My recent post on creating and using bump keys generated a respectable amount of buzz, and I’ll like to say a few more words on the subject.
First of all, a few people have responded to me saying that I’m educating the criminals. That response was, of course, to be expected; but I don’t think it’s true. If someone wanted to know, the information is already highly available, much of it more complete than this. My target audience is the people who aren’t looking for that kind of thing–the people who actually need to know but don’t realize that there’s a problem.
While the information in the video I created was presented as a “how to” guide, my primary intention wasn’t to train people in this technique, but rather to emphasize just how easy it was to do. Many reports on the subject seem to suggest that some expertise is required: either the aid of a locksmith in creating the key, or some extra skill and expertise to make your own. My point was to show that it’s possible for anyone to make their own bump key with no real skill to speak of, no assistance, and no prior experience.
What can you do?
A number of people have asked, with this new threat, how can you keep your house safe? Unfortunately, physical security costs money. And real physical security really costs money. There are safe locks out there, but you’re not going to buy them at the hardware store. Furthermore, you’re not going to be able to get your keys duplicated by anyone but a vendor-authorized locksmith, and only after presenting proper identification and a fair amount of cash.
Some examples of these high-security locks are the higher-end Medeco locks and the Schlage primus. These locks are not only bump-resistant, but also extremely difficult (nigh impossible) to pick, even for an expert. Some locks are more resistant to bumping than others; though I’m not nearly qualified enough to give out advice about which one you should use. See the “required reading” below for better information on this subject.
Another important consideration is to not rely on just a single mechanism for your security. Locking your doors and windows is important, but you should also have a monitored alarm system, store your valuables out of sight, and don’t give thieves a reason to target you. Remember that most thieves prefer to hit the easy targets; that means they prefer houses in “safe” neighborhoods where people don’t worry about security, and particularly go for tempting opportunities, like garage doors left open.
A few people have also asked what they can do to help improve the situation, and how to help push the lock makers toward giving us better locks. I think there’s two parts to solving this issue. The first thing to do is to increase general awareness of the problem. As long as the public remains ignorant, companies like Kwikset will merrily continue to pretend that all is well; after all, these companies save a lot of research and development money this way. Tell your friends, tell your family; let everyone know. People have to understand that this is important. The second part of this solution is to let the lock making companies know in a way that they’ll listen to: your purchasing decisions. These companies are in business not to make locks, but to make money; the locks are a means to an end. When Kwikset learns that people are, in alarming numbers, willing to spend ten times as much to buy a competitor’s bump-resistant lock instead of their own classic lock, you better believe that Kwikset will start putting more money into high-security alternatives.
Did you say 10 times as much?
Yeah, that’s probably a significant detail. With locks, you often get what you pay for: a $20 lock buys you about twenty dollars worth of security. What kind of valuables are you securing? Does $20 sound like the appropriate security investment to safeguard a $300,000 home? How about $100; does that seem like the appropriate investment? Better security costs more. However, the better known a given attack vector becomes; the more it will be guarded against. And of course, the more locks guard against that attack, the cheaper it will be to find one that does.
Required Reading
I’m no authority on this subject; I can’t help you if your key doesn’t work, I don’t know enough to help you secure your house, and I couldn’t give you much background information on this subject. But I can point you in the right direction.
Locked, but not secure (part 1) — An explanation and history of bump keys.
Locked, but not secure (part 2) — Which locks are vulnerable, which locks are not, as well as security and insurance implications.
http://www.toool.nl/bumping.pdf — A lock picking organization’s canonical explanation of bump keying.
http://www.crypto.com/hobbs.html — Is it harmful to disclose this sort of security vulnerability to the public?
Yea – Not very safe at all. I was going to get a more expensive lock too but after reading this it seems there’s no reason too. I guess i’ll just get a big dog.
I mean, how could I when there is a site selling them for anyone to buy. http://www.bumpkey.us has been selling them for some time – scary.
I guess i’ll just get a big dog.
Might I suggest a big gun as well? Think of the dog as a warning system. You’ll know there’s a bad guy, but what do you do about it?
“Security through Obscurity” doesn’t really work. The burglars all know all the tricks! This is good info, and there is lots more. Go and study how to secure a castle, against all comers!
Now, if you include electronic invasion of your privacy, you really do have a panorama of problems! Why I switched all my friends and family to http://pclinuxos.com or, got them some Macintosh computers.
You might want to look into Abloy locks, theese are used all over scandinavia and are completley bump resistant.
Hi,
I really enjoyed your video but I cannot seem to open my own door with this technique. I bought a key online, and I’m not sure if its me or the key itself that is the problem. I’m suspecting the key, but this is because I’ve seen and read plenty of material on this, and still cant get it to work. I’m using the rubber handle of a hammer to apply the force, and the bump key. Images of the bump key are at: http://photos.yahoo.com/bstheeojunk Can you please tell me if this key is not yet ready for primetime? I think the tip of the key looks too steep, and thats possibly the problem. Please email me at bstrand@usc.edu if you can help me out. Thanks!
Brian
I am ordering the $200.00 locks, thanks for the info. This explains why the people at the hardware stores normally answer vaguely when you ask them are the basic $26.99 locks are safe. For my family’s safety number 1 and the valuables in my home, the costly locks are worth the upgrades. Dogs can be shot, seen that in Fla.
Why not squirt a viscous fluid into the key way to damp pin inertial movement? It would prevent the pins from moving very far after the impact from the ramp of a “bumping key.” The slower insertion of the correct key would still move the pins to the correct position. A heavy weight motor oil (or even molasses – if you don’t mind ants) might do the job. Hey, maybe this is an idea worth a big bucks patent – but I said it here and it’s free from me.
Tyler,
While your intentions might be good, your logic is flawed when it comes to not educating criminals. What you fail to realize is that there are criminals out there, and then there opportunists who become criminals. While I agree that the criminals will get in regardless of the lock, just as they will carry a gun regardless of the law, the juvenile, or maybe adult, bored at home, has now been intrigued to do what he/she never would have probably conceived – to try this key on someone ELSE’S home. You have thus turned a relatively innocent person into a felon. Don’t respond that this is not going to happen, because I see it happen. Please keep this in mind when you consider educating people on bomb building!!
Bob Valley is right…I think I’ll try this!!
at your house!
This has opened my eyes a lot. I’m the locksmith for a big University.
Hi Tyler,
I’m using the comment feature to get in touch with you since I can’t find an email address, so please do not publish this post. First, I gotta say that I found your video on Google (via Wiki) and then came over to your site. I like the way you write and I’ve bookmarked your site.
The reason I’m contacting you is to ask if I can buy a text link ad on your blog for an online locksmith website that I promote. I market several sites and may actually purchase several text links if you are willing to sell. That being said, how much (if at all) would a text link cost per year?
One other note, I noticed that you have the following text above the Google ads block “Please click on one of the links below to help pay for this site.” This is technically against G’s TOS and may get your account removed, just FYI.
Thanks,
Beau
Hi!
This is a very interesting subject. someone at school told me about this bump key thing that apparently has been going on for a while and i decided to look it up and found your video! needless to say this is scary. i am 22, female and physically a very weak person. not to mention i do not live in a safe area and i live alone!
but thank you because i ordered a bump key on a site online to see if i could do it. but i cannot and i attribute this to not knowing anything about locks. ive tried to learn about them but i just dont get it. its very depressing actually, i keep trying on my patio door that has a deadbolt on it but you know. i dont think i will ever get it but it scares me.
Well, I believe you should remove the video.. do you know how many thieves are watching or people that will send this around to others with bad intentions… its a how to on where to get, make and use bump keys.. don’t make it easier, just keep the article, but the video is just to much..
There is a cheap and easy way to make a lock bump-resistant. If you have some locksmithing tools. Yes I know most people don’t. Anyways if you take apart a lock and take the top pin out, and replace it with a thin pin then a thicker pin. When bumped the thin pin jumps, but the thin pin is already out of the cylinder and its the thicker pin thats blocking the lock from turning.
Yes, its not fullproof. But it does help.
Comment #15 is close, but I’m not sure it would actually help like they think. I’ve been in the hardware business for 12 years and can rekey a Kwikset deadbolt in less than sixty seconds. What #15 is referring to are master pins. The problem with this stopping the bump key is that master pins let two or more keys open the locks. If he bump key catches between the pins as they are suggesting, the cylinder can still turn and the lock will open. To fix the problem use PICK RESISTANT PINS. Most of the lock companies already make them. To get them put in just take your lock into most hardware stores (call about this first) and they can replace the first two or three top pins with the pick resistant SPOOL PINS for $5 to $10 per lock. P.S.-Last I heard, Depot only rekeys new locks bought there.
Sorry, now I have to recant my above comment #16. Spool pins will not always stop a lock from being bumped open. There are only two types of locks that have been tested “Bump-Proof”. They are the Medecco line and the Schlage Everest series and can only be purchased through licensed and bonded locksmiths.
Great video… I agree with you, why hide the truth? Anyone who wants to learn how to do this will figure it out one way or another, just do a google search. Now that I’m better informed I can upgrade my locks. I’m sure the lock companies also love your video!
Thanks
I would say this is pretty much bull. I have been a locksmith for 7 years now. If a lock is pinned correctly, a bump key is pretty much useless. For instance, if the pins are all 9′s or all 7′s or something, then yea, a bump key will work. But in my clark security classes I was taught to never pin a lock in this fashion, because it will make the lock vulnerable to picking and bumping. All locksmiths should know better than to pin a lock up to a vulnerable key. This is a good reason to have your locks changed by a locksmith, not a hardware store. If a lock is pinned to a good key, like 16161, it will never be bumpable, or pickable. Also, these days most locks (higher grade kwicksets, and all shlage, and all baldwins) have mushroom pins inside of them (http://www.capricorn.org/~akira/home/lockpick/p35a-nt_b.gif). When you put some torque on the lock sideways, the mushroom pins cause the lock to bind up and the pins will no longer be movable. Want to know how criminals get in? They break windows and kick doors, not stand there for 10 minutes finessing locks. Saying that this technique will work in “all locks the key will slide into” is completey and utterly false. Contact a real locksmith and ask them. Any locksmith will tell you the same thing. A good key is not bumpable nor pickable. Since this post I have received hundres of calls asking for medeco locks and high security bump proof locks. It was recently on the news here in sacramento. I’ll tell you what, locksmiths selling people medeco locks for their front doors are taking advantage of the people. Even if you put a Medeco or Primus or Everest lock on your front door, the lock can be drilled out in 20 seconds flat. Also, any big guy could just kick the door, or grab a rock and throw it through the window. Crow bars can be bought fromt he hardware store. From a criminals perspective, screw bump keys, get a crow key(crow bar) or a rotary pick(a drill).
To the guys that can’t seem to get this to work. It’s because this guys lies. Bump keys rarely work. If they are working on your locks it’s becasue you have a) a weak key. A key like 11111, or 21212, or 98998, is easy to pick with a bump key. Or b) you may have master pins in your lock. This may be the case in a dorm or an apartment (allthough a master key system in an apartment building is completely illegal, and for good reason). A standard shlage lock has 10 different depths of cuts, and 5 cuts on the key(good shlages, like baldwins, have 7 cuts). That gives us 10^5 possible keys for a standard shlage, or 100,000 possible combinations. Out of these keys, probably 1,000 are bumpable. All locksmiths use strong keys when the key locks (unless they’re not good locksmiths). My strong key set consists of only keys that are non-pickable and non-bumpable. If you pin a lock up to 26315, or 16942, or some good combo like this a bump key will just not work, period. This guy is trying to scare people so he can rip them off with $200 Medeco and Primus locks. Buying these locks will really do you no good, a criminal will still have no problem breaking a window. Get an alarm, not a new lock. If you can bump lock, go to a local locksmith and have him pin the lock to a bump-proof key, and ask him to use mushroom pins in the lock. Then try your bump key again. You will see that it simply will not work. I’m sure some of you reading this have even seen professional locksmiths, with real lock picks, have a hard time opening a lock and have to drill out the cylinder. This is because bump keys and picks are practically useless if the lock is pinned correctly.
This is my first foray into web chat rooms. I will make it brief. I worked my way through college with part time job as a locksmith. Registered and bonded. Full time on summer ‘vacations’. I totally agree with the last comment I read here about keying properly. Haven’t been in the biz for 30 years as I find being a engineer more rewarding. I will rekey for friends and neighbors. Last one was a neighbor after an ugly divorce. I rekeyed after picking and replacing the padlocks he had put on the Power box, and phone box. She locked herself out while I was out of town. The pro couldn’t pick it. Had to be drilled. I said I told you it be a tough one to pick! This a free service I provide to friends and neighbors.
Most dogs in the US are trained to be friendly. I know at least two families who were burgled successfully despite having dogs in the house… and that TV show about the two burglars brings the point home repeatedly.
As to guns, you’d better (A) know how to use one before you depend on it, and (B) be prepared for more trouble than you ever saw in your life if you DO use it, no matter how justified you are. Read Massad Ayoob’s “In the Gravest Extreme” – in fact MEMORIZE it.
Thanks for backing me up on this Ronald. This has been blown way out of proportion. It has been on the news recently here in Sacramento, and I have received hundreds of phone calls regarding this. In my opinion, selling someone a $200 lock is ripping them off. Sure, if you have some mansion then maybe you want $200 locks to go along with your security system. But for an every day, middle-class person like myself, this is just going way to far. Primus/Everest/Medeco locks are very pricy, and I can still open one within 2 minutes with a drill, or 5 seconds with a crow bar. Titans, Shlages, and Baldwins are all very pick/bump resistant these days, as well as the Kwicksets that are labled Protecto Lock (Kwicksets, aside from thir Titan series, are very cheap and I don’t reccomend their low-end models as the lifespan is pretty short. Also the cylinders in the knobs are held in place by two pieces of paper thin pot metal). These lock are generally in the $50 range, rather than the $200-$300 dollar range. And again, a good crow bar will open a Primus just as quickly it will any other lock.
the locksmiths here are right. But the one detail to really focus on is that only a lock/key set that has at least ONE pin set at the lowest setting (the highest number setting) is unbumpable. Kwiksets in particular are usually easy to bump. I won’t say exactly how, but I was able to pretty much test 200 different locks, and only ones with pins at the lowest setting gave me problems (which were few).
Hmmm. I am not a locksmith, and barely a hobbyist. I have had very little difficulty bumping locks. I have bumped Kwicksets, Schlage, Masterlock padlocks, even my wifes Ford Focus (had to file a key from our old ford), though it did set off the alarm, I got in. Nearly everybody I know (and had bump keys for, or took the time to make) I opened their lock. I do it mostly to let people know I can, and how easy it is. They dont rely on them now. Probably 80% of the locks ive bumped took me 5 seconds. 10% maybe 10 seconds, and the other 10% I could not bump in 5 minutes.
Am I getting something you other guys arent? I dunno.
In spite of your self-righteous claim that anybody can find this information out, that doesn’t excuse you from blame when someone learns how to do this from YOUR posting.
Instead of spending most of your video time as an burglary tool instructional session, you could have effectively shown people why this is such a real danger in just sixty seconds without the details (“See, this really works. It’s not just another urban legend. Take the proper precautions.”)
But no, sadly you need to feel powerful and important, so you post something that will get you attention (the wrong kind). You’re just looking for people to tell you how “cool” you are. You’ve sold out, and other people are going to pay the price.
How sad you are. Thanks for nothing. Pull the video before it does any more damage.
How major stupid are you to show this to the world??
Not once to you show people how to protect themselves !!
Do you have half a mind what you did by posting this?
After seeing a news clip on bump keys, I ordered a set of bump keys off the internet. Not to burglerize, but out of curiousity. Four different people from work figured out how to do it in 5 minutes or less (master lock). This is scary stuff, and I’ll probably be replacing locks real soon. No more cheap locks.
The comments from so called experts are incorrect. There is no such thing as a ‘good combinations’ Mushroom and spool pins dont do anything either. There are several bumping techniques and some are highly efficient at overcoming the resistant combinations and shaped pins. It is mooted that it is impossible to make a ‘standard’ pin tumbler lock immune to bumping. That too is incorrect. I agree that people are being mislead as to the level of threat and the remedies. Save your money because bumping will be very old news in about 2 months time. If you take a very close look at all the TV news items you will notice something common and that didnt happen by accident. Some major US companies have exploited bumping by using the fear of crime to promote their products and they should be ashamed. There are no recognised tests or standards anywhere in the world with regards to bumping and it wil take at least another 12 months before there are any. The physics behind bumping is far more complicated and subtle than people realise, however the physics behind defeating isnt.
I wouldn’t call the physics complicated. Basically lock picking works because the tumblers inside a lock are never perfectly aligned, so when you put some torque on the cylinder plug one tumbler will bind inside of the cylinder housing. The bound pin is the pin that needs to be picked, and if you move the bound pin to the correct position, the lock will turn slightly and bind on the next pin.
Bumping is more a raking technique (like the old bobby pin method) then a picking technique in my opinion; you put some torque on the lock and run the key in and out. Or another technique is run the key in one time quickly. No matter how you pick or bump, if there’s even one mushroom pin inside the lock, when you put torque on the cylinder plug the mushroom pin is going to allow the cylinder plug to turn slightly, and the holes in the cylinder plug are simply not going to line up with the holes in the cylinder housing. This will bind the lock and render bumping/picking almost useless.
I’m not saying that a lock with mushroom pins is impossible to pick; generally when picking these I try to push the bottom pins all the way into the cylinder housing and pick by dropping the bottom tumblers rather than raising them, therefor not allowing the cylinder plug to bind. What I am saying is that mushroom pins will make it much less likely for bump keys to work. I pick locks a lot. I can pick a lock with mushroom pins _maybe_ 1 out of 5 times. Add a good tumbler combo (16161 or something) to the equation and even a good professional locksmith will not be able to pick it, even in an hours time (at a job I pick for 2 minutes then it’s time to drill. Cylinders for Shlage are $14 my cost, and Kwickset cylinders are $7). As earlier mentioned, even a combo like 00000 or 01001 would be hard to bump (not hard to pick), because bump keys just do not bounce the tumblers high enough to get the low bit combos. Even if bump keys did bounce the pins high enough to hit the low bits, a bump key would not bounce one pin all the way up to a 0 and another only to a six without binding the cylinder plug (which is why good locks use mushroom pins).
What I see on this page is people saying “I can pick every single lock with bump keys”. This is not true. Instead of saying that you can pick every lock, I’d like to see video footage of someone pinning a lock with mushroom pins and a good combo and then bumping the lock. Take your camera, point it at yourself, replace your 14mc cutter with your 47degree cutter, and cut a SC1 to 06060. Then drop your top pins and replace them with mushroom pins, and pin it up so we can see the depths of the bottom pins in your pin kit, and bump it with no camera cuts. I know that I’ll never see this footage because it can’t be done.
IF YOU HAVE SOMETHING AND THEY WANT IT , THEY WILL GET IT, BUMP OR NO BUMP.AFTER ALL IT’S NOT SO HARD TO FIND AN OPEN OR BREAK A WINDOW GLASS, YES MORE OBVIOUS (DURING THE DAY)BUT I’LL BET sTILL MORE COMMON.I USE A CHAIN STOP WHEN AT HOME AND A DOBERMAN WHEN I AM NOT. COMMON SENSE AND AWARENESS ARE STILL THE BEST PROTECTION IN MY BOOK.HOW MANY OF YOU PEOPLE RESTRICTING FREEDOM OF SPEECH AND FREE SHAREING OF INFORMATION,
Hi Tyler,
This comment is in regards to your post on slashdot forums about enabling VT on a dv2000 laptop. I could find no better way to reach you.
Your post is below:
I’ve been running bios version f.22 (12/11/2006) on my intel HP dv2000, and it allows you to enable VT in bios. I had to reboot a few times, but it works correctly now. The download link for this bios ver is listed in TFA near the bottom. It’s not an “offical” release from HP, probably an internal testing release, and it’s not linked from HP’s site.
It’s nice to know that they’re working on it, though, and they do have a preliminary solution for those of us who REALLY need it.
I have searched for literally 30+ hours for this/other bios’s for the dv2000 with the VT enabled. Any assistance you could provide would be GREATLY GREATLY appreciated. I reallllly need VT to work.
Thank you very much,
Robert Fischer
Hi – all of you who are faulting this guy for posting this on video because “the criminals” will learn. I’m quite sure the criminals already know the scoop. They’re always the first to know and the honest people the last because honest people don’t waste their time trying to think up ways to steal. Likewise, the criminals always know where to buy the guns and the drug takers where to buy the drugs. We’re not looking for those things because we are trying to live productive lives and no dishonest ones. This is great information to know and if there is truly a bump-proof lock out there, I for one would like to know which one it is. Thanks for posting very informative and possibly life saving information.
Hi – all of you who are faulting this guy for posting this on video because “the criminals” will learn. I’m quite sure the criminals already know the scoop. They’re always the first to know and the honest people the last because honest people don’t waste their time trying to think up ways to steal. Likewise, the criminals always know where to buy the guns and the drug takers where to buy the drugs. We’re not looking for those things because we are trying to live productive lives and not dishonest ones. This is great information to know and if there is truly a bump-proof lock out there, I for one would like to know which one it is. Thanks for posting very informative and possibly life saving information.
Public service site about lock bumping. They have a lot of information.
http://lockbumping.org
Mr. Larson,
I was wondering if there was any way you could make either another video about the bump key that shows how the key starts out, or possibly send me one. I can assure you it would not be for illegal use, i just don’t feel comfortable leaving a spare house key on my porch. Please send me an e-mail as soon as possible. bubbaboy_3@hotmail.com
Thank you very much,
Collin B.
I’ve been scouring this article in the hope of purchasing a new non-picable non bump proof lock. As a mere member of the public information in the article is very confusing so I am hoping someone can help me. The story is I was recently burgled and couldn’t claim insurance. They came in through the front door which is inside a block of security door flats of which mine is one on the second floor. I have a Unican keypad lock and a mortice chubb 5 lever. How did they gain entry? They left no sign. No one would have ever known they were here apart from the fact that all my property was missing. Please give me some feedback as I have not idea where to go from here. Thanks