Tobias on Locks and Insecurity Engineering E-Book

Table of Contents

Cover

Table of Contents

Title Page

Foreword

Introduction

What Does This Book Cover?

Who Should Read This Book

Conventions Used in This Book

Additional Resources

Part I: Locks, Safes, and Insecurity Engineering

CHAPTER 1: Insecurity Engineering and the Design of Locks

What Is Insecurity Engineering?

Primary Responsibilities of Lock Manufacturers

Examples of Insecurity Engineering Failures

Important Design Rules

Summary

CHAPTER 2: Insecurity Engineering: A Lack of Expertise and Imagination

Basic Lock Types and Components

Theory of Operation for Each Primary Lock Design Category

Primary Security Classifications of Locks

Lock Materials and Their Characteristics

Standards and Their Criteria

Security Features and Enhancements

Magnetics: Theory, Implementation, and Defeat

Bypass: Fundamental Expertise Requirements

Forensics and Evidence of Entry

CHAPTER 3: Vulnerability Assessment in Lock Designs

Vulnerability and Risks

The Vulnerability Assessment Process

CHAPTER 4: The 3T2R Rule for Assessing the Security of a Lock

The 3T2R Rule: Metrics, Security, and Liability

Overall Security Assessment and the 3T2R Rule and Numerical Scoring

Part II: Legal and Regulatory Issues in Locks, Safes, and Security Systems

CHAPTER 5: Security Is All About Liability

Avoiding Legal Issues

Design Defects and Other Actions as the Basis of Product Liability

CHAPTER 6: Legal Liability and Insecurity Engineering

Development of Product Liability Law

Criminal, Civil, and Criminal Law

Defective Products: What Are They, and Why Are They Important?

Exemption from Warnings: Sophisticated Users

Warranty of Merchantability, Defective Products, and Negligence

The Repair Doctrine: Liability for Subsequent Product Upgrades

Negligence vs. Privity of Contract

Strict Liability vs. Negligence

The Malfunction Doctrine and a Defective Product

Failure to Implement an Alternative Design and Proof of Possibility

Risk-Utility Analysis of an Alternative Product Design

Knowingly Selling a Defective Product

User Misconduct Defenses

Manufacturers Are Experts

CHAPTER 7: Standards for Locks and Safes

Basic Rules and Axioms Relating to Standards

U.S. Standards Organizations

Description and Analysis of U.S. Lock Standards: UL and BHMA

Deficiencies in the UL 437, BHMA 156.30, and 156.5 Standards

Testing Deficiencies in the BHMA 156.30 Standard

Recommendations for a High-Security Standard

CHAPTER 8: Patents, Security, and the Protection of Intellectual Property

Patents and Their Relationship to the Security of an Invention

Modifications to Existing Patented Products and Security

History, Origins, Chronology, and Rationale for Patent Laws

Overview: Current U.S. Patent Law

Primary Parts of a Patent Application

Primary Statutory Criteria for the Issuance of a Patent

Patent Life and Validity

What Patent Rights Do Not Cover or Allow

Invalidation of a Patent Application: The Concept of Prior Art and Nondisclosure of Inventions

Filing for a Patent to Protect IP: Pros and Cons

Patent Classification System

Patent Infringement

CHAPTER 9: Notification of Defects in Product Design

Primary Rules and Questions

Internal Notifications

Assessing the Scope of the Issue or Problem

Action Items and Priority

Design Defects and Liability Considerations

Compensatory and Punitive Damages

Failure to Take Any Substantive Steps

Post-Sale Duty to Warn or Recall

The Protocol for the Notification of Defects in Locks

Threat-Level Criteria

Communications and Actions on Notification of a Defect

Special Cases: Consulting Agreements, Nondisclosure Agreements, and Extortion Attempts

Possible Extortion Attempts

Civil Remedies

Insider Threats as Part of a Scheme

CHAPTER 10: Legal and Security Issues in Keying Systems

How Manufacturers and Locksmiths Can Be Liable for Damages

False or Misleading Advertising About Security and Key Control

Key Control Procedures by Manufacturers

How Locksmiths and Key-Duplicating Shops Can Defeat Key Control Schemes

Identification of Counterfeit Blanks by Customers

Patent-Expired Blanks

Keyway Restrictions Are Often Easily Circumvented

Compromise of Physical Key Control: Duplication, Simulation, and Replication of Credentials

Legal Issues in Master Key Systems

Security Policies for Organizational Key Control

Part III: Basic Designs and Technologies for Mechanical and Electronic Locks

CHAPTER 11: A Brief History of Lock Design and Development

From Blacksmiths to Locksmiths: The Development of the Technology of Locks

The First Locking Systems

The Original Egyptian Pin Tumbler Design

Early Roman Locks and the Introduction of Wards

Lock Designs in the Middle Ages: The Introduction of the Lever Tumbler

Advancements in Lever Lock Designs

Advancements in the Past 50 Years

CHAPTER 12: Industry Definitions

Terminology

CHAPTER 13: Modern Locking Mechanisms: A Merging of Old and New Technology

Conventional Mechanical Locks

Security Enhancements to Conventional Locks

High-Security Mechanical Locks

Software- and Hardware-Based Keys, Locks, and Access Control

Electronic Locks

Hybrid Electronic Locks with Biometric or Wireless Authentication

Selecting Conventional or High-Security Locks

CHAPTER 14: A Comparison of High-Security Lock Designs

Criteria for Judging a Lock's Security

Assa Twin, V10, and Similar Sidebar Designs

Schlage Primus

Medeco Rotating Tumbler Sidebar Design

EVVA Magnetic Code System (MCS)

Part IV: Design and Insecure Engineering of Locks

CHAPTER 15: Attacks Against Locks: Then and Now

The Origins of the Pin Tumbler Lock and Attacks on Its Security

Warded Lock Design and Insecurity

Lever Tumbler Locks

Early Impressioning Techniques

Opening Letter Locks

Mechanical and Arithmetic Attacks and Tryout Keys

The Great Exhibition of 1851, Hobbs, and the Insecurity of Locks

Lock-Picking Advances in England and America: Nineteenth Century

Bramah Lock Design

Attacks with Explosives

Major Crimes Involving Locks During the Nineteenth and Twentieth Centuries

Attacks on Locks: The Past 100 Years

Attacks on Locks: Now and in the Future

CHAPTER 16: An Overview: Vulnerability Analysis in Designs and Testing

Primary Components in All Locks

Secondary Security Components for Multiple Security Layers

Primary Classification of Attack Types

CHAPTER 17: Destructive Attacks Against Locks and Related Hardware

Tools, Techniques, and Threats from the Application of Different Forces

Basic Tools of Destructive Entry

CHAPTER 18: Covert Methods of Entry

Covert Entry: The Fundamental Premise

Primary Points of Vulnerability for All Locks

Assessing and Choosing Methods of Attack

Magnetic Attacks

Processor Reset Attacks

Decoding Information from Within the Lock

Against Any Openings into the Lock Body with Shims and Wires

CHAPTER 19: Attacks Against Electronic Locks

Electronic-Based Locks: Common Design Vulnerabilities and Attacks

Potential Design Vulnerabilities to Review

CHAPTER 20: Advanced Attacks Against High-Security Locks

Considerations in Developing Attack Strategies, Techniques, and Tools

Unique Design Approaches to Opening Lever and Pin Tumbler Locks

Systems Based on the Use of Shims

Material Impressioning System

Variable Key-Generation Systems

Part V: Attacks on Key Control and Special Keying Systems

CHAPTER 21: Attacking Keys and Keying Systems

Summary of Attack Strategies Against Keys, Plugs, and Detainers

Intelligence from Locks and Keyways

Correlation Between Physical Key Design and Master Key Systems

Attacks Against Keying Systems

Compromising the Master Key Other than by Extrapolation

Top-Level Master Key Extrapolation

CHAPTER 22: Advanced Attacks on Key Control: 3D Printers and Special Software

3D Printing vs. EasyEntrie Milling Machines

An Overview of Typical Program Capabilities

CHAPTER 23: Digital Fingerprints of Locks: Electronic Decoding Systems

Scanner Tools, Technology, and Physics

CHAPTER 24: Code-Setting Keys: A Case Study of an Attack on High-Security Key Control

Background Facts and the Initial Problem

An Overview of the Medeco Design

Could We Bump Open a Medeco Lock?

Lessons Learned

Part VI: Specific Case Examples

CHAPTER 25: Case Examples from Part VII Rules

The Introduction of Focused Energy Against Internal Locking Components

CHAPTER 26: Case Examples by Category

Failure to Connect the Dots and Lack of Knowledge About Locks

Failure of Imagination and Engineering Incompetence

Failure to Consider or Deal with Hardware Constraints or Material Limitations

Failure to Understand or Correlate Attack Methods

Failure to Consider the Application of Force

Failure to Consider Decoding Methods and Attacks

Complex Attacks and Security Failures in Designs

Attacks on Lock Bodies and Integrity

Attacks on Credentials

Attacks on Electronic Elements

Attacks on Internal Locking Components

Attacks on Openings with Shims and Wires

Shear Line Attacks

Part VII: Design Rules, Axioms, and Principles

CHAPTER 27: Design Rules, Axioms, and Guidelines

Epilogue

Appendix A: Patents Issued

Appendix B: Trademark Listing

Index

Copyright

Dedication

About the Author

Books by the Author

Acknowledgments

End User License Agreement

List of Illustrations

Chapter 1

Figure 1-1a, 1b: A bump key can be produced from virtually any key blank for...

Figure 1-2: A key with side bit milling provides another security layer and ...

Figure 1-3: A worm gear is controlled by a small motor in electronic locks. ...

Figure 1-4: The Kaba InSync is a perfect example of a design failure to acco...

Figure 1-5a, 5b: Reverse picking of wafer locks is common. (a) A popular gun...

Figure 1-6: The Kaba 5800 electronic push-button lock could be defeated in s...

Figure 1-7: A simple modification to a valid key for an iLOQ electronic cyli...

Figure 1-8: Open keyways, as shown in this deadbolt lock, can provide access...

Figure 1-9: Several trigger locks for handguns were produced with stamped ke...

Figure 1-10a, 10b: Magnetic fields can move ferrous components within a lock...

Figure 1-11: The Kaba Simplex 1000 mechanical lock was defeated by a rare ea...

Figure 1-12a, 12b: The classic way to describe Newton's Third Law of Motion ...

Chapter 2

Figure 2-1a, 1b: Without stringent key control, cut and blank keys can be al...

Figure 2-2: Keying systems in larger facilities can be master keyed. The dia...

Figure 2-3: Attacking the shear line is the primary method to compromise a l...

Chapter 3

Figure 3-1: Medeco code setting keys were developed and patented as a covert...

Chapter 11

Figure 11-1: An early Greek door lock. Access to move the bolt was through t...

Figures 11-2: An Egyptian pin tumbler lock mounted on the inside of a door, ...

Figures 11-3: The original pin tumbler lock design replica from the British ...

Figure 11-4: The Egyptian lock had three primary components: the key (A), th...

Figure 11-5: The warded lock relied on circular obstructions or bands to blo...

Figure 11-6: An early warded lock.

Figure 11-7: An early warded lock and key.

Figures 11-8: A warded lock with several locking mechanisms

Figures 11-9: A complex warded key.

Figure 11-10: An example of a lever tumbler lock with multiple levers.

Figure 11-11a, 11b: The original Bramah lock and tubular key.

Figure 11-12: The Chubb lever locks with a detector above the levers.

Figure 11-13: The Parsons balanced lever lock.

Figures 11-14a–14c: Lever locks can offer high security and pick resistance,...

Figure 11-15: Time locks for safes and vaults.

Figure 11-16a, 16b: The original Yale pin tumbler design. The correctly bitt...

Figures 11-17a–17c: These three locks demonstrate the locking principle of t...

Figure 11-18a, 18b: A modern pin tumbler lock with a sidebar for added secur...

Figure 11-19: A modern bump key is designed to bounce all pin tumblers simul...

Figure 11-20a, 20b: A six-wafer lock. The wafers aren't properly aligned (a)...

Figure 11-21a, 21b: A double-sided wafer lock. Each side of the key acts on ...

Chapter 12

Figure 12-1a, 1b: Tubular pin tumbler lock and key. The key is (b), lock is ...

Figure 12-2: A Medeco BIAXIAL key showing fore and aft cuts with different r...

Figure 12-3: Bitting depth and measurement for a Schlage lock.

Figure 12-4: The critical components of a pin tumbler lock.

Figure 12-5: Deadbolt cylinder.

Figure 12-6: A keyway.

Figure 12-7: Maximum adjacent cut specifications. The difference between a 9...

Figure 12-8a, 8b: Medeco sidebar lock. In (a) the operation of the sidebar i...

Figure 12-9: In a pin tumbler cylinder, all pins aren't aligned at the shear...

Figure 12-10: A pin tumbler cylinder with a mushroom tumbler trapped at the ...

Figure 12-11: A paracentric keyway.

Figure 12-12: Pins at the shear line in a conventional pin tumbler lock.

Figures 12-13a–13c: (a) The lock diagram in the original patent, (b) A sideb...

Figure 12-14: The top pins protrude above the shear line.

Figure 12-15a, 15b: (a) A double-bitted wafer tumbler lock common in vending...

Chapter 13

Figures 13-1a–1e: (a) The cylinder, (b) the sidebar rack, (c) movable slider...

Figures 13-2a–2d: The EVVA 3KS (and later 4KS) is a multichannel laser track...

Figure 13-3a–3c: Abloy Classic standard 9-disc key, Classic 11-disc key, and...

Figure 13-4a, 4b: A conventional pin tumbler lock. (a) shows all pins at the...

Figure 13-5a, 5b: Creating a shear line places a gap between the plug and sh...

Figures 13-6a, 6b: Paracentric keyways can make picking difficult because th...

Figures 13-7a–7f: Bump keys are a persistent threat to pin tumbler mechanism...

Figures 13-8a, 8b: (a) (A) and (B) The original Sargent Keso featured three ...

Figures 13-9a, 9b: Many dimple locks are susceptible to impressioning with m...

Figure 13-10: The telescoping tumblers in Mul-T-Lock cylinders have outer an...

Figure 13-11a–11d: Axial pin tumbler locks are based on the pin tumbler prin...

Figure 13-12: A laser track is milled into many different keys to control an...

Figure 13-13: Medeco developed the rotating pin tumbler design. The photogra...

Figures 13-14a–14c: (a) The Original Medeco cam lock design with (c) a singl...

Figure 13-15a–15d: The EVVA MCS was developed many years ago but is still fa...

Figure 13-16: The floating magnetic wafer in the EVVA Acura 44 can provide a...

Figure 13-17a, 17b: (a) is a six-pin tumbler lock with different security pi...

Figures 13-18a–18c: This pin tumbler cylinder (a) graphically illustrates ho...

Figures 13-19a–19i: Different bitting designs include (a) DOM Diamant, (b) M...

Figures 13-20a, 20b: Many manufacturers have adopted the Mul-T-Lock interact...

Figures 13-21a, 21b: The Schlage Everest employs an undercut (a) as an addit...

Figure 13-22: The Mul-T-Lock MT5+ key. Note the laser track that moves slidi...

Figures 13-23a–23d: The Assa Abloy CLIQ (c and d) and the Medeco X4 use the ...

Figures 13-24a, 24b: The Ikon eCLIQ key and cylinder in the European profile...

Figures 13-25a–25c: The iLOQ key is universal for these cylinders. Only the ...

Figure 13-26: The iLOQ electromechanical mechanism. The key enters on the ri...

Figure 13-27: The Assa Abloy Spark key with the power source in the head. No...

Figure 13-28: Many vendors offer RFID-based electronic locking systems. Show...

Figures 13-29a–29c: Three examples of electromechanical and electronic consu...

Figure 13-30: The Schlage electromechanical lock with bypass cylinder is a p...

Figure 13-31a, 31b: Kwikset KEVO indicates a different status with color LED...

Chapter 14

Figure 14-1: An Abloy disc lock shows the sidebar (a) and two gates (b) The ...

Figure 14-2a, 2b: The side pins appear on the left side of the keyway in the...

Figures 14-3a, 3b: The unique sidebar (a) has five ridges capable of mating ...

Figures 14-4a–4c: The design of the finger pins is unique and identical. Key...

Figures 14-5a, 5b: The V10 introduced the ability to contact the side bit mi...

Figure 14-6a–6c: The side pins must all be aligned at the same horizontal po...

Figures 14-7a–7c: The Schlage Primus has five finger pins and seven position...

Figures 14-8a, 8b: The Primus finger pins have seven gate combinations. The ...

Figures 14-9a–9c: The side bit milling on a Schlage Primus key controls the ...

Figure 14-10: All the bottom pins must be properly aligned for the sidebar t...

Figure 14-11: The diagram from the BIAXIAL patent shows the cylinder design ...

Figure 14-12: A diagram of each angle rotation with the sidebar's legs.

Figure 14-13: This Medeco cutaway of a BIAXIAL shows the critical components...

Figure 14-14: This diagram shows the position of the fore and aft pin for th...

Figure 14-15: The Medeco m3 incorporated different length steps (a) on the s...

Figure 14-16a, 14b: Cutaway of the Medeco m3 showing how the sidebar and sli...

Figure 14-17: This photograph shows the m3 slider in alignment with the side...

Figure 14-18: This m3 cutaway shows four critical components. Arrow (1) show...

Figure 14-19: The Medeco M4 key vertical perspective shows the side bit mill...

Figure 14-20: The M4 key with primary and side bit milling. The interactive ...

Figure 14-21: The sidebar for the M4, together with one of the side pins. (a...

Figure 14-22: The EVVA MCS key contains four rare earth magnets that are mag...

Figures 14-23a, 23b: The arrow in (a) denotes the sidebar sliding fence asse...

Figures 14-24a–24c: This series of photographs shows the EVVA MCS’s four rot...

Figures 14-25: This photograph shows the top and bottom profile of the MCS k...

Figures 14-26: Magnetic film overlay (visa mag) shows the permutations in ma...

Chapter 15

Figure 15-1a, 1b: Examples of early versions of the Egyptian lock. (a) shows...

Figures 15-2a-2c: Early examples of Roman warded keys show the intricacy and...

Figure 15-3: The mortise-warded lock can still be found in older hotels worl...

Figure 15-4a-4c: A side view showing the interaction of the key bitting and ...

Figures 15-5a, 5b: The two keys shown in the image for the EVVA DPI reveal a...

Figure 15-6: (B) shows six individual warded keys with different bitting pat...

Figure 15-7: Six typical skeleton keys that will open many warded locks.

Figure 15-8: A key for a warded lock, a blank key, an impressioned equivalen...

Figure 15-9: A warded lock that was impressioned to produce a working key. A...

Figure 15-10: Tools to bypass warded locks.

Figure 15-11: A set of old picking tools and skeleton keys for warded locks ...

Figure 15-12: Simplified diagram of a lever tumbler lock. In (A), the key is...

Figures 15-13a-13d: Canada postal locks (a) show the bolt without a keyway, ...

Figure 15-14a, 14b: A copy of the key (a) was impressioned in silicone-type ...

Figures 15-15a, 15b: Plasticine is painted (a) on the blade of the lever tum...

Figure 15-16: A tool to precisely measure and replicate the bitting of diffe...

Figure 15-17: The John Falle foil system is superior to the earlier Martin l...

Figure 15-18: The two-in-one tool was developed to pick lever locks using th...

Figure 15-19: The KGB developed a clever variable-key-generation system for ...

Figure 15-20: Chubb detector lock, circa 1837, and a diagram of its operatio...

Figure 15-21: The bellies of the levers can be decoded because they replicat...

Figure 15-22: The Bramah lock with sliders is still one of the highest-secur...

Figure 15-23: An acoustic lock pick with an embedded microphone for listenin...

Figure 15-24: These KGB tools were designed to simulate different keys for l...

Figure 15-25: A KGB pin tumbler lock decoder to probe each tumbler and the l...

Figure 15-26a, 26b: A Soviet Nykustukas magnetic padlock from the 1980s (a) ...

Figure 15-27: These tools were designed and made by hand by Aldo Silvera, a ...

Figure 15-28: This is a cross pick for locks with multiple rows of pin tumbl...

Figure 15-29: This is a Sputnik pick for pin tumbler locks. It can manipulat...

Figure 15-30: This Lishi combined pick and decoder tool is one of the latest...

Chapter 17

Figure 17-1: These Medeco m3 plugs contain anti-drill pins made of hardened ...

Figures 17-2a–2f: These photographs show the results of drilling a standard ...

Figures 17-3a–3f: This sequence shows the use of an end mill in drilling the...

Figures 17-4a–4d: Portable battery-powered grinders can drive end mills to a...

Figures 17-5a–5c: The placement of a drill bit to drill across the shear lin...

Figures 17-6a–6d: A blank key (a) is inserted before drilling to raise all t...

Figures 17-7a–7c: A new shear line is created by drilling the plug (a) A shi...

Figures 17-8a, 8b: An interchangeable-core plug drilled so the core can be r...

Figures 17-9a–9e: A profile cylinder may be removed by drilling through the ...

Figure 17-10: A special metal screw can pull a plug or cylinder. It's tapped...

Figure 17-11: A dent puller kit that contains all the implements necessary t...

Figure 17-12: The mounting for the cylinder is cast and can be fractured, al...

Figure 17-13: A long pipe provides sufficient leverage to apply torque to br...

Figure 17-14: Wendt developed a tool to apply extreme torque to a cylinder a...

Figure 17-15a–15c: Torque is applied to the cylinder until the set screw is ...

Figure 17-16: Tumblers from a dimple lock. In this instance, the tips of the...

Figure 17-17: This tool collection from the Chubb archives was used more tha...

Figure 17-18: Iowa American produces several prybars for specific applicatio...

Figure 17-19: The Sigma Hooligan separates the door from its jamb. The wedge...

Figure 17-20: Four different attack tools for prying, wedging, peeling, and ...

Figure 17-21: (A) Sumo single-man ram, (B) two-man Enforcer ram, (C) Firecra...

Figures 17-22a, 22b: The principle of jamb spreading is to exert force again...

Figures 17-23: The Omni hydraulic jamb spreader is a simple and effective ha...

Figure 17-24: The “K” tool removes cylinders from metal frames. The assembly...

Figure 17-25: Another form of wedge that employs leverage to create energy f...

Figure 17-26: The Broco portable thermic lance will penetrate virtually any ...

Chapter 18

Figure 18-1a, 1b: A locksmith commercial pick set (a), and the John Falle pr...

Figures 18-2a, 2b: Rake picks (a) can take many forms. They're designed to m...

Figures 18-3a–3c: Ball picks are available in several configurations. (a) sh...

Figures 18-4a, 4b: The John Falle tension wrenches (a) are unique. They faci...

Figure 18-5a, 5b: Rocker picks can facilitate the raking of pins and simulat...

Figures 18-6a, 6b: One of the patent diagrams for the original mechanical pi...

Figures 18-7a–7c: Electronic pick guns generate vibration at the pick tip. T...

Figures 18-8a, 8b: The John Falle comb pick set (b) is designed to work with...

Figure 18-9: The comb pick described in U.S. Patent 2,064,818. A comb pick c...

Figures 18-10a–10c: The Sputnik tool can pick pin tumbler cylinders by exten...

Figure 18-11: The Peterson decoder is for axial pin tumbler locks and can ma...

Figures 18-12a, 12b: (a) shows an Assa V10 normal bitted key before modifica...

Figure 18-13: This set of jiggle keys can be used to open pin tumbler and wa...

Figure 18-14: By manipulation within the keyway, many different signatures c...

Figure 18-15a, 15b: The LuckyLock self-impressioning system for lever locks ...

Figure 18-16a, 16b: The Falle foil impressioning system relies on a carrier ...

Figure 18-17: The Tampke system resembles the John Falle tool, using foil to...

Figures 18-18a–18c: A blank blade surface of lead (a) and the finished key (...

Figures 18-19a–19c: The Lock Defeat Technology system can impression safe-de...

Figure 18-20a, 20b: The LuckyLocks pick, decoder, and auto-impressioning too...

Figure 18-21: This is an example of impressioning marks visible through a sp...

Chapter 20

Figures 20-1a, 1b: This is the genesis of the Pin and Cam system for a lever...

Figures 20-2a–2c: This system contains all the different bitting values for ...

Figure 20-3: The pin-lock decoder, developed by John Falle, is a precision t...

Figure 20-4: The Medeco shim decoder tool.

Figure 20-5: A dimple key can be impressioned with wax or plastic tape; the ...

Figure 20-6: A key carrier with a foil overlay that has been impressioned fo...

Figures 20-7a–7c: Several lightboxes have been designed for covert use. They...

Figure 20-8: A key produced with a variable system.

Figures 20-9a, 9b: The Falle variable key-generation system. (a) keys can be...

Figure 20-10a-10c: The Medeco lock's Falle magnetic key generation system. T...

Chapter 22

Figure 22-1: This is the 3D-printed Schlage Primus key created by MIT studen...

Figure 22-2: This is a complex Fichet key. It was replicated with a 3D SLA p...

Figure 22-3: A key for a Mul-T-Lock Interactive+. Note the hole for the inse...

Figure 22-4a, 4b: (a) A FAB key with holes for side pins. (b) The EVVA 4KS i...

Figure 22-5: A profile is imported, and the parameters are entered into the ...

Figures 22-6a–6h: These images represent ATS3DKEY previews of created keys. ...

Figure 22-7: A key profile is mapped and modified from a photo of the lock....

Figure 22-8a, 8b: Two keyway scans generated from LOPID profiles. They are f...

Chapter 23

Figure 23-1: The small SWD 1 mm probe with the tip partially extended.

Figure 23-2: The software display for the LeCoeur electronics module is at t...

Figure 23-3: A demonstration of the handheld probe for the C.O.F.E.D. system...

Figures 23-4a–4c: These are scans of different keys using the C.O.F.E.D. dec...

Figure 23-5a, 5b: This scan of an ABUS pin tumbler lock shows the detail and...

Figure 23-6: This scan from the SWD device is shown on a smartphone.

Chapter 24

Figures 24-1a, 1b: Two Medeco plugs with all the pins properly aligned at th...

Figure 24-2: A Medeco key and a simulated blank replicating the bitting and ...

Figure 24-3: This diagram represents a six-pin plug with all bottom pins rot...

Guide

Cover

Table of Contents

Title Page

Copyright

Dedication

About the Author

Books by the Author

Acknowledgments

Foreword

Introduction

Begin Reading

Epilogue

Appendix A: Patents Issued

Appendix B: Trademark Listing

Index

End User License Agreement

Pages

iii

xxxiii

xxxiv

xxxv

xxxvi

xxxvii

xxxviii

xxxix

1

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

332

333

334

335

336

337

338

339

340

341

342

343

344

345

346

347

348

349

350

351

352

353

354

355

356

357

358

359

360

361

362

363

364

365

366

367

368

369

370

371

372

373

374

375

376

377

379

380

381

382

383

384

385

386

387

388

389

390

391

392

393

394

395

396

397

398

399

400

401

402

403

404

405

406

407

408

409

410

411

412

413

414

415

416

417

418

419

420

421

422

423

424

425

426

427

428

429

430

431

432

433

434

435

436

437

438

439

440

441

442

443

445

446

447

448

449

450

451

452

453

454

455

456

457

459

460

461

462

463

464

465

466

467

468

469

470

471

472

473

474

475

476

477

478

479

480

481

482

483

484

485

486

487

488

489

490

491

492

493

494

495

496

497

498

499

500

501

502

503

504

505

507

508

509

510

511

512

513

514

515

516

517

518

519

520

521

522

523

524

525

526

527

528

529

530

531

532

533

534

535

537

538

539

540

541

542

543

544

545

547

548

549

550

551

552

553

554

555

556

557

558

559

560

561

562

563

564

565

566

567

568

569

571

572

573

574

575

576

577

578

579

580

581

582

583

584

585

586

587

588

589

590

591

592

593

594

595

596

597

599

600

601

602

603

604

605

606

607

608

609

610

611

612

613

614

615

616

617

618

619

620

621

622

623

625

626

627

628

629

630

631

633

634

635

636

637

638

639

640

641

642

643

644

645

646

647

648

649

650

651

652

653

654

655

656

657

658

659

660

661

662

663

664

665

666

667

668

669

670

671

672

673

674

675

676

677

678

679

iv

v

vii

viii

ix

xi

xii

680

Tobias on Locks and Insecurity Engineering

Understanding and Preventing Design Vulnerabilities in Locks, Safes, and Security Hardware

Member of ASIS, ALOA, SAVTA, IAIL, FBI InfraGard, AAPP, and APA; technical advisor to AFTE; and member of the Underwriters Laboratory Standards Technical Panel on Locks and Safes

Foreword

The delicate art of security engineering, at its core, is a balancing act. On one side rests the ever-evolving spectrum of innovation: the creation of locks that safeguard our most cherished assets. On the other is the constant challenge to compromise these very inventions—a process as old as time that Marc Weber Tobias insightfully delves into within the pages of this book.

Having served for 19 years as the CTO of dormakaba, one of the world's largest lock manufacturers, I have been at the intersection of innovation and vulnerability. Often, avoidable flaws surfaced, ushering in labor-intensive reparations and tarnishing a reputation painstakingly built over the years. This urgent reminder has always been that in the world of security, there is no room for complacency. From a corporate standpoint, a security failure isn't just a product glitch: it's a liability. The reverberations of such failures can be far-reaching, ranging from reputational harm to potential lawsuits.

Security, I believe, goes beyond mere functionality. It's a philosophy that embraces an understanding of systems and recognizes the complexities woven into the fabric of interconnected technology. Today's digital era intensifies this complexity, urging industry leaders to not just focus on how a system works but also understand the myriad ways it can be exploited. This dual vision is vital. At dormakaba, I've tried to instill this approach, advocating for both creators and challengers to scrutinize our products before they reach our customers.

Marc and I have collaborated for over a decade. We've confronted multiple designs, revealing vulnerabilities that escaped our initial engineering discernment. This iterative process, while humbling, has been an indispensable exercise. It has reaffirmed a belief I've always held that security isn't just a technical endeavor but an attitude—an attitude that demands humility, continuous learning, and a touch of paranoia.

As Marc elucidates in this book, an industry-wide disconnect exists: engineers are well equipped with the skills to conceive and implement, but the art of understanding bypass techniques, both elementary and advanced, often remains uncharted. Standards aren't sufficient, as they frequently don't contemplate combining more than one technique to defeat sophisticated systems. This underestimation and lack of imagination of how to compromise supposed security poses significant threats, not just in terms of physical security but also in the realms of reputation and customer trust.

It's an unsettling revelation and one that Marc highlights with meticulous detail. Through an in-depth exploration from the history of lock designs to the nuances of modern-day lock vulnerabilities, this book bridges the gap between proven wisdom and contemporary challenges. For design engineers, risk managers, and even company executives, it provides the guidance and knowledge missing in traditional curricula to tackle real-world security issues.

It's not just a guide but a clarion call to an industry. It's a call to reevaluate, learn, and constantly challenge our understanding of security. I earnestly believe that this book isn't just “good to read” but is a necessary manual for anyone in the realm of security engineering and management.

As our world becomes more connected, the stakes get higher. The chain of security becomes ever more complex and intricate, emphasizing the need for a holistic approach to security engineering.

For the engineers and decision-makers of tomorrow, this book might just be their indispensable compass that points toward a more secure future.

—Andreas Martin Haeberli, Ph.D.

Former CTO, dormakaba

Introduction

Locks and keys, in various forms, have been employed to protect people, places, information, and assets for the past 4,000 years. Although they may outwardly appear simple, their design can be incredibly complex if they're to work properly and securely.

I have been deeply involved in the analysis and design of locks for 40 years and hold many patents on their bypass. Within the last 20 years, the industry has experienced a lock design revolution, partly due to the integration of microprocessors and sophisticated software, especially for access control applications. Improvements in metallurgy, combined with new manufacturing technology, have allowed the development of locks that can better resist criminal attacks. Modern techniques can produce locks with tolerances as high as .002″ and complex designs, yet with all the advances, security is often at risk. Why?

Unfortunately, the industry is still plagued by a fundamental problem in designing locks that must resist ever-developing new vulnerabilities and attacks. That problem partly results from how mechanical engineers are educated in engineering curriculums at universities. Typically, they're taught design theory and how to make things work. They aren't taught how to compromise or break their designs or possess the requisite knowledge for “insecurity engineering.” This problem has become vastly more complicated by the introduction, integration, and overlay of software-based locking elements, working either alone or in concert with traditional mechanical components.

Electromechanical and electronic locks are slowly changing the landscape in physical security, but they're subject to even more attacks by “lock pickers” and hackers. Technologies such as 3D printing, radio frequency (RF) and electromagnetic pulse (EMP) generators, electronic and mechanical decoders, and various forms of lock bumping, along with the employment of more sophisticated attack vectors, raise the stakes for manufacturers and end users. These problems pervade the industry and highlight the inability of engineers to think “out of the box” to conceive of possible methods of compromise or failure.

Manufacturers' loss of engineering talent through retirement or budget cutbacks has also exacerbated the problem and elevated the urgency of lock security. The loss of seasoned design engineers has largely erased the institutional memory of prior design failures.

What Does This Book Cover?

In the simplest of terms, this book is about what makes a lock or associated hardware “secure” and what can go wrong in the design. In more than one case, the result was the expenditure of millions of dollars on the research and development (R&D) of a high-security lock that was defeated in a few seconds by an 11-year-old kid with virtually no expertise. In my experience consulting for most of the world's largest lock manufacturers, lock designs fail because of a lack of imagination on the part of everyone involved in the process. This lack of imagination has had significant and costly ramifications in terms of security failures, legal damages, an inability to meet state and federal standards, and a loss of credibility among customers. Ultimately, it puts consumers at risk, and they usually don't know it. The results are from what I call insecurity engineering, which is the inability to design secure locks because of many factors in the education and training of engineers. That is what this book is about.

I started “breaking” things at the age of five years and made a career of discovering and exploiting security and related legal vulnerabilities in locks, safes, and security systems. The locks business is complex, involving liability and compliance issues and engineering requirements. Tobias on Locks and Insecurity Engineering analyzes basic lock designs and presents examples of often-catastrophic design failures that sometimes resulted in death and property destruction, compromise of critical information, and millions of dollars in damages.

Who Should Read This Book

Tobias on Locks and Insecurity Engineering is written for design engineers, security and IT professionals, risk managers, government services, law enforcement and intelligence agencies, crime labs, criminal investigators, lawyers, and investigative locksmiths. Even among these professionals, there is a lack of understanding of how to evaluate locks regarding specific security requirements. Relying on industry standards promulgated by Underwriters Laboratories and the Builders Hardware Manufacturers Association (and equivalent organizations overseas) does little to define what security means and how to defeat it when considering forced entry, covert entry, and key control issues.

The reader can expect to gain an in-depth insight into lock designs and technology and how to better assess whether specific solutions will meet security requirements for their needs. Detailed information is presented that can help prevent manufacturers from producing insecure locks and assist risk management personnel in reviewing current or proposed systems. For risk management, criminal investigators, and crime laboratories, the information provides a road map showing how locks and security systems can be or may have been compromised by criminals or rogue employees.

Conventions Used in This Book

This book uses certain typographic styles to help you quickly identify important information. In particular, be on the lookout for italicized text, which indicates key terms described at length for the first time in a chapter. (Italics are also used for emphasis.)

In addition to these text conventions, you will find the following conventions that highlight segments of text:

NOTE   A note indicates information that's useful or interesting, but that's somewhat peripheral to the main text.

TIP   A tip provides information that can save you time or frustration and that may not be entirely obvious.

WARNING   Warnings describe potential pitfalls or the danger of failing to heed a warning.

 SIDEBARS

A sidebar is like a note but longer. The information in a sidebar is useful, but it doesn't fit into the main flow of the text.

Additional Resources

For additional information about locks, please check out the following resources:

https://Securitylaboratories.org

https://lss-dame.com

for detailed videos of the compromise of locks and safes

https://zieh-fix.com

for the latest in bypass tools

Roger G. Johnston, Ph.D., security expert, author of several books on the subject, and editor of the

Journal of Physical Security:

www.linkedin.com/in/rogergjohnston

High-Security Mechanical Locks: An Encyclopedic Reference

, 2007, by Graham Pulford

For additional information about the leading innovators in the lock-manufacturing industry, please check out the following resources:

Abloy, Finland:

www.abloy.com/global/en

Allegion, Ireland and United States:

https://us.allegion.com/en/index.html

ASSA ABLOY, Sweden:

https://assaabloy.com/group/en

dormakaba, Germany:

https://dormakaba.com/us-en

EVVA, Austria:

https://evva.com/int-en

Ikon, Germany:

https://ikon.de/de/en

iLOQ, Finland:

https://iloq.com/en

Kensington Technology Group, United States:

https://kensington.com

Kwikset, United States:

https://kwikset.com

Medeco, United States:

https://medeco.com/en

Mul-T-Lock, Israel:

https://mul-T-lock.com/global/en/about/mul-T-lock-international

SaltoSystems, Spain:

https://saltosystems.com/en

Schlage, United States:

https://schlage.com/en/home.html

Videx, United States:

https://videx.com

Finally, the multimedia edition of this book contains extensive video segments and graphics that demonstrate different attack vectors to compromise locks and safes that are referred to in this book. You can find this information at https://securitylaboratories.org and www.wiley.com/go/tobiasonlocks.

How to Contact the Author

I would appreciate your input, questions, feedback, and information on new tools and bypass techniques! You can find me on Skype, LinkedIn, WhatsApp, Telegram, and Signal. My website is https://securitylaboratories.org, and you can email me at [email protected] or send secure email at [email protected].

How to Contact the Publisher

If you believe you’ve found a mistake in this book, please bring it to our attention by emailing our reader support team at [email protected] with the subject line “Possible Book Errata Submission.”

Part ILocks, Safes, and Insecurity Engineering

In this Part, you will be introduced to the concept of insecurity engineering. Locks are often the primary defense for most facilities, so their design is critical for security. Thus, having an understanding of insecurity engineering is vital to every lock manufacturer, risk manager, law enforcement organization, military branch, and government agency. Understanding what insecurity engineering is about is equally important for manufacturers and designers of locks and those who carry out covert operations to gather intelligence by defeating them.

The chapters in Part I provide the foundation to understand why the term insecurity engineering was chosen, why it denotes the problems engineers must conceive of, and why they must execute designs that cannot be easily compromised. This Part begins by reviewing the basics of lock designs and then moves on to discuss the critical problems many lock manufacturers experience: a lack of expertise and imagination.

The design of locks is only part of the equation. Testing protocols and vulnerability assessment are coequal parts, and there can be a disconnect with real-world attacks if a failure exists in the assessment process. I, along with my colleagues, have developed a rule by which to measure security. The 3T2R rule is a way to determine the vulnerability of a lock to attack and its security and legal consequences. This rule is examined in Part I and throughout the rest of the book.

CHAPTER 1Insecurity Engineering and the Design of Locks

Today's manufacturing technology, software, and hardware design capabilities mean virtually any company can produce a lock if it has the right capital resources. The challenge facing manufacturers, however, is security and the ability to make a lock sufficiently resistant to different forms of attack.

Through my consulting for most of the world's largest lock manufacturers, I've discovered that locks fail for two fundamental yet interrelated reasons:

They fail because everyone involved in the process may lack the imagination to anticipate potential and actual security vulnerabilities.

They fail due to a lack of engineering expertise about bypass techniques.

This lack of imagination and expertise can have significant and costly ramifications for manufacturers in terms of security failures, legal damages, an inability to meet state and federal standards, and a loss of credibility from their customers. Ultimately, it often places these unaware consumers at risk.

To imagine a vulnerability, it is a prerequisite that you understand and correlate different attack modes and current or proposed designs. My father, a mechanical engineer, encouraged me from the age of five to take things apart, learn how they worked, and figure out how to break them. Before becoming a lawyer, I began my career by discovering and exploiting security and legal vulnerabilities in lock, safe, and security system design. It was during this time that I realized the ramifications of insecurity engineering.

What Is Insecurity Engineering?

In the simplest of terms, insecurity engineering is a lack of expertise and understanding of how locks work and the various ways you can make them fail. It creates insecurity, contrary to a lock's raison d'etre (i.e., reason to exist). Insecurity engineering results in a failure to “connect the dots” from simple design errors to compound failures, which finally results in the compromise of components that can potentially defeat security. It's an engineer designer's lack of creativity and imagination to consider a “What if?” scenario. Finally, it's the absence of a complete understanding or knowledge of past mistakes in similar designs. Such insights can only be acquired via experience, by working with seasoned engineers and having a full familiarity with what has been designed and patented to remedy past defects or deficiencies that originally created or allowed the vulnerabilities.

Insecurity engineering is also about legal liability and the failure to understand that defective designs ultimately will invite lawsuits and damage awards. If someone is hurt or a company sustains damage in whatever form, it can cost a manufacturer a monetary loss and reputational injury. As the name implies, insecurity engineering highlights the need to forecast, discover, and prevent insecure designs from reaching the end user.

This concept, which is discussed more in Chapter 3, ensures that those responsible for the design of locks, safes, and security systems have the requisite expertise to assess a product from many different perspectives, starting with its inception and continuing through analysis and testing by a vulnerability assessment team. Competent insecurity engineering, as the term implies, is an absolute prerequisite to successfully developing any security-related product.

Primary Responsibilities of Lock Manufacturers

Let's begin by discussing the primary missions of lock manufacturers. Lock manufacturers are responsible for making products that securely perform their intended function or purpose. I can identify at least nine critical responsibilities for companies that produce locks and related security systems, all based on a foundation of competent insecurity engineering practices and programs. Here are those nine critical responsibilities:

Invent or improve on state-of-the-art technology.

Develop and continue to analyze and improve on earlier designs.

Understand all vulnerabilities and imagine new ones.

Apply design expertise to currently manufactured and new products.

Protect intellectual property (IP) from infringement.

Ensure that IP produced and sold is secure and will not cause injury or harm.

Do not produce defective products.

Fully understand product liability and its critical importance.

Initiate a disclosure program about serious vulnerabilities.

Let's break down these nine responsibilities further.

NOTE   For more information on security engineering, check out Security Engineering, Third Edition, by Ross Anderson. It's a must-read for Internet technology (IT) professionals, risk managers, and computer engineers and covers system design, emerging technologies, and what can go wrong when system developers don't understand security and vulnerability.

Invent or Improve On State-of-the-Art Technology

Manufacturers should strive to develop, improve, or create new designs to enhance their products, improve overall security, and increase their capability to secure people, facilities, assets, and information. Over the past 200 years, companies have succeeded because they innovated new locking technologies and implemented the latest advancements. The lifeblood of every manufacturer is its creation of IP and the allowance of patents. Intellectual property encompasses patents, trademarks, and copyrights and is the foundation of almost every product for every serious lockmaker because patents ensure protection for their work and creativity for 20 years under current patent laws. Customers rely on this protection when they buy security technology—a gauge of the state-of-the-art technology in the industry—which is essential for successful product marketing.

Develop and Continue to Analyze and Improve On Earlier Designs

Manufacturers should be vigilant about issues from past and present designs to ensure that they're currently aware of new attacks that could affect the security of their products. Even if a locking system was developed several years ago, if it's currently being sold, any vulnerability can be the basis of a liability. A monitoring system should be set up for every new product, not only for receiving customer feedback but also for discovering or publishing security issues.

Understand All Known Vulnerabilities and Imagine New Ones

A continuous review of products must occur to ensure that a manufacturer's products are secure against current attacks. The Simplex 1000 push-button lock is a perfect example: a mechanical system that was initially patented around 1965 but became the subject of a class action lawsuit in 2010 because it could easily be defeated by a strong magnetic field. Its manufacturer did not review it for or imagine any vulnerabilities, which is critical to securing a lock against attacks.

Apply Expertise to Currently Manufactured and New Products

Manufacturers must maintain and develop an engineering team with the requisite expertise to assess design defects of current and new products in terms of their security. Doing so is imperative to creating locks that can withstand attacks. (You'll find this issue addressed more fully in Chapters 2 and 3).

Protect Intellectual Property (IP) from Infringement

Manufacturers must maintain a corporate policy that stresses the protection of IP in locks and security systems, for the benefit of both the manufacturer and its customers. If patents and trademarks are not constantly monitored for infringement, they will not protect the property's owner or anyone relying on their enforcement. A great example is discussed in Part VI: a large manufacturer held patents for key designs with interactive elements that were reproduced and sold in large quantities in major metropolitan areas by counterfeiters. The manufacturer's inability to protect its IP resulted in economic losses to the manufacturer and many locksmiths and presented security risks to critical customers.

Ensure That IP Produced and Sold Is Secure and Will Not Cause Injury or Harm

From a legal and ethical standpoint, the primary responsibility of a lock manufacturer is to ensure that whatever products it offers for sale are secure and will not harm customers or their facilities due to improper use or the circumvention of security. Any insecurity or harm can potentially damage a manufacturer's credibility, not to mention harming its consumers.

Do Not Produce Defective Products

The term defective can be defined in many ways, including design, manufacturing, and warning. In the context of this book, it relates primarily to security vulnerabilities that are present and can or should be predicted. It is imperative that lock manufacturers ensure their products are not defective, to protect the integrity of their companies and products.

Fully Understand Product Liability and Its Critical Importance

Liability considerations must be built into every project and product from its inception until it's sold to its end users. A lock manufacturer's employees should be trained to be sensitive to legal issues that can result in a company's legal liability, which could even extend to its employees. Protocols should be set in place to document in detail every security-related product's development, modifications, and fixes to minimize the company's exposure to lawsuits and damages. Management, in addition to every employee, must be cognizant of the multiple tenets of product liability law and how to guard against tort liability and contract violations while protecting trade secrets, non-disclosure agreements, and confidentiality.

Initiate a Disclosure Program about Serious Vulnerabilities

Once vulnerabilities are discovered and their seriousness is verified, there must be a process to properly disclose all product defects affecting the security of critical customers or even the general public. It is suggested that this process detail warnings about security issues, including those involved with master key systems, key copying, and capabilities to circumvent key control. (Such a process is discussed in more detail in Chapter 2.)

Several years ago, I introduced and promoted the concept of unethical nondisclosure, where lock manufacturers were aware of vulnerabilities but failed to disclose them to customers or did nothing to remedy design problems. As a lawyer, I counseled my manufacturing clients to be up front with their customers and the public about their security-related issues. Customers have a right to rely on a manufacturer's expertise in lock design and an expectation to be forewarned about potential or known defects that could place them at risk. It is unethical for a company to fail to disclose or warn its customers about a significant flaw.

Examples of Insecurity Engineering Failures

Throughout this book, I cite insecurity engineering failures that have led to extensive product delays, product recalls, redesign, and significant legal damages. Such failures are more fully described in Part VI, but I summarize a few in this section as a sobering reminder of what can happen when there's a lack of hardware and software design expertise as it applies to lock security.

Locks can be circumvented in several ways. Here are a few examples:

Bumping:

A technique based on the application of force to pin tumblers by a special key, which has caused many security issues for the world's lock manufacturers (see

Figure 1-1

).

Figure 1-1a, 1b: A bump key can be produced from virtually any key blank for a pin tumbler lock by cutting all the bitting to the lowest possible depth. (a) A bump key for Postal Service locks. (b) What happens when the key is forced forward to cause the bottom and top pins to split at the shear line.

Shimming:

A technique in which fine wires are employed to compromise various lock types by exploiting tiny openings that allow the insertion of shims to access critical components.

Impressioning:

A technique in which an impression of a tubular pin tumbler lock is taken with plastic pens to produce a key.

The following examples demonstrate common design errors resulting from engineers failing to consider the basic laws of physics. These errors have cost my clients redesign expenses, product delays, recalls, lawsuits, federal investigations, injuries, and even deaths. Although this example list is not exhaustive, it does include all instances of insecurity engineering failures due to simple attacks that were covert and left no traces.

However, design failures are not limited to the application of the laws of physics. They are also about imagination and the ability to assess each lock component and how these components can be used to cause a compromise. They encompass every aspect of design, from key control to tolerances to the interaction of components. It's about the information derived from how each component works and what can be discovered about the inner working of a lock and, ultimately, the secrets that will enable it to be decoded or opened.

TIP   For more about lock-breaking techniques, see Chapter 12. In addition, you'll find multiple detailed lock images and diagrams throughout the book that illustrate critical parts of different lock types and how they work.

The following examples detail the various types of locks and their design errors:

Spring-loaded locking mechanism:

Many locks employ springs to retain critical components in place until activated by a key or other credential. Any spring-biased component is subject to potential compromise through the application of force and the laws of physics. Springs control other movable elements that can be subject to such attacks.