|
OPENING LOCKS BY BUMPING IN FIVE SECONDS OR LESS:
IS IT REALLY A THREAT TO PHYSICAL SECURITY?
A detailed technical analysis prepared by Marc Weber Tobias
Bumping of Locks: Legal issues in the United States
IEEE on HOPE 2006, July 26, 2006
NEWSWEEK MAGAZINE, August 2, 2006, “Bumping”
A report was released on March 22, 2006 in the Netherlands regarding
the vulnerability from bumping of more than 80 different pin tumbler locks that are manufactured or utilized in that country.
The findings were researched and produced by Dutch Consumentenbond, the most prestigious Dutch consumer protection organization
. This study was largely
the result of significant research that was conducted by Toool, “The
Open Organization of Lock pickers” in the Netherlands with regard to the vulnerability of certain cylinders.
Their tests and that of Consumentenbond demonstrated that
many locks could be opened within seconds by an unskilled
individual with less than one hour of instruction.
The
author previously addressed this issue in LSS+, the
multimedia edition of Locks, Safes and Security, and
in an article published in the ALOA magazine KEYNOTES in January, 2005. A White Paper had also been issued by members of
Toool. Although the Netherlands tests showed that many
locks could easily be opened with little skill, there are many
variables that can affect the ability to compromise a lock in this
manner. As a result, a detailed analysis of the threat level to
physical security posed by bumping is now available.
USPS
AND UPS MAIL BOXES CAN BE BUMPED OPEN IN SECONDS
  
An
investigation by the author has determined that millions of public
and private rented postal
boxes are at risk because they can be easily opened with a bump
key. The Postal Service has used the same five-pin tumbler lock
for many years in its rented boxes that are located in post
offices throughout the country and on military bases. Although
these locks employ a restricted keyway that is only to be used by
the post office, we found that blanks are commercially available
that can easily be made into bump keys. We were able to purchase
post office locks and keys on the Internet without any difficulty.
Further, any post office patron can obtain as many original keys
as needed for their rented box, thus the supply of original blanks
for bump keys cannot be prevented. A video demonstration and
briefing is
available to law enforcement agencies.
There
is a significant problem with theft of mail. Bump keys combined
with twenty-four access to most post offices may exacerbate the
problem and make it easier to target specific individuals or
businesses for mail theft or interception. Many high profile
individuals as well as corporations utilize box addresses,
believing that they are more secure and that they have insulated themselves
from surveillance, invasion of privacy, harassment or identity
theft issues. The ability to target a mailing address and access
mail through the use of a bump key is, in the view of the author,
a serious threat which needs to be addressed and which will surely
focus attention on bumping as a bypass technique.
In
some cities, thieves have already obtained keys to fit postal
collection boxes. These same keys allow entry into apartment
complexes, potentially placing all residents and their mail at
risk. The Postal Service has already taken steps to deter this
practice. Unless all public and private mail delivery boxes
utilize bump-resistant locks, this threat is likely to increase.
Higher security locks should be offered to all box rental patrons
who are concerned about the threat from bumping.
  
UPS
also offers private mail boxes in thousands of locations
throughout the world as a result of their acquisition of Mail
Boxes Etc. (MBE). These boxes are secured by locks that cost about
one dollar to manufacture in Asia. Although several different
keyways are used throughout the system, the vast majority of these
locks can be opened in seconds with a bump key or other means.
Blanks are readily available from commercial vendors and are
easily cut. Many UPS mail locations offer 24 hour access. In the
facilities that we examined, there was no real security against
unauthorized entry to boxes by thieves. You may contact the author
for further details at mwtobias@security.org.
PRODUCT SECURITY ALERTS
Information is provided about locks, safes, and other security products which have been
found to be defective, or allow bypass without special skills. Locations and facilities using
such devices, where applicable and relevant, are also identified, in order to apprise the
consumer, law enforcement, security management, and legal counsel, of potential risks
associated with the use of such security devices. The Alerts and Reports shown
in this area are available to the public for a nominal fee. No security
clearance on our site is required.
DEVICE SECURITY ANALYSIS REPORTS
Locks, safes, and security products are analyzed for bypass capability. This material is
restricted to security access clearance level II and above. You must be a registered site user,
and have been granted access clearance to view this material. Reports provide in-depth examination of products, bypass procedures, applicable patents,
specific tools designed for each device, photographic and video documentation, training in
the latest techniques of bypass, and other pertinent information. The user must agree to the terms and conditions of distribution.
Click on the REPORTS icon to view.
Click here to see new
reports and alerts.
|
