Security

Physical security with locks, biometrics, and other fallacies

Failing to look beyond the use of locks to safeguard your information assets leaves a huge gap in your physical security strategy. In this article, we look at ways common locks are bypassed and the overall vulnerability of locks as controls.

When most people think of physical security, they envision locked doors, locked cabinets, locked desks, etc.  After all, what are locks for if not to keep people from getting things you don’t want them to have?  Well, if your planning for protecting you information assets from unauthorized physical access stops at locks, you are simply kidding yourself.

(As a disclaimer, this article is not intended as a complete tutorial about locks and lock breaking.  Rather, the takeaway should be the cautious use of locks as just one layer in a set of physical security barriers.)

About the venerable lock

The first known use of a lock is in the Khorasbad palace ruins near Nineveh (Bellis, The History of Locks, 2008).  It was a simple device devised about 4,000 years ago, and closely related to modern tumbler locks.  Since then, but not beginning until 1778, lock designers have tried tirelessly to perfect how we lock our doors and other repositories.  So how have they done?

Doorknob locks

The most common SOHO lock is integrated into the doorknob, as shown in Figure A (BYU.net).  Inserting and turning a key prevents the knob from turning and therefore the deadlatch from moving, effectively locking the door.  The fastest way to bypass this lock is a swift kick against the door next to the knob.  The more subtle process of “picking the lock” is surprising simple, as described at wikihow.com.
  • If it is a simple doorknob-style lock with a push button, get a paper clip, hair pin or similar object. If you are using a paper clip, straighten it first. Then push your 'pick' into the hole. (Either on front or to side of knob) This should unlock the door.
  • If it is a turn-style knob lock, get a flat sided hair pin, insert it into the hole on the front of knob, and turn. This will unlock this type. If it doesn't open, use a dull knife to go between the door frame and the lock. This will push the little metal bar in, bypassing the lock, and you should be able to open the door.

Figure A

Under no circumstances should this type of lock be considered “secure”.  I typically reserve these to keep family members from bothering me during my quiet time…

Deadbolts

Key-activated deadbolts are more secure, but not much of a challenge to a entry-level lock picker.  Figures B and C (HowStuffWorks.com) show a common cylinder deadbolt lock and its internal design.  (You can see an interactive demonstration of how this works at HowStuffWorks.com.)  Inserting the right key lines up the pins so the cylinder can turn the cam and move the bolt back and forth.

Figure B

Figure C

Bypassing a manual cylinder bolt lock is not very hard.  With a little practice, and the right tools, it is possible to quickly manipulate the pins so the cylinder will turn.  This is shown in Figure D, part of HowStuffWorks’ interactive demonstration.  For those who don’t care about how much of a mess they make, a crowbar used at the point where the deadbolt enters the doorframe is a faster bypass method.

Figure D

Padlocks

And then there are padlocks.  Most padlocks are as susceptible to easy-picking as deadbolts.  They are also vulnerable to methods unique to their design.  If you don’t care about someone noticing the lock is compromised, hammers and wrenches can break all but the best padlocks.

Keys and rotary/push-button combination locks v. new technology

Locks not using keys are often seen as more secure.  This is somewhat true.  First, the danger of a lost key ending up in the wrong hands is eliminated.  However, there is still the danger of a PIN or combination leaking to criminal elements due to social engineering, dumpster diving, or a stranger just relaxing near a lock waiting to shoulder-surf.

Second, there is often no lock to pick, although some padlocks and biometrics solutions offer key locks to bypass or reset PINs or combinations.  To see how poor design makes a biometrics-based lock useless, see Chad Perrin's recent post about how DefCon "lock hackers" quickly (and cheaply) rendered them useless...with paperclip.

Push-button manual locks might even be easier to hack than key locks.  The following is from LOCK1: Medeco Locks:

With 10 numbers and a 4-digit combnation [sic], you have a 1 in 10,000 chance of getting it. Let's bring that down to 256. First, push out all the buttons. Next, pull the shackle up and down and watch the buttons. See how many of these actualy [sic] move. There should be only 4. These are the numbers to the combination. You see, inside the lock the buttons are not connected to the locking mechanism except for the 4 buttons used in the combination. Okay, now you have to guess. I would make a chart to keep track of what digits I used so that way you won't be wasting your time pressing the same buttons twice or more.

Here is a hint: On some locks, you will hear and feel a click on the shackle when you press the right button. In other words, then you narrow your choice to 4 numbers, you don't have any idea which is first. When you press a button and it doesn't make a sound, push it back out and try another one again. When you find it, move on to the next digit and so forth. It's really very easy. It has only taken about 10 minutes or less to open one of these. A few have taken less than 3 minutes! (KrakMaster, 2009)

However, these locks—even those considered “high security”—are easily bypassed with the right tools, time, and training.  So let’s jump to high-tech solutions.  That will protect us from old lock designs… not so fast.

Just because a lock uses a biometrics “key” instead of a traditional key doesn’t make it any safer.  This also applies to locks using card scanners.  Design flaws in doors (i.e. locating the hinges on the outside or not protecting bolts or latches with a latch plate) or locks can result in even the most expensive solutions failing to meet basic security requirements.  Further, for every lock manufactured, there is probably a dozen hits when performing a Google search for picking instructions.

The lock’s place in physical security

Does all this mean that locks are worthless?  Should we just remove them and hope for the best?  Not at all.  Locks are just one more barrier to slow the advance of an intruder.  Combined with fences, walls, alarms, barred windows, security cameras, and other controls, they serve to frustrate and detect an unauthorized person until human intervention occurs.  (See Perform a physical security gap analysis.)

So the next time you consider how to protect information assets, think beyond locks.  They are only the beginning of a well-designed physical security strategy.

About

Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...

23 comments
Shylohjacobs
Shylohjacobs

Thank you for this article! I think this is a great idea. I have been learning how to make a video game and I am shocked at the keys and how easy they are to crack! I think the biometric lock is a fantastic idea!

fsslockedlock
fsslockedlock

FS Locks understands by staying one step ahead with state-of-the-art security technology. Our fingerprint door locks are keyless and ideal for safe guarding your home or office. We also have biometric access control systems for keeping track of your employees. Simply click on the tabs below to get started, or choose from the left side menu and see why FS Locks is your premier source for all of your fingerprint doorlocks, keypad door locks, fingerprint scanners, keypads, safes and the new FS Locks Spy Equiptment store

jfowler
jfowler

Been in the "Door Business" for forty years now and the well known saying "Locks keep honest people honest" is as true today as it was in 1970. Anyone who wants to get in bad enough WILL.

oldbaritone
oldbaritone

I love the comment that "Locks not using keys are often seen as more secure." I have been amazed at the number of pushbutton locks left on the factory default combination, and the organization that installed them (DIY, of course, not a locksmith) thinks they're secure now because they have a "high-security lock."

AnsuGisalas
AnsuGisalas

No lock is unbreakable. As is no security system. That's just how it is. However: A lock is part of the resistance to break-in. The more resistance you have, i.e. the more hassle it is to break in, the more secure you are. [i]Not[/i] on account of your "secure system"* but on account of the more insecure systems that abound. Criminals aren't criminals due to their love for hard work. Being less insecure cuts out most of the arbitrary burglars. If someone has a specific reason to go after you, then a less insecure system will increase the odds of a failure, but don't bet on that. Also, someone might be sloppy at doing their homework, and not realize that next door is easier pickings. *no system is secure. They can be only more or less insecure. Aim for less insecure.

Jaqui
Jaqui

that product available in stores all over the place, Gum Off. it's an aerosol canister of nitrogen, very cold nitrogen. empty a large can of it into where the key goes, or on one spot of the lock, rap lock solidly with the can afterwards. the metal is so cold it's brittle and shatters. this can also work using refill cans of BUTANE. if done correctly, only a padlock style lock will show evidence of being compromised. [ these break apart completely. ] the rest you can break the mechanism inside the casing. I spent way to much time around homeless people, most can get past any lock in less than a minute.

santeewelding
santeewelding

A 44-magnum round worked for me, once. Good for any human intervention, too.

Ocie3
Ocie3

Quote: [i]".... If it doesn't open, use a dull knife to go between the door frame and the lock. This will push the little metal bar in, bypassing the lock, and you should be able to open the door."[/i] A credit card or a similar thin, stiff object can be used instead of a "dull knife".

robo_dev
robo_dev

" the perpetrator entered through an unlocked basement door". So user awareness is at least 70% of the problem. The best solid-cobalt locks in a 3/4" stainless steel door are worthless if the kids leave the door open. :)

AnsuGisalas
AnsuGisalas

Birthday, wife's birthday, kids' birthday, mother-in-law's hospitalizationday... the usual. They read them right out of the newspaper sometimes.

Jaqui
Jaqui

specially when the old saying is "Locks keep honest people out". they only slow down the dishonest.

gavin142
gavin142

is to have your office directly across the street from the police department! :)

Tom Olzak
Tom Olzak

Wow! Thanks for the heads up, Jaqui. I'll have to check this out... This is probably not a method most of today's information criminals would use. When the lock's owner puts a key into the lock, discovers it doesn't work, and calls a locksmith, the break-in is revealed. However, this is definitely a good reason not to security valuables behind a doorknob lock. Tom.

Tom Olzak
Tom Olzak

LOL. A .44 Magnum is a little big for my taste. I prefer my S&W .357... In any case, most information criminals want to steal your data without your knowledge. Kicking down the door (like I did many years ago when leading a drug enforcement team) or blowing it to pieces with a 'cannon' leaves evidence of a break-in Tom.

AnsuGisalas
AnsuGisalas

on big roaches too. But again; if it ricochets, get out of there. Your place isn't worth enough.

AnsuGisalas
AnsuGisalas

I've only ever seen inside-the-home doors having that kind of round-edged pins. All the perimeter doors I've seen have had flat or two-faced pins, so that a slim object will simply meet a flat surface, and then it doesn't work.

santeewelding
santeewelding

Works good. At least it does so far in this country, where police stations are not attacked as a matter of course. Yet.

Jaqui
Jaqui

when this is done to a lock, you can't put the key in. the mechanism is gone. the obvious damage being hidden from the casual observer. it's not really much different than applying liquid nitrogen to an object. the difference being in a very selective area is super frozen and broken instead of the entire object. It has the same limitations governing it as well. Brass, a nice soft metal, is very hard to get cold enough to shatter. It takes a large quantity of Gum Off or Butane to get a lock cold enough. Heck, those "kryptonite" bike locks that are supposedly unbreakable are easily bypassed with this, as well as 3' bolt cutters. ;) [ I know, I used a pair to remove one from a bike. A friends bike, it the storage area of the building he was living in. He had lost the key. ] even the carbon cylinders filling the tube in the steel shank doesn't stop the bolt cutters.

AnsuGisalas
AnsuGisalas

As we're talking about deterring factors here, how well you aim isn't that important. Unless of course you take the time to build a name for yourself as a crack shot. Barring that, the pile of used ammo casings in your yard will serve just fine. It will also keep trick-or-treaters away. And friends, and maybe family too. Not mothers-in-law though, they have that "That little skunk wouldn't dare shoot me" -mindset.

robo_dev
robo_dev

:) Physical security, like cyber-security depends on layers. The police are one layer. The lighting and layout of the yard (e.g. bushes and fences), are another layer. The security camera system and alarm system are another layer. The strength of the lock, the door frame, and the door is another layer. Next comes the size and temperment of the dog, the caliber of the gun, how well you aim.... :)

martian
martian

Most likely to be found at a Tim Horton's Near you! ;) Ttyl, Gary

AnsuGisalas
AnsuGisalas

it ensures that you're not robbed by some shifty-eyed nervous type. Who ever walks off with your goods is going to be cool as ice. And it's not vanilla ice.

Jaqui
Jaqui

the cops are rarely around them. only at shift change are you guaranteed to see a cop. :D

Editor's Picks