Profile of the lock-hacker who bumped the "unbumpable" Medeco lock

Wired's Charles Graeber has an astounding piece up about master lockpicker Marc Weber Tobias, who challenged Medeco's claim that its locks are "bump-proof" (that is, that they can't be simply broken by filing down a key, inserting it, and tapping it, sending a shock down the metal that makes the pins jump). Medeco launched an aggressive campaign to market its products to people who were worried about bump keys, but Tobias shows that their locks aren't substantially harder to bump than cheaper models from competitors. Medeco sent Wired a note that said Tobias's claims weren't true and implied that Wired might be sued for publishing them, so Wired set up a test, and then Medeco raised a flurry of vague, lame objections to the test. But the test speaks for itself -- the Medecos fly open at Tobias's caress.

More interesting is Graeber's look at the motives, personality and technology of lockpickers -- a fine trick of the tech journalist, blending culture and gadgets into a seamless whole.

The problem, if you're a safe company or a lock maker, is that Tobias makes it all public through hacker confabs, posts on his site, and tech blogs like Engadget. He views this glasnost as a public service. Others see a hacker how-to that makes The Anarchist Cookbook read like Betty Crocker. And where Tobias sees a splendid expression of First Amendment rights, locksmiths and security companies see a criminal finishing school. Tobias isn't just exposing problems, they say. He is the problem.

But forget bike locks and hotel room safes: These days, Tobias is attacking the lock famous for protecting places like military installations and the homes of American presidents and British royals.

Between stabs at his salad, Tobias hands me his latest idea of fun: nearly 300 pages of self-published hacker-porn detailing his attack on the allegedly uncrackable Medeco high-security lock. "Trust me, this will cause a goddamned riot!" he says, dabbing at tears of joy with a paper napkin. "Oh yeah, this is way, way bigger than the liquid explosives thing!" And he's right, it is bigger--and with way, way bigger consequences.

The Ultimate Lock Picker Hacks Pentagon, Beats Corporate Security for Fun and Profit


  1. They sent a note saying the claims WERE true? Then how could they be sued for publishing?

  2. You know — Medeco could just HIRE him… he gets paid beaucoups bucks, and they have someone right there to test all of the locks and assist in the design of one that can’t be bumped. They sell lots of “new improved” locks, he gets a cut of the royalties, and there’s not a “Lockpicking for Dummies” website…

    Everybody happy, no?

  3. As is usual in sensationalist articles which like to present achievements of whole communities as products of a single hero, the Wired article attributes way too much to Tobias.

    Granted, he is indeed a central figure in the lock security world (his second edition of Locks, Safes and Security is the Bible of lockpicking), but many of the achievements attributed to him in fact come out from the German and Dutch lockpicking communities and other lockpickers (bump key method, breaking the Kryptonite lock etc etc). That’s another issue that recently he puts effort into making them public in the US. The emphasis is on recently, he is a relative late-comer in the “let’s make security loopholes public” mentality, where the lead was again taken by organizations like toool. No problem with that, I’m just saying that the single-hero-who-fights-the-establishment picture is a bit uneven-handed.

    Tobias’s fame doesn’t need to be unnecessarily boasted, his own achievements are plenty enough. This Medeco break is sweet (although here again the Venezuelan Tobias should get more credit in my opinion)!

  4. “Security through obscurity” is NEVER an intelligent choice. It doesn’t work in virtual systems, and here’s an example of it not working in a physical lock either.

    Is there such a thing as open source lock design? If there isn’t, there should be!

  5. Google Assa-Abloy. I don’t think there are many lock companies left that are not owned by these guys. Lips, Zeiss Ikon, HID, Keso, Adams-Rite, Emtek, Mul-T-Lock, Emeco, Nemef, Yale: it is hard to find halfway decent door locks not from this group.

    And we all know how innovative quasi-monopolies are…

  6. I find it laudable that he is exposing the flaws in locks. Would it not be more productive to CREATE an unbreakable lock rather than boast about how weak the others are?

    THEN they would have credibility.

  7. I love people like this. And I love the internet. Just brings a smile to my face when someone hoists a middle finger at the Man. “I’m smarter than a group of you with a bunch of money to back you. Eat at Dick’s while I make a blog entry about it.”

  8. How was that bumping? When I think of bumping, I remember the video of the little girl putting the key in, hitting it and opening the lock. It looked like a standard lock pick to me.

  9. once you know how to pick locks, you look at your security differently. You still use locks, but just adjust your other measures depending on the risks instead of blindly relying on locks.

    Medeco ought to be sued for actively working against the public good instead of accepting reality and educating their customers. How are they currently morally different from a drug company that conceals new studies about dangerous side effects? Or those corporate douchebags in the bisphenol-a thread?

    It’s bad business, it’s immoral and it’s wrong.

  10. once you know how to pick locks, you look at your security differently. You still use locks, but just adjust your other measures depending on the risks instead of blindly relying on locks.

    As the owner of a Stanley Fubar, I’ve always known that locks are a provisional, social-contract-required thing at best. There are hand tools available to law enforcement (and anyone else, by extension) that trump your locks, no matter how “unpickable” they are.

    My strategy is to own nothing mission-critical that is also stealable.

  11. @ #9 JPOLLOCK – the old dude bumps the final lock after the whole 10 minute test thing. Only he bumps it in his hand rather than in a vice, so while I don’t think it’s a convincing example of bumping the lock, if that guy says it’s possible, I’m inclined to take him at his word!

    As for the picking itself, I’m always impressed by how few tools they use. I understand the principle of lockpicking barrel chambers, so it looked like they were using a zero-key to lift the pins, bumping them up whilst under tension, then working them individually into the gap with a lockpick.

    Personally I have two doors, one with an inverted yale, and a second with a yale and a mortice lock. Then there’s an alarm. The back door setup is much the same. All the windows are PVC framed, double glazed. None of this stopped me climbing in through an open window when growing up.

  12. I’ve often wondered why the locks used in anglo-american countries are of such poor quality. The ones used in Finland (Abloy Classic) have used the same design for 100 years and they are very hard to pick.

    I’m not saying that the rest of the world should use Abloy-locks, but would think that the level of sophistication would be about the same everywhere.

    Link; abloy-lock. Variation of that is incorporated into doors.

  13. The minute one person touts that their new security device is unbreakable, it’s a given that someone else will try to break it. For Medeco to pretend that the problem doesn’t exist is out-and-out fraud, especially as they are in use by secure(!) facilities.

  14. I completely mis-read this part the first time: “the Medecos fly open at Tobias’s caress.” I saw the words “fly open” and thought it was a metaphor about Medeco’s uuuhhh. . . “barn door” being open, and Tobias was “caressing” . . . something.

  15. These are skilled people using specialized tools and taking several minutes to pick a lock. I think there’s a big difference between that and using a filed-down key to bump open a lock in two seconds.

    This video seems to confirm that the way through a Medeco is by picking, not bumping. (Otherwise, why bother picking?)

    I bought Medecos because they’re bump-proof. No one told me they were pick-proof, and I never assumed it.

  16. #1, You’re joking, right? Mythbusters proved you could open a fingerprint lock with a simple photocopy of a person’s fingerprint!

  17. I bought Medecos because they’re bump-proof. No one told me they were pick-proof, and I never assumed it.

    Did you watch the whole video?

  18. The Medeco locks used are not their high grade locks. Medeco makes several versions (good, better, best, if you will), and these are not the ‘best’. The ones used on government and military are ‘best’ and are not shown here to be vulnerable.

    We have Medeco on our house (because it’s mixed use/commercial). I assure you if you saw the kind of key we have vs. the keys used in this demonstration, you would see the difference in security right away.

    All that aside, a professional lockpick with as much time as he needs SHOULD be able to pick a lock. What do you think locksmiths do? They pick locks, they crack safes. It’s a profession. You don’t lose your Medeco key and then have to break down the door.

  19. #9 & #15

    sometimes you have to WAIT for the good stuff. i’m guessing you didn’t watch til the very end?

  20. locomodem: I don’t think that you read the article. It explains that, yes, any lock is pickable given enough time; the guarantee is for the lock to take at least a certain amount of time, and military/civilian government security procedures take this into account.

  21. Well, I can say one thing, if you have to pay 20$ for a secure copy of these keys at your office when you are forced to buy one, you want your money well spent. On the bright side, now I can break into my old office…

  22. halloweenjack: I don’t think you read my post. They are showing Medeco residential locks, not commercial, government, or institutional.

  23. Well if that’s what Medeco thinks of residential security, I’ll take my business elsewhere. At least purchase equipment from a company that doesn’t misrepresent their products.

  24. TED8305, good luck finding better security elsewhere. Are you a big residential security account?

  25. ackpht, after all the picking by the younger man, the older man bumps the Medeco3 in eight seconds.

    Locomodem, if that’s the case then why does Medeco themselves say “Medeco3 is our premier brand technology?” They were using Medeco3 locks in the video. I don’t see a lot of detail on the keys they’re using, so can’t comment on their specifics. But keep in mind the keys they’re using are generic ground-down “bump keys” and not the keys that are cut to operate the lock. So any side bar cuts are not going to be present or will be cut all the way down.

  26. To everyone wondering about the bumping– they demonstrated the bump at the end of the video; it took 7 seconds.

  27. That’s nothing. Crooks in Venezuela have been picking medeco locks for over a decade to break into apartments and homes. Having a medeco lock and a password-protected electronic lock on our private elevator to our apartment didn’t stop them from breaking into it through the front door and taking all of our valuables. I’ve known for years that medeco is full of crap.

  28. LOCOMODEM, I’ve got a front door and a back door, and one on the side of the garage. My account is scaled for about, oh, 3 deadbolts. And they’re not going to be made by Medeco after seeing this.

  29. locomodem: You’re wrong. The Medeco3 is supposed to be the most pick resistant lock that Medeco produce, more so than the commonly used bi-axial lock.

    It is supposed to meet UL437 which states that the lock should be pick/impression resistant for at least 10 minutes. This is the same standard that secures government installations all over the US.

    In the video it can be picked in under 10 minutes and bumped in less than 10 seconds. I’ve not seen this done in a lock in a door – it’s often significantly harder to work on a lock mounted in a door.

  30. Last time i had to go through a “secure” door i just smashed the hinges with a metal bar, i don’t even know what was the brand of the lock, nor do i care.

    Keys and locks are only symbols, not security.

  31. Hey, if this guy takes up software security, maybe he can get Apple to fix the java flaw. Or maybe not.

  32. The bumping is much easier while you’re holding the bare lock in your hands. You get a lot more action in the bump that way. That’s why they don’t show them bumping it in a situation you might actually encounter the lock – in a vise, simulating actually being mounted in a door. They might actually be difficult/impossible to bump when mounted properly.

  33. It’s always a pleasure to be exposed to a new subculture. Normally I’m already a part of said subculture, thus I scoff–but this is news to me.

    AWESOME news.

    So my conclusion is that Abloy locks are hip, that in the US there’s basically no likelihood that a criminal will have the necessary tools, and that worrying any further is pointless. Lesson learned.

  34. Cory, you should write something in the body of the article saying that no actual bumping happens until the last 15 seconds of the video. It’s very misleading. The other 4 minutes deal with *picking* the lock, not bumping it. The meat of the video is in those last 15 seconds, yet it’s being advertised as the main course.

  35. My dad had worked at a lock company, during the 1930s. What I remember about his stories was the quick succession of new lock / new cracking technique / new lock / new cracking technique. Nothing about the lock company being shocked or incredulous, just analyzing the vulnerability, coming up with an improvement, and advertising their advantage while they had it.

    This might even be de rigueur straight through to today. The stonewalling that Medeco puts up may just be a typical PR part of the cycle.

    How often do you see a marketing guy who’s informed about what his company actually makes? It doesn’t have anything to do with his job.

  36. Anonymous “You know — Medeco could just HIRE him… he gets paid beaucoups bucks, and they have someone right there to test all of the locks and assist in the design of one that can’t be bumped.”
    He’s better on the outside looking in. If he worked for them he’d have to sign an NDA, cutting him off at the knees if they didn’t improve their locks (protecting their bottom line-slash-image over their customers).

  37. Just thought I’d add the following for those that are interested in this stuff:

    I designed and built a tool to both decode and pick Medeco Classic, Biaxial, and m3. I released my research publicly around the same time Marc did (Defcon 16 and The Last Hope). I approached Medeco and they actually responded positively. They upgraded the pins to resist my attack (and numerous others by extension) and began installing them in all new cylinders and pin kits. Marc’s attacks were not met with the same results at all.

    I’m not saying Medeco is a great company or anything, but they are definitely not ignoring all threats from the locksport/lockpicking community.

    Here is a page about the tool and the company’s response:

    -JKtheCJer/Jon King

  38. SO — does anyone think that they will try out the other supposed Bump-Proof lock? The bilock with 13 pins? ~ Just curious
