For the love of lock picking

The sport of picking regular old locks has many fans at the Last HOPE hacker conference.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

NEW YORK--I feel much less secure after attending the Last HOPE conference this weekend.

Not only is my personal information at risk every time I log onto the Internet and use a cell phone headset or passport, but even my gym locker, bike, and home can easily be accessed with the proper tools and manual dexterity.

Tools of the lock picking trade. Elinor Mills/CNET News

In the popular Lockpicking Village area at Last HOPE (Hackers on Planet Earth), I watched guys twirl little pins in all types of locking devices. For some, it took less than a minute to get the locks to snap open. One lock picker even showed how to open an ordinary padlock with just a piece of aluminum from a beer can. (See video demo below.)

If I'm worried, how do they feel at the Pentagon and the White House?

Medeco, the lock that secures the doors in those two places and at high-security agencies around the world, had been un-crackable for 40 years--until last year. And now there's a book about the lock's shortcomings called Open in Thirty Seconds.

Marc Weber Tobias, co-author of Open in Thirty Seconds, gets freed from a pair of prison transport handcuffs without a key. Elinor Mills/CNET News

"This is all about liability and responsible disclosure," said Marc Weber Tobias, a co-author on the book. "People need to know they are vulnerable, and the manufacturer says it can't be done."

The book doesn't reveal the codes needed to open the locks, he noted.

"The goal is to help people understand how we did it," said Tobias, who has a physical security consultancy called Security.org. "As a lawyer, I believe in full disclosure and I believe manufacturers ought to disclose the vulnerabilities in their products."

As with software vulnerabilities, manufacturers don't want to acknowledge security flaws, he said. But the difference between software and old-fashioned hardware is that software can be easily upgraded over the Internet while locks must be replaced.

Below is a video that demonstrates just how easy it is to pick a deadbolt lock. "Steve," a member of the Toool Open Organisation of Lockpickers, uses a small tension wrench to hold the pins in place while he jiggles a lock pick tool to set the pins to "open."

Credit: Elinor Mills/CNET News

In the video below, "Deviant" shows how to pick an ordinary combination padlock by shimming the shackle open with a small, folded piece of aluminum or metal.

Credit: Elinor Mills/CNET News