Bumping locks
How to open Mul-T-Lock (pin-in-pin, interactive, 7x7), Assa (6000 Twin), DOM (ix, dimple with ball), LIPS (Octro dimple), Evva TSC, ISEO (dimple & standard), Corbin, Pfaffenhain and a variety of other expensive mechanical locks without substantial damage, usually in under 30 seconds, with little training and using only inexpensive tools.
Barry Wels & Rop Gonggrijp
Toool - The Open Organization Of Lockpickers
barry@toool.nl, rop@toool.nl
Last revision: January 26, 2005
http://www.toool.nl/bumping.pdf
Abstract
In this paper we describe an underestimated lock-opening technique by which a large variety of mechanical locks can be opened quickly and without damage by a relatively untrained attacker. Among other things we examine how this works, why it works better on some locks than on others, whether one could detect that this technique was used against a lock and what the lock industry could do to protect new locks against this technique. Understanding the threat of this new method of manipulating locks is of added importance because we have found that this method actually works better on the more expensive mechanical locks generally considered to be most resistant to manipulation.
1 Preface – Why publish this?
We decided to publish what we know about this method because we feel that those who depend on the security of locks (or any other piece of technology, for that matter) need to be able to continuously re-evaluate their security with full knowledge of any threats. This vulnerability is simply too generic: it affects many locks and cannot be 'fixed' by a single lock manufacturer working in secrecy until a new and better lock can be released.
Although we have further refined the method we were originally shown, we originally learned about it through a public appearance by Klaus Noch, and we noticed that yet other people knew how to make it work even better. In other words, this knowledge is 'out there'; the cat is out of the bag. Given these circumstances, rather than allowing knowledge of this method to spread slowly among those who could attack unknowing victims, we decided to publish so that facility managers can re-evaluate their security and see whether additional security measures need to be taken at some locations.
If you disagree, we encourage you to read [1] and [2] for a more thorough understanding of the discussion on whether or not to publish information describing security flaws before engaging in any heated debate.
2 Introduction to locks and lock security
2.1 How locks work
Pin tumbler locks, from the cheapest to the most expensive, all work in roughly the same way. The key slides down the keyway in the inner cylinder of the lock. As it moves, the cuts in the key move stacks of two or more pins that sit in holes drilled through the outer and inner cylinder. Small springs behind these pins push the pins back after a high point on the key has passed. When the correct key is all the way in and the 'shoulder' of the key rests against the inner cylinder, all the gaps between the pins inside the lock align on the 'shear line', and the inner cylinder is free to turn.
Photos courtesy of Matt Blaze
The picture above shows a 'cut-away' version of a simple pin tumbler lock with the correct key inserted. For a much more thorough introduction to the inner workings of locks, please refer to [3].
2.2 Picking locks
Locks can be 'picked'. A skilled operator can use tools to feel and move individual pins in the lock. Lockpicking allows one to open a lock by exploiting the fact that the pin stacks are never perfectly aligned. This causes some pins to be stuck between the inner and outer cylinder before others. Because of this, one can feel that certain pins are correctly aligned before all the pins are aligned. And because the outer pins that would jam before others will remain on the outside of the inner cylinder after the lock is turned slightly, one can successively place the pins in the correct position and open the lock.
Lockpicking takes quite a bit of practice. Apart from intelligence professionals, criminals and locksmiths practicing it, lockpicking has become a regular sport, complete with official clubs and championships¹.
Lock manufacturers have defended new locks against picking by inserting so-called 'mushroom pins', by making keyways narrower (providing less space for tools) and by tightening the mechanical tolerances of the lock manufacturing process. (See the picture of the EVVA lock on page 7.)
Going over the details of locks and lock picking would be outside the scope of this paper. Please refer to the "MIT Guide to Lock Picking" [3] if any of the above is unclear.
¹ Ssdev (Sportsfreunde der Sperrtechnik Deutschland eV) in Germany and Toool (The Open Organization Of Lockpickers) in The Netherlands.
2.3 The snapper pick, lockpick gun and vibrating tools
Another means of opening locks without the key is by using a snapper pick, lockpick gun or vibrating tool. These devices all exploit Newton's third law, which says that for every action there is an equal and opposite reaction. Most people are familiar with Newton's cradle, a device which is often used to demonstrate this law.
If a ball all the way on the left or right side is lifted up and let loose to collide with the row of suspended balls, this ball will transfer all its energy to the next ball and so forth, until the ball on the other end swings away from the other balls. When it swings back, the process is reversed and the original ball swings up. The same principle can be observed during a game of billiards: one ball hits another one, and this ball continues onward whereas the first ball now lies still.
This principle can be used to open locks: if impulse energy is transferred to the first pin, it will tend to stay in place and the second pin tends to move away from the first one, until the spring stops it and pushes it back to touch the first pin.
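As an added worked derivation (not part of the original paper), here is the one-dimensional elastic collision that underlies the cradle, the billiard shot and the pin stack. Take two bodies of masses $m_1$ and $m_2$, the first moving at speed $v_1$ and the second at rest, and write $v_1'$ and $v_2'$ for the speeds after impact; these symbols are introduced here, not by the paper. Conservation of momentum and of kinetic energy give

$$m_1 v_1 = m_1 v_1' + m_2 v_2', \qquad \tfrac{1}{2} m_1 v_1^2 = \tfrac{1}{2} m_1 v_1'^2 + \tfrac{1}{2} m_2 v_2'^2 .$$

Rewriting the first as $m_1 (v_1 - v_1') = m_2 v_2'$ and the second as $m_1 (v_1 - v_1')(v_1 + v_1') = m_2 v_2'^2$ and dividing gives $v_2' = v_1 + v_1'$; substituting back into the momentum equation yields

$$v_1' = \frac{m_1 - m_2}{m_1 + m_2}\, v_1, \qquad v_2' = \frac{2 m_1}{m_1 + m_2}\, v_1 .$$

With equal masses ($m_1 = m_2$) this reduces to $v_1' = 0$ and $v_2' = v_1$: the striking body stops dead and the struck body carries on with the full velocity, which is exactly what the cradle and the billiard balls show, and what the text describes for the pin stack, where the lower pin stays put and the upper pin is carried away until the spring returns it. The general formulas go one step beyond the page's equal-mass picture: for unequal masses the striking body either keeps part of its velocity ($m_1 > m_2$) or rebounds ($m_1 < m_2$), and the fraction of kinetic energy handed over, $\frac{4 m_1 m_2}{(m_1 + m_2)^2}$, falls below 1, so the transfer is only partial.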
A 'lockpick gun' such as the one shown below tensions a spring when the trigger is pulled and, when the trigger is pulled all the way, uses the force of that spring to snap the needle up for a short distance with a very sharp and powerful motion. By positioning this needle into the lock, just touching the pins, and then pulling the trigger, one tries to hit all the pins simultaneously. By then turning the lock in the split second before all the upper pins are pushed back by the springs in the lock, one can open the lock. The amount of turning force and the timing with which to apply it require some training.
Vibrating picks use the same principle, except many times a second, requiring less training on the part of the operator. A snapper pick is the simpler version of a pick gun.
The lock industry has created locks that are more resistant to this technique. More resistant locks have narrower keyways, preventing tools from being inserted in the first place and making it harder to transfer the impulse energy to the pins. More resistant locks also have smaller tolerances, creating less space for the pins to bounce around.
lockpick gun²
snapper pick³
² In this case a special gun, made by Kurt Zuhlke. The head on this gun can be reversed to snap either up or down, allowing picking of 'European style' locks where the pins are pushed up by the springs.
³ Image taken with permission from "Locks, safes, and security" [4], page 578
3 Bumping locks
3.1 History
Bumping, sometimes also called 'rapping', has been a known technique for at least the past 50 years. A bump key is described in Marc Tobias's reference work "Locks, Safes, and Security" [4] on page 603. Few people use the technique, and the method does not seem successful against a large number of locks unless the 'minimal motion method' described below is used. Once correctly used, we found this technique to be immensely powerful, allowing a large variety of locks to be opened. We did not invent this technique, and others probably thought of some of the same refinements we did. We do feel bumping is underestimated, and this paper exists to point to its effectiveness.
3.2 Principle & Bump keys
So we have a basic trick to open a lock by making the second pin jump away from the first, but no efficient means to apply this energy to the bottom pin. As it turns out, the best way to transfer energy to the pins is using a key. First of all, we need a 'bump key' for the lock in question. A bump key is a key in which all the cuts are at maximum depth. The picture below shows bump keys for various locks. Bump keys are sometimes called '999' keys because all cuts are at maximum (9) depth.
As you can see, bump keys can be cut for regular pin tumbler locks as well as for 'dimple locks', whether 'pin-in-pin' or not. Just remember to take away all the material that could be taken away by the deepest combination for that position.
There are machines that will cut a key based on the numbers that represent the depth at each position. Having access to such a machine speeds up the process of creating a bump key that has the cuts in exactly the right position, although one can also use a file and a steady hand to create one. Bump keys, once cut, can be copied on regular key-cutting equipment. You do not necessarily need to have an uncut key (called a 'blank') to make a bump key: because all the cuts of a bump key are at maximum depth, any used key for a given lock can be converted into a bump key.
3.3 The pull-back method
Now there are different methods for using such a bump key to transfer force to the pins inside the lock. When we first learned of the method, we were told to first insert the key all the way, and then pull it back one pin. Then, hit the back of the key (the part where you normally hold on to it) with a solid object such as a hammer, and turn the key a split second later. We found the exact timing for the turning of the lock to be critical, requiring quite a bit of practice. While this method worked on some locks, it did not work on a great many others. Among other problems: when keys had very deep cuts, the trick tended not to work either, because the pins would still be pushed in too far by the parts of the bump key between the deepest points.
3.4 The minimal-movement method
Normally, if you insert a key all the way into the lock, the pins inside the lock touch the deepest point of the cut in the key at the point where the shoulder of the key makes contact with the inner cylinder of the lock. By filing a tiny bit of metal off both the tip and the shoulder of the key, we can create a bump key that can go just a little bit deeper into the lock. When such a bump key is inserted all the way into the lock, it will be pushed out again a tiny bit by the force of the springs inside the lock, until the pins again rest on the deepest point in the key cuts. We found filing off between 0.25 and 0.5 mm works best, but you may wish to experiment for the best results. We found it is very easy to take off too much. All you need to do is make sure that when the key is in all the way, the pins touch the sides of the cuts instead of the bottoms. Seeing the key be pushed back a fraction of a millimeter by the springs in the lock means you have filed away enough material from the shoulder.
Bump key. Note that tip and shoulder are not yet modified.
Now that we have our bump key, we need to hit the back of the key with something that applies the right amount of impulse power, without having so much weight that it would damage the bump key or the lock. We use a special bumping tool built by Kurt Zühlke called the Tomahawk, but anything with not too much weight and preferably also some swing, such as a dull bread-knife held by the blade or the handle of a hammer, could also work.