Author: Bjørn Madsen

I often tell my residential customers that they don’t have to worry too much about their locks getting picked, that criminals will usually just break a window or kick your door down. I may have to revise that opinion. I recently had to unlock a job box for some construction workers whose key box was stolen. Their tools weren’t stolen but their keys were. The thieves left this lockpick behind, though they don’t seem to have used it because they don’t appear to have gained access to the house.

As the gap between rich and poor widens in Seattle I predict more and more talent and intelligence will appear in the criminal community, just as there are smarter and more capable criminals in Europe. Places like the UK and Germany are connected by land to the former USSR among others where there are many educated and brilliant people without jobs. Some of them will inevitably turn to a life of crime. Here in Seattle as rents skyrocket and full-time employment becomes more scarce, something’s gotta give.

If you are concerned about somebody picking your lock, there are lots of locks that are almost impossible to pick and they don’t cost very much.

Emtek makes a fine lock and they stand behind their locks with a lifetime warranty. I like working on Emtek locks because they are made with quality. I recommend them to customers willing to pay extra for nicer looking locks and a lifetime guarantee. I have few reservations about them except for a few annoyances:

1. Emtek lock cylinders don’t conform to generally followed dimensional standards, so lock cylinders from other manufacturers can’t be used in Emtek locks.
2. They have smaller retainer cap pins and springs that tend to shear off after a short time of use such as a few years after installation. When this happens it will be impossible to lock or unlock your deadbolt because turning the cylinder will no longer actuate the bolt since the link between them is no longer functioning. If this problem is occurring at your only entry door you are locked out and will have to pay somebody to drill out the cylinder to manipulate the bolt directly and then replace the cylinder, or perhaps more if the person you hired doesn’t know how to open the door after drilling just the cylinder.
3. The cylinder retainer caps that are very difficult to remove occasionally and sometimes a wrench must be used to tighten them to the correct position.

All of these problems can be fixed by retrofitting Emtek locks with different cylinders that conform to Emtek cylinder  dimensions. I sell high security cylinders that are very difficult to drill or pick that fit in Emtek locks’ housing. These cylinders have a restricted keyway that makes it almost impossible to make unauthorized key copies. The cap retainer pin is also of stouter construction that stands up to years of abuse without shearing off like those of regular Emtek cylinders.

When you retrofit your Emtek lock with CX5 cylinders you get the aesthetic benefits of an Emtek lock with the advanced security improvements of a high security cylinder. You will also be heading off future problems concerning the cylinder pin breaking and your key turning 360 degrees in the lock without unlocking it, possibly resulting in a lockout. If you prevent a late night lockout you may actually be saving money with this upgrade.

If you are interested in having me retrofit your Emtek deadbolts the costs are:

• $65 Service call to North Seattle. You can also bring the locks to me to avoid this charge.
• $75 per deadbolt cylinder, keyed to match
  
• $8.50 per key
• $10 labor per deadbolt
• $15 extra on the weekend and after 6 pm.

Bumpkeys or bumping a lock are very rarely used in crime and most information about them is alarmist in nature. That being said, they represent a well-known vulnerability in pin tumbler locks all around us (search for bumpkeys on youtube and see, they are widely used and discussed by hobbyists) and people who have seen them demonstrated usually want locks that defend against bumping because it appears to be so easy to do, and most people want it to be hard to unlock their door without a key!

Upgrading to locks that can’t be bumped is not terribly expensive. I made this video to show to people who are curious about how bumpkeys are used because people ask me frequently due to a trend several years ago on televised news channels talking about the danger.
This is a real storefront door in Seattle that criminals bypassed. The property owner asked me to improve his security. First, I recommended the door installer come back and fix some things. Second, I gave him the option of buying higher security lock cylinders. He asked me to demonstrate where his current lock cylinders were lacking, and I tried a bumpkey on his lock. I was surprised how fast it opened, usually it takes at least a few taps.
The cylinder that came with his door didn’t have a protection ring to guard against pipe wrench attacks, it was made of pot metal that deforms easily, and the tolerances are low in such lock cylinders making the lock easy to pick or bump (though the likelihood of a criminal using such techniques is very low compared to the chances of a rock or butter knife or screwdriver being used). He opted for a cylinder with a protected keyway, security pins and a hardened steel ring. The door company quickly  fixed their errors when they were pointed out and now the customer has a much more secure facility.

The cheapest way to prevent bumpkeys from working in your door is to simply use a lock that has a keyway other than Schlage C (SC1) or Kwikset’s KW1. There are hundreds of keyways that are readily available but most people on the internet are talking about bumpkeys in the previously mentioned keyways of SC1 or KW1. If you have an L4 lock cylinder for example, neither of these common keyways would work. Of course, somebody could still make a bumpkey out of an L4 blank but then it would be a targeted attack instead of a burglar picking the low-hanging fruit.

It can be expensive to replace all of your keys and lock cylinders but it isn’t very expensive to put security pins in your locks when you have them rekeyed.  Most locksmiths will only charge a dollar or two extra per lock for this. I have kits for retrofitting most lock cylinders with security pins and much stronger springs that make bumping nearly impossible in a conventional pin tumbler lock.

The best way to prevent unauthorized access is to make it much harder for the bad guy to get a key to make a bumpkey out of, or use a lock that doesn’t work with bumpkeys. Give me a call if you are concerned about your property’s security. I can give you options for different ways to improve your property’s defenses.

So you came back home or to the office and put your key in to your lock to unlock the door. Except… your key won’t go into your lock! You look at the key hole and see the unmistakable signs of glue or silicone sealer or something! Why were you so short with the missionaries/girl scouts/stranger a few days ago who came to your door? What do you do? All is not lost…

If you are lucky there is more than one way to get into your property and the other entry lock is not glued. If that is the case then all you have to do is go in through the functioning lock. You can fix or replace the lock with glue in it. Take the cylinder out of the lock if you are able and suspend it in 100% pure acetone, available from your local pharmacy, for 24 hours. If the lock is really cheap then just buy another lock for $10, but if it is really expensive it can be fixed.

If the glued lock is securing  your only entrance then you have a big problem. Even if you call a locksmith they won’t be able to pick the lock, they may have to use destructive entry. The two possible methods that can  be used are torching the lock to burn the glue off, or drilling the lock cylinder so that it can be bypassed. Locksmiths try to drill out just the pins because then they can use a smaller cheaper drill bit and also because then they can replace just the lock cylinder. Typically anybody who uses a bit larger than a 3/16 inch bit doesn’t know what they are doing. Since the cylinder is glued, a larger bit will have to be used or a different part of the lock will have to be drilled.

How do you prevent getting locked out because of vandals with glue? Consider getting keyless entry for your door. If you buy an August deadbolt, you can unlock your door even if your key hole is filled all the way with superglue. It only costs about $200 and thirty minutes’ time to get it on the door. If you have more money you can install an Alarm Lock Trilogy that uses fobs. There isn’t anything for miscreants to glue with fobs. People walk up to the lock, hold their fob near the lock, and the door unlocks.

I recently figured out that acetone would dissolve superglue when a locksmith buddy threw three Schlage Primus mortise cylinders on the recycle heap. They retail for $70 each so I bought a bottle of acetone at Rite-Aid for about $3 and soaked them overnight. The next day I got one open, generated a key for it, and it worked on the other two. Just recovered $200 worth of Primus cylinders, though I will only sell them for half price since they are slightly scratched from being carelessly tossed on the heap.

Your key worked fine yesterday! If it isn’t turning today it is probably because the steering lock is engaged. Try turning the steering wheel hard to one side and the other while trying to turn the key.

Try sticking your key in the ignition  and tap it on the end with a hard object like a screwdriver. Also try a small squirt of lubricant like triflow or 3-in-1 oil but not wd40.  Squirt it right down the keyhole and then move your key in and out several times to spread the lubricant around before trying to turn your key. If you are in the middle of nowhere try running your key along your dipstick to transfer some oil onto it. A little bit of oil is all you need.

If you have a Honda or Toyota you may be having problems with split wafers. These are to make it hard to pick the lock. They can wear down and bind inside the lock. Eventually they have to be removed.

Whatever you do, don’t force the key to turn. The wafers in your lock were designed to be stronger than your key so that people can’t just turn your ignition with any random key. It costs much more to remove an ignition with broken wafers and a broken key in it than a working one!

The world wide web has set information free.  Good information and bad information. Recently the Washington Post publicized photos of the TSA’s keys on their website and that was all that was needed for people to start replicating them. When the physical key is displayed then you can mathematically deduce the cuts that need to be replicated. I offer this service for people who have a picture of their key.

The root of this problem is that the TSA relied on security through obsurity, trusting that nobody would ever slip up and publicize a picture of the key, or that the key would fall into the wrong hands. Truthfully speaking, the problem is all a bit silly considering that it would be trivial for a locksmith to take apart a TSA approved lock and make a key from the lock. The whole thing is silly because the TSA approved lock is only meant to work while the baggage is in the control of the airline or the airport security.  Even so, this is an excellent example of security through obscurity, a model which the software industry was forced to abandon decades ago when it became apparent that a lot of people with the requisite brains and time on their hands would figure out how to bypass authentication mechanisms to give their software away for free.

Now, in 2015, lock manufacturers are having to deal with this problem. Actually they have been dealing with it ever since software people started getting interested in hardware security, about ten years ago. Back then there might have even been vulnerabilities that the lock manufacturers purposely built in for locksmiths or government entities.

There are lots of interesting security models in the lock manufacturing industry, and most of them are based on complicated machining of either keys or pins or both.  This, along with patent protections, prevents illicit key blank production. Somebody could study a key blank and make a production run of them but it would be prohibitively expensive and the lock manufacturer purposely releases blanks that are machined differently before the bitting of the key is even a factor.

A new era has donned.  Now people can replicate a high security key with nothing more than a high resolution picture.  I have offered the service of replicating keys by photograph already, but I am talking about 3d copying a very complicated object for $5 if they have an image of the object that allows them to make relatively precise measurements.  Pictures in a newspaper of a key could mean unlocked doors. If the would-be copier has physical access to the key then it is a much easier problem to solve.

The answer to this problem lies in more factors of authentication.  This will probably take the form of physical and electronic challenge and response.  That is, not only will the key probably have to move some pins into the correct configuration but there will also probably be an encrypted electronic communication between the lock and the key, similar to modern cars.  This will be a stepping stone to using your phone as a key and then some other wearable object or implant if I had to guess.

The point of all of this is that you can’t let your keys fall into the wrong hands if the key protects something really valuable, even for a few minutes. If the key is just to your garden shed then the risks are minimal. If the key is to your collection of gold and diamond jewelry that is publicized, you need to make sure that your stuff is secure.

Making sure that you have good security is more than just having an expensive lock. It also means knowing who has the key, making sure that there is accountability for who has the key, and also making sure that not only the lock but the entire building around the lock is secure. If you are securing something really valuable this may mean a fiberglass door and doorframe, reinforced windows and grates, an alarm system, etc. Modern technologies complicate this further requiring that those with the key do not let it out of their sight for even a few minutes. They can also not display the key in public where it might not be photographed.

The alternative is to switch to expensive electronic access solutions.  I can provide electronic security but there are caveats, it is not without its own vulnerabilities. A combination on a lock can be watched from afar. A fingerprint can be duplicated. An iris scan can be duped through methods that can be seen in horror movies. I don’t recommend locks that use biometric security because a fingerprint or iris, once compromised, cannot be revoked (not to mention that with such requirements there is a great incentive to remove an eye or a finger for bypass of the lock, see horror movies). For the truly paranoid the answer is in careful key control and keeping current with lock technologies (and their vulnerabilities). Knowing is half the battle (-G.I. Joe).

Duplicating a key is much harder if you have to duplicate not only the physical form of the key but also spoof the electronic portion.  This cannot be deduced from a high resolution picture. To replicate such a key would require complicated challenge and response spoofs. If such a method of authentication became common, well-meaning staff of higher education would most likely develop methods of circumventing it, just as WEP was compromised. These people are not to be blamed. Even as they publicize these vulnerabilities, people in the former USSR are developing the same exploits at the same speed because they have more to gain than university researchers making less than $40,000 a year. They should be lauded for publicizing these weaknesses because publication forces the manufacturer to update their product. In this modern era those with expensive property cannot rest on their laurels and trust the last generation of security products and its vulnerabilities, because criminals are now researching exploits as quickly as products are manufactured.

I cannot say what the future holds for security. In the near term I can only offer the prediction of a mechanical key with an electronic component, or a completely electronic component. Either way it is a very interesting time to be in the security industry because it is the first time in history that physical security on its own is in some cases no longer enough.

Just got my cloning device in the mail.  I am now in the cloning business.  You are not limited to getting more keys from the dealership. I can clone your key for less money. I can’t do remote head keys with the buttons on them (though my friends at Broadway Locksmith can) but I can clone a transponder key that will start your car and unlock your car door.

My keys won’t have batteries.  Their chips are passively powered through induction by the car’s ignition.

Haven’t figured out my prices yet but it will probably be on par with everybody else except after six pm and on the weekends and holidays.

Today a customer asked a very good question of me: how do you prevent somebody from hiring a locksmith to open your door?  Most locksmiths have a list of prerequisites to fulfill before they will open a door for somebody including challenge-response authentication or by address on a state-issued license, but how do you help them make the right choice?

What if some locksmith gets tricked?  How do you warn a locksmith not to unlock a door for a crazed ex-wife/ex-husband/evildoer?  The best way to warn a locksmith not to enter your home and rekey your lock is to put a sign in a window near the door instructing a locksmith not to open the door for anybody except ___________. An equally good preventative measure is to warn anybody who might try such a thing that you have surveillance cameras and a cadre of lawyers.  Another supplemental is to replace your locks with cylinders that are very difficult to drill or pick.  If you have an expensive lock cylinder with a restricted keyway it will make locksmiths ask questions about who sold you that cylinder, why you don’t ask them to come out and unlock the door or rekey it, etc.  If you have a cylinder with a restricted keyway the likelihood is that somebody has the bitting for that key filed away somewhere.

Be preemptive.   If you suspect somebody is going to try to break in make sure they know that a loud alarm will go off when the door gets opened and they will be videoed opening the door and the video is automatically being uploaded to an offsite location that is password-protected.  Make sure you have legal help against people you are wary of such as restraining orders or at the very least you have filed a complaint with the police against the person or persons to establish a history for the authorities to look at.