The Hacker Mind Podcast: The Gentle Art of Lockpicking

Robert Vamosi
March 9, 2021

What is the allure of lockpicking at hacker conferences? In this episode Deviant Ollam explains why these mechanical puzzles remain popular with hackers.

Ollam, who was an early member of Toool, The Open Organization of Lockpickers, discusses his career as a physical pen tester and also provides some basic lockpicking hacks.


Vamosi: Over the years I’ve accumulated more than a few combination locks. In fact, I keep a bag of them. Why? They’re all in great condition -- except I forgot their original combinations. Then, several years ago, I discovered a website that steps you through the process of hacking combination locks. It’s actually pretty easy. Just pull up on the hasp, then turn the wheel until you feel a slight tension. When you feel that, write down the number. There should be a dozen or so hits on any given lock as you go around the dial. Now look at the numbers. Any numbers that fall between two numbers, like 10 and a half, 15 and a half, you can discard. The remaining whole numbers will then lead you toward the final combination. There’s obviously more to it, but you get the general idea, and maybe on some rainy Sunday afternoon you can puzzle out these long lost combinations and reclaim a few combination locks for reuse.

In this episode, I’m talking to someone who goes way beyond hacking your basic drug store combination lock; I’m talking about hacking locks that protect assets potentially as great as the White House. You’d think some higher end locks would be nearly impossible to crack -- I mean, consider the assets they’re protecting on the other side. My guest makes picking locks, at least after he explains it, easy, and this understanding of the mechanics starts to explain why lock picking challenges have become a part of the hacker culture today.


[Music]


Welcome to The Hacker Mind, an original podcast from ForAllSecure. It’s about challenging our expectations about people who hack for a living.


I’m Robert Vamosi, and in this episode I’m going behind the scenes on the lock picking culture within hacking, introducing you to someone who works as a physical pen tester and has helped to establish the lock picking villages you see at most of the major hacking conferences today.


[Music]


Ollam: So lockpicking has always been a huge part of the hacker world, and the community, both as a hobby interest, and also now increasingly, as with faces like mine, as a professional endeavor.


Vamosi: This is Deviant Ollam, one of the names often associated with modern lockpicking. I first interviewed him a few years ago at Black Hat for my book When Gadgets Betray Us. Recently, I asked him why lock picking remains so appealing within the hacker culture.


Ollam: I think it's so appealing because anyone at literally any level of technical prowess can find something out of it, and can gain something out of it immediately. If someone is already very skilled, well, they can start lockpicking if they've never tried it, and their brain will find new and kind of fun ways of thinking about problems, and that appeals to them. If someone's already understanding, oh, I understand how locks work, there's always new kinds of, there's always new problems and new challenges that are always out there, but nothing really in the purely mechanical space is ever out of one's grasp entirely.


Vamosi: One of the oldest and most crowded independent villages at DEF CON is the lock picking village. I remember walking into that village years ago and finding table after table of locks and picks with friendly volunteers to assist anyone who had questions. Literally, each lock came with its own tutorial. I have to admit, it is addictive. 


Ollam: Locks, at any hacker conference, they've been around, right? They've been on somebody's table at lunch or in a hallway. So these informal sessions were always part of the hacker culture, but it was really a fella named Kai and his friend Doc and some other people from Colorado in the 719 area code day. They were the first that anyone really remembers, in those early single digit days of DEF CON, to start challenges and workshop tables. Still very informal, but that was the beginnings of, hey, come over here and why don't you try this. So, when they saw my presentation, years ago, about locks and lock picking at DEF CON, that's when they approached me, and DEF CON leadership approached me, and said, hey, do you want to be a part of this? Do you want to stand up some of, you know, you had a table in the hallway after your talk that was as big as anything other people set up, usually all weekend. Do you want to do that next year? And that was sort of the inception of what I called the lockpick village at DEF CON.


Vamosi: DEF CON wasn’t the first conference to host lock picking. As we are about to hear, the Dutch were way ahead of other countries in providing lockpicking as a sport for hackers.


Ollam: The Dutch had sometimes been doing what they called a village tent at Dutch events in a big campground. But yeah, the idea of the mantra of the lockpick village I called it three words: Learn Touch Do. It is a one stop shop, the lockpick village and many other teaching villages that have grown out of that tradition now. Gosh, there must be 20 or more villages at DEF CON if you want to learn radio if you want to learn tampering with seals if you want to learn encryption if you want to learn, you name it. There was a cannabis village recently at DEF CON. But all one stop shop you can learn about a topic with someone instructing you, you can immediately go hands on and immediately get that wow, I can do this feedback moment that encourages people to keep on learning and developing that skill.


Vamosi: And it’s not just DEF CON. Lock picking is a part of most legitimate hacker conferences. That’s largely because of something called The Open Organization of Lockpickers, or Toool, with three o’s. They are an international organization that provides membership for those wanting to pick locks for sport, and they also provide the general public with a lot of free resources online. Many of those resources were created by Deviant.


Ollam: I was there right at the earliest days, although I was not one of the original board members when Toool was spun up in the United States. So Toool, T with three O's, The Open Organization of Lockpickers, was originally a Dutch organization, still exists to this day in the Netherlands, and there are chapters all around the world. There are chapters in the United Kingdom; later there are people who've contacted us from Canada and other countries, but the largest presence in addition to the Dutch chapter is the American organization, Toool US. Initially, many of us were exposed to Toool through some of the Dutch hackers who were mainstays at American hacker conferences right around 2000. That was the first time that lockpicking made the leap from the silver screen to the tabletop in front of us at hacker events many times. So, when the Dutch Toool chapters, especially Bode Wells, who's a name that comes up a great deal, he and his associates sort of gave their blessing to people in America to start Toool in the US. I was friends with that whole group, and Bode met me at the same time, but the initial board members were a couple gentlemen named Eric, one guy named Skyler, and one guy named Bob Chuck. Schuyler left early on; he was still very close to the community, but he left the board, and I was voted on to the board in those early days, but I was not one of the original founders. I have been very proud to keep it going for many years. I am still on the board. I am one of the only board members remaining from that era. But we have no shortage of interest and great support and volunteer staff, so Toool will be around long after I'm gone.


Vamosi: Lockpicking, then, is more about the immediate gratification. It’s either open or it is still locked. Within infosec, so many challenges are intangible -- like configuring networks or firewalls. This is something concrete that you can literally hold in your hand.


Ollam: It's not like if you are a cryptographer, and you understand basic code, and then someone shows you something that no one's ever done before, you might say, wow, that new generation, they're really going to new places. I could never do that. Or at the very least, a large time investment is needed to kind of get your foot in, and you might say I don't, I don't have time for that right now.


Vamosi: As humans, we’re basically hardwired for the physical world so we’re naturally more drawn to the basic tactile experiences rather than the cerebral.


Ollam: With lockpicking, fundamentally humans are, you know, dexterous creatures. We can understand mechanical bits pushing themselves together in certain ways, and even newer or more complicated locks, with a quick explainer, they're usually accessible. And the real fun part is for the non technical crowd, right? If you are a new face in the hacker community, or if you're an old head but you're bringing someone new in, a lot of times they'll make a beeline right for the lockpick village. They'll say, all this stuff is a big bright world you're going to get to. But right now I want to put something in your hands that will have immediate impact and reward, just like anybody training somebody to work out. You don't want to give them the hardest exercise or the heaviest weights; that will discourage them. You want to give them something that's immediately achievable, and they can build off of that feeling of success, and lock picking is that for many, many hackers.


Vamosi: So right away there are many questions. Culturally we know that breaking and entering is illegal, yet it is not illegal to pick a lock that you own or otherwise have permission to use. And, as Deviant explains, there can be some legitimate reasons why I would use my lockpicking skills in the real world.


Ollam: Certainly, to kind of make an analogy to someone studying martial arts, you know, you should never go punch someone in the face without their permission, right? But that doesn't mean that strictly engaging in street combat in a crisis is the only use of that martial skill. Doing it simply for the prospect of enjoying it. I enjoy self-betterment and I enjoy the challenge. That's the type of healthy, quiet enjoyment, and that's perfectly valid. So doing it as a way of solving puzzles is one type of, in my opinion, practical use of lockpicking.


Vamosi: Martial arts, I could argue, is good for physical fitness. Lockpicking, then, I could argue is good for mental fitness -- a lock is, after all, a challenging mechanical puzzle.


Ollam: I think maybe a lot of people have the question, and what you might be thinking of, applied. How can I really apply this knowledge? And frankly, while you shouldn't pick locks you don't own, there are many people I know in this world who pick locks they do own, not for fun, but because they were stuck. You know, you go to your vacation home or your cabin and you realize, oh, the key was on the other key ring, and do I want to drive all the way back into town? Well, hang on, let me see, I've got my picks on me. Or if you're with a friend or associate, and they say, oh my goodness, this locker just stopped working on me, I don't know, it's the same locker I've used at this gym for the past five years. Is that what you do? Mind if I give it a shot? And then you could try to manipulate it open or shim it open. Oh, thanks, buddy. So there are plenty of times having a skill like that is applicable even in a practical sense in the real world.


Vamosi: Okay. Accepting that you have permission to pick your own locks, that you are doing so for mental fitness, and that the idea of at least knowing the fundamentals of picking locks can have practical application within the real world, where should I begin my lockpicking journey? What’s a good entry level lock for me to pick?


Ollam: Yeah, there's sort of general hardware store sub $10 products that are on many shelves. Of course, Master Lock is a name that's well known in the market, and they make plenty of appearances at our teaching tables, not because they're inherently a bad company. They simply serve all segments of the market. Master Lock makes some commercial and higher end products, but the real major penetration in the dollar store, Harbor Freight, Home Depot market comes from anybody who's going to charge five to 10 bucks. And there's no shortage of products that are great beginning products at that level. Many of them don't have any brand name on them because they're just complete no name generics, but they all mechanically behave the way we are expecting.


Vamosi: So you probably have noticed that combo locks appear to be different from key locks. Don’t be concerned. They’re not really different. At least, not deep down.


Ollam: Yeah, yeah, locks are just objects designed to check some sort of token that an ostensibly authorized user is possessing, and whether that token is a piece of knowledge like a combination or a physical token like a key, the lock is just verifying that. And if you can find a way around it, find a way to do it without the proper token, again, even someone who's not a security practitioner instantly rocks the realization of what that kind of impact is.


Vamosi: This is one of those moments, as a podcaster, when I’ll admit it’s probably easier if I just throw up a graphic and explain some of the mechanics behind locks. In some cases there are pins and you are trying to get them to set in a particular way, meanwhile… Okay, Deviant is better at explaining all this.


Ollam: What's happening in a lock is that you have small elements which, when not pressed into the correct position, cause larger pieces to not be able to move. Anyone can think of a door, just a door like you might have in your closet. Well, the door is very large, but the tiny plunger that sticks out in the door latch mechanism, if that one plunger is not moved to the correct position, that tiny piece is arresting the motion of the whole large door. Inside of a lock is no different. Locks have very tiny pins, conventionally, and those very small pins, even though they don't move very far, they have to be moved into the right position for the larger mechanism and the release mechanism of the lock to actually operate. We're reaching into a space normally you couldn't reach with your fingers and moving those pins in a way, normally, the manufacturer wouldn't want them moved without the proper key.


[music]


Vamosi: Once you understand the basic concept of what’s going on inside a lock, then it’s easier to understand how you might go about picking that lock. And you start to understand how the specific actions that you take, the tool that you use, can influence your goal of opening the lock.


Ollam: When you show somebody that, and you show someone some educational diagrams or animations, especially, that gives them a view from the inside they couldn't normally see. It all starts to click, so to speak, in their mind, and they say, oh, I see what's happening here, and if I push on it this direction, well, those forces are causing this, and then if I move this piece or wiggle at this one, oh, it's open. And that real, that impact moment, nothing digital in my mind can really compare, even when you exploit a system and gain root access or if you decode a cipher. It's all just data on a screen. A tangible reaction, popping the shackle out of the lock body or turning the deadbolt and the door is unlocked, that's something that harkens back to physical objects. We've been picking up blocks since we were little kids and moving things around. So anything tangible is an instant reaction. It's just great that you can get people started right away.


Vamosi: And, staying with the topic of visuals for a moment, there are countless misrepresentations of lock picking in the media, in the movies in particular. You know, the hero pulls out a paper clip and jiggles it within the keyhole for a few seconds and presto -- the door is now unlocked. Yeah, that’s only half right. You actually need the actions of more than one tool to get it right.


Ollam: Yes, the minimum generally is two. Oftentimes those of us exposed to lock picking in fiction on the screen, they kind of forget that part, because a lockpick is, you know, a classic idea. It's very characteristically cool looking. It's got all these bits and bobs and sometimes a fancy handle. Prop departments love lockpicks. Prop departments do not always remember to include the very boring, basic looking thing known as a turning tool. It's another implement, usually just a flat bent piece of metal, a strip of metal stock, but that tool is imparting some rotational turning force, conventionally, while the lockpick is doing the cool looking job of moving about those inner components. When you think of operating the lock the right way, the official way, with a key, you are pushing those pins into position with the key, then turning the plug. With lockpicking you're using manipulation tools to do that in the opposite order: you try to turn the plug, and then you go in and start manipulating those pins.


Vamosi: Okay, sometimes Hollywood does get it right. For example, in the film Midnight Run, Robert De Niro’s character actually uses a turning tool along with a kind of a rake tool. One time he’s successful. Another time, he’s not. So Hollywood, when it wants to, can get it right. In the real world, a lock picker would have more than one tool.


Ollam: Yes, in the world of, let's say, edge tools, edged cutting tools, many people will group. If you're in a kitchen looking at an assorted set of chef's knives, you might think of their serrated blades, and then there's straight edge blades, one for sort of sawing, and the other for precision slicing. In that sense, how the most wide range of tools can group into larger categories. Most lockpicks can be grouped broadly into two categories: tools that are used for precise, sometimes called single pin or one pin at a time manipulation, single pin picking, or tools that lend themselves much more to something like raking or scrubbing, where you're attacking all the pins almost simultaneously in a very frenzied manner. And both techniques have their place. That's not to say that some tools can't do a little bit of each. Some people have heard of the diamond shape pick, a lockpick that has a little diamond head, that can kind of do each; you can kind of scrub or rake with it, you can kind of single pin pick with it. But as people's collections of equipment get larger and larger, you'll see more and more intricate tools designed to enhance this type of raking or that type of pin picking.


Vamosi: What’s happening inside the lock is not, if you think about it, very complicated. It’s really not. The jagged edge of a key moves the pins to their open positions while you simultaneously turn the key. The tools the pen tester carries, then, are trying to recreate that process. One of the tools is used to set the pins in the open position, and often the pins have to set one at a time. Hence you can jiggle and bump the pins into their open positions, meanwhile the turn tool recreates the physical way a key would turn to open the lock.


Ollam: Yes. So when someone first sees a large lockpick like a rake, they say, oh, so is this just taking the place of the key? It just pushes all the pins right at once? It's not exactly what happens. Many times the analogy we like to use when manipulating a lock, it's almost like if you were looking at a kind of a slot machine, and in the slot machine all the wheels are spinning and you're hoping for that big payout jackpot. But what if you could hold, or lock, some of the wheels into desirable positions? If you do one round of the slot machine and you get a couple of cherries and you say, I'm gonna click, I'm gonna lock those cherries. Let's spin the other wheels and see what we get. That would be, of course, a lot easier to get yourself that big payday. Well, lockpicking works the same way. You are, yes, manipulating all the different pins as you go through the lock. But if some of them land into the right desirable position, and you learn what that is, you learn how to feel it by getting the feedback from the lock, it's actually auditory and tactile feedback, you can say, oh good, I think this pin, I think I've got it in the right position. Let's not disturb that any further. Let's keep applying just some gentle turning force to the lock and it'll hold that, and that's called setting a pin. So you can get a pin set into the right position, and you work on another pin and then another pin. And if you're doing it gracefully enough and with enough finesse and care, it's just like that slot machine where you can kind of lock the certain wheels where you want them and kind of get an edge on the house.


[music]


Vamosi: Now that we’ve mastered or at least understand the locks that use pins, there are other kinds of locks. There are other systems and other ways to keep the lock from opening. They are often layered on top of this basic understanding that we now have about how locks work. 


Ollam: Wafer systems, rotating discs, are sometimes called disc detainer locks. There are sometimes locks that use pins, but the pins are in different orientations. They might be transverse to the keyway. There are locks that use what are called sliders, which is typically a term used for unknown spring biased elements that are just floating elements, so they don't give you as much feedback. But in all cases, we are dealing with that same analogy of a small piece that needs to be in the right position to allow a much larger piece bearing on it to slide into its correct position. Moving small things can eventually, if done right, have implications for moving a much larger thing that is attached to them.


Vamosi: In fact the more secure locks are just combinations of pins and cylinders layered in various ways.


Ollam: Yes, so I can even send you a photo of the locks from the White House. They happen to use Medeco locks, which is a very popular lock in the government space. Medeco is a company that is an example of many types of high security firms where what you start to do is make those little interacting movements, adding another order of remove to more and more.


Vamosi: This is important. With these more expensive and more secure locks, what we’re doing is increasing the layers of challenges involved. The various layers of remove. So there’s not just one set of pins, or even one mechanism, there are multiple. You not only have to get the one right, you have to get all the others right as well. The idea, as in any security defense, is to sufficiently frustrate an attacker so he or she will go elsewhere.


Ollam: If I have a truck, and I can drive my truck forward and back down the road, that's pretty easy to do. Well, if I hitch a trailer to the back of my truck, let's say I need to haul some firewood, I can drive it forward down the road pretty easily, but I have to use some real caution if I start backing up, because I have to, oh, well now it's kind of reversed, and if I turn left the trailer goes right, but I can still do it. I'm cautious. Let's say I chain a third, you know, unit on, so now it's two trailers. Doing it the right way, going forward down the road, works fine. If I want to back up, that becomes really hard, because I now have to care not about just the one piece I'm pushing on but how that piece pushes on the next piece behind it. And as you can see, adding more orders of remove to the piece you're actually trying to get manipulated becomes very hard if you're not doing it in the conventional expected manner.


Vamosi: If I were to design a very sophisticated and therefore very secure lock, I’d just pile on various elements. That’s what the heavy duty locks actually do. 


Ollam: Medeco is an example of that, because you're pushing on pins, but those pins aren't what hold the lock shut. Those pins really interact with another element that's called a sidebar in a Medeco system. Many, many locks have sidebars, and it's the sidebar holding the lock shut. I've even seen locks where there's the conventional pins and then there's side pins, and then the side pins interact with a sidebar, which is holding the lock shut.


Vamosi: Knowing there are different levels of secure locks, from the inexpensive ones up to the very expensive ones, what does Deviant recommend?


Ollam: Everything ultimately comes down to the economic value involved in the equation. Locks exist because, in an imperfect world, we are ultimately just trying to protect assets, and the value of the asset often dictates the value that someone might be willing to spend in terms of time and effort and material and money in attacking to get to that asset. So, for your average home user, I think it's a really neat thing to see the development of locks and security devices. Deadbolts and padlocks that are available on the market today far exceed what you would have seen in a store or a shop 100 years ago. And for the average home user, because again, economies of scale and value engineering, the average price of even a nice high quality padlock makes them much more achievable now than they would have been 100 years ago.


Vamosi: It’s a classic walls and ladders scenario. I built a high wall to protect my assets -- my castle or my village -- but now the adversary builds a taller ladder, and so I build a taller wall, and so forth. There will always be that sufficiently resourced persistent attacker who can, with enough time and enough money, defeat most security systems in place today. Knowing there’s this near constant level of escalation, we need to keep thinking of security in terms of layers. Defense in depth. At the outermost edge, you’ll want to introduce some friction to the attacker, so use basic locks, locks that can be defeated within say five minutes. At the next level you’ll want to introduce more tension, so you’ll want what are known as contractor grade locks bought at hardware stores that are designed to defeat high grade bumping attacks. The next level, then, you want to introduce the most tension, and for that you need high security locks, which have additional mechanisms designed to thwart a would be attacker. And finally, there are the so called unbeatable locks without known attack vectors or bypass weaknesses. These locks are typically only available from the vendor directly. So, really, you can find a lock that’s right for your needs. The question remains -- is the asset you’re protecting worth the additional sums of money involved?


Ollam: So for your average home user, sure, your security has actually gone up a great deal. But for something like a bank or a museum or a government installation, where foreign governments' and adversaries' budgets have kept pace with the growth of technology, we're always going to see that ladders and walls game continuing at the highest levels of security, which is why ultimately no single lock, no single device or solution, should ever be the totality of a high security facility's posture. We talk about security in layers. We talk about how some elements of your security might deter or delay an attacker, but other elements of your security are there just so that you can detect an attack is in progress.

[Music]


Vamosi: When he’s not evangelizing lock picking, Deviant’s a very busy man. He runs several companies, but with a common theme. He’s trying to secure businesses and often that means he’s out in the field performing physical pen tests.  

Ollam: So one is called The CORE Group. I've had that the longest. My friend Babak, actually, who shows up in much of my material, I'm very, very, very linked to the Toool world, he was a Toool Board of Directors member for years and years and years. He had founded that company shortly before moving to the Philadelphia area where I was at the time; he had moved out so that we could work together. And they went away, and much more recently, we've been doing a lot of consulting and training as well. The training arm became so popular that it almost would overtake some of our consulting work. Not to mention that we would sometimes get requests for types of training that we knew the material, but we really want to put our best foot forward at all times, so to be really a subject matter expert we had some very close connections with another firm called Red Mesa, things in the surveillance space, the RF spectrum, and by bringing Red Mesa and CORE together, Red Team Alliance is a training and certification division that is a kind of a joint venture of those two firms.

Vamosi: So we’ve focused mainly on traditional lock picking. There’s also another category of lockpicking that is called bypass. Rather than trying to pick the lock directly, bypass is where you simply defeat the security system itself. One way to bypass is to use a shim. For example, a quick way to pop open a combination lock is not to divine its actual combination, but to create a thin wedge of metal in a V shape that you slide down the shaft so the lock is forced open. In most lockpicking talks you’re shown how a common beer can can be quickly cut open, laid flat, and used to create a shim that can defeat the mechanism holding the lock closed. I could do that with each of my combo locks, but in a way that’s kind of like cheating.

Ollam: Much like anyone who's ever picked up some thin wedges of wood at Home Depot, they were moving some construction pieces around, and a shim in that context is a thin element designed to just give a little bit of extra oomph to slide larger objects into position. In lock opening, a shim is a thin piece of, usually, metal that can slip its way into a very tiny crevice, and in the same sense get larger pieces to actuate, move around into other positions. Shimming would be an example of a category of attack we would call bypassing. Many times if I'm using a shim on a lock, that lock might have a keyhole, it might have pins, it might have a lot of things I could insert an attack pick into. But shimming is just saying, no, I'm not going to bother with that, I'm just going to bypass that lock and just shim the release mechanism. Most of the time in the lock sport world, in the sport picking and hobbyists community, bypassing, while the practical implications are understood and appreciated, and while we will tell people some knowledge about it -- here's how you make sure your locks can't be bypassed -- it's not an endeavor that's engaged in with much enthusiasm or competitive spirit, because there's no real skill involved in most bypassing attacks.

Vamosi: In another example of bypassing, Deviant uses a metal bar that can be slid under a door and then, once rotated upright, used to pull the door handle down from inside, releasing a locked door. This, along with other tricks, is what he uses when performing a physical pen test of breaking into an otherwise secure site.

Ollam: These would all be roughly in that category of bypassing, which, for someone like me, for any listeners who don't know, I mean, my career is to help run a covert entry team where we evaluate spaces by breaking into those spaces, bypassing is a great deal of what we do. A lot of this has to do with the fact that in our world, again, you can't introduce inordinate levels of friction to the average user. You would say, you know, what's the most secure room?

Vamosi: Good point. There’s always this healthy tension between convenience and security. If you put in too much security, too much friction, people will want to find a way to bypass it.  So security has to find a balance. 

Ollam: Well, the most secure room would be a room with no portals in it: no doors, no windows, no air vents, just, you know, reinforced steel, reinforced cinderblock on all six sides. That's a very secure room, but if you want to get in that room, let's say you're storing gold bars in there, I guess you're getting, what, a sledgehammer out? That's not practical. So you've got to add a door. And if you say, okay, well, this one, you have the old kind of joke from someone living in New York in the '70s, where they had nine bolts, nine different deadlocks all the way up and down their door, and that funny scene where the person tries to get their pizza delivery and they've got to unlock nine locks. Sure, it's very secure. But that's not practical. That introduces too much friction to the user.

Vamosi: Sometimes good intentions have unintended consequences. Take hotel rooms with adjoining doors. When you have family in the next room, that's convenient. But when there's a stranger, you want that door locked. But what if there's a fire? You need that second door to open in an emergency. So there are two doors, and if you have legitimate access to the adjoining room, you'll have the key that opens the first door. The second door, at least on the inside, must remain unlocked to allow egress in the case of a fire. Knowing this, Deviant says he can slide a metal bar under the first door to pop it open, then access the neighboring room via the second door. I don't think hotels, following regulations, intended it to be that easy.

Ollam: And we can carry this down out of the realm of fiction on TV to just something like: if I need to make sure people can enter and exit my space, if I'm a commercial building, well, I can't have a bunch of thumb-turn deadbolts all over the place on the interior of a door. What if someone's not tall enough to reach? What if a little kid needs to get out in an emergency? What if someone is enfeebled? What if someone doesn't have good tactile grip function with their hands?

Vamosi: For regulatory reasons, some doors are designed to work the way they do. For example, in office buildings you have to accommodate the egress of a large number of people in the case of a fire or other emergency. Exits can't be blocked by deadbolts or access cards. Unfortunately, this also creates more opportunities for someone like Deviant to break in.

Ollam: We in fact have municipal building codes. We have NFPA, we have ADA compliance, so in many buildings, particularly commercial buildings, the interior lock side is not that challenging at all, for purposes of egress. If I have a tool that can reach through, as you've alluded to, reach through the door, maybe not through the door like I'm a ghost reaching through like Casper, but what if I can reach through that little gap at the bottom of the door with a very skinny tool, or over the top of the door, through that very thin crack? And then I can manipulate the inside handle. Well, by code, that inside handle will allow that door to unlock and open very quickly. Very little dexterity is needed; less than five pounds of pressure is needed. This is all in the code documents, and if I have tools that can do that, which yes, of course we do, that gets us in.

Vamosi: To counteract this, designers of really secure facilities have started putting in ways to frustrate a potential attacker. 

Ollam: So there are ways to shroud or recess that handle so that it's still code compliant, anyone on the inside is able to, you know, get themselves out in the event of an emergency. But if I'm reaching through, I get frustrated after a minute or two and I break out my little under-door camera. What did they do to this installation? Oh my goodness, this is going to be a pain.

Vamosi: Hmm, so we've regulated that the interior doors must allow for egress at all times. Then why not also regulate that the handles have to be shielded or recessed as well?

Ollam: So I would say normalizing them normalizes these solutions, first of all by raising awareness, because how often do we talk about this? And the other thing is normalizing the aesthetics. Aesthetics are a really, really big sticking point.

Vamosi: It’s true. People sometimes unknowingly give up degrees of security just for the sake of convenience. And sometimes they do so just for the aesthetics.

Ollam: In fact, one of the famous examples we give: if you're ever out in the sort of Silicon Valley area, in the Bay Area, where the climate is mild and buildings love to have a very slick presentation, I'd describe for you a design element known as the frameless glass door. This is a glass door where, literally, there is no metal mullion or edge to the door. It's just two big panes of glass with beautiful, usually brushed steel, handle hardware. Looks great. And you can do that if you don't have harsh winters and hot, wet summers. But you can't have glass crashing into glass; there's always going to be that sort of quarter-inch or even half-inch gap. And no one thinks about the fact that it looks wonderful, but it allows us to get our bypass tools in there every day of the week and twice on Sunday. So changing what people's mindset is in terms of the aesthetic look they desire, that's a harder hurdle to overcome.

Vamosi: Convenience can compromise security in other ways. We have modern smartphones with some of the best photo technology to date. The average smartphone today can capture a high-resolution image of a key, even a key in someone's hand in a photo on Instagram. You can use that high-resolution photo to recreate the physical key. Perhaps you've seen the kiosks in grocery stores that offer to make a duplicate key? They take a photo.

Ollam: That is photo duplication of keys, which many people did not believe was feasible until a number of firms started making it part of their business model, probably the largest of which in this country is the service KeyMe. And absolutely, you can snap a photo of your key, send it to this service, and they will mail you a duplicate, you know, right through the post. So it is very, very possible to do what's called optical duplication or optical key decoding, and do it with very imperfect images. In fact, I believe it was students at UC San Diego years ago that demonstrated a key, a key ring on a table, at a great distance away, photographed through kind of a telescopic lens that they had put together. Not the greatest picture, not perfect clarity, but it gave them enough data to mathematically determine, oh, here's what those keys' values are, we can generate those keys. And they worked. Cover up those keys. Don't put them online. Don't tweet them.

Vamosi: Unfortunately, there remains a stigma around lockpicking. For example, breaking and entering without permission is illegal. But there's the distinction: without permission. If you only pick locks that you own, then, really, what's the harm in cracking the code?

Ollam: I think the greatest thing that everyone who is not in the hacker world or in the security world would do well to understand is that there are forces and values beneath the surface that are sometimes different from the mainstream public's view of the situation and the landscape. That is to say, someone who has an interest in locks and lock picking can absolutely have that interest in a non-criminal way. Just like, again, to return to our martial arts analogy, not everyone who goes and learns, you know, Krav Maga is doing so because they want to hurt people. Plenty of them don't even expect that anyone will try to hurt them. Plenty of people just want to have a challenging endeavor for personal betterment. Everyone you see with lockpicks isn't trying them out because they want to be a criminal. Some people just like puzzles. That's how the hacker brain works.

Vamosi: Deviant's second point is that hackers too often see themselves as the smartest people in the room. And that might be the case, but the other people in the room don't necessarily want to hear that. To get them, or anyone for that matter, to change, you have to work with people. That means listening to the other side of the story. There's always another side to every story.

Ollam: And the other side of the equation. My message to the hackers and the tech types out there is, when you see problems in the world with locks and security systems, try not to address them with a scoffing voice. My rule of life is, in general, if I'm ever giving someone guidance or advice and the word "just" comes out of my mouth, I'm probably missing some piece of the equation, you know. "Oh, your car ran out of gas? Well, you just gotta fill it up." Okay, well, the person probably knew that. What prevented them from filling up their car with gas? Did they not have the money to? Was there no gas station? Is the gas pump not compatible with their car somehow? So telling someone, "Oh, your Billings got bedskirt? Well, you just got to do this," that person is invariably going to roll their eyes and say, "Yeah, well, you know, we have guests in our building that aren't ambulatory, so that's not going to work at all. You know, we have a building that happens to need a lot of sunlight. This is a botany lab. Did you not notice that we can't just take the windows out? Thank you for that suggestion, though. Do you think we wouldn't have thought of that?" So, yeah, don't assume everyone's a criminal, and get the word "just" out of your suggestions. Those are my two big takeaways.

Vamosi: Lock picking, then, is really not too different from any other form of hacking challenge. If anything, it's much more tangible: you can both hear and feel the lock opening. Also, the fundamentals of picking your basic $10 combination lock aren't too hard to pick up and apply to a wide variety of other locks. Picking your own locks, for sport, for the challenge, really should not be ostracized, and it might come in handy when you least expect it. And while we continue to improve the safety of our office buildings through better egress, we should also be adding more security by using recessed door handles and the like. I think we've only begun to scratch the surface of lockpicking. I think we'll need to talk much more about the value of lock picking sometime in the near future. In the meantime, though, I still have my bag of combination locks to puzzle out.

I want to thank Deviant Ollam for sharing his expertise. You can follow him on Twitter @DeviantOllam or learn more about this subject with his lock picking content, available for free on the TOOOL website.


This podcast is brought to you commercial free by ForAllSecure.


For The Hacker Mind, I remain your friendly turning tool and rake pick-enabled Robert Vamosi.
