This is the lockpicking equivalent of calling a cracker a hacker.
Also, no lock can be 'unbumpable' just because it has a restricted blank, as by definition in those cases, if the blank can be obtained, the lock can be bumped.
Unbumpable is generally reserved for locks that actually are, by using a mechanism other than pin tumblers (e.g. rotating discs (e.g. Abloy Protec), magnetic encoding on the key (e.g. EVVA MCS), sliders (e.g. EVVA 3KS), or driverless pins (e.g. BiLock)).
High security locks have for a few years been incorporating moving/active elements into keys to avoid duplication, both now from 3D printing, but also originally from casting a copy of the key. As it is, keys witout those can be directly duplicated rather than even needing to bother with a bump key (unless you wanted to open more locks than the key used to make the copy can access).
Jos Weyers has repeatedly brought plain sense to hyperbolic reporting. His statement at the end is bang on:
“The sky isn’t falling, but the world changes and now people can make stuff,” says Weyers. “Lock manufacturers know how to make a lock bump-resistant. And they had better.”
Always very pleased to see his name pop up when this sort of thing makes news, as he never seems to offer a quote that can be used to stoke unreasonable fear.
I mean we've known about bump keys and lock picking for more then 50 years. None of this is news. If I 3D printed a set of lock picking tools would Wired run a story on me?
Author of the story here. Like I wrote, 3D printed bump keys make locks that weren't easily bumpable in the past more easily bumpable. That's not a 50 year-old idea. Likewise, if your 3D-printed lock picking tools were more effective than the traditional kind, than yes, I might write about them, too.
I'm not sure what 3D printing has to do with any of this, other than that bump key was 3D printed. That key could have just as well been CNC'd or cast or whatever manufacturing method.
Unless they figured out this key because 3D printing allowed for rapid iteration.
The difference is there's the possibility that anyone could download a blank key 3D file off of the pirate bay and then get it printed for $5 from Shapeways no questions asked.
Even I could do it.
I don't even know where I'd find a CNC machine. If I asked someone who has one to make a blank key for me he'd probably tell me to fuck off or call the police, and if I tried to use it myself I'd probably cut off my arm.
It's definitely not a revolution of any kind, it's just another step towards lockpicking made easier and more accessible, and makes the concept of physical locks as a lone defense weaker.
There were many points in the article why 3D printing makes the old technique more easily accessible.
For example:
> In this video, Holler demonstrates a 3D-printed and filed bump key for an Ikon SK6, a key that uses restricted, carefully contorted blanks that can’t even be created by many key-milling machines.
I briefly looked into buying high-security locks and reinforcing my door frames when I moved into my new house. Then I realized I had two massive, 20-year-old windows on either side of the front door. In other words, a $350 lock isn't going to stop any crackheads who really want to get in.
Physical security (the real, you-can't-break-this kind) is for banks and governments. For everything else there's video.
It's true that the average random person doesn't need a lock by Abloy/EVVA/etc. just because it's (as close as possible to)unpickable, but I would always avoid bumpable locks as well as ones that are (more)vulnerable to destructive attacks, two categories which include quite a lot of 'high security' locks including UL 437 rated ones. Bumping is still rarer than breaking a window, crowbarring a weak door frame, or kicking at the spot of a weak lock, but is definitely increasing in popularity as it's significantly less obtrusive and doesn't leave visible damage that may alert passers by while the crime is still in progress.
Myself, when I am able to own my own house, I am definitely fitting upgraded (unbumpable) locks as part of basic diligence with regards to security, along with fixing any easily breakable windows.
It's also worth noting that windows can always be reinforced/refitted with laminated glass or even protective films that provide enough protection that the random opportunistic crackhead will probably give up when it doesn't break straight away so as not to get caught. Burglaries that take longer than 30 seconds or so to get in will often be aborted because of the risk of getting caught, especially when there are so many houses with no or insufficient alarms, windows that can server as an easy entry point without a motion sensor behind them, and weak locks that can easily be bumped/pulled[1].
If you have big breakable windows, always invest in a good alarm with motion and/or glass-break sensors though.
[1]Pulling/snapping is gradually becoming the new bumping - some lock designs are physically weak enough that they can be either broken inside the door or physically pulled out with hand tools. Example news article: http://www.bbc.co.uk/news/uk-england-leeds-17075027
This really hit me recently when I left the house after doing some cryptography research.
When I "locked" the wooden door with a piece of metal that has been photographed by probably countless cameras... I just had to laugh at myself and wonder why I bad been programmed to do this seemingly pointless action my entire life.
Keys have and always will be security through obscurity.
For most people it's not an issue. The only people that are likely to bump your lock are really professional thieves (who are rare) or intelligence services who'll have better equipment.
Most businesses are more than secure enough. It's far easier for a crook to gain access via social manipulation than it is to bypass physical security systems. As with home security, humans are always the weakest link in the chain.
I previously worked for an international company that manufactures hinges for heavy doors. I once spoke with a man who worked with locks. He said,(and I don't recall the jargon) [keys will soon have more than one set of teeth and the angle between the rows of teeth will be variable].
Do you remember when this was? Multiple rows of pins have been around for ... well, since 1848 at least, but in modern locks, Kaba & Sargent (later bought by Kaba) have been using multiple rows for many decades.
Doesn't actually prevent bumping, though! Additionally, the "angle between the rows" is interesting in thinking what exactly he might have said. Sargent, again, with the Keso introduced the idea of somewhat variable spacing of the pins in the Keso.
Additionally, if we're talking angles, there was the Medeco Biaxial (often confused for the original Medeco lock) which introduced the idea of "fore", "center" and "aft" positioning of the cuts in the key/position of the chiseled tips of the pins.
The former, Sargent, can still be readily bumped as even though you won't always know if a pin will be present, you know every possible location of the pins and can adjust accordingly. With Medeco, it's significantly harder, though they caused themselves problems with a heavily restricted code book so that the mere visual observation of the first two pins in the lock could give you a very good idea of the positing of the other elements and allow you to make a few possible bump keys to attack them. They've since fixed that problem.
Two very different problems, though both are locks. In the case of a car you don't always get to choose the security of the community it lives in. Its portability, price and effective lifespan dictate different standards of security.
In the US the average length of car ownership is at an all time high of 6 years. You can reasonably expect the locks to outlive your interest in the vehicle. Whereas (and this is all quick googling to get to a point, so anyone feel free to correct my figures) the average ownership of a home is 20 years. Now, while locks can certainly survive that long, it's a good idea to replace them once in a while.
Additionally, in the rental market where turnover is significantly higher, there are often laws that require the regular changing of the locks from tenant to tenant.
And - another factor - insurance standards related to security on cars are much more robust than insurance related to security on buildings. You can occasionally find a break for having a second lock, or deadbolt, etc. but your returns on insurance breaks diminish completely as you invest in higher end physical security.
All of this is to say - door locks are a commoditized after-market product that are influenced by geography. They are made to be replaced/maintained by the user and there will always be a thriving budget marketplace for them. Your car locks, on the other hand, are never meant to be worked on by the user, are rarely replaced and have almost no competitive after-market.
Hope that helps lay out some of the differences between the two.
(and I could go on. Lot of other stuff around OEM, cost of production, ability to sell on security, etc. etc.)
They're expensive, complicated, failure-prone and proprietary. But then again, so are some high-security door locks.
Honestly it's probably just the industry wants to keep its separate businesses which adds up to more money. People sell rfid fobs separate from their high-security keys while cars combine the two. There's no reason you couldn't take the ECU out of a Lexus, wire it up to an arduino, plug it into a wall, attach a solenoid to a door lock and weld the lock cylinder of the car into a door handle. Since modern Lexus keys act as RFIDs when their batteries die it should be mostly fail proof.
Or just use a better lock. Pin-tumbler locks are just awful and inexcusable. We have know that they are bad and had better options for more than 5 decades. Yet for some strange reason they have managed to maintain their market dominance in the US. Every year they add new mitigation features that generally either don't actually work, or if they work, they just make picking it a tiny bit harder. If you want your front door not to be easily pickable, just get Abloy Protec or a similar lock for it.
Of course, the reason for this is that criminals largely don't pick locks.
Of course, but the point of the article is that blanks for high security locks used to be much harder to come by. Now, software and 3-D printers make it easier to defeat the feature that makes them "high security". The implication is that pretty much anybody can do it now.
I remember reading several years ago about how one can take a picture of a key from far away and use that image to replicate the key. Back then, replicating keys from a picture was not something just anybody could do, so it wasn't a threat worth fretting about. Presumably 3-D printing will make that easier too. One can even imagine an app: point your phone, press a button, and get a key in the mail a few days later. I expect we'll see that article soon.
For some locks, that's true. Other lock companies use copyright to do key control. Your not going to find blanks for many of the kinds of keys this promises to print.
[+] [-] blueskin_|11 years ago|reply
This is the lockpicking equivalent of calling a cracker a hacker.
Also, no lock can be 'unbumpable' just because it has a restricted blank, as by definition in those cases, if the blank can be obtained, the lock can be bumped.
Unbumpable is generally reserved for locks that actually are, by using a mechanism other than pin tumblers (e.g. rotating discs (e.g. Abloy Protec), magnetic encoding on the key (e.g. EVVA MCS), sliders (e.g. EVVA 3KS), or driverless pins (e.g. BiLock)).
High security locks have for a few years been incorporating moving/active elements into keys to avoid duplication, both now from 3D printing, but also originally from casting a copy of the key. As it is, keys witout those can be directly duplicated rather than even needing to bother with a bump key (unless you wanted to open more locks than the key used to make the copy can access).
[+] [-] unknown|11 years ago|reply
[deleted]
[+] [-] emhart|11 years ago|reply
“The sky isn’t falling, but the world changes and now people can make stuff,” says Weyers. “Lock manufacturers know how to make a lock bump-resistant. And they had better.”
Always very pleased to see his name pop up when this sort of thing makes news, as he never seems to offer a quote that can be used to stoke unreasonable fear.
[+] [-] valarauca1|11 years ago|reply
[+] [-] agreenberg|11 years ago|reply
[+] [-] narrowingorbits|11 years ago|reply
Yes.
[+] [-] RobLach|11 years ago|reply
Unless they figured out this key because 3D printing allowed for rapid iteration.
[+] [-] kalleboo|11 years ago|reply
Even I could do it.
I don't even know where I'd find a CNC machine. If I asked someone who has one to make a blank key for me he'd probably tell me to fuck off or call the police, and if I tried to use it myself I'd probably cut off my arm.
It's definitely not a revolution of any kind, it's just another step towards lockpicking made easier and more accessible, and makes the concept of physical locks as a lone defense weaker.
[+] [-] legulere|11 years ago|reply
For example:
> In this video, Holler demonstrates a 3D-printed and filed bump key for an Ikon SK6, a key that uses restricted, carefully contorted blanks that can’t even be created by many key-milling machines.
[+] [-] mkesper|11 years ago|reply
[+] [-] Domenic_S|11 years ago|reply
Physical security (the real, you-can't-break-this kind) is for banks and governments. For everything else there's video.
[+] [-] blueskin_|11 years ago|reply
Myself, when I am able to own my own house, I am definitely fitting upgraded (unbumpable) locks as part of basic diligence with regards to security, along with fixing any easily breakable windows.
It's also worth noting that windows can always be reinforced/refitted with laminated glass or even protective films that provide enough protection that the random opportunistic crackhead will probably give up when it doesn't break straight away so as not to get caught. Burglaries that take longer than 30 seconds or so to get in will often be aborted because of the risk of getting caught, especially when there are so many houses with no or insufficient alarms, windows that can server as an easy entry point without a motion sensor behind them, and weak locks that can easily be bumped/pulled[1].
If you have big breakable windows, always invest in a good alarm with motion and/or glass-break sensors though.
[1]Pulling/snapping is gradually becoming the new bumping - some lock designs are physically weak enough that they can be either broken inside the door or physically pulled out with hand tools. Example news article: http://www.bbc.co.uk/news/uk-england-leeds-17075027
[+] [-] sirdogealot|11 years ago|reply
When I "locked" the wooden door with a piece of metal that has been photographed by probably countless cameras... I just had to laugh at myself and wonder why I bad been programmed to do this seemingly pointless action my entire life.
[+] [-] StavrosK|11 years ago|reply
[+] [-] joshvm|11 years ago|reply
For most people it's not an issue. The only people that are likely to bump your lock are really professional thieves (who are rare) or intelligence services who'll have better equipment.
Most businesses are more than secure enough. It's far easier for a crook to gain access via social manipulation than it is to bypass physical security systems. As with home security, humans are always the weakest link in the chain.
[+] [-] acd|11 years ago|reply
https://www.google.com/atap/projecttango/#devices
Pin codes are also not secure, subject to capture by movie cameras Google glass and IR heat scanners picking up the key strokes.
So both keys and pin codes are not secure.
[+] [-] justaman|11 years ago|reply
[+] [-] emhart|11 years ago|reply
Doesn't actually prevent bumping, though! Additionally, the "angle between the rows" is interesting in thinking what exactly he might have said. Sargent, again, with the Keso introduced the idea of somewhat variable spacing of the pins in the Keso.
Additionally, if we're talking angles, there was the Medeco Biaxial (often confused for the original Medeco lock) which introduced the idea of "fore", "center" and "aft" positioning of the cuts in the key/position of the chiseled tips of the pins.
The former, Sargent, can still be readily bumped as even though you won't always know if a pin will be present, you know every possible location of the pins and can adjust accordingly. With Medeco, it's significantly harder, though they caused themselves problems with a heavily restricted code book so that the mere visual observation of the first two pins in the lock could give you a very good idea of the positing of the other elements and allow you to make a few possible bump keys to attack them. They've since fixed that problem.
[+] [-] ianstallings|11 years ago|reply
waves hands
[+] [-] hamburg|11 years ago|reply
[+] [-] emhart|11 years ago|reply
In the US the average length of car ownership is at an all time high of 6 years. You can reasonably expect the locks to outlive your interest in the vehicle. Whereas (and this is all quick googling to get to a point, so anyone feel free to correct my figures) the average ownership of a home is 20 years. Now, while locks can certainly survive that long, it's a good idea to replace them once in a while.
Additionally, in the rental market where turnover is significantly higher, there are often laws that require the regular changing of the locks from tenant to tenant.
And - another factor - insurance standards related to security on cars are much more robust than insurance related to security on buildings. You can occasionally find a break for having a second lock, or deadbolt, etc. but your returns on insurance breaks diminish completely as you invest in higher end physical security.
All of this is to say - door locks are a commoditized after-market product that are influenced by geography. They are made to be replaced/maintained by the user and there will always be a thriving budget marketplace for them. Your car locks, on the other hand, are never meant to be worked on by the user, are rarely replaced and have almost no competitive after-market.
Hope that helps lay out some of the differences between the two.
(and I could go on. Lot of other stuff around OEM, cost of production, ability to sell on security, etc. etc.)
[+] [-] peterwwillis|11 years ago|reply
Honestly it's probably just the industry wants to keep its separate businesses which adds up to more money. People sell rfid fobs separate from their high-security keys while cars combine the two. There's no reason you couldn't take the ECU out of a Lexus, wire it up to an arduino, plug it into a wall, attach a solenoid to a door lock and weld the lock cylinder of the car into a door handle. Since modern Lexus keys act as RFIDs when their batteries die it should be mostly fail proof.
[+] [-] Tuna-Fish|11 years ago|reply
Of course, the reason for this is that criminals largely don't pick locks.
[+] [-] teklulz|11 years ago|reply
[+] [-] adamtj|11 years ago|reply
I remember reading several years ago about how one can take a picture of a key from far away and use that image to replicate the key. Back then, replicating keys from a picture was not something just anybody could do, so it wasn't a threat worth fretting about. Presumably 3-D printing will make that easier too. One can even imagine an app: point your phone, press a button, and get a key in the mail a few days later. I expect we'll see that article soon.
[+] [-] taylorbuley|11 years ago|reply