Getting past the most basic physical security of all: Learning to pick locks at DEFCON 22

Much like my experience with learning to hack at RSA, picking locks was something I very much wanted to learn but approached with some trepidation, given that I had zero experience with the practice. Nevertheless I thought I'd give it a shot, so I headed down to the Lockpicking Village at this year's DEFCON 22 to be shown the ropes.

The good news is that, unlike hacking, lockpicking really is something you can more or less just start doing -- and effectively so -- even with no experience or background knowledge. The bad news is that techniques of varying sophistication, and complications like more secure types of locks, can make the practice frustrating at times...and exceedingly difficult to master.

The village, run by TOOOL (The Open Organisation of Lockpickers), gave brief presentations every half hour or so covering the basics of how lockpicking works, so that newbies like me could actually have a shot at succeeding. The concept is relatively simple: a lock consists of a certain number of spring-loaded pins (typically anywhere from two to six) of varying lengths lined up in a plug, and each pin is split into two pieces, the lower (key) pin and the driver pin above it. Each driver pin needs to be pushed up by the lower pin past a certain point, known as the shear line, to "bind," or stick in place. Once all the pins are bound, the plug can turn and the lock opens. The trick, of course, is that the pins will only bind when pressed up in a particular order, and there's no way to know in advance what that order is for any given lock.

So I learned that what I need to do is wedge an L-shaped piece of metal, known as a torque or tension wrench, into the keyway and push it ever so gently either clockwise or counter-clockwise to create some rotational tension on the plug. That way, when I insert my pick (of which there are a few different types, like a simple hook, a half diamond, and the wavy rake) and start pushing up on each pin, the one that's next in the order will bind. Once that pin rises above the shear line, the pressure I'm applying with the wrench turns the plug slightly so that it moves into place underneath the driver pin, thus keeping it in place. Repeat this on each pin -- taking care not to let up on the gentle pressure on the wrench, lest the plug spin back and release all of the pins bound so far -- and the plug turns: the lock has been successfully picked.

It's not always that simple, though. Lock security can be increased through a number of different methods, making the practice far more difficult. These include measures like spool pins, which are shaped like, you guessed it, spools. When an attempt is made to bind such a pin, the bottom part of it, which has a lip, gets caught on the shear line. It's worth mentioning that I tried my hand at a spool pin lock and failed spectacularly at getting it open.

Similar tricks for raising a lock's security include other oddly shaped pins like mushroom pins, serrated pins, and "sneaky" pins (which have multiple sets of lips of varying sizes to really complicate things). The keyways themselves can be modified as well, with narrower and wavier openings posing more of a challenge to the would-be lockpicker.

The reason we so rarely see physical security boosted in this way comes down to cost. It costs lock makers more to craft these more sophisticated and secure (but not impermeable!) locks, and people typically aren't willing to pay for them. The sad truth is that most people figure "Why bother?" and opt for the simpler locks, either because they're not willing to shell out for the better ones and don't care what that means for their security, or because they don't know any better. Simply put, that spells bad things for physical security.

In fact, the presentations at the Lockpicking Village revealed the rather scary truth that any lock can be picked with the right tools, technique, and knowledge. Techniques for dealing with all types of locks -- doorknobs, wafer locks, deadbolts, combination locks, multiple types of padlocks, etc. -- were covered; for example, one presentation talked about crafting and using shims, thin pieces of metal or plastic that can be slid into one side of a padlock or combination lock to release the mechanism that catches the lip on the bolt. Lock bumping was also touched on, wherein either a device like a lockpick gun or a tap from a hammer snaps all of the driver pins up above the shear line, offering a split-second opportunity to turn the plug with the right timing. The point is, there's an approach for defeating basically any kind of lock, and that makes physical security in general seem just a little more vulnerable on the whole.

The experience of learning how to pick locks was, on the whole, a positive one. It is immensely gratifying to successfully pick a lock, and there's a zen-like calmness it can sometimes bring, not unlike putting together a puzzle. But unfortunately, I now find myself addicted to a practice that is only going to get harder the more I get into it.


Stories by Grant Hatchimonji
