Today Wired ran an article about Kwikset Smartkey locks and how easily they are compromised. They use nearly the same technique that I use when people are locked out of a Smartkey lock, except that I torque an actual key. They hammer a key blank into the lock so they can’t take it back out. My method, I take the key back out after I am done, and the regular key still works half the time.
The main premise of their argument, however, is correct: Smartkey locks are not that smart. They won’t keep criminals out. Their main use is for low security rental units that landlords want to rekey after each change in occupancy. I know my key looked very worn when I got it from my property manager.
So, in an analysis of what these guys did wrong: They should have tried torquing a nickel key so that they could remove it. This would have two beneficial results: they wouldn’t have damaged the lock face with their screwdriver, and there would not be a key still inside the keyway. There would be absolutely no sign of forced entry. The lock would probably still work. I feel like an idiot for not pulling their grant money for this study, because I could have done this a lot better. On the other hand, maybe they purposely obfuscated the methods I describe because they don’t want to give criminals the ability of forced entry with no forensic signs.
At any rate, the old adage remains true: if the criminal wants into your house, they will get in. The trick is making it look harder to get into your house than your neighbor’s (but not so hard as to attract interest). Kwikset advertises this deadbolt as grade 1, meaning that it can be used thousands of times without failure. I have lots of customers whose smartkey locks have failed after a few years. They seem more likely to fail if poorly copied keys are used in them.
Another thing this video points out is the need for a keyway that is less common or restricted entirely. This method wouldn’t work if these men weren’t able to stick a blank that fit the keyway into the lock. I always offer customers the choice of changing the keyway to a less common one or a restricted keyway for a little bit more money. Then you are far safer from bumpkey attacks, not to mention how much harder picking a lock is if it is not kw1 or wr3. There is a lot of room for manoeuvrability in these latter keyways.

Everybody knows that successfully running a business is a PITA.  You have to constantly be worrying and networking and thinking about your business.  Mine is no different.  Complicating matters is the recent removal of my business’s listing from Google Maps.  You can read about it here.  Or, you can read my summary

1.  Google removes my listing from Google Maps

2.  I ask google why they removed my listing via email as they recommend

3.  4 weeks later they respond and say that my business listing doesn’t meet their quality criteria, and that my business’s category, locksmith, is very contentious.

4.  I renew questions on a thread I started about my deleted listing, because I already made one when google deleted my business listing the last time.

5.  Some guys that hang out in the Google products forums respond, and basically tell me that my business looks sketchy and they can’t tell my business from all of the other sketchy locksmiths around, even though my business is registered with the city and the state and I only have one listing.  They tell me that they would reinstate me, but they just don’t have enough evidence that I run a legitimate business.  They suggest I should join ALOA amongst other things.  Apparently seeing my business registered with the state is not enough for them.  They also suggest that my business name is an example of keyword stuffing, even though my business name is succinctly expressing my location and my profession.

This all reminds me of the time my parents started a winery, and the city of Lacey made up some arbitrary rule that they couldn’t have a sign on the freeway advertising a winery unless they also had a vineyard.  So my father planted a grape vine next to the door of the warehouse we are using as our winery.  Unfortunately, these guys want me to jump through far more hoops.

I am getting more business now than I ever have before thanks to positive reviews on yelp and also references from happy customers, so now I am just tilting at windmills trying to get reinstated because I am angry about getting kicked off of Google Maps while a bunch of obvious scammers’ listings remain.  I report all of these listings, and yet they remain.  As a result of Google’s actions I am planning on running my own email server and weaning myself off of all google services including gmail, which I happily used for the last decade and also set up those I know who are technically inept with.  Harder will be the process of removing their software from my Android hardware.

If you are a locksmith thinking about paying for adwords, don’t bother.  Just go with Yelp.  Yes, they charge more per click, but you are going to get a better return.  Nobody is going to click on your ads on yelp trying to learn how to lockpick in a video game, or find out where to buy a deadbolt.  And chances are after you invest $800 in adwords like I did, Google will decide that your business isn’t real and delete your business listing from Google Local, a.k.a. stab you in the back.  So, consider yourself warned.

Update: It has been almost two months since Google deleted my listing and I am still waiting for Google to tell me what I did wrong.  The most they can tell me is this:

Thanks for contacting Google. Your account has been suspended due to quality violations and we will be unable to assist you further. For more information on our quality guidelines, please see this article: http://support.google.com/places/bin/answer.py?hl=en&answer=107528

 

Sincerely,



Mike S

Months ago I was pondering taking apart a car’s authentication system and using a car ignition as my front door lock due to the added security of transponders and the car’s ECU, which is two-factor authentication, somewhat rare on consumer door hardware. Today I noticed that manufacturers of door hardware have caught up with the times and I would be reinventing the wheel. Mul-T-Lock has had two factor authentication for some years now, but “unikey” has just come out with their “Kevo” lockset which interacts with Bluetooth 4.0 devices.
Apparently all you have to do is touch the lock while your phone is in close proximity. Knowing the distance that Bluetooth can go, I wonder if somebody could amplify the signal and unlock the Kevo by touching it while you are inside, if the phone is within 30 feet or so of the lock (distance required by bluetooth to work). According to this article the lock can determine if you are inside or outside, so this may already have been addressed by the manufacturer.

Most interesting to me is that the Kevo has the ability to share e-keys to different people’s phones, including one use only e-keys.  Unfortunately, the only devices able to interact with the Kevo at the moment are iOS devices, though android apps are in development.  Probably iPhone owners are the only ones who would buy a $200 deadbolt that works with their phone anyway.

A competitor that also offers these abilities is “Lockitron”.  Interestingly, they have engineered their lock to be connected to your wireless network allowing the owner to lock or unlock the door remotely from anywhere in the world they have internet access.  I imagine it is only a matter of time before somebody figures out how to defeat the security of this detail, if this lock becomes more popular.

There are some crews around the Seattle area pillaging mailboxes and using the information gleaned from their bounty to steal your identity!  One thing you can do to prevent this is to get a locking mailbox.

Before you go out and buy a locking mailbox though, you have to know what kind of locking mailbox.  Sometimes the mailman won’t deliver your mail because the slot isn’t big enough!  Take notice of the size of your daily mail deliveries, because the thickness of these deliveries is the necessary dimensions your mailbox slot must have at a minimum.  Otherwise, the mailman will claim the slot isn’t large enough and you will have to go to the post office to get your mail that wouldn’t fit!

While on the subject of mailbox locks, I will change a mailbox lock or install one for $65 flat, no fees, service call already included, parts already included.  You can also see my mailbox lock page to view a video on how to change them yourself.

Today a charming lady called me because she was locked out of her car.  After making quick work of opening the 2003 Saab, I returned to my own car to get back home before my better half.  In my haste, I inserted my motorcycle key into the ignition.  It felt like the first tooth might have cleared two wafers.

It was interesting being the 1% of people who could remove the key without actually getting any additional tools.  A lockpick was all that was necessary for manipulating the stuck wafers out of the way and getting the motorcycle key out.  It made me think what would happen to somebody else though.

For people without lockpicks or a firm understanding of how locks work, getting your key out will be more difficult.  The first step is of course to wiggle and pull the key lightly.  If you pull too hard you could bend the wafers and damage the lock.

The second step is to find something really thin made of metal, like a hacksaw blade.  You have to stick it in alongside the stuck key, right down the middle.  Then, you move it up and down and try to visualize what it is getting stuck on.  If you feel something that won’t move easily, try pushing slightly harder.  Hopefully it is the wafer that is sticking.

Of course, this whole process has an added level of complexity if you have successfully turned the ignition partially with the wrong key.  Then you have to torque it back into the position for taking the key out before performing the above steps.  You can also possibly remove the entire ignition if you have turned the key and more easily manipulate the inner workings of the ignition, assuming it is the type where the wafers are visible.  Don’t bend it too hard or you will shear off the key!  The best way to accomplish this is with some vicegrips and grip as close as possible to where the key comes into contact with the keyway.

Of course, if you mess anything up this was just friendly advice and I am not to be held liable for your own dumb self.  Call a pro if you can’t get it!

If you are like most Seattlites, you have a wireless access point transmitting and receiving your data for all the world to listen to.  If you are smart, you will encrypt this traffic using WPA2 using a complicated passphrase involving letters, numbers and symbols.  If you are really cagey, you won’t transmit information wirelessly at all but use ethernet cables.

The reason for this paranoia is that there are entire linux distributions written for the express purpose of decrypting your passphrases and gaining access to your wireless network, where various actions of ill intent can be taken such as hijacking your internet sessions with facebook or even worse your bank, accessing your financial records and important information about you that can be used to steal your identity, etc.  This can also be accomplished by those with less technical knowhow by applying elbow grease and digging through your trash.

How to prepare against this possibility?  Put a passphrase on your wireless internet.  Shred important documents.  Practice good computer security, i.e. don’t set up data shares without passwords on your home network.

There are programs available that can let somebody crack WEP in a few seconds flat, if the password is easy.  Likewise for windows user passwords.  Therefore, use strong encryption like WPA2 and use complicated passwords, and especially don’t use common passwords like the word password, because people who like to compromise networks have built dictionaries (called rainbow tables) of the most common passwords and can cycle through the 5000 most common ones in ten seconds.

If you are concerned about lending out a key to somebody and then they go to the hardware store (or Fred Meyer’s) and copy it and then give it back to you without telling you that they still retain a copy, you can prevent this hypothetical problem with getting keys in a restricted keyway.  This means that the profile of the key looking at it when pointed at your eye will be a different shape than fits in other locks.  This also means that people can’t buy the same key blank, and thus can’t copy your key.  If they had detailed information about the key they could copy it, or they could use a lost wax method or something to copy the key with a different medium than pre-cast key blanks.  They will also have to go to a great deal more trouble to do so however.  More trouble than simply pulling your door off with a tow hitch or blowtorching through your wall, etc.

The point of all of this is that with a restricted keyway, you can protect against a lot of scenarios involving security breaches that you can’t protect against if you have a common keyway.  The costs are minimal: changing your keyway won’t break the bank.  You are also not tied to my business.  If you want you can pay another locksmith to change the keyway.  If you want key copies however you have to come to me, and I maintain a database of who has what keys, and if you aren’t the same person who bought that key I will call the person in my database for that key.  That is called key control management, and it means that nobody has the key unless you give it to them.

When I rekey people’s houses I always ask if they would like one knob or lever to be keyed differently to allow them to give out a key to workmen.  On days when workers are expected, the deadbolt can be left unlocked and entry is permitted by unlocking the knob or lever.  When entry by people without the common housekey is not desired, the deadbolt is left locked.  This allows you to maintain a relatively safe and secure house though it still leaves you vulnerable to impressioning, picking and bumping.  Criminals don’t usually employ these methods but it is worth thinking about to employ a keyway that makes it almost impossible to use a bumpkey or impressioning on.  Such a lock is still susceptible to picking, but I also offer the upgrade of anti-pick pins which will defeat those of common criminal lockpicking skill.  If your door is thick and your door frame is secure and your lock is grade 2, with a restricted keyway and anti-pick pins you are going to be nearly unassailable.

For those who are interested in the most reasonable prices, I can also give you a less expensive keyway that isn’t restricted, but is old and unused by most and only a locksmith will probably have access to the same key blank.  Let me know!

Today I was reading lock related periodicals as I am wont to do when time weighs heavily and I came across some interesting information regarding masterlock.  Nobody thinks of this company as producing anything that could be called high security as everybody knows somebody that can open their combination locks using a pop can or by listening to the clicks and writing down numbers and doing a small amount of number crunching.

Apparently masterlock did a study on bumpkeying locks and figured out a way to prevent it.  Unfortunately the changes they made to their locks make it even easier to pick them.  You can turn the plug after setting 3 of the 4 pins!  They have always been easy to impression as well.  The silly part is that their locks are now being marketed as “high security” and “ultra security” at Home Depot even now.  Of course, none of this will stop anybody who has a $35 bolt cutter found farther down the store a few aisles, or even a digging bar that will fit in the shackle.

The best security against bumpkeying to my knowledge without buying better locks is to retrofit your locks with higher tension springs and spool pins or serrated pins.  These won’t stop bumpkeying but they will require about ten more taps which is enough to make burglars think twice in the middle of the night.  A well-lubricated Kwikset lock with no security pins only requires one or two taps, for comparison’s sake.

Some days we start at 5am and don’t stop working until after midnight.  There’s plenty of time for a nap in between jobs though!