Recently, I got an e-mail with a video of a story on lock bumping. Lock bumping is a technique that allows one to open a lock with a specially cut “bump” key very quickly and easily. The news article goes on to talk about defenses against lock bumping. In particular, they mention two locks, one by Medeco, and the other a Schlage Primus. These two locks are supposed to resist picking and lock bumping. However, the story really doesn’t give the full background on these two locks.

The Medeco locks are better at resisting lock bumping for one major reason. These are the locks that you often find in large institutional type buildings, that are easily identified by the fact that the keys have the teeth cut at different angles, rather than at a plain 90˚ angle. The pins must not only rise, but rotate, in the proper manner before the lock can be opened. This helps make their locks more bump resistant.

The Everest Primus series of locks by Schlage use a different method to increase their difficulty to open. The keys are thicker than standard keys and have a set of keyways cut into the sides. This means that you not only have to deal with the pins on top of the key, but the pins on either side of the key. While this sounds like a really secure method, these locks are not necessarily any more resistant to lock bumping. The reason why is found on their website:

Factory side-cut combinations provide multiple levels of geographic end-user or dealer exclusivity.

What this means, is that if the bad guy can get a Primus-type key blank from the same region or dealer as your locks, the side-cuts are effectively neutralized. Now, if you buy your locks at Home Depot, chances are that the bad guys can get the same model lock at their Home Depot, and modify the key to make a “bump” key that will open the Schlage Primus locks in the area.

Every year, they have a lock-picking competition in Germany. The winner last year, was able to “bump-pick” his way past locks very similar in design and construction to the Schlage Primus series in under 60 seconds.

Now, you’re probably asking what does this have to do with computers. Well, it is a basic premise in IT security that if the bad guys can get to the computer in-person, there is very little you can do prevent them from doing what they want with it. Also, the news story is much like many stories found in IT circles. It provides incomplete information and provides a solution that is not really secure, providing the user with a false sense of security.