Profile of the lock-hacker who bumped the "unbumpable" Medeco lock


45 Responses to “Profile of the lock-hacker who bumped the "unbumpable" Medeco lock”

  1. Ted8305 says:

    Well if that’s what Medeco thinks of residential security, I’ll take my business elsewhere. At least purchase equipment from a company that doesn’t misrepresent their products.

  2. Anonymous says:

    Last time I had to go through a “secure” door I just smashed the hinges with a metal bar, I don’t even know what was the brand of the lock, nor do I care.

    Keys and locks are only symbols, not security.

  3. locomodem says:

    TED8305, good luck finding better security elsewhere. Are you a big residential security account?

  4. DWittSF says:

    It could be worse…they could start making unhackable voting machines;)

  5. Anonymous says:

    Public service site about lock bumping. They provide information on how to protect yourself from lock bumping and lock bumping keys.

    http://lockbumping.org

  6. dculberson says:

    ackpht, after all the picking by the younger man, the older man bumps the Medeco3 in eight seconds.

    Locomodem, if that’s the case then why does Medeco themselves say “Medeco3 is our premier brand technology?” They were using Medeco3 locks in the video. I don’t see a lot of detail on the keys they’re using, so can’t comment on their specifics. But keep in mind the keys they’re using are generic ground-down “bump keys” and not the keys that are cut to operate the lock. So any side bar cuts are not going to be present or will be cut all the way down.

  7. Takuan says:

    So many industries just unwilling to accept reality: to live is to change.

  8. Troglodyte says:

    To everyone wondering about the bumping– they demonstrated the bump at the end of the video; it took 7 seconds.

  9. Anonymous says:

    They sent a note saying the claims WERE true? Then how could they be sued for publishing?

  10. Anonymous says:

    You know — Medeco could just HIRE him….he gets paid beaucoups bucks, and they have someone right there to test all of the locks and assist in the design of one that can’t be bumped. They sell lots of “new improved” locks, he gets a cut of the royalties, and there’s not a “Lockpicking for Dummies” website…

    Everybody happy, no?

  11. Anonymous says:

    As is usual in sensationalist articles which like to present achievements of whole communities as products of a single hero, the Wired article attributes way too much to Tobias.

    Granted, he is indeed a central figure in the lock security world (his second edition of Locks, Safes and Security is the Bible of lockpicking), but many of the achievements attributed to him in fact come out from the German and Dutch lockpicking communities and other lockpickers (bump key method, breaking the Kryptonite lock etc etc). That’s another issue that recently he puts effort into making them public in the US. The emphasis is on recently, he is a relative late-comer in the “let’s make security loopholes public” mentality, where the lead was again taken by organizations like toool. No problem with that, I’m just saying that the single-hero-who-fights-the-establishment picture is a bit uneven-handed.

    Tobias’s fame doesn’t need to be unnecessarily boasted, his own achievements are plenty enough. This Medeco break is sweet (although here again the Venezuelan Tobias should get more credit in my opinion)!

  12. Anonymous says:

    That’s nothing. Crooks in Venezuela have been picking Medeco locks for over a decade to break into apartments and homes. Having a Medeco lock and a password-protected electronic lock on our private elevator to our apartment didn’t stop them from breaking into it through the front door and taking all of our valuables. I’ve known for years that Medeco is full of crap.

  13. Anonymous says:

    Hey, if this guy takes up software security, maybe he can get Apple to fix the Java flaw. Or maybe not.

  14. nosehat says:

    “Security through obscurity” is NEVER an intelligent choice. It doesn’t work in virtual systems, and here’s an example of it not working in a physical lock either.

    Is there such a thing as open source lock design? If there isn’t, there should be!

  15. Brettspiel says:

    The bumping is much easier while you’re holding the bare lock in your hands. You get a lot more action in the bump that way. That’s why they don’t show them bumping it in a situation you might actually encounter the lock – in a vise, simulating actually being mounted in a door. They might actually be difficult/impossible to bump when mounted properly.

  16. Anonymous says:

    Google Assa-Abloy. I don’t think there are many lock companies left that are not owned by these guys. Lips, Zeiss Ikon, HID, Keso, Adams-Rite, Emtek, Mul-T-Lock, Emeco, Nemef, Yale: it is hard to find halfway decent door locks not from this group.

    And we all know how innovative quasi-monopolies are…

  17. HotPepperMan says:

    I find it laudable that he is exposing the flaws in locks. Would it not be more productive to CREATE an unbreakable lock rather than boast about how weak the others are?

    THEN they would have credibility.

  18. HDN says:

    I love people like this. And I love the internet. Just brings a smile to my face when someone hoists a middle finger at the Man. “I’m smarter than a group of you with a bunch of money to back you. Eat at Dick’s while I make a blog entry about it.”

  19. jpollock says:

    How was that bumping? When I think of bumping, I remember the video of the little girl putting the key in, hitting it and opening the lock. It looked like a standard lock pick to me.

  20. Modusoperandi says:

    Anonymous “You know — Medeco could just HIRE him….he gets paid beaucoups bucks, and they have someone right there to test all of the locks and assist in the design of one that can’t be bumped.”
    He’s better on the outside looking in. If he worked for them he’d have to sign an NDA, cutting him off at the knees if they didn’t improve their locks (protecting their bottom line-slash-image over their customers).

  21. nosehat says:

    =D Tak: That’s a membership card I would proudly carry!

  22. teufelsdroch says:

    It’s always a pleasure to be exposed to a new subculture. Normally I’m already a part of said subculture, thus I scoff–but this is news to me.

    AWESOME news.

    So my conclusion is that Abloy locks are hip, that in the US there’s basically no likelihood that a criminal will have the necessary tools, and that worrying any further is pointless. Lesson learned.

  23. Takuan says:

    Once you know how to pick locks, you look at your security differently. You still use locks, but just adjust your other measures depending on the risks instead of blindly relying on locks.

    Medeco ought to be sued for actively working against the public good instead of accepting reality and educating their customers. How are they currently morally different from a drug company that conceals new studies about dangerous side effects? Or those corporate douchebags in the bisphenol-a thread?

    It’s bad business, it’s immoral and it’s wrong.

  24. nosehat says:

    Once you know how to pick locks, you look at your security differently. You still use locks, but just adjust your other measures depending on the risks instead of blindly relying on locks.

    As the owner of a Stanley Fubar, I’ve always known that locks are a provisional, social-contract-required thing at best. There are hand tools available to law enforcement (and anyone else, by extension) that trump your locks, no matter how “unpickable” they are.

    My strategy is to own nothing mission-critical that is also stealable.

  25. Anonymous says:

    Cory, you should write something in the body of the article saying that no actual bumping happens until the last 15 seconds of the video. It’s very misleading. The other 4 minutes deal with *picking* the lock, not bumping it. The meat of the video is in those last 15 seconds, yet it’s being advertised as the main course.

  26. hbl says:

    @ #9 JPOLLOCK – the old dude bumps the final lock after the whole 10 minute test thing. Only he bumps it in his hand rather than in a vice, so while I don’t think it’s a convincing example of bumping the lock, if that guy says it’s possible, I’m inclined to take him at his word!

    As for the picking itself, I’m always impressed by how few tools they use. I understand the principle of lockpicking barrel chambers, so it looked like they were using a zero-key to lift the pins, bumping them up whilst under tension, then working them individually into the gap with a lockpick.

    Personally I have two doors, one with an inverted yale, and a second with a yale and a mortice lock. Then there’s an alarm. The back door setup is much the same. All the windows are PVC framed, double glazed. None of this stopped me climbing in through an open window when growing up.

  27. Anonymous says:

    Just thought I’d add the following for those that are interested in this stuff:

    I designed and built a tool to both decode and pick Medeco Classic, Biaxial, and m3. I released my research publicly around the same time Marc did (Defcon 16 and The Last Hope). I approached Medeco and they actually responded positively. They upgraded the pins to resist my attack (and numerous others by extension) and began installing them in all new cylinders and pin kits. Marc’s attacks were not met with the same results at all.

    I’m not saying Medeco is a great company or anything, but they are definitely not ignoring all threats from the locksport/lockpicking community.

    Here is a page about the tool and the company’s response: http://theamazingking.com/medecoder.html

    -JKtheCJer/Jon King

  28. Anonymous says:

    I’ve often wondered why the locks used in anglo-american countries are of such poor quality. The ones used in Finland (Abloy Classic) have used the same design for 100 years and they are very hard to pick.

    I’m not saying that the rest of the world should use Abloy-locks, but would think that the level of sophistication would be about the same everywhere.

    Link; abloy-lock. Variation of that is incorporated into doors.

    http://www.youtube.com/watch?v=toGBp4APmuU

  29. Anonymous says:

    The minute one person touts that their new security device is unbreakable, it’s a given that someone else will try to break it. For Medeco to pretend that the problem doesn’t exist is out-and-out fraud, especially as they are in use by secure(!) facilities.

  30. Anonymous says:

    SO — does anyone think that they will try out the other supposed Bump-Proof lock? The bilock with 13 pins? ~ Just curious

  31. ill lich says:

    I completely mis-read this part the first time: “the Medecos fly open at Tobias’s caress.” I saw the words “fly open” and thought it was a metaphor about Medeco’s uuuhhh. . . “barn door” being open, and Tobias was “caressing” . . . something.

  32. Ted8305 says:

    LOCOMODEM, I’ve got a front door and a back door, and one on the side of the garage. My account is scaled for about, oh, 3 deadbolts. And they’re not going to be made by Medeco after seeing this.

  33. ackpht says:

    These are skilled people using specialized tools and taking several minutes to pick a lock. I think there’s a big difference between that and using a filed-down key to bump open a lock in two seconds.

    This video seems to confirm that the way through a Medeco is by picking, not bumping. (Otherwise, why bother picking?)

    I bought Medecos because they’re bump-proof. No one told me they were pick-proof, and I never assumed it.

  34. airship says:

    #1, You’re joking, right? Mythbusters proved you could open a fingerprint lock with a simple photocopy of a person’s fingerprint!

    http://www.youtube.com/watch?v=LA4Xx5Noxyo

  35. cybergibbons says:

    locomodem: You’re wrong. The Medeco3 is supposed to be the most pick resistant lock that Medeco produce, more so than the commonly used bi-axial lock.

    It is supposed to meet UL437 which states that the lock should be pick/impression resistant for at least 10 minutes. This is the same standard that secures government installations all over the US.

    In the video it can be picked in under 10 minutes and bumped in less than 10 seconds. I’ve not seen this done in a lock in a door – it’s often significantly harder to work on a lock mounted in a door.

  36. arkizzle says:

    I bought Medecos because they’re bump-proof. No one told me they were pick-proof, and I never assumed it.

    Did you watch the whole video?

  37. locomodem says:

    The Medeco locks used are not their high grade locks. Medeco makes several versions (good, better, best, if you will), and these are not the ‘best’. The ones used on government and military are ‘best’ and are not shown here to be vulnerable.

    We have Medeco on our house (because it’s mixed use/commercial). I assure you if you saw the kind of key we have vs. the keys used in this demonstration, you would see the difference in security right away.

    All that aside, a professional lockpick with as much time as he needs SHOULD be able to pick a lock. What do you think locksmiths do? They pick locks, they crack safes. It’s a profession. You don’t lose your Medeco key and then have to break down the door.

  38. Anonymous says:

    #9 & #15

    Sometimes you have to WAIT for the good stuff. I’m guessing you didn’t watch till the very end?

  39. FutureNerd says:

    My dad had worked at a lock company, during the 1930s. What I remember about his stories was the quick succession of new lock / new cracking technique / new lock / new cracking technique. Nothing about the lock company being shocked or incredulous, just analyzing the vulnerability, coming up with an improvement, and advertising their advantage while they had it.

    This might even be de rigueur straight through to today. The stonewalling that Medeco puts up may just be a typical PR part of the cycle.

    How often do you see a marketing guy who’s informed about what his company actually makes? It doesn’t have anything to do with his job.

  40. Halloween Jack says:

    locomodem: I don’t think that you read the article. It explains that, yes, any lock is pickable given enough time; the guarantee is for the lock to take at least a certain amount of time, and military/civilian government security procedures take this into account.

  41. Anonymous says:

    Well, I can say one thing, if you have to pay 20$ for a secure copy of these keys at your office when you are forced to buy one, you want your money well spent. On the bright side, now I can break into my old office…

  42. locomodem says:

    halloweenjack: I don’t think you read my post. They are showing Medeco residential locks, not commercial, government, or institutional.
