My recent post on creating and using bump keys generated a respectable amount of buzz, and I'll like to say a few more words on the subject.
First of all, a few people have responded to me saying that I'm educating the criminals. That response was, of course, to be expected; but I don't think it's true. If someone wanted to know, the information is already highly available, much of it more complete than this. My target audience is the people who aren't looking for that kind of thing--the people who actually need to know but don't realize that there's a problem.
While the information in the video I created was presented as a "how to" guide, my primary intention wasn't to train people in this technique, but rather to emphasize just how easy it was to do. Many reports on the subject seem to suggest that some expertise is required: either the aid of a locksmith in creating the key, or some extra skill and expertise to make your own. My point was to show that it's possible for anyone to make their own bump key with no real skill to speak of, no assistance, and no prior experience.
What can you do?
A number of people have asked, with this new threat, how can you keep your house safe? Unfortunately, physical security costs money. And real physical security really costs money. There are safe locks out there, but you're not going to buy them at the hardware store. Furthermore, you're not going to be able to get your keys duplicated by anyone but a vendor-authorized locksmith, and only after presenting proper identification and a fair amount of cash.
Some examples of these high-security locks are the higher-end Medeco locks and the Schlage primus. These locks are not only bump-resistant, but also extremely difficult (nigh impossible) to pick, even for an expert. Some locks are more resistant to bumping than others; though I'm not nearly qualified enough to give out advice about which one you should use. See the "required reading" below for better information on this subject.
Another important consideration is to not rely on just a single mechanism for your security. Locking your doors and windows is important, but you should also have a monitored alarm system, store your valuables out of sight, and don't give thieves a reason to target you. Remember that most thieves prefer to hit the easy targets; that means they prefer houses in "safe" neighborhoods where people don't worry about security, and particularly go for tempting opportunities, like garage doors left open.
A few people have also asked what they can do to help improve the situation, and how to help push the lock makers toward giving us better locks. I think there's two parts to solving this issue. The first thing to do is to increase general awareness of the problem. As long as the public remains ignorant, companies like Kwikset will merrily continue to pretend that all is well; after all, these companies save a lot of research and development money this way. Tell your friends, tell your family; let everyone know. People have to understand that this is important. The second part of this solution is to let the lock making companies know in a way that they'll listen to: your purchasing decisions. These companies are in business not to make locks, but to make money; the locks are a means to an end. When Kwikset learns that people are, in alarming numbers, willing to spend ten times as much to buy a competitor's bump-resistant lock instead of their own classic lock, you better believe that Kwikset will start putting more money into high-security alternatives.
Did you say 10 times as much?
Yeah, that's probably a significant detail. With locks, you often get what you pay for: a $20 lock buys you about twenty dollars worth of security. What kind of valuables are you securing? Does $20 sound like the appropriate security investment to safeguard a $300,000 home? How about $100; does that seem like the appropriate investment? Better security costs more. However, the better known a given attack vector becomes; the more it will be guarded against. And of course, the more locks guard against that attack, the cheaper it will be to find one that does.
I'm no authority on this subject; I can't help you if your key doesn't work, I don't know enough to help you secure your house, and I couldn't give you much background information on this subject. But I can point you in the right direction.
Locked, but not secure (part 1) -- An explanation and history of bump keys.
Locked, but not secure (part 2) -- Which locks are vulnerable, which locks are not, as well as security and insurance implications.
http://www.toool.nl/bumping.pdf -- A lock picking organization's canonical explanation of bump keying.
http://www.crypto.com/hobbs.html -- Is it harmful to disclose this sort of security vulnerability to the public?
Edit: 7/7/08: Two years ago I posted this article with the intention of fueling the fire of public discontent with the existing lock technology, with the hopes that it would drive the lock makers to respond with better, more secure technology.
I've recently learned that the companies that make these products have, after literally decades of knowingly shipping insecure products, begun to respond to the challenge and actually build a safer product. Master Lock, in particular, has released what they call "bump stop" technology, with a specially crafted pin that makes lock bumping difficult if not impossible. Here's a YouTube video describing the technology.
At the moment, this type of lock is difficult to obtain for residential use; and while technology rarely ever works as well as the manufacturer claims, the important thing here is that bump resistance has become one of the metrics by which the security of a lock is measured, and products are already available to some consumers that address this threat. In short, it we're at least on the right track.
And now, on with the original article.
I recently saw a report on bump keying and how it, in theory at least, makes pin-and-tumbler locks useless. I was a bit skeptical, so I decided to try it out.
Using nothing but the little information I had gained through some Internet searches and You Tube videos, I took an old, unused key, filed it down to the appropriate shape, and tried it in my front door.
It worked first try.
This is serious. Though I've been taught how to pick locks, I've never successfully opened anything other than a simple desk drawer lock. With this one bump key, I can open about 40% of the locks I encounter in my day-to-day activities. A second key gets will open another 30% of the locks I encounter in a day, and between the two of them, I can open nearly every residential lock I've ever seen. This has very serious implications in the world of home security.
Making a bump key is trivially easy, and costs about $4 to do (or free if you already have an old key and a file). It's not a new technology, and has been used for a few years no by criminals to break into house without leaving obvious signs of forced entry.
Burying Our Heads in the Sand
Continuing to keep this technique hidden from the public is not serving our best interests. The more expensive locks you can buy at the hardware store are expensive because they're more difficult to open with a lock pick. Those same locks, though, can be opened in under 10 seconds by a bump key; often, the more expensive the lock, the easier it is to open. Everybody knows about lock picking, so lock makers build locks resistant to that technique. Very few people have heard of bump keying, so lock makers don't bother to make bump-resistant locks. (There's good reason for them to drag their feet; bump keying is a very, very difficult technique to guard against without radical changes to the way keys and locks work).
Nonetheless, the problem is here, it's serious, and it's not going away. Our only hope for any sort security is to force lock makers to start selling bump-resistant locks. They'll do that only when the general public finds out that they're being sold snake oil, not security. Our only hope is raising awareness.
To that end, I've created a simple video showing the basics of how to create and use your own bump key. All you need is an old key and a file to cut it with. You'll be opening doors within an hour.
I'm no expert at this. Not at lock picking, not at bump keying, not at anything I've talked about here. However, I know who is. Check out www.toool.nl/bumping.pdf for some refinements on this technique.
In particular, their "Minimal Movement" technique caught my attention. I was surprised to find that the directions in the referenced PDF file were all I needed to make that technique work. Unfortunately, in my zeal to create the most efficient bump key, I managed to file away too much and ruin the key.
However, and this is the point, making a new bump key is so easy that there's really no way to guard against it. You can't control through legislation any more than you can control lock picks (I've seen a lock picked with a screwdriver and a paperclip--you can't outlaw that!).
So try it out, tell your friends. This is an interesting skill that you can master in just a couple of hours, and a great way to impress strangers at parties. More importantly, when word finally gets out that everybody knows how to bump locks, lock makers will have to respond with better security.
I've recently added a follow-up article to this one that answers a number of questions and gives further information about how you can protect yourself. The article is (unremarkably) entitled Bump Key Follow Up.
I Need a New Blog.
This one is largely an unfocused repository for whatever I happen to have to say at the moment. And while that was the original intention, it's not an optimal solution. So, I've decided to break my writings up into the following categories:
- Technical articles - How-to's, explanations, tips, etc. This will probably be the meat of my writings.
- Personal happenings - Sort of a family newsletter idea. Interesting to relatives and close friends; terribly uninteresting to everyone else.
- Snide Remarks - Political commentary, opinions, editorials, that sort of thing.
Perhaps there's more to add, but that should be enought to get along with. I'm pretty sure I've got some interesting stuff to say, but one of my primary problems is that it never seems relevant to the subject of my blog... probably because my blog has no subject. Do my latest .NET coding tricks belong here? How about my musings about some bit of software I've been trying out? I don't know.
I would like to have everything hosted on my site: it sure helps my search engine ratings--my personal website is actually ranked higher than my employer's; higher than most people's, for that matter (5 of 10 by Google), meaning that most of what I write about becomes "important" in web searches if it's not too common a topic.
Since I'm going to be changing things around, I'd be interested to hear about alternatives for my blogging software. I'm using WordPress right now; It's nice and all, but I would like a bit more direct control over the content formatting. Less like blogger, more like Slashdot, if that makes sense.
Wiki-based systems are somewhat attractive if you can make the paradigm work. WordPress is always an option. I expect that this may become my new homepage, so it should be highly customizable with minimal hacking.
More on this is probably to follow once I get more figured out.
I just started a technology podcast I'm calling the "Tech Tricks Podcast." The first show was posted yesterday the 21st, and runs about 35 minutes. Blogs are great, but podcasts are audio, adding a certain extra bit of interesting-ness.
I'll, of course, continue to post content here, but please have a look at this new show and tell me what you think.
I hadn't realized just how much your day-to-day experience colors your overall perception. For example, listen to this little (absolutely true) story.
Last night, my wife and I decided to go to the store to get some food. It's been fairly cold recently, so we decided to have a quick look at the weather to see if we should wear a coat or just a light jacket. The thermometer showed that it wasn't too cold, so we both decided to take just a light fleece. We had a fun evening; it was cool out, but not too cold, just like we had envisioned.
Now that you've heard the story, let me fill you in on the details. We live in Colorado up in the "high country," at around 7000 ft elevation. When I said it had been "fairly cold," I mean that temperatures had gotten to -15°F the night before; that's before adding wind chill. Days had stayed in the single digits most of the week.
So when we decided that it was light-fleece weather, it was actually 25°F outside, still well below freezing. Of course, it's not humid here, so it was a nice, cozy 25°; but still, well below freezing. So how exactly did I begin to think that this sort of weather is not that bad? Well, my criteria for this sort of decision has changed. For example, above about 10° it no longer hurts to breathe. That makes me feel a lot warmer. Above 20°, I can make it from my car to the store without losing too much body heat. I never intend to spend more than 2 minutes out in the weather at a time, so extended exposure really doesn't even factor into the decision. Having spent all my childhood in Phoenix, I still find my new perception on this subject quite surprising.