Locksmiths and lock manufactures have found themselves in a jam. The skills of their trade, passed down through generations under conditions of occult secrecy, have been jimmied open online (subscription required). The professionals are crying foul over enthusiasts of “locksport”—amateur lock pickers who congregate on the Web to discuss how to pick locks. The amateurs do this for fun, not mischief, they say; there’s a sublime thrill in charming a deadbolt to turn your way. And they argue that by finding and publishing flaws in some of the most popular locks on the market—from the locks you’ve got on your front door to those the president has on his —they’re forcing improvements in security. Lock professionals say the opposite is true: that in showing people how to pick locks, hobbyists are swinging your doors wide open to criminals.
This is a familiar tale. Its plot points echo those of many recent computer-security debates. An entrenched community that’s used to working in secret suddenly sees its entire business upended by the secrecy-busting ways of the Internet. It’s a fate suffered by voting machine firms, software companies, and ATM manufacturers. Now it’s happening to locksmiths and lockmakers, too.
But there are a few interesting wrinkles to the skirmish between amateur and professional lock wranglers. For one thing, unlike security-services company Diebold, the locksmiths and lockmakers aren’t just fighting a new crop of activists. They’re fighting a new subculture—really, a new sport.
The Web has helped clean up the very act of picking a lock. Breaking into locks once reeked of criminality; if you dared to try it, you did so in secret, because if you were spotted, folks would assume you were up to no good. Now, picking locks has gone legit. Recreational lock pickers meet regularly in community centers around the country, challenging each other to break new locks as casually as others nearby work to break the Queen’s Gambit. On Web culture blogs, fans of locksport enjoy a place besides cryptography enthusiasts and DRM hackers as practitioners of a morally defensible, geeky dark art.
What’s occasioned the image rehabilitation, pickers say, is that they can now declare publicly what once was only acknowledged privately: Cracking locks is lots of fun. “It’s much better than chess,” says Marc Tobias, a legendary lock buster whose book Locks, Safes, and Security: An International Police Reference is considered the bible of the field. “It involves mental imagery and physical dexterity, and it’s a real thrill when you open something you weren’t meant to be opening.” Josh Nekrep, a Canadian business coach who runs Lock Picking 101 and Locksport International, the primary online and offline groups organizing the new sport, compares picking to “doing a Rubik’s Cube in the dark.”
Some professional locksmiths have embraced this cultural shift; several, Nekrep says, are active members of online lock-picking groups. But many locksmiths are alarmed by the expansion of their field. The locksmiths’ worry may be partly monetary—if you’re locked out of your apartment, you might call your locksport buddy rather than a locksmith.
But locksmiths also fear being overrun by a competing philosophy of security. In the past, the lock industry would try to fix flaws in locks quietly. Secrecy, locksmiths and lockmakers reasoned, limited the chance that bad guys would learn dangerous tricks. In computer hacker-speak, this is known as “security through obscurity,” a label that’s rarely complimentary. Locksport fans argue that obscurity is hard to come by in a digital world: Relying on secrecy to keep locks safe is bad design because nothing is secret anymore. Locksport, consequently, works according to Linus’ law, named after open-source-software guru Linus Torvalds: “Given enough eyeballs, all bugs are shallow.”
You can see this philosophy play out on YouTube, which bursts with videos of amateur lock pickers doing their thing. And lock-picking forums regularly erupt over any newly discovered exploit. At the moment, there’s much excitement over a new book by Marc Tobias and his colleague Tobias Bluzmanis that explains how to defeat high-security locks made by a company called Medeco. These locks are used at the White House, the Pentagon, Buckingham Palace, and hundreds of thousands of homes and businesses. Tobias’ book would allow “a reasonably skilled person to open them,” he says. He adds, in his defense: “I think everybody’s got a right to know if there’s a vulnerability in their locks.”
Tobias’ argument sounds similar to that of white-hat computer hackers who look for security flaws as a way to prevent the bad guys from getting there first. (It can also stand as a justification for writing this article—”everybody’s got a right to know” is a journalist’s excuse for publishing potentially mischief-making news.) But there’s a hitch: Locks are physical, not virtual. When a computer scientist tells Apple that he’s found a dangerous security hole in the iPhone, Apple may not welcome the negative publicity, but at least the problem is fixable—the company issues a patch to iPhone owners, and that particular hole is closed. But what should Medeco do about Tobias’ findings? It can certainly try to address the newfound vulnerabilities in future versions of its locks. (Indeed, Medeco says it’s fixed some of them already.) But unlike your iPhone, old locks can’t be updated. And now that every would-be criminal can find out about the new flaw online, what happens to the poor souls who own vulnerable Medeco locks?
Confronted with this situation, some lockmakers have taken the (very expensive) high road. A few years ago, Tobias discovered that a ball-point pen can pick open tubular locks, and bicycle owners saw that the flaw rendered their Kryptonite-brand U-locks almost useless. Kryptonite quickly fixed the problem and eventually replaced tens of thousands of locks.
But most lockmakers don’t respond this way. Often, Lock Picking 101’s Josh Nekrep says, they ignore problems that outsiders bring to them. Tobias told me that he’s sent Medeco reams of research documenting the flaws in its locks, and the company has never responded. Clyde Roberson, Medeco’s technical director, disputes this. He says that the firm takes all information from the locksport community seriously and routinely improves its locks based on what people find. The company’s director of research recently wrote an “open letter” to lock-picking enthusiasts in which he expressed hope that amateurs and professionals can come together and “continue to improve the security and safety that locks provide to the world.”
But that doesn’t tell you what to do if you’ve got a potentially vulnerable Medeco lock. Don’t count on Medeco to replace it: “When you buy a lock, you don’t buy a subscription,” Roberson told me. Instead, he counseled, people should visit experts and determine their security needs. Locksport enthusiast Nekrep agreed—when you see on YouTube that your lock can be broken, you should do what you’ve always done. Call up your local locksmith.
