The Lockdown: Locked, but not secure (Part I)
Noted security expert Marc Weber Tobias contributes a new column, The Lockdown, exposing the shoddy security you may depend on.
The Bump Key: A new old threat to the security of mechanical locks
The most popular locking mechanism in the world utilizes the pin tumbler design, first developed 4000 years ago in Egypt and then rediscovered and perfected a century and a half ago by Linus Yale. There are billions of these locks in the world and they come in all sizes, configurations, and security ratings. Some are secure; most are not, and even some high security rated cylinders can be easily compromised. All that is required to open many types of pin tumbler cylinders -- the kind of lock that probably keeps the bad guys out of your home -- is a bump key and a tool for applying a bit of force. The bump key shown above opens an extremely popular five pin lock, and the plastic bumping tool is produced by Peterson Manufacturing, although many others are now being offered for sale. With these two cheap implements, anyone -- and I do mean anyone -- can get into your home or business in a matter of seconds.
In 2004, this relatively old technique of opening locks was rediscovered by the European locksmith community in Germany and other countries. As word spread of the ease with which certain locks could be bypassed, several sport lock picking clubs, and notably the members of TOOOL, began to examine the issue more closely. Subsequently, tests were conducted in 2006 by the prestigious consumer research organization in the Netherlands and published last March. In early April, we issued a security alert on security.org with regard to the vulnerability of United States Postal Service and Mail Boxes Etc. locks. Two White Papers were also posted, dealing with the security threat and the legal issues involving bumping: A detailed technical analysis of bumping and Bumping of Locks: Legal issues in the United States.
There is significant misunderstanding about the bumping technique, what locks are affected, and which products will provide real security against this threat. Barry Wels and I discussed bumping during a panel at HOPE in New York in July, and Matt Fiddler and I presented the same topic at DEFCON 14. A great deal of international media attention resulted from these talks because of the apparent simplicity of opening cylinders that were previously believed to be secure. The photograph to the right shows an eleven year old girl who opened a popular five pin cylinder in seconds at DEFCON 14. She had no prior experience or expertise. You can watch a video (WMV) of her opening the lock here; it's actually a little scary.
I interviewed and videotaped the eleven year old girl at the lock picking village at DEFCON who demonstrated how she could quickly open a popular cylinder. She had no prior experience with locks and did not understand the underlying theory. Her parents simply thought that she might be intrigued with the challenge of opening locks. And they were correct! All she had was a pre-cut bump key and a "tomahawk" kinetic energy tool, like the one pictured above. The Kwikset that she opened is sold in every hardware and DIY store in the country, and is believed to be secure by the public. It is far from it, and that is at the crux of the security issue at hand. The manufacturers have failed to warn the consumer that certain cylinders can potentially be opened in seconds with this technique.
Definition of terms and how a pin tumbler lock works
You should become conversant with a few terms that are used to describe the critical components of a pin tumbler lock.
Bitting: The actual cuts of the key.
Center-to-center measurement: The required spacing between each cut.
Chamber (or bore): A series of holes are drilled through the shell of the lock and into the plug, one for each set of tumblers (the pins that keep locks shut). Each chamber contributes to the overall security of the lock by housing a set of pin tumblers and springs that can individually prevent the plug from turning without the proper key.
Code value for each depth: The number that the manufacturer assigns to each individual bitting depth.
Keyway: The combination of obstructions (wards) at the front of the plug that allows or prevents a specific key from entering.
Pin Tumbler: A round pin that moves up and down within each chamber and whose purpose is to block the ability to turn the plug unless it is raised to shear line.
Plug: The round center core of a lock that is activated by the proper key and is utilized to turn the bolt.
Shell: The fixed portion of the lock that contains the springs, top pins and plug.
Shoulder of the key: The portion of the key that abuts against the face of the plug. The purpose of the shoulder is to stop the key from forward movement, once fully inserted into the plug.
You need to understand the basic operation of pin tumbler locks and the nomenclature for critical components in order to fully appreciate why a bump key is so effective. I will briefly describe its operation for those readers that are not familiar with these mechanisms. The diagram above shows the relationship between the main parts of a non-master keyed cylinder. A key is shown inserted into a six-pin lock. The critical concept to understand and the principle that distinguished the modern Yale design from the original Egyptian lock is the shear line. This idea allowed Linus Yale to create a very small lock and key that was secure and which could offer many different combinations, unlike its predecessors.
In the modern pin tumbler lock, each chamber contains a spring, top pin and bottom pin. If the lock is master-keyed, then one or more additional pins will be inserted into each chamber to provide for additional unlocking combinations. In the standard cylinder, a rotating portion, called the plug, is the part that is controlled by the key and actuates the bolt when it is turned. The plug is normally prevented from moving because there are normally five, six, or seven pin tumblers that protrude from the fixed part of the lock, called the shell, into the plug.
In order for this lock to be opened, all of the bottom pin tumblers must be raised precisely to the shear line, (the exact point at the top of the plug), so that it can rotate freely. If any pin is even a couple thousandths of an inch above or below the shear line, then the plug is stopped from turning.
In the diagram above (we slapped it in a second time so you don't have to keep scrolling up), all of the bottom pins are aligned at shear line. They are shown in green. The depths for four of the pins are shown. Note that the shortest bottom pin corresponds with the shallowest cut of the key and is given the code value of "0" by the manufacturer. There is a direct correlation between the depth of the pin and its number. All lock makers assign values to each pin depth so that keys can be replicated by number rather than requiring the physical key. The deepest cut (and longest bottom pin) in this lock is 9. This is an important concept to understand when discussing bump keys, because the proper bump key requires that all of the bitting positions be cut to the deepest depth, the highest code value. In this example, that would be 999999 (see: the topmost picture).
We need to understand two concepts: what keeps the lock from opening, and more importantly, how can we unlock our cylinder? The first question is simple to answer. Without any key inserted, each top pin will occupy space in the chambers of both the shell and the plug. This will prevent the plug from turning. When the wrong key is inserted, one or more tumblers are either above or below shear line, depending upon the key bitting. Either way, the plug is prevented from rotating because the pin forms an obstruction that binds the plug to the shell. The lock can be opened only when there is no obstruction crossing the shear line. This can happen in one of several ways.
Of course, a key can raise all of the lower pins to the shear line, which will in effect make the plug into a solid block of round metal, free to turn. Note, I said "a key" rather than the "correct key," because in a master key system, many different keys will open a given cylinder. In our simplest of examples, we raise the lower pins to shear line with the correct key, and the lock opens.
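The shear-line rule described above (every chamber must have a pin boundary exactly at the shear line, a wrong cut in any one chamber binds the plug, and master wafers give a chamber more than one acceptable cut) can be made concrete with a small model. The following Python is an added example written for this column, not code from the author or from any lock manufacturer. It assumes an idealized geometry measured in the manufacturer's code units: a cut with code value c leaves the key surface at height 9 - c, a bottom pin with code value b is b units long, the shear line sits at height 9, and master wafer thicknesses are also whole code units. It ignores manufacturing tolerances, security pins and the dynamics of a bump, and the pin stacks in the examples are constructed, not taken from any real product.

```python
"""Toy model of a pin tumbler cylinder: which keys turn the plug, and why a key fails.

Added example for this column (not the author's code). Geometry is idealized:
code units only, no tolerances, no security pins, no kinetic effects.
"""
from dataclasses import dataclass, field
from itertools import product
from typing import List, Sequence, Tuple

MAX_DEPTH = 9            # code values run 0 (shallowest cut / shortest pin) to 9 (deepest)
SHEAR_LINE = MAX_DEPTH   # model assumption: plug/shell boundary sits at height 9


@dataclass
class Chamber:
    """One chamber: a bottom pin plus zero or more master wafers stacked above it."""
    bottom: int                                   # code value (length) of the bottom pin
    masters: List[int] = field(default_factory=list)  # master wafer thicknesses, code units

    def splits(self, cut: int) -> List[int]:
        """Heights of every pin-to-pin boundary when a cut of code value `cut` sits under it."""
        surface = MAX_DEPTH - cut          # deeper cut (bigger code) -> lower key surface
        h = surface + self.bottom
        heights = [h]                      # top of the bottom pin
        for m in self.masters:
            h += m
            heights.append(h)              # each master wafer adds another split
        return heights

    def blocks(self, cut: int) -> bool:
        """True when no split lies exactly on the shear line: a pin straddles plug and shell."""
        return SHEAR_LINE not in self.splits(cut)


def _check(chambers: Sequence[Chamber], bitting: Sequence[int]) -> None:
    if len(bitting) != len(chambers):
        raise ValueError("bitting must have one cut per chamber")
    if any(not 0 <= c <= MAX_DEPTH for c in bitting):
        raise ValueError("cut outside the manufacturer's depth range")


def plug_turns(chambers: Sequence[Chamber], bitting: Sequence[int]) -> bool:
    """The plug rotates only if every chamber has a split exactly at the shear line."""
    _check(chambers, bitting)
    return not any(ch.blocks(c) for ch, c in zip(chambers, bitting))


def binding_positions(chambers: Sequence[Chamber], bitting: Sequence[int]) -> List[int]:
    """Chambers (0-based, from the shoulder) that stop the plug for this key."""
    _check(chambers, bitting)
    return [i for i, (ch, c) in enumerate(zip(chambers, bitting)) if ch.blocks(c)]


def opening_keys(chambers: Sequence[Chamber]) -> List[Tuple[int, ...]]:
    """Every bitting that turns the plug; a non-master-keyed cylinder yields exactly one."""
    per_position = [[c for c in range(MAX_DEPTH + 1) if not ch.blocks(c)] for ch in chambers]
    return list(product(*per_position))


def bump_key_bitting(pins: int) -> Tuple[int, ...]:
    """A bump key is cut to the deepest value in every position (999999 for six pins)."""
    return (MAX_DEPTH,) * pins


def overlifted_positions(chambers: Sequence[Chamber], bitting: Sequence[int]) -> List[int]:
    """Chambers whose bottom pin is pushed above the shear line when this key is fully in.
    An all-9 cut never does this, which is why every pin can be struck from below."""
    _check(chambers, bitting)
    return [i for i, (ch, c) in enumerate(zip(chambers, bitting))
            if (MAX_DEPTH - c) + ch.bottom > SHEAR_LINE]


if __name__ == "__main__":
    # Constructed six-pin, non-master-keyed cylinder.
    plain = [Chamber(b) for b in (2, 5, 0, 9, 4, 7)]
    print("correct key turns plug:", plug_turns(plain, (2, 5, 0, 9, 4, 7)))
    print("one cut off by one binds chamber:", binding_positions(plain, (2, 5, 0, 8, 4, 7)))
    print("keys that open it:", opening_keys(plain))
    # Constructed five-pin master-keyed cylinder: three chambers carry a master wafer.
    mk = [Chamber(3, [2]), Chamber(5), Chamber(2, [3]), Chamber(6), Chamber(4, [1])]
    print("number of bittings that open the master-keyed cylinder:", len(opening_keys(mk)))
    print("bump key overlifts:", overlifted_positions(plain, bump_key_bitting(6)))
```

Each master wafer doubles the number of acceptable cuts in its chamber, so the constructed five-pin cylinder above is opened by 2 x 1 x 2 x 1 x 2 = 8 distinct bittings, not one; that is the point made in the paragraph about "a key" versus "the correct key".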
One form of bypass is picking, which actually simulates a key. Pins are individually raised to shear line and trapped there. Once all tumblers are "set" at this position, the plug is free to rotate and the lock can be opened. Another form of bypass, and the subject of this article, is bumping.
Earlier I stated that there can be no obstruction at the shear line for the plug to rotate. That means that the pins must be split precisely at the shear line, as would be the case in the normal operation of the correct key. But, there is another way, and that involves not only splitting the pins but creating a gap that crosses the shear line. This is what bumping is all about. The top and bottom tumblers are separated for a brief moment; just long enough for a gap to be created at shear line which allows the plug to be turned. As I will explain, this method is perhaps the simplest and fastest way to compromise a pin tumbler mechanism. The problem is integral to any lock that employs split pins in each chamber. Many have asked me if this means that the lock is defective. The answer is no; it is just a built-in problem that needs to be understood and addressed.
Theory and history of bumping
The technique of utilizing a specially cut key to open pin tumbler locks has been known for at least twenty-five years and appears to have been first developed by locksmiths in Denmark to disassemble cylinders quickly in their shops. It actually began by "rapping" a lock on the work bench while applying slight pressure to the back of the plug. If done properly, the movable portion of the cylinder would be forced slightly forward, and could be rotated and removed. Locksmiths then figured out that a key cut to all "9" depths (deepest value) could be used to simultaneously transmit energy to the pins to cause the bottom and top tumblers to separate.
The theory of bumping is quite simple and rests on the laws of motion Sir Isaac Newton published in 1687, long before modern pin tumbler locks were invented. Kinetic energy from a strike is transferred through the key to the pins and used to split the bottom and top pin, thereby allowing the plug to rotate. The original method of bumping, which required the key to be withdrawn by one tumbler position and then slammed forward, was replaced in 2004 by what I have referred to as the "negative shoulder" method. This new process made opening some locks quite a bit simpler and more reliable than the original method. In an instant, almost all of the conventional locking mechanisms became vulnerable.
As shown in the diagram below, a bump key is inserted fully into the lock. Because of the removal of a slight bit of material from the shoulder, the key is free to move forward when struck with a mallet (tomahawk), plastic-handled screwdriver, piece of wood, or almost any other weighted item. All of the pins are violently forced upward by making contact with the ramps of the key. This causes the top pins to move and creates a momentary gap between the two within each chamber. If the timing is correct, the plug is free to turn and the lock is open. It is just that simple!
Although I learned the Denmark technique almost fifteen years ago while in Copenhagen, I did not pay a great deal of attention to it in the first edition of Locks, Safes, and Security because it was not thought to be applicable as a covert method of entry. Since 2004, that has all changed. As I have noted in several articles, bumping is perhaps the fastest and easiest way to open a conventional pin tumbler lock, but there are caveats that the reader must understand. The bottom line: a high percentage of the locks in the world are pin tumbler mechanisms. A significant number of those can be compromised by exploiting Newton's Third Law of Motion, "For every action, there is an equal and opposite reaction."
Mechanical Locks: what constitutes security against covert entry?
Security against covert entry can be measured by what I refer to as the 3T-2R rule. All locks can be gauged by this standard, and all standards organizations, UL included, essentially employ the same formula. Simply stated, it relates to the amount of time, the sophistication of the tools and the amount of training that is required to open the lock. Then, the reliability and repeatability of the process must be assured. The lower the requirements for the 3Ts, the greater the threat to security. The problem is compounded if the reliability and repeatability of the process of compromising the lock are relatively high.
Bumping poses a serious security threat because the training needed to bump open a lock is minimal to non-existent. This was evidenced by three separate experiences that I had: a reporter who interviewed me in a recent television story, a correspondent for Newsweek, and the eleven year old at DEFCON were all shown the basic technique of bumping, and within a couple of minutes each was able to open five and six pin cylinders. The tools required are readily available. I have opened thousands of locks using screwdriver handles, a plastic mallet, and even wooden sticks.
Finally, the time to open a cylinder can range from two seconds to more than a minute. As a lawyer, my view is that if a cylinder, any cylinder, can be compromised in under a minute, there is a serious security issue and potential legal ramifications. But this is not the end of the story, because there are certain technical issues that you need to understand. Not all locks can be opened by this method. As noted in my White Paper, there are certain obstacles to success. Unless you have a pre-cut bump key for the proper keyway, the process can prove more difficult or even impossible.
In the second part of this article, I will talk about which locks are secure and which are not. You might be surprised!
Additional materials can be found on security.org and toool.nl. Bumping is thoroughly detailed in LSS+, the multimedia edition of Locks, Safes and Security by the author.
Marc Weber Tobias is an investigative attorney and security specialist living in Sioux Falls, South Dakota. He represents and consults with lock manufacturers, government agencies and corporations in the U.S. and overseas regarding the design and bypass of locks and security systems. He has authored five police textbooks, including Locks, Safes, and Security, which is recognized as the primary reference for law enforcement and security professionals worldwide. The second edition, a 1400 page two-volume work, is utilized by criminal investigators, crime labs, locksmiths and those responsible for physical security. A ten-volume multimedia edition of his book is also available online. His website is security.org, and he welcomes reader comments and email.