Is your stuff really secure?

Just saw this article on Wired.com about lockpicker Marc Tobias. Pretty fascinating read. Looks like this guy can literally pick any lock. A good reminder that if someone else wants your stuff, the best you can hope for is to slow them down. Reminds me of that saying, "you don't have to outrun a bear, just run faster than the other guy."




http://www.wired.com/techbiz/people/magazine/17-06/ff_keymaster?currentPage=1

Bumping locks is pretty darn quick!! I've done it at my old house testing out the locks and you can do it quietly and easily if you have the key setup for it.

Most people have a HUGE sense of false security.
In the real world a broken window is all it takes and they are in.

Marc Weber Tobias just put out a book on flaws in the Medeco biaxial and slider (m3) design, which has garnered quite a bit of attention lately. In fact, the Medeco3 design is relatively new and was touted to be reasonably high security. With some study, Tobias discovered a flaw in the design that makes it surprisingly easy to defeat. He found something that Medeco and the Underwriters Labs missed. That's what makes him, him; and he's very good at what he does.

See, there are a few things to keep in mind with this. First, Marc Weber Tobias is considered the foremost expert on locks and lockpicking, as well as security in general. Basically, he's one of the best out there, if not "THE" best.

Second, reports are, that Medeco is finally working with him to create better designed locks without the flaw exhibited here. It will only be a matter of time before they fix the problem. Security is ever evolving, it has to be.

Third, just because a lock is high security doesn't mean it can't be defeated. All can be defeated through means that use a bit of finesse and study or enough brute force. It just comes down to the amount of time it takes to do so. There is still the aspect of key control and resistance to brute force attacks (when properly installed) that make some high security locks [like the M3] better security than some other options. It just depends on how the lock is being attacked.

Finally, the Medeco3 lock, even with its flaw, is still more secure than the low-end Schlage, Kwickset, and Masterlocks the majority of America uses to secure their homes, buildings, ect. That's the part that scares most people.

The thing to learn from this is that the best way to keep things secure is to do your research and use layered security. If someone wants to get into something bad enough, they'll probably find a way to do it. Therefore, the best you can hope for is deterring them, slowing them down, and/or finding a way to catch them in the act.

On a side note, if you want to learn more about locks and security check out this forum: http://www.lockpicking101.com/ Alternately, if you find yourself in Las Vegas this summer check out DEFCON 17 (which is a convention revolving around hacking and security). It's expensive to get in (a bit over $100 per person, IIRC), but it's an eye opening experience.

Locks and security is like a hobby of mine. The locksmith my father used to use for his rental properties would have to shoo me away because I would hover right over his shoulder watching everything he did. Finally, at around age 8 I was taught how to pick a basic masterlock padlock, and I was hooked. They're like little mechanical puzzles.

It scares most people... it shouldn't.

Most door frames are weaker and if they are not the door itself is... hollow, made of fiberglass, etc. A lot of doors now days if you try to kick you put your foot through, not everyone has $800+ solid doors.

Not to mention there are MUCH easier ways to get in a house than "picking a lock"... statistically most homes are not broken in to via someone picking an "insecure" lock.

People need to realize that leaving the darn thing unlocked is what gets MOST people "broken" into.

Modern construction standards aren't much better than a Japanese paper house for security. Forget doors and windows, you can go through a wall on most stick built homes inside of 30 seconds.

Moderrn residential type security is really an illusion. for most concerned people, all you are going to be able accomplish is to simply make your home more difficult than your neighbors, thereby making it less desirable as a target. It also pays to advertise, meaning I want burglars to see my security, and likewise I don't show off the goodies I am trying to protect inside.

It's always fun when you see commercial buildings or other places that are doing things right (i.e. steel door frame secured into iron and concrete structure, fire-rated steel doors, window bars, fire rated glass, ect) then to see that the lock and deadbolt they are using is some piece of garbage they bought at home depot, and, worse yet, probably installed incorrectly.

I see this all the time. When the old owner or tenant moves out or a lock breaks, instead of doing the right thing and having the locksmith come to rekey the place, they just go out and buy cheap hardware. Then they're dumbfounded when a 14 year old kid with a screwdriver gets in and wrecks the place.

That's why all our buildings are alarmed and CCTV equipped. Most tenants are terrible with security, so you kind of have to help them along a bit. Still, it amazes me how even when you take the time to teach them how to use the alarm and change the code, they still never do it. When they move out the code is still the default 00000 or whatever.

With that said, bumping has become increasingly common lately, as it requires very little skill, tools to do it aren't hard to get at all, and it leaves little trace. The scary part about this is a lot of people who are a victim of this don't even realize it. They just believe they must have accidentally left the door unlocked. This can lead to further problems, say with insurance, as they usually aren't happy with stolen goods due to unlocked doors. Nowadays, at a minimum, I would want bump resistant hardware. Regardless of what the actually level of security is. Think about it, why make the noise and mess of breaking a window to get in, when you can get in and out in seconds without drawing any attention to yourself and without any easily noticeable evidence you've been there? That's what bumping offers thieves, and it's the reason why it's heavily on the rise.

I have a home alarm system, less for its deterrent effect, and more as a means of attracting attention. If someone bumps a lock to get inside my home, especially if I'm home, I want there to be some warning and a racket to draw some attention when an outer door or window is opened unexpectedly.

Even if a neighbor is looking right at someone trying to bump my lock, it's too easy for the burglar to just angle their body to hide what you're doing and they look like they're just using a key to get in the house legitimately.

So what do you guys think is the best deadbolt lock for the average person? Medeco? From the article I don't remember them saying it could be bumped as easily (if at all) as your average lock from home depot. I understand security is an all inclusive package but a new doorlock wouldn't hurt.

I agree that most burglars don't pick locks. They go through unlocked doors, open windows and into garages left open to kick in the kitchen door.

No one, and I mean no one, can make a totally secure lock. All you are doing is slowing the bad guy down to make it not cost/time effective to break into your house and force him to move along to someone else. I've seen great doors with crap locks, crap doors with great locks and about everything in between. 90% of doors can be opened with a small prybar or a screwdriver. By making your door just a little tougher, the guy moves on and someone else becomes a crime statistic.

One of my pet peeves was the decorative locksets sold at homeless depot (I worked, past tense, there). One lock, a dead bolt. No handle lock. No provisions for a second lock. I talked many people out of these.

To fool some burglars, get some alarm company stickers. Prominently place them in windows. Now take the fridge magnets, cut one up into pieces and put a slice in each window frame. some guys check windows and doors with a compass to see if they are alarmed - magnetic relays make the needle move. Fake em out if you don't have an alarm.

I was going to say the same thing. A typical wall is, what?, a thin layer of siding over some rigid foam over some poofy insulation over some drywall. The only thing there that might offer any resistance is the siding, but you could bash that in with a rock and waltz right through the rest of the stuff. Hell, a woodpecker pecked his way inside my neighbors house with no issues!

Best thing to do would be to talk to a local reputable locksmith and see what they recommend and stock. You wouldn't want to buy a lock that can't be fixed or re-keyed locally, if the need ever arises. I would hesitate to recommend a specific lock for that reason.

Talking to a local locksmith has the added benefit of them possibly being able to offer security advice in other areas, as well as helping tailor specific products to your needs.

With that said, I can add a bit of simplified knowledge that may help you in your decision:

There are a few different standards that locks are tested to.

First, there is the ANSI 156.5 scale. This scale goes 1-3 with 1 being the highest. Presently, the best stuff you'll find in a typical house is Grade 2. Grade 1 is for commercial applications (i.e. Similar to a Grade 2 lock, but made to be stronger, last longer, and more resistant to brute force attacks.)

Next, there is ANSI 156.30. This is a bit stricter standard, where the focus becomes less on how well the lock is made and more on how actually secure the lock design is. This also has three grades C-A. Grade C adds basic pick resistance and harder than average to find key blanks. Grade B and the separate UL-437 standard go hand in hand, as they both require the same amount of picking resistance (at least 10 minutes under testing) and use blanks that are protected by law. Finally, grade A is the top. This requires picking resistance for at least 15 minutes and has heavily restricted keys/keyways.

For retrofitting a home, what you'll typically use as high end security is Grade 1 hardware with a Grade B/UL-437 cylinder (unless you have a door that can accept higher grade mortise locks). While this isn't the best, it's still head over heals better than what most people have and will stop or slow down thieves used to defeating common door locks.

On a side note, neither standard currently requires any resistance against bumping, however an ANSI 156.30 lock does have some inherent resistance to this method, as bump keys are typically harder to procure. So again, a cylinder that meets at least grade B/UL-437 is still going to be reasonably secure.

Now, just as an example, the following manufacturers are common in the U.S. and offer a wide variety of locks that can meet these standards:

Medeco
Assa
Mul-T-Lock
Everest Primus (by Schlage)

With that said, it's still best to talk to a good locksmith. If your door or door frame is weak or installed incorrectly than you may not even truly get any benefit of upgraded lock hardware.

Thats some serious information there Paul, thanks.

Tobias has done multiple lectures at DefCon, the videos and / or notes of which are legally available online.

http://www.defcon.org/html/links/dc-archives/dc-15-archive.html

Look for:

"High Insecurity Locks Lies and Liabilities" - some mention of Medeco

The original link I had bookmarked is 404'd, so searching in / around the site for the following will be fruitful (also by Tobias), not to mention the intelligent use of Google.

"Open in 30 Seconds Cracking one of the Most Secure Locks in America" - all about Medeco

"Opening Locks by Bumping in Five Seconds or Less Is it Really a Threat to Physical Security" - some mention of Medeco

"Physical Security Bypass Techniques" - don't remember if it mentions Medeco or not, but it is a discussion of bypass by one of the best in world.

There's more good stuff in the DefCon archives by other speakers.

But as most have already replied above, basically all security can be gotten through - just a question of resources. The general point is to be a more difficult target than your neighbor...and if somebody's bypassing a properly installed Medeco-what-have-you lock to get at you and / or your stuff, you've got other kinds of problems.

-----------------------------------------------------------------------------------

EDIT:

Found a live URL to the DefCon Media Archives, with all available content from DefCon 1 (1993) through present day available for legal viewing and download, just for all you history buffs.

http://www.defcon.org/html/links/dc-archives.html

One might also google for "last HOPE" (2008, New York City) videos - if I remember correctly, there was an excellent physical security talk on high-security locks.

I have no idea what the best deadbolt would be if I was not home. I would guess one that is locked as I think most B&E would occur through an open door or window.

Being in a room however, like say a hotel room or guest room at a house, i use a $3 door wedge forcing the door into the frame, rather than holding it open. it prevents people walking in when there is no lock. If someone could pick the lock or bust the door down, the wedge will not slide, thus the door literally needs to be folded in half to get inside. More than enough time to figure out a defense.

The one time my house was broken into, they actually broke down the solid wood door - jamb partly ripped out - cops said it looks like someone went at the door with a crowbar - the then current MO!

They want in bad enough, they will get in. In college, I hung around with a locksmith

2 "Interesting" calls - One was a call - the STEEL door had one of the Medico "drop bolt" locks - no big deal - the theifs took a sawsall to the door!!! The locks were still locked, still hanging there - the Apartment (in Manhattan) was cleaned out

The other? They broke into the apartment next door, and punched a 5 ft tall, 3 ft wide hole through the cinderblock wall between apartments!

Guess that there's the counter-example to being a more difficult target than your neighbor...

My method of security involves having the crappiest-looking house on the block.

I will second that method; it seems to have worked for us so far .

Pete