When most people think of physical security, they envision locked doors, locked cabinets, locked desks, etc. After all, what are locks for if not to keep people from getting things you don't want them to have? Well, if your planning for protecting your information assets from unauthorized physical access stops at locks, you are simply kidding yourself.
(As a disclaimer, this article is not intended as a complete tutorial about locks and lock breaking. Rather, the takeaway should be the cautious use of locks as just one layer in a set of physical security barriers.)
About the venerable lock
The first known use of a lock is in the Khorsabad palace ruins near Nineveh (Bellis, The History of Locks, 2008). It was a simple device devised about 4,000 years ago, and closely related to modern tumbler locks. Since then, but not beginning until 1778, lock designers have tried tirelessly to perfect how we lock our doors and other repositories. So how have they done?
Doorknob locks
The most common SOHO lock is integrated into the doorknob, as shown in Figure A (BYU.net). Inserting and turning a key prevents the knob from turning and therefore the deadlatch from moving, effectively locking the door. The fastest way to bypass this lock is a swift kick against the door next to the knob. The more subtle process of "picking the lock" is surprisingly simple, as described at wikihow.com:
- If it is a simple doorknob-style lock with a push button, get a paper clip, hair pin or similar object. If you are using a paper clip, straighten it first. Then push your 'pick' into the hole. (Either on front or to side of knob) This should unlock the door.
- If it is a turn-style knob lock, get a flat sided hair pin, insert it into the hole on the front of knob, and turn. This will unlock this type. If it doesn't open, use a dull knife to go between the door frame and the lock. This will push the little metal bar in, bypassing the lock, and you should be able to open the door.
Under no circumstances should this type of lock be considered "secure". I typically reserve these to keep family members from bothering me during my quiet time…
Deadbolts
Key-activated deadbolts are more secure, but not much of a challenge to an entry-level lock picker. Figures B and C (HowStuffWorks.com) show a common cylinder deadbolt lock and its internal design. (You can see an interactive demonstration of how this works at HowStuffWorks.com.) Inserting the right key lines up the pins so the cylinder can turn the cam and move the bolt back and forth.
For those who don't care about how much of a mess they make, a crowbar used at the point where the deadbolt enters the doorframe is a faster bypass method.
And then there are padlocks. Most padlocks are as susceptible to easy-picking as deadbolts. They are also vulnerable to methods unique to their design. If you don't care about someone noticing the lock is compromised, hammers and wrenches can break all but the best padlocks.
Keys and rotary/push-button combination locks v. new technology
Locks not using keys are often seen as more secure. This is somewhat true. First, the danger of a lost key ending up in the wrong hands is eliminated. However, there is still the danger of a PIN or combination leaking to criminal elements due to social engineering, dumpster diving, or a stranger just relaxing near a lock waiting to shoulder-surf.
Second, there is often no lock to pick, although some padlocks and biometrics solutions offer key locks to bypass or reset PINs or combinations. To see how poor design makes a biometrics-based lock useless, see Chad Perrin's recent post about how DefCon "lock hackers" quickly (and cheaply) rendered them useless... with a paperclip.
Push-button manual locks might even be easier to hack than key locks. The following is from LOCK1: Medeco Locks:
With 10 numbers and a 4-digit combnation [sic], you have a 1 in 10,000 chance of getting it. Let's bring that down to 256. First, push out all the buttons. Next, pull the shackle up and down and watch the buttons. See how many of these actualy [sic] move. There should be only 4. These are the numbers to the combination. You see, inside the lock the buttons are not connected to the locking mechanism except for the 4 buttons used in the combination. Okay, now you have to guess. I would make a chart to keep track of what digits I used so that way you won't be wasting your time pressing the same buttons twice or more.
Here is a hint: On some locks, you will hear and feel a click on the shackle when you press the right button. In other words, then you narrow your choice to 4 numbers, you don't have any idea which is first. When you press a button and it doesn't make a sound, push it back out and try another one again. When you find it, move on to the next digit and so forth. It's really very easy. It has only taken about 10 minutes or less to open one of these. A few have taken less than 3 minutes! (KrakMaster, 2009)
However, these locks—even those considered "high security"—are easily bypassed with the right tools, time, and training. So let's jump to high-tech solutions. That will protect us from old lock designs… not so fast.
Just because a lock uses a biometrics "key" instead of a traditional key doesn't make it any safer. This also applies to locks using card scanners. Design flaws in doors (i.e. locating the hinges on the outside or not protecting bolts or latches with a latch plate) or locks can result in even the most expensive solutions failing to meet basic security requirements. Further, for every lock manufactured, there are probably a dozen hits when performing a Google search for picking instructions.
The lock's place in physical security
Does all this mean that locks are worthless? Should we just remove them and hope for the best? Not at all. Locks are just one more barrier to slow the advance of an intruder. Combined with fences, walls, alarms, barred windows, security cameras, and other controls, they serve to frustrate and detect an unauthorized person until human intervention occurs. (See Perform a physical security gap analysis.)
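The layering argument above can be put into numbers. The following is an added example, not part of the original article: it uses a common simplification in which only the delay at or after the first detecting layer counts toward stopping an intruder. The layer names, delay times, and response time are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Layer:
    name: str
    delay_s: float   # time the barrier holds an intruder (constructed figure)
    detects: bool    # True if the layer raises an alarm when encountered

def delay_after_detection(path):
    """Seconds of delay left once the first detecting layer is reached.

    Delay spent before anyone is alerted does not help the responder, so
    only barriers at or after the first detecting layer are counted
    (assumption: a detecting barrier alarms as the intruder starts on it).
    Returns None when no layer on the path detects anything.
    """
    for i, layer in enumerate(path):
        if layer.detects:
            return sum(l.delay_s for l in path[i:])
    return None

def intruder_interrupted(path, response_s):
    """True if a responder arrives before the last barrier is defeated."""
    remaining = delay_after_detection(path)
    return remaining is not None and remaining >= response_s

# Constructed sample sites; every number is illustrative, not measured.
LOCKS_ONLY = [
    Layer("doorknob lock", 10, False),
    Layer("deadbolt", 60, False),
    Layer("cabinet padlock", 30, False),
]
LAYERED = [
    Layer("perimeter fence", 45, False),
    Layer("alarmed door with deadbolt", 60, True),
    Layer("camera-covered corridor", 20, True),
    Layer("locked server cabinet", 90, False),
]
RESPONSE_S = 150  # assumed time for a guard to arrive after an alarm

if __name__ == "__main__":
    for label, path in (("locks only", LOCKS_ONLY), ("layered", LAYERED)):
        print(label, delay_after_detection(path),
              intruder_interrupted(path, RESPONSE_S))
```

In this model the locks-only site is never interrupted, however long its locks hold, because nothing tells a responder to start moving.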
So the next time you consider how to protect information assets, think beyond locks. They are only the beginning of a well-designed physical security strategy.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.