My recent post on creating and using bump keys generated a respectable amount of buzz, and I'll like to say a few more words on the subject.
First of all, a few people have responded to me saying that I'm educating the criminals. That response was, of course, to be expected; but I don't think it's true. If someone wanted to know, the information is already highly available, much of it more complete than this. My target audience is the people who aren't looking for that kind of thing--the people who actually need to know but don't realize that there's a problem.
While the information in the video I created was presented as a "how to" guide, my primary intention wasn't to train people in this technique, but rather to emphasize just how easy it was to do. Many reports on the subject seem to suggest that some expertise is required: either the aid of a locksmith in creating the key, or some extra skill and expertise to make your own. My point was to show that it's possible for anyone to make their own bump key with no real skill to speak of, no assistance, and no prior experience.
What can you do?
A number of people have asked, with this new threat, how can you keep your house safe? Unfortunately, physical security costs money. And real physical security really costs money. There are safe locks out there, but you're not going to buy them at the hardware store. Furthermore, you're not going to be able to get your keys duplicated by anyone but a vendor-authorized locksmith, and only after presenting proper identification and a fair amount of cash.
Some examples of these high-security locks are the higher-end Medeco locks and the Schlage primus. These locks are not only bump-resistant, but also extremely difficult (nigh impossible) to pick, even for an expert. Some locks are more resistant to bumping than others; though I'm not nearly qualified enough to give out advice about which one you should use. See the "required reading" below for better information on this subject.
Another important consideration is to not rely on just a single mechanism for your security. Locking your doors and windows is important, but you should also have a monitored alarm system, store your valuables out of sight, and don't give thieves a reason to target you. Remember that most thieves prefer to hit the easy targets; that means they prefer houses in "safe" neighborhoods where people don't worry about security, and particularly go for tempting opportunities, like garage doors left open.
A few people have also asked what they can do to help improve the situation, and how to help push the lock makers toward giving us better locks. I think there's two parts to solving this issue. The first thing to do is to increase general awareness of the problem. As long as the public remains ignorant, companies like Kwikset will merrily continue to pretend that all is well; after all, these companies save a lot of research and development money this way. Tell your friends, tell your family; let everyone know. People have to understand that this is important. The second part of this solution is to let the lock making companies know in a way that they'll listen to: your purchasing decisions. These companies are in business not to make locks, but to make money; the locks are a means to an end. When Kwikset learns that people are, in alarming numbers, willing to spend ten times as much to buy a competitor's bump-resistant lock instead of their own classic lock, you better believe that Kwikset will start putting more money into high-security alternatives.
Did you say 10 times as much?
Yeah, that's probably a significant detail. With locks, you often get what you pay for: a $20 lock buys you about twenty dollars worth of security. What kind of valuables are you securing? Does $20 sound like the appropriate security investment to safeguard a $300,000 home? How about $100; does that seem like the appropriate investment? Better security costs more. However, the better known a given attack vector becomes; the more it will be guarded against. And of course, the more locks guard against that attack, the cheaper it will be to find one that does.
I'm no authority on this subject; I can't help you if your key doesn't work, I don't know enough to help you secure your house, and I couldn't give you much background information on this subject. But I can point you in the right direction.
Locked, but not secure (part 1) -- An explanation and history of bump keys.
Locked, but not secure (part 2) -- Which locks are vulnerable, which locks are not, as well as security and insurance implications.
http://www.toool.nl/bumping.pdf -- A lock picking organization's canonical explanation of bump keying.
http://www.crypto.com/hobbs.html -- Is it harmful to disclose this sort of security vulnerability to the public?