As the locksport and security communities investigate each device, there is sure to be a weakness discovered for every single one. But why is this the case? Why is it that there is no such thing as an unpickable lock? What makes these inventions so prone to failure? We will go on a journey through what makes a lock a lock. There we will find out what it is about the nature of a lock that keeps them vulnerable to picking.
There are many different types of locks, but they have one thing in common. Locks have two functions, to lock and to open. A lock that does not work because it does not secure provides no protection. Locks were created with protection in mind. A lock that is not locking is not securing any valuables. A lock that is unlocked is the same as no lock at all. A lock that doesn’t work because it will not open cuts the user off from their valuables or the outside.
If the lock cannot open it is also not a lock. The same way that a door that does not open is not a door, but a wall. A lock that does not open is not a lock, but a sculpture. All locks are meant to open. Something built to open, can be opened. This is simple logic.
To open a lock, you need to make a key. A key is used to give a single person, or a select group, access. The key overrides the internal components that keep the device secure. Once the correct key is inserted into the lock it is no longer secured. The key will manipulate the internal locking mechanisms so that the device can be moved in and out of the secure position. A key is not necessarily a physical object, a key can be a code that is manually punched into a keypad, turned on a dial or four-wheel combination, or transmitted remotely from a device.
Things such as codes redefine the basic idea of key, with a handle and some biting, into something less permanent. Odd little knives (keys) have been replaced by the little rectangles (getting bigger every year) that we use to snap and chat to our friends, but these changes have not disrupted the core concept of the lock. Despite all the new ways that a lock can open, it is still designed to open.
Key Take Aways
- A lock must open and close.
- Because a lock must open, all locks can be opened.
- To open a lock you must use a key.
- A key has a pattern, physical or not, that interacts with the lock to both secure and open it.
Picking and Manipulation
The key to picking and manipulation is to exploit the very nature of a lock. If it can open, then it opens. The only thing left to do is fool the device into opening without the proper key. It is at this point that we begin to pick and manipulate the lock. Picking will work, in theory, for any lock that has a keyway, or point of physical key insertion. For a successful pick, the procedure of inserting the key will need to be replicated. The pattern of the key will also need to be mimicked. Often this is done by tensioning the lock and placing a piece of metal in the keyhole.
The metal will serve to move the internal components of the lock one at a time, just like the key working in slow motion. To make sure that the work done in the lock remains in place, the lock most often be tensioned. The tension puts the internal components under the same stress as a turning key. The finer points of the process will vary depending on the type of lock, but if the key exists and the lock works, eventually this process will work. It may take a special tool, but it can be done. As a rule of logic, picking will always work on locks with physical keys.
A physical key is not to be confused with a token. Something like key cards for electronic locks may have to be physically inserted into the lock, but that key is not physically interacting with the lock. It is, however, sending signals that cause the lock to open. The real key is still noncorporeal, just as a key combination must be physically entered but does not exist in a physical form. That card does not have the correct code no matter what. The code can be removed, but the card will remain physically the same.
These types of locks would need some sort of hack for the software or bypass to the physical bolt or fastener. This could still be considered manipulation. It is not technically picking, but the point is that doors without physical keys can still be opened without the proper key. Because these items are still locks, there will always be a way to unlock them. The correct tool may not be shaped out of metal, but it will manipulate the lock to open freely.
Key Take Aways
- Picking and manipulation exploit the fact that all locks are designed to open.
- Picking attempts to recreate the function of physical keys.
- A physical key is any key that physically holds the code needed to open the lock.
- Tokens, such as keycards are not physical keys.
- Digital locks that do not use physical keys can still be manipulated.
- All locks can be either manipulated or picked.
The Unpickable Myth
No lock is unpickable. The idea of an unpickable lock died way back in the 1850s along with the dream of perfect security. After several outstanding additions to lock technology it was still discovered that no addition could make a lock immune to picking. This trend has led the security and locksport communities to the common saying, “There is no such thing as an unpickable lock. There are just locks that have not been picked yet.”
That quote can be accredited to anyone that picks locks because everyone eventually gets asked: “Is there, like, an unpickable lock?” I think that the myth is perpetuated, mainly, by Hollywood heist movies as a convenient plot device, but there is a bit of truth to it. There are locks that no one has ever picked, and there are locks that will take far too long to pick for it to be feasible in a movie style heist. That is about as unpickable as things get.
Many times on this site I refer to locks as devices and mechanisms. This is not purely a way of not having to write ‘locks’ a million times in a post. It is also because a lock is a machine. Most locks are not motorized, but the internal workings of a lock use kinetic energy to in their functions of locking and unlocking. Because a lock is a machine, that means that it is built by humans or other machines that humans have built.
With a standard pin tumbler lock, such as a Kwikset and/or Schlage deadbolt cylinder the human aspect of their creation gives them the flaw that makes them pickable. The basic idea of picking comes from the slight misalignment of the holes in the plug of the lock. The holes in the plug are meant as slots for the pins to rest in. By not being perfectly aligned, the pins will set at different times. When one pin sets before another, this will allow the lock to be opened. The first pin to set is the binding pin, and after that, the picker just needs to find the binding order.
If a lock could be made perfectly, and the pin holes were all perfectly aligned, this would, in theory, stop single pin picking. With the hypothetical perfectly machined lock, all of the pins would have to be moved to the proper height at the same exact time. Something like a bump key, however, would be able to open this type of impossible lock. Why is this type of lock impossible? It just comes down to imperfection in the machining process.
Humans cannot make things perfect, and machines need humans to refine the products they produce. There are several types of theoretical locks that people like to posit to the locksport and security communities, but when it comes down to it all locks can be picked. Your theoretical lock may be bulletproof against all forms of forced entry, but until it exists, it is not real. And as history has shown us, once it is real, it will be picked or manipulated open.
Key Take Aways
- No lock is unpickable.
- Some locks can take a long time to pick.
- Some lock pickers cannot pick certain locks.
- There are locks in existence that have never been picked.
- Locks are machines that can be taken apart and understood.
- Flaws in the machining process leaves pin tumbler locks vulnerable to picking.
Intention to Protect
More than how great your locks are, you should analyse your intention to protect. What this principle comes down to is how invested you are in keeping your property safe. Your intention to protect has to be greater than everyone around you. Your competitors are any people who have placed an item, similar to the one you would like to protect, in the immediate vicinity of your item.
So if you have a lawn mower and your neighbour has a lawn mower, your lawn mower needs to be harder to steal. How much harder? That depends on how much more expensive it is than your neighbour’s lawn mower. Say you have better security, but your lawn mower is in fact significantly better than the one your neighbour has. It would still be worth the potential risk because the reward is higher. The more unbalanced your protections are, in terms of greater security than something demands, the more potential theft they will deter.
Your intention to protect has to outweigh the value of the item(s) being protected. If you have three alarms, in a secret room, that holds a safe, which only has an 80s troll doll, that doll is pretty secure. Obviously, your intentions cannot be absurdly balanced for everything, or living day to day would become horribly impractical. This is the ultimate decision of security professionals. There is no easy way to decide how to balance practicality with security.
How fixed are you on protecting your valuables? Obviously, you don’t want to be the victim of theft, but preventing that is going to take time and money. The heavier your protections are, the more you are going to deter criminal activity. Your security does not have to be better than the skill of the thief, it just needs to be better than the security of the person next to you. This may make your life more difficult, so take into account how at risk you are for the threats that concern you.
Key Take Aways
- Intention to Protect – How much you care about keeping something, or someone safe.
- The greater your intention to protect is, the more criminals will ignore your property.
- Your intention to protect must be greater than the intentions of those around you.
- It is often not practical to have excessive protections on everything you own.
Prevention Through Obscurity
Obscurity holds back easy answers. If people want to know how to open a Lock, they can Google it and find the information they need. Say there is a lock that has not been picked, and you would like to know how to open it without the key. Well, you can buy one and take it apart. From there it is only a matter of time and skill before you know how to do it. Obscurity can come from something that people can’t find, but ideal obscurity is something people don’t even know to look up. I consider the perfectly obscure to be that which is not even thought to exist.
The closer your locks are to a work of fiction, the more a criminal will have to assume. Assuming denotes a great level of unpreparedness. Unpreparedness means that further preparation is needed. Preparation is time. And time is the best thing you security can buy. In order to have something truly unique, it needs to come from your imagination. If you purchase something rare that means that someone else can potentially buy it. If you commission something to be made then you need to be able to trust that your fabricator will not share your information or use it on their own. The safest option is to design and make your security yourself.
Without giving away too much, I once used a locking system I designed that required a fish hook, two small lengths of copper wire, a battery, and a whole lot of time. What was being protected needed to be accessed too regularly for that much effort and time to be expended. To be generous, I would say that the people using the method got fed up with it (very quickly). People were trying to find easier ways to unlock the device, which is great for a practical vulnerability test, but it ended up breaking the security device.
I made the security so that destructive entry was ultimately useless without a detailed understanding of the device, but after the destruction was done it could not be opened even with a fish hook, two small lengths of copper wire, a battery, and a whole lot of time. Needless to say, there was a headache and a few lost days to open the device. But it did open after a few days, so a criminal could have opened it given that time. The protection was that a criminal does not have a few days to spend and would not have known where to start with a handmade lock.
Key Take Aways
- Obscurity – prevent information from being attained easily.
- Perfect obscurity – information that cannot be arrived at without prior knowledge, which is only available from one protected and unavailable source.
- The fewer people know about your security, the safer you are.
- The easier it is for a person to find out about your security the less obscure it is.
- The best way to keep your locks and security measures obscured is to make and design them yourself.
There you have it, another post that was not conceived as a fear invoking tirade but became one in spite of our best intentions. The reason that this is a trend in the lock and security world is because the truth is rather scary. Locks are not perfect and security is most certainly not perfect without a perfect lock. Locks are built to open, so people are going to find a way to open them. There are certainly locks that are beyond the skills of most pickers. There are also locks that have yet to be picked. Security in any form can only ever give you time.
Your intention to protect has to be great enough to make you a less attractive target than the people on either side of you. Make sure that your protections are not well known, and people will not know how to defeat them.