What is it with hackers and lock picking? Lock picking workshops have sprung up at various conferences including Hackers on Planet Earth (HOPE), DEF CON, and of course our own SecTor conference.
For years now, Schuyler Towne has been visiting Toronto each fall to help attendees learn how to break a variety of locks with his lock picking workshop. He has also given several talks over the years, including his most recent one at last year’s SecTor conference on keyspace reduction in mechanical locks. It turns out that there’s a lot of overlap between lock picking and math.
Towne knows physical security inside out because he studies it at the Ronin Institute, where he is currently exploring its anthropology and its history. The latter is something we’ve interviewed him about before.
This time around, we visited him at the SecTor lock picking workshop where he showed us how to break into a standard serial combination lock in a minute and a half. These are the kinds of locks people use to secure bags and bikes, but after seeing him at work, anyone using these mechanisms might want to reassess their physical security choices.
A long-term romance
The romance between cybersecurity experts and locks makes sense. After all, hackers have traditionally focused on learning how systems work and testing their limits. They tend to focus their efforts on systems designed to keep them out or constrain their actions, which is partly what gives the whole movement its air of mystique. Lock picking replicates that activity with physical mechanisms.
There have been some well-publicized lock-picking shenanigans. For example, 15 years ago, network security consultant Chris Brennan managed to bust open a Kryptonite U-lock with a ballpoint pen.
The battle between lock vendors and lock pickers remained largely a physical one until the last few years, when companies began producing Internet-connected locks (because if it’s possible to connect something to the Internet these days, from kettles to sex toys, someone’s going to do it, right?)
That enabled hackers to test more than just physical weaknesses when toying with locks. The results were predictable.
In 2016, security researcher JMaxxz hacked an August smart lock, which had a feature allowing the owner to give someone a guest access key so that they could authenticate themselves to the lock temporarily. That’s great for AirBnB setups, for example. Unfortunately, a software bug enabled the guest to hack the software and enroll a new key, so that they could control the smart lock even after the owner removed them as a guest.
Researchers also tested 16 bluetooth low energy (BLE) smart locks at DEF CON that year and found three quarters of them susceptible to attack.
The smart lock hacks keep coming, and some of them combine both physical and digital flaws. Last year, UK outfit Pen Test Partners did some excellent work breaking open the TappLock, a US$100 fingerprint-scanning device, using the BLE MAC address that it broadcast. Or, alternatively, they showed how you could open it less elegantly using a 12in pair of bolt cutters to exploit a weakness in the lock’s anti-shim step mechanism.
Vendors made the effort to fix the firmware issues that plagued their locks, but that’s the thing with digital technology; it has far more complexity and a far larger attack surface than physical mechanisms. This increases the chance that an attacker will find a way through it. There’s always another hack, just around the corner.
As the gap between mechanical locks and digital protection continues to shrink, we’ll doubtless see more smart locks getting hacked along the way. It makes it difficult to know whether these devices should be in lock picking workshops or IoT hack labs (SecTor routinely runs both).
For now, if you’re interested in learning the basics of physical lock picking beyond Towne’s lock pick lab demo, you might want to look at at his 2013 talk, How they get in and how they get caught. It offers a basic guide to breaking into physical locks. You’ll be picking, raking, and bumping your way through your own locks in no time. Just be sure to use your powers for good, and not evil.