[Digg] Bump-keying, or your pin tumbler locks are now trivially easy to pick. - Adventures in Engineering — LiveJournal
The wanderings of a modern ronin.

Ben Cantrick
  Date: 2006-08-07 07:47
  Subject:   [Digg] Bump-keying, or your pin tumbler locks are now trivially easy to pick.


It's been possible almost since they were invented to pick pin-tumbler locks. Before bump-keying, though, it at least took some somewhat specialized equipment (lock picks) and at least a couple hours of study to do it reliably. No longer. With bump keying, your lock can be picked in a few seconds by anyone with a file, a screwdriver with a rubber handle, and any key (doesn't have to be a blank) that fits your lock's keyway. And it requires almost no skill to speak of. And the more expensive and better machined lock you have, the easier it is.

I don't mean to make like this is the end of the world. When I watched the video, I was laughing my butt off every time they demonstrated how easy it was to bump a lock... that was two inches away from A GLASS WINDOW! If someone really wants to get into your house, all they have to do is pick up any rock from your yard (or the jackhandle from their car, or the ceramic top from a broken spark-plug they have in their pocket, etc, etc) and break your window.

Security is only as strong as its weakest link. It's foolish to complain about your locks being easy to pick when your windows are made of glass. The only danger the bump key creates is that it's easy for someone to get into your house without you knowing about it. If that's your concern, the counter-measure is simple: An alarm keypad that requires the correct code be entered within 30 seconds of the door being opened. Or you could switch to keyless biometric locks. But those haven't proven to be very hard to fake out either...

In fact, I think if you want real security for your house, you need to incorporate both multiple forms of authentication, and layered security. For layers, I'd suggest getting a dog. Dogs aren't fooled by bump keys. For multiple forms of authentication, remember Schneier's three kinds of authentication: Something you know, Something you have, Something you are.

- Keys, key-cards and RFID chips are something you have.
- Secret codes for keypads or secret passwords are something you know.
- Fingerprint scans, iris scans, and retina scans are something you are.

None of these are foolproof, but using multiple methods in conjunction is always more secure than using only one. If all locks installed required both a key and a fingerprint, bump-keying would be nothing more than an interesting footnote in the obscure history of lockpicking.

Ben Cantrick
  User: mackys
  Date: 2006-08-07 18:01 (UTC)
  Subject:   (no subject)
Hehehe, little hydraulic shock absorbers inside the pin sleeves! It's the latest fad for ricers! "Hey man, did you see those new Nismo progressive rate springs I installed in my dead bolt? Raaaaadical!!"

My idea is to make the pins out of three segments each (like those Medeco locks that fit both a master key and a secondary key) and make the middle segment of the pin out of glass or other breakable material. Twist too hard with the wrong key or a tension tool, CRACK!, pins break and the lock never opens again. Try to bump it, CRACK!, pins break and the lock never opens again. Yes, this is an easy denial of service target, but at least it lets you know when someone has been trying to pick or bump your lock.

The PDF paper also talks about multi-mechanism locks. Pins and a sidebar, for instance. This is probably the better solution, since it doesn't require expensive materials and allows greater diversity of locks. Only problem is it will make life harder for locksmiths.