How professional locksmiths are getting picked apart online.

How professional locksmiths are getting picked apart online.

How professional locksmiths are getting picked apart online.

Innovation, the Internet, gadgets, and more.
July 23 2008 3:39 PM

Pick a Lock, Any Lock

YouTube makes it easy to learn the finer points of breaking and entering—and locksmiths aren't happy.

(Continued from Page 1)

But locksmiths also fear being overrun by a competing philosophy of security. In the past, the lock industry would try to fix flaws in locks quietly. Secrecy, locksmiths and lockmakers reasoned, limited the chance that bad guys would learn dangerous tricks. In computer hacker-speak, this is known as "security through obscurity," a label that's rarely complimentary. Locksport fans argue that obscurity is hard to come by in a digital world: Relying on secrecy to keep locks safe is bad design because nothing is secret anymore. Locksport, consequently, works according to Linus' law, named after open-source-software guru Linus Torvalds: "Given enough eyeballs, all bugs are shallow."

You can see this philosophy play out on YouTube, which bursts with videos of amateur lock pickers doing their thing. And lock-picking forums regularly erupt over any newly discovered exploit. At the moment, there's much excitement over a new book by Marc Tobias and his colleague Tobias Bluzmanis that explains how to defeat high-security locks made by a company called Medeco. These locks are used at the White House, the Pentagon, Buckingham Palace, and hundreds of thousands of homes and businesses. Tobias' book would allow "a reasonably skilled person to open them," he says. He adds, in his defense: "I think everybody's got a right to know if there's a vulnerability in their locks."


Tobias' argument sounds similar to that of white-hat computer hackers who look for security flaws as a way to prevent the bad guys from getting there first. (It can also stand as a justification for writing this article—"everybody's got a right to know" is a journalist's excuse for publishing potentially mischief-making news.) But there's a hitch: Locks are physical, not virtual. When a computer scientist tells Apple that he's found a dangerous security hole in the iPhone, Apple may not welcome the negative publicity, but at least the problem is fixable—the company issues a patch to iPhone owners, and that particular hole is closed. But what should Medeco do about Tobias' findings? It can certainly try to address the newfound vulnerabilities in future versions of its locks. (Indeed, Medeco says it's fixed some of them already.) But unlike your iPhone, old locks can't be updated. And now that every would-be criminal can find out about the new flaw online, what happens to the poor souls who own vulnerable Medeco locks?

Confronted with this situation, some lockmakers have taken the (very expensive) high road. A few years ago, Tobias discovered that a ball-point pen can pick open tubular locks, and bicycle owners saw that the flaw rendered their Kryptonite-brand U-locks almost useless. Kryptonite quickly fixed the problem and eventually replaced tens of thousands of locks.

But most lockmakers don't respond this way. Often, Lock Picking 101's Josh Nekrep says, they ignore problems that outsiders bring to them. Tobias told me that he's sent Medeco reams of research documenting the flaws in its locks, and the company has never responded. Clyde Roberson, Medeco's technical director, disputes this. He says that the firm takes all information from the locksport community seriously and routinely improves its locks based on what people find. The company's director of research recently wrote an "open letter" to lock-picking enthusiasts in which he expressed hope that amateurs and professionals can come together and "continue to improve the security and safety that locks provide to the world."

But that doesn't tell you what to do if you've got a potentially vulnerable Medeco lock. Don't count on Medeco to replace it: "When you buy a lock, you don't buy a subscription," Roberson told me. Instead, he counseled, people should visit experts and determine their security needs. Locksport enthusiast Nekrep agreed—when you see on YouTube that your lock can be broken, you should do what you've always done. Call up your local locksmith.

Farhad Manjoo is a technology columnist for the New York Times and the author of True Enough.