By Sara Schaefer Munoz
The Wall Street Journal
November 6, 2006
NEWINGTON, CONN. On a recent evening in this quiet suburb, Matthew
Fiddler hunched over a door lock, jiggling it with a pick and poking it
with a wrench. In just a few moments, it popped open.
Fiddler wasn't locked out and he isn't a thief. Instead, the 36-year-old
father of four, clad in khakis and a blue button-down shirt, was seated
around a table with a handful of people who pick locks for fun.
The group, a chapter of Locksport International, gets together monthly
to poke and prod everything from padlocks to dead-bolt cylinders. They
swap tips, hold contests and eat pizza.
Most say they do it for the challenge. "It's like doing a Rubik's Cube
in the dark," says Josh Nekrep, a construction sales representative and
Locksport's administrative director. And for Nekrep and others, it
carries a broader mission: finding and exposing the vulnerabilities in
common locks so people can better protect themselves.
"The public has a right to know if some $30 lock they bought is not
secure," says Fiddler, the Connecticut chapter president, who, like many
in his group, works in computer security.
That philosophy has riled lock manufacturers and law-enforcement
officials, who believe disseminating information about lock weaknesses
can only encourage illicit activity. It has also split the locksmith
community, putting them at odds about whether picking techniques should
Fueling their concern: the spread of Internet videos that show how to
pick many types of locks.
Pin tumbler locks, commonly used on doors, mailboxes or padlocks, are
opened with a key when their spring-loaded pins are pushed into the
right alignment. To open them without a key, hobbyists often use a
slender pick to maneuver the pins, while at the same time sticking a
tension wrench in the keyhole to apply turning pressure.
Another popular method is "bumping," which involves inserting a
specially filed key blank into a lock and hitting or "bumping" it.
Key blanks, made by lock manufacturers and used for making duplicate
keys, are widely available for most common locks online or in hardware
stores. The force of hitting the key makes the pins jump in such a way
that for a split second the lock can be opened.
Google co-founder Sergey Brin says he became interested in lock picking
as a graduate student and years ago picked the lock of Google's offices
when he didn't have a key. He told reporters attending a Google
conference earlier this month that he recently learned the "bumping"
technique by watching a video available through Google's site.
"I was curious," he said. "You want to see a person just do it."
Law-enforcement officials fear that any tactic that exposes
lock-breaching can put information into the wrong hands.
"They are exposing vulnerabilities to everybody, and everybody includes
criminals," says Jim Pasco, the executive director of the National
Fraternal Order of Police. "I am absolutely mystified at what they
perceive to be ethical about that."
Organized groups of lock-picking hobbyists have operated in Europe for
years, and have recently been increasing in North America. Locksport
International started last year and has 100 members in six chapters in
the U.S. and Canada. The Netherlands-based Open Organisation of
Lockpickers (TOOOL) formally launched a U.S. group in August and so far
has 40 members.
The hobby is also becoming popular on college campuses: students at the
University of Texas in Austin recently launched a picking group.
Even as the hobby's popularity has grown, members acknowledge it still
faces an image problem.
"Picking locks is so often viewed by the layperson as a nefarious act,"
says a statement posted on Locksport's Web site. It says the group wants
"to promote the hobby/sport of lock-picking in an ethical manner."
Members say they take problems to manufacturers first and then go public
if the companies don't respond.
At the recent meeting in Newington, about 10 men, with ages in their 20s
to 60s, sat around a brightly lit table, bending over different types of
locks and brandishing picks and wrenches. During breaks in the chatter,
all that could be heard was tapping and clicking.
"I'm interested in how locks work," says Jack Craib, a 63-year-old
"When you are picking a lock and it clicks open, it seems like something
magical has happened," says Eric Schmiedl, a college student on the
TOOOL board of directors.
Police and lock manufacturers say they get worried when pickers swap
tips on the message boards of lockpicking101.com, a Web site for
lock-picking enthusiasts, and post how-to demonstration videos on the
popular video-sharing site YouTube.com.
After several videos circulated this summer showed how the "bumping"
method could be used to open locks, the Dallas-based Associated
Locksmiths of America, a trade group, fired off a statement calling the
information "a misguided attempt at consumer awareness" that could
"stimulate the interest of would-be burglars."
Paul Dickard, a spokesman for lock manufacturer Schlage, said the
company would prefer if the hobbyists "acted more like a magic society,
where the trade secrets stay in the room."
Still, at least one lock maker says the hobbyists can help companies.
Walt Strader, vice president of research and development for Black &
Decker, which makes Kwikset, Weiser and Baldwin locks, says the company
recently became aware of the "bumping" method from information
disseminated by the groups.
While the company doesn't agree with the groups' publicity tactics, he
said it is "taking the issue seriously" by re-evaluating its products
and considering a warning on the packaging. The company is also working
with the industry to call for a ban on the Internet sale of bump keys,
Nekrep says the group makes a concerted effort to keep out anyone with
shadowy motives. He says all new members must be endorsed by two
existing members and everyone must abide by a code of ethics, which
includes the promise to pick only locks that they own or have been given
express permission to pick.
Fiddler says he can spot undesirables right away. He has turned away
several people because they were asking "how to break into things,
rather than demonstrating a real interest in how things work."
Visit the InfoSec News store!