How professional locksmiths are getting picked apart online.

Innovation, the Internet, gadgets, and more.
July 23 2008 3:39 PM

Pick a Lock, Any Lock

YouTube makes it easy to learn the finer points of breaking and entering—and locksmiths aren't happy.

Illustration by Mark Alan Stamaty. Click image to expand.

Locksmiths and lock manufactures have found themselves in a jam. The skills of their trade, passed down through generations under conditions of occult secrecy, have been jimmied open online (subscription required). The professionals are crying foul over enthusiasts of "locksport"—amateur lock pickers who congregate on the Web to discuss how to pick locks. The amateurs do this for fun, not mischief, they say; there's a sublime thrill in charming a deadbolt to turn your way. And they argue that by finding and publishing flaws in some of the most popular locks on the market—from the locks you've got on your front door to those the president has on his —they're forcing improvements in security. Lock professionals say the opposite is true: that in showing people how to pick locks, hobbyists are swinging your doors wide open to criminals.

This is a familiar tale. Its plot points echo those of many recent computer-security debates. An entrenched community that's used to working in secret suddenly sees its entire business upended by the secrecy-busting ways of the Internet. It's a fate suffered by voting machine firms, software companies, and ATM manufacturers. Now it's happening to locksmiths and lockmakers, too.

But there are a few interesting wrinkles to the skirmish between amateur and professional lock wranglers. For one thing, unlike security-services company Diebold, the locksmiths and lockmakers aren't just fighting a new crop of activists. They're fighting a new subculture—really, a new sport.

The Web has helped clean up the very act of picking a lock. Breaking into locks once reeked of criminality; if you dared to try it, you did so in secret, because if you were spotted, folks would assume you were up to no good. Now, picking locks has gone legit. Recreational lock pickers meet regularly in community centers around the country, challenging each other to break new locks as casually as others nearby work to break the Queen's Gambit. On Web culture blogs, fans of locksport enjoy a place besides cryptography enthusiasts and DRM hackers as practitioners of a morally defensible, geeky dark art.

What's occasioned the image rehabilitation, pickers say, is that they can now declare publicly what once was only acknowledged privately: Cracking locks is lots of fun. "It's much better than chess," says Marc Tobias, a legendary lock buster whose book Locks, Safes, and Security: An International Police Reference is considered the bible of the field. "It involves mental imagery and physical dexterity, and it's a real thrill when you open something you weren't meant to be opening." Josh Nekrep, a Canadian business coach who runs Lock Picking 101 and Locksport International, the primary online and offline groups organizing the new sport, compares picking to "doing a Rubik's Cube in the dark."

Some professional locksmiths have embraced this cultural shift; several, Nekrep says, are active members of online lock-picking groups. But many locksmiths are alarmed by the expansion of their field. The locksmiths' worry may be partly monetary—if you're locked out of your apartment, you might call your locksport buddy rather than a locksmith.

But locksmiths also fear being overrun by a competing philosophy of security. In the past, the lock industry would try to fix flaws in locks quietly. Secrecy, locksmiths and lockmakers reasoned, limited the chance that bad guys would learn dangerous tricks. In computer hacker-speak, this is known as "security through obscurity," a label that's rarely complimentary. Locksport fans argue that obscurity is hard to come by in a digital world: Relying on secrecy to keep locks safe is bad design because nothing is secret anymore. Locksport, consequently, works according to Linus' law, named after open-source-software guru Linus Torvalds: "Given enough eyeballs, all bugs are shallow."

You can see this philosophy play out on YouTube, which bursts with videos of amateur lock pickers doing their thing. And lock-picking forums regularly erupt over any newly discovered exploit. At the moment, there's much excitement over a new book by Marc Tobias and his colleague Tobias Bluzmanis that explains how to defeat high-security locks made by a company called Medeco. These locks are used at the White House, the Pentagon, Buckingham Palace, and hundreds of thousands of homes and businesses. Tobias' book would allow "a reasonably skilled person to open them," he says. He adds, in his defense: "I think everybody's got a right to know if there's a vulnerability in their locks."

Tobias' argument sounds similar to that of white-hat computer hackers who look for security flaws as a way to prevent the bad guys from getting there first. (It can also stand as a justification for writing this article—"everybody's got a right to know" is a journalist's excuse for publishing potentially mischief-making news.) But there's a hitch: Locks are physical, not virtual. When a computer scientist tells Apple that he's found a dangerous security hole in the iPhone, Apple may not welcome the negative publicity, but at least the problem is fixable—the company issues a patch to iPhone owners, and that particular hole is closed. But what should Medeco do about Tobias' findings? It can certainly try to address the newfound vulnerabilities in future versions of its locks. (Indeed, Medeco says it's fixed some of them already.) But unlike your iPhone, old locks can't be updated. And now that every would-be criminal can find out about the new flaw online, what happens to the poor souls who own vulnerable Medeco locks?

Confronted with this situation, some lockmakers have taken the (very expensive) high road. A few years ago, Tobias discovered that a ball-point pen can pick open tubular locks, and bicycle owners saw that the flaw rendered their Kryptonite-brand U-locks almost useless. Kryptonite quickly fixed the problem and eventually replaced tens of thousands of locks.

But most lockmakers don't respond this way. Often, Lock Picking 101's Josh Nekrep says, they ignore problems that outsiders bring to them. Tobias told me that he's sent Medeco reams of research documenting the flaws in its locks, and the company has never responded. Clyde Roberson, Medeco's technical director, disputes this. He says that the firm takes all information from the locksport community seriously and routinely improves its locks based on what people find. The company's director of research recently wrote an "open letter" to lock-picking enthusiasts in which he expressed hope that amateurs and professionals can come together and "continue to improve the security and safety that locks provide to the world."

But that doesn't tell you what to do if you've got a potentially vulnerable Medeco lock. Don't count on Medeco to replace it: "When you buy a lock, you don't buy a subscription," Roberson told me. Instead, he counseled, people should visit experts and determine their security needs. Locksport enthusiast Nekrep agreed—when you see on YouTube that your lock can be broken, you should do what you've always done. Call up your local locksmith.

TODAY IN SLATE

Politics

Don’t Worry, Obama Isn’t Sending U.S. Troops to Fight ISIS

But the next president might. 

The Extraordinary Amicus Brief That Attempts to Explain the Wu-Tang Clan to the Supreme Court Justices

Amazon Is Officially a Gadget Company. Here Are Its Six New Devices.

The Human Need to Find Connections in Everything

It’s the source of creativity and delusions. It can harm us more than it helps us.

How Much Should You Loathe NFL Commissioner Roger Goodell?

Here are the facts.

Altered State

The Plight of the Pre-Legalization Marijuana Offender

What should happen to weed users and dealers busted before the stuff was legal?

Surprise! The Women Hired to Fix the NFL Think the NFL Is Just Great.

You Shouldn’t Spank Anyone but Your Consensual Sex Partner

Moneybox
Sept. 17 2014 5:10 PM The Most Awkward Scenario in Which a Man Can Hold a Door for a Woman
  News & Politics
Altered State
Sept. 17 2014 11:51 PM The Plight of the Pre-Legalization Marijuana Offender What should happen to weed users and dealers busted before the stuff was legal?
  Business
Business Insider
Sept. 17 2014 1:36 PM Nate Silver Versus Princeton Professor: Who Has the Right Models?
  Life
Outward
Sept. 17 2014 6:53 PM LGBTQ Luminaries Honored With MacArthur “Genius” Fellowships
  Double X
The XX Factor
Sept. 17 2014 6:14 PM Today in Gender Gaps: Biking
  Slate Plus
Slate Fare
Sept. 17 2014 9:37 AM Is Slate Too Liberal?  A members-only open thread.
  Arts
Brow Beat
Sept. 17 2014 8:25 PM A New Song and Music Video From Angel Olsen, Indie’s Next Big Thing
  Technology
Future Tense
Sept. 17 2014 9:00 PM Amazon Is Now a Gadget Company
  Health & Science
Medical Examiner
Sept. 17 2014 11:48 PM Spanking Is Great for Sex Which is why it’s grotesque for parenting.
  Sports
Sports Nut
Sept. 17 2014 3:51 PM NFL Jerk Watch: Roger Goodell How much should you loathe the pro football commissioner?