Locked But Is It Secure?

The most commonly used and least expensive method to control access to any facility’s building perimeter and interior space is by use of mechanical locks and keys. The lock and key is a simplistic methodology that is used today even in the most sophisticated access control systems. The methodology requires a lock, or mechanism that controls access. Access to the lock is authenticated by a credential or key that affirms the right to enter.

Historical perspective

Locks date back some 4,000 years ago to the ancient Egyptians, who developed a crude lock constructed of wood and other weaker materials. The ancient Romans developed the “warded” lock that involved a key inserted into the lock, with a center post within the lock aligning the key cuts to the corresponding “wards.” One of the biggest drawbacks to the warded lock was that it was relatively easy to pick.

In 1778, Robert Baron developed the lever tumbler lock involving multiple levers that had to be aligned simultaneously for the lock to operate. It could also be defeated by picking, but doing so required greater time and skill. In 1848, Linus Yale Sr. developed the pin tumbler lock, which was refined by his son in 1861, and is the basis for pin tumbler locks used today.

Pin tumbler locks

The pin tumbler works in a simple fashion. The lock itself has a number of individual driver pins, which are spring-loaded and correlate to the “biting” of the correct key. When a key with the correct biting is inserted into the lock, the pins align with the shear line, thus allowing the plug to turn and a bolt or latch to retract.

One of the advantages of a pin-tumbler lock is that it is possible to subdivide access to a grouping of doors by providing change keys within a master keying system. These levels of security ensure that change keys, which represent the lowest hierarchy of keying in a key system, will not be able to open doors that a person does not have access rights to. In turn, although change keys within a keying system may not operate all doors, a single key, called a grand master, great grand master or GMK key, can be used to open any door that is keyed within its level.

Locking threats

The most recognized threat to any type of lock and keyway is lock picking. Lock picking involves opening a lock without the key and without damaging the lock. In movies, the thief attempting to gain access to a lock unzips his “little black bag” and quickly gains access to a room or area by “picking” the lock. The reality is that lock picking is an art form; knowing how to pick a lock does not mean that you will be able to gain access to a lock quickly.

A more recent threat emerged in 2002. AT&T Labs Research released a white paper widely thought to reveal closely guarded locksmith secrets. The paper describes the theory of how to reverse-engineer a change key to make a master key for a pin tumbler lock. As we have learned, the change key can open fewer doors than the master key, which is capable of opening all doors associated with that specific master. This by itself is a great threat, but would still require a specific degree of knowledge and probably could only be carried out by a locksmith or equivalent.

The greatest threat to a mechanical lock and keyway would be if there were ways to manipulate a lock quickly without tools, without specific knowledge about locking systems and, finally, if this information were readily available, say on the Internet.

The reality of lock bumping

This hypothetical threat is a now a reality. The greatest threat to the pin tumbler lock is called “lock bumping.” It is a topic that has moved to the forefront as a result of the Web and media, and the prevalence of lock bumping information in mainstream media presents a potential security threat that legitimate users may not be aware of.

Some sources believe this technique was mastered in the 1970s, while others believe it occurred around the same time that the AT&T’s white paper was released.

Lock bumping is a type of lock picking that applies Isaac Newton’s third law of motion, “for every action, there is an equal and opposite reaction.” Lock bumping is reportedly so easy that children have successfully opened a pin tumbler style lock using the method. Persons wishing to bump a lock would either purchase the appropriate lock manufacturer “bump key” or “999 key” legally from an online retailer, or make it themselves. It is called a “999 key” because all biting(s) are cut to nine, the lowest or deepest biting value on a key. Once purchased or created, the key is inserted into the lock and is gently tapped with an instrument, generating force. The energy is transferred down the key, and with nowhere to go, it is transferred into the driver pins, which control the plug movement. The pins are driven upward, thereby creating a momentary gap between the shear line, allowing the plug to turn. Bumping a lock can be done in seconds. There are no special tools needed, and the most common online retailers sell sets of bump keys for less than $10. Worse, online tutorials can teach someone how to make their own bump key using tools readily available from many hardware stores.

Why is bumping a legitimate threat?

• No knowledge or skill is needed to manipulate a lock using the bumping or rapping method.

• Bump keys for all manufacturers are sold on the Internet.

• The deterrent value has decreased, allowing a pin tumbler lock to be opened in a matter of minutes as opposed to a longer delay with conventional lock picking methods.

• The use of the World Wide Web further promulgates this idea, which broadens the number of people who know about the threat, thereby creating more potential adversaries.

• Other ramifications may include insurance coverage. Without a way to prevent forced entry, an insurance company would conclude that the lock was left unsecured and would associate this with negligence, which could be used by some insurance companies to exclude a loss on their policies.

Potential solutions

• It might be time for a re-key for your organization. First, evaluate your keying system. If you determine that the locks used are susceptible to lock bumping, evaluate going to a more secure keyway.

• Re-keying is expensive, so start from the outside of your facility and move inward. In some instances, a high security keyway can be blended with existing keying systems.

• Consider re-keying or adding access control with door monitoring, in lieu of a mechanical lock, to all perimeter doors as well as other doors located internally that could present a security risk.

• Identify if your locks are equipped with an Interchangeable Core (IC). Some ICs are compatible with higher security keyways that should reduce some costs.

• When setting up your keying system, keep control of your grand master key and sub-compartmentalize master keys so fewer doors are affected by the loss of a single key.

• Secure the master key with a digital key system or by “sealing” grand master keys that will identify usage and return dates. People who need to have master or grand master keys should have their key rings welded to reduce the ease of key duplication.

Ensure that all high-security keys have the words “Do not duplicate” on them. Legitimate locksmiths will honor and turn away persons who are attempting to have a high security or standard pin tumble key duplicated. However, for this reason, if a high security grand master key is lost, the whole system will have to be re-keyed to ensure security.

About the Author

Sean Ahrens, CPP, CSC, is a senior security consultant with Schirmer Engineering. He has more than 16 years of experience in the security industry, 11 of them as a practicing consultant. He has been responsible for providing security threat and risk analysis, contingency planning, loss prevention and force protection design and planning for private, public, state and governmental organizations. He can be reached at (847) 272-8340 or via e-mail at [email protected].