How professional locksmiths are getting picked apart online.

July 23 2008 3:39 PM

Pick a Lock, Any Lock

YouTube makes it easy to learn the finer points of breaking and entering—and locksmiths aren't happy.

But locksmiths also fear being overrun by a competing philosophy of security. In the past, the lock industry would try to fix flaws in locks quietly. Secrecy, locksmiths and lockmakers reasoned, limited the chance that bad guys would learn dangerous tricks. In computer hacker-speak, this is known as "security through obscurity," a label that's rarely complimentary. Locksport fans argue that obscurity is hard to come by in a digital world: Relying on secrecy to keep locks safe is bad design because nothing is secret anymore. Locksport, consequently, works according to Linus' law, named after open-source-software guru Linus Torvalds: "Given enough eyeballs, all bugs are shallow."

You can see this philosophy play out on YouTube, which bursts with videos of amateur lock pickers doing their thing. And lock-picking forums regularly erupt over any newly discovered exploit. At the moment, there's much excitement over a new book by Marc Tobias and his colleague Tobias Bluzmanis that explains how to defeat high-security locks made by a company called Medeco. These locks are used at the White House, the Pentagon, Buckingham Palace, and hundreds of thousands of homes and businesses. Tobias' book would allow "a reasonably skilled person to open them," he says. He adds, in his defense: "I think everybody's got a right to know if there's a vulnerability in their locks."


Tobias' argument sounds similar to that of white-hat computer hackers who look for security flaws as a way to prevent the bad guys from getting there first. (It can also stand as a justification for writing this article—"everybody's got a right to know" is a journalist's excuse for publishing potentially mischief-making news.) But there's a hitch: Locks are physical, not virtual. When a computer scientist tells Apple that he's found a dangerous security hole in the iPhone, Apple may not welcome the negative publicity, but at least the problem is fixable—the company issues a patch to iPhone owners, and that particular hole is closed. But what should Medeco do about Tobias' findings? It can certainly try to address the newfound vulnerabilities in future versions of its locks. (Indeed, Medeco says it's fixed some of them already.) But unlike your iPhone, old locks can't be updated. And now that every would-be criminal can find out about the new flaw online, what happens to the poor souls who own vulnerable Medeco locks?

Confronted with this situation, some lockmakers have taken the (very expensive) high road. A few years ago, Tobias discovered that a ball-point pen can pick open tubular locks, and bicycle owners saw that the flaw rendered their Kryptonite-brand U-locks almost useless. Kryptonite quickly fixed the problem and eventually replaced tens of thousands of locks.

But most lockmakers don't respond this way. Often, Lock Picking 101's Josh Nekrep says, they ignore problems that outsiders bring to them. Tobias told me that he's sent Medeco reams of research documenting the flaws in its locks, and the company has never responded. Clyde Roberson, Medeco's technical director, disputes this. He says that the firm takes all information from the locksport community seriously and routinely improves its locks based on what people find. The company's director of research recently wrote an "open letter" to lock-picking enthusiasts in which he expressed hope that amateurs and professionals can come together and "continue to improve the security and safety that locks provide to the world."

But that doesn't tell you what to do if you've got a potentially vulnerable Medeco lock. Don't count on Medeco to replace it: "When you buy a lock, you don't buy a subscription," Roberson told me. Instead, he counseled, people should visit experts and determine their security needs. Locksport enthusiast Nekrep agreed—when you see on YouTube that your lock can be broken, you should do what you've always done. Call up your local locksmith.
