fail safe or fail open?
- Electromagnets need power
- Dealing with fire codes, etc
- Is it layers of security or two routes of access?
- Wired in series or parallel, as it were
- How well versed are the manufacturers?
- Often they're good at either locks or electronics
- Adding electricity isn't a panacea
- Making the leap from electrons to metal
- Often the low-tech attacks are most risky
- Exit systems
- Conan approach
Winkhaus Blue Chip (242)
7. Your safe might be terrible
photos courtesy of Don the Shadow
photo courtesy of Barry Wels
- Safes
- Mechanism Operation
- Wheels, Gates, a Fence
- Insurance Ratings
- Underwriters Labs (TL, TRTL, TXTL)
- Compromise
- Manual or Robotic Manipulation
- Manipulation-Proof Safes (S&G 8400)
- Electronic Kaba Mas Hamilton X-series
- Fire Safes
- Often terribly weak hardware
- Also not typically rated for electronic media
- Hotel Safes
- Hit or Miss
8. Bump keying is a real problem
... but one with real solutions
- The Bump Key Attack
- Popping a lock open with a special key
- Takes little skill, almost no training, no special tools
- Vast number of locks are vulnerable
- The media (and public) is finally taking notice
- Exploit closely related to physics of a pick gun
- Best explained via billiard ball analogy
The Bump Key Attack
- Countermeasures to Bumping
- Certain High Security Mechanisms
- Finger pin sidebars in Schlage Primus
- Slider-based sidebars
- Pins Within Pins (newer Mul-T-Lock models)
- Rotating Disk locks (Abloy clones)
- Magnetic Key systems (Evva MCS)
- Other High Security Locks Don't Help As Much
- Assa V10 Twin is exploitable geographically
- Medeco & Mul-T-Lock can be bumped
- There is a risk of information leakage in old mastered systems
- Simpler Approaches
- Trap Pins
- Shallow Drilling
- Joined Pins
- Top Gapping
- Fluids & Gels
Trap Pins
Trap Pins: Normal Key Operation
Trap Pins: Attempt Without a Key
- Trap Pins
- A Double-Edged Sword
- Absolute evidence of any attempted pick or bypass
- Only one course of action after trap pins have fired
- Remove lock from door and replace with a new one
- Shallow drilling is simpler and offers more elegant protection
Shallow Drilling: Normal pin stack chambers being drilled
Shallow Drilling: Notice the difference with shallow drilling
Shallow Drilling: Pin stacks have differing heights in their default position
Shallow Drilling: Attempts at bumping will fail, not all pins touch the key
Shallow Drilling: No easy, outward evidence of this protection
Shallow Drilling: Conceivably possible to examine for shallow stacks... but what then, carry a whole ring of bump keys?
Joining Pins: Mechanically or Magnetically
Corbin Emhart
Top gapping: This design offers the most promise for fully hardening basic pin tumbler locks against the bump key attack.
Top gapping: Master Lock has published on this topic and begun equipping locks with specialized top pins. Look for part numbers ending with the letter N or ask a locksmith.
Kwikset? When even this company is making locks designed to prevent bump keying, it's finally gotten proper attention... pity that their new lock design is flawed.
- What locks have these countermeasures?
- Short answer: very few, at least at present
- Trap Pins: MC (Mitchel Collin) "Antiklop" model
- Shallow Drilling: CES (Carl Eduard Schulte) VA5 & VB7 models
- Joining Pins: Corbin Emhart (no longer sold)
- Top Gapping: Master Lock / American Lock (retail or re-pinned)
The Bump Key Attack
dev
- Fluids & Gels
- Pickbuster
- Invented by Mark Garratt
- Distributed by Almore
- based in Pontypridd, Wales
- Impedes Pin Movement
- Mixed Industry Reaction
- Pros: inexpensive, simple, bump resistant
- Cons: not permanent, not perfect, and...
- Significant concern about fouling
- Weigh Costs and Benefits Yourself
9. Large facilities have their own pitfalls
- Master Key Theory
- Remember standard pin tumbler stacks?
- Same operation, with extra pin (or wafer) in the middle
- Potential for varied levels of clearance
- Also potential for many additional shear lines
Master Pinning
Master Pinning: User's Change Key
Master Pinning: Top Master Key
Master Pinning: Imagine a crafty user
Master Pinning: They modify their key... it doesn't open
Master Pinning: They modify their key... suddenly it opens!
Master Pinning: This last chamber is now at the master height
Master Pinning: This bitting can be measured
http://www.crypto.com/papers/mk.pdf
Master Pinning: This is how intermediate master keying works
Keep in mind: in a large, mastered facility all doors have within them the full top master pinning. Compromise of any single door can give access everywhere.
- SFIC Locks
- Small Format
- Interchangeable Core
- BEST
- Yale
- Others
- Easy to Manage
- Plug and pins all eject as a single, contained unit
- Hard to Pick
- Multiple independent shear lines
- Keyways are worse than any nightmares you could find at the bottom of a bottle or at the hands of the U.S. Congress
- SFIC Locks
- Very popular in large institutions
- Cores remove with a control key
- Two independent shear lines
- Raising pins to one level allows plug to rotate freely
- Raising pins to other shear line locks plug and control sleeve together and they turn as one, either exposing or retracting core's retaining tab
- Picking attempts typically fail with standard tools
- Tension binds across both shear lines
SFIC Locks: Pin Stacks
top pins
control pins
bottom pins
core housing
control sleeve
plug
SFIC Locks: Operating Key
SFIC Locks: Control Key
- SFIC Locks
- Normal picking attempts typically fail
- Tension binds across both shear lines
- Extremely likely to set pins in various places
- SFIC Locks
- There are specialized tools
- Torsion wrench with fingers puts pressure on only one shear line
- Still very difficult, however, due to tight tolerances and keyways
- SFIC Locks
- Matt Blaze's modified sleeve
- Nothing for specialized finger wrench to grab
- SFIC Locks
- New BEST design
- I believe the locks are manufactured this way now
- Key control
- Preventing illicit copies
- Using restricted keyways
- Inability to make blanks
- E-Z Entrie vs. Side Cuts
- Knox Boxes
- Prevent damage to doors
- High security key systems
- Same key for whole region
- Access controls and audits for use of official keys
- No audit trail on boxes
Knox Boxes
Beware of Information Leakage
- No-Tech Risks
- Social Engineering
- Smokers' Entrance
- Delivery / Workman
- Phone Penetration
- Badge Faking
- Basements, Roofs & Drop Ceilings
10. Security in the real world
- Security in the Real World
- Technical Finesse or Brute Force
- Which is more common?
- Common criminals do not pick locks
- A $100 lock in a $10 door is little help
- Doors
- Solid-core, heavy material
- Heavy hinges, screws deep into frame
- Deadbolts with round core(s)
- Windows
- Break glass to reach knobs
- Shatterproof film
- Visibility
- Motion-sensing lights
- Keep bushes & trees trimmed
Window Latch
- So what is a good lock?
- Locks that I love
- Protec (best rotating disk)
- (sliders in 3KS magnets of MCS)
- Primus (finger pin sidebar system)
- (slider-based sidebar)
- (X-series safe dials)
- (SFICs)
- (Granit Diskus)
- (shackle-less padlock)
- (armory locks, combo locks, safes, deposit boxes)
http://deviating.net/lockpicking
Security is only as effective as the person using it
- A Security Fable
- American 700 Padlock
- Solid design
- Serrated pins
- Interchangeable cores
- Core Operation
- Back of plug: half circle
- Control cylinder: quarter circle
- Peterson Bypass Tool
- Slips all the way through core
- Interacts with control cylinder directly
- Security Wafer
- Wafer Breaker Tools
- Shackle-less Padlock: the American 2000
Thank you so much. Thank you to TOOOL.us, TOOOL.nl, mouse, Babak, Dave, Steve, JVR, Mr. E, Barry Han, Laz, valanx the FOOLS, Matt Blaze, jackalope, calypso, renderman, Bruce Heidi