Lock bumping

[unixronin]

You may or may not have already seen this news video on a relatively new lockpicking technique called lock bumping.  I just spent about half an hour reviewing various information on it, and it's pretty alarming.

Basically, lock bumping amounts to a class break for ALL mechanical cylinder locks.  It doesn't matter what brand or how many pins.  Five-pin, seven-pin, three-row firteen pin, they're all vulnerable.  All you need is a key blank for the lock type in question and some work with a file (or a couple of minutes on a key cutting machine for that key type), and any cylinder lock can be opened in seconds.

Some US reports assert that more expensive US-made locks (Medeco and Schlage Primus were mentioned by name) are immune to lock bumping.  Lock experts in Germany and the Netherlands say no, it doesn't matter; no mechanical cylinder lock offers any more protection than any other.  In some ways, the more expensive locks are easier to open, because they're machined to tighter tolerances and are smoother internally.

The unpleasant but simple truth seems to be that any mechanical cylinder lock — be it KwikSet, Yale, Schlage, Wiseco, Medeco, or whoever — is now only a psychological barrier, offering no real security whatsoever.

Now that the technique is well known, it's probably possible to design a mechanical lock that cannot be opened by bumping.  How long it will be before they appear on the market is anyone's guess; and how will you know a lock that really is immune to bumping from one that simply claims to be immune but is mechanically unchanged inside?

It may be time to move to electronic locks, or perhaps to electronically coded keys such as those that are becoming increasingly common in cars.  General Motors introduced them first, to my knowledge; it was a simplistic scheme — the keys had an embedded resistor, and if the onboard computer didn't see the correct resistance when the key was turned, it refused to start the car, and (if memory serves) wouldn't allow another attempt for 20 minutes.  Modern coded keys use a digital code and may have many thousands of combinations.  Mercedes-Benz uses infra-red "smart keys" that have no mechanical locking component to the ignition lock at all.

(Note:  I didn't intend to imply this was something brand new.  I said, "relatively new."  It's been known for about a year now, as ilcylic points out.  This was just the first time I'd looked into it in this detail and considered the implications for the real security of what we now consider to be "safe and secure" locks.)

Comments

[ithildae.livejournal.com]

For some locks it is harder to get key blanks. I did some work with a locksmith, so this is not really a revelation. Now that the technique has hit the internet big time, I suppose something new is in order. Our electric combination was just changed from 2-7-1-8-2-8, we learn the right numbers around here.