Getting past the most basic physical security of all: Learning to pick locks at DEFCON 22

Much like my experience with learning to hack at RSA, learning to pick locks was something that I was very interested in learning how to do, but approached with much trepidation given that I had zero experience with the practice. Nevertheless I thought I’d give it a shot, so I headed down to the Lockpicking Village at this year’s DEFCON 22 so I could be shown the ropes.

The good news is that unlike hacking, lockpicking really is something that you can more or less just start doing — and effectively so — even if you have no experience or background knowledge on the subject. The bad news is that techniques with varying levels of sophistication and complications like more secure types of locks can make the practice frustrating at times…and exceedingly difficult to master.

The village, which was run by TOOOL (The Open Organisation of Lockpickers), gave brief presentations every half hour or so to offer the basic information necessary to understand how lockpicking works so newbies like me could actually have a shot at succeeding. The concept is relatively simple: a lock consists of a certain number of spring-loaded pins (typically anywhere from two to six) of varying lengths lined up in a plug, and each pin is separated into two pieces, the lower pin and the driver pin above it. Each driver pin needs to be pushed up by the lower pin above a certain point, known as the shear line, to “bind,” or stick into place. Once all pins are bound, the plug can turn and the lock is opened. The trick, of course, is that the pins will only bind when pressed up in a particular order, and there’s no way to know what that order is on any given lock.

So I learned that what I need to do is wedge an L-shaped piece of metal, known as a torque or tension wrench, into the groove of the lock and push it ever so gently either clockwise or counter-clockwise to create some tension inside the plug. That way, when I then insert my pick (of which there are a few different types, like a simple hook, a half diamond, and the wavy rake) and start pushing up on each pin, the one that’s next in the order will bind. And that’s because once it goes up above the shear line, the pressure that I’m applying with the wrench will turn the plug slightly so it moves into place underneath the binding pin, thus keeping it place. After this action is performed on each pin — but be careful not to let up on the gentle pressure on the wrench, lest the plug spin back and release all of the pins that have been bound so far — the plug turns and lock has been successfully picked.

It’s not always that simple, though. Security on locks can be increased through a number of different methods, making the practice far more difficult. These include measures like spool pins, which are shaped like, you guessed it, spools. That way when an attempt is made to bind the pin, the bottom part of said pin, which has a lip on it, gets caught on the shear line. It’s worth mentioning that I tried my hand a spool pin lock and failed spectacularly at getting it open.

Similar tricks to up the security of the locks include other bizarrely shaped pins like mushroom pins, serrated pins, and “sneaky” pins (which basically have multiple sets of lips of varying sizes to really complicate things). The openings to the locks themselves can be modified as well, with thinner and wavier openings posing more of a challenge to the would-be lockpicker.

The reason we so rarely see these attempts to boost physical security in this way is that it’s simply a matter of cost. It costs more for lock makers to craft these more sophisticated and secure (but not impermeable!) locks, and people typically aren’t willing to pay for that. The sad truth is that most people figure “Why bother?” and opt for the simpler locks either because they’re not willing to shell out for the better ones and don’t care what the means for their security, or they don’t know any better. Simply put, that spells bad things for physical security.

In fact, the presentations at the Lockpick Village revealed the rather scary truth that any lock can be picked with the right tools, technique, and knowledge. Techniques for dealing with all types of locks — doorknobs, wafer locks, deadbolts, combination locks, multiple types of padlocks, etc. — were covered; for example, one presentation talked about crafting and using shims thin pieces of metal or plastic that can be slid into one side of a padlock or combination to release the mechanism that catches the lip on the bolt. Lock bumping was also touched on, wherein either a device like a lockpick gun or a tap from a hammer snaps all of the driver pins up above the shear line, offering a split second opportunity to then turn the plug with the right timing. The point is, there’s an approach for taking down basically any kind of lock, and that makes physical security in general seem just a little more vulnerable on the whole.

The experience of learning how to lockpick was, on the whole, a positive one. It is immensely gratifying to successfully pick a lock, and there’s a zen-like calmness that it can sometimes bring you, not unlike putting together a puzzle. But unfortunately, I now find myself addicted to a practice is only going to get harder the more I get into it.