RESPONSE TO ALOA PRESS RELEASE
By Marc Weber Tobias
On August 28, ALOA posted a press release regarding recent
publicity about the vulnerability of pin tumbler locks through the
use of the bump key. Although not named, ALOA was clearly pointing
the finger at myself and my associates who have made public the
security issues from bumping that affect most mechanical
cylinders, including those employed by the U.S. Postal Service and
Mail Boxes Etc. Although I have always supported the goals of the
organization, because of the position taken by ALOA, I felt
obligated to respond.
First, their press release, see: http://aloa.org/pdf/bumpkeys.pdf
The ALOA Position
From their brief statement, ALOA evidently believes the following
to be true:
- I and others (including some locksmiths) have made information public that was heretofore secret and unknown to the general public;
- We made statements that burglaries have resulted from the use of bump keys in an effort to scare and “unduly alarm” the public;
- The public does not need to know about bumping, nor were they at risk prior to the public disclosure;
- Bumping now poses a serious threat to security but prior to the media coverage, it did not;
- The recent publicity will only serve to educate criminals and does not serve any other legitimate purpose;
- No locksmith or member of ALOA should be making any public statements about bumping and why it is a security threat.
ALOA clearly believes that “security through ignorance” should
be the rule. If nobody knows about a vulnerability, then it does
not pose a threat. Evidently, if we
“kill the messenger” that will surely take care
of the problem! Unfortunately, the criminals have known about
bumping for quite some time, as have the sports lock picking
groups. The vast majority of consumers were not aware of the
insecurity of their locks. Amazingly, some manufacturers were also
unaware of the vulnerability. I just met with one of the largest
lock makers. They stated that they had no knowledge of bumping
until they saw the news reports and read articles on the Internet.
Some manufacturers have publicly attacked the concept of bumping,
stating that it does not work on their locks, notwithstanding
multiple reports and videos to the contrary. “Smoke and
mirrors” is how one leading high security lock manufacturer
described bumping. To make such blanket statements, by any
manufacturer, is arrogant, denotes a lack of knowledge of the
subject, is deceptive and misleads the consumer.
Perhaps the leadership of ALOA and some lock manufacturers might
want to come up to speed on the new method of bumping. When
reporters and kids can open the cylinders that locksmiths sell,
there is a problem. Everyone that relies upon locks has a right to
understand it so they can assess their own risk and take the
appropriate steps. If we follow the ALOA logic, they and the
locksmiths and security professionals are the only ones that
should understand the problem and the inherent risks.
Unfortunately, the vast majority of lock users do not get to deal
with these experts, but have to make their own decisions.
The Facts
Since 2004, there has been a significant amount of publicity in
Europe and on the Internet about bumping, including many videos from all
over the world showing how to open locks. I was interviewed on our
statewide CBS affiliate in 2004 and 2005 with regard to bumping
and the vulnerability of post office and UPS mail box locks. In
addition, I wrote a detailed article on the subject in Keynotes in
2005, as well as covering the subject in my book.
In December, 2005, I began consulting with the Postal Inspection
Service regarding the vulnerability of their locks to bypass by
bumping. They were not aware of the seriousness of the problem
prior to my initial meeting with them and immediately escalated
the matter to the highest levels in Washington. I believed this to be a serious problem that needed to be
urgently addressed due to the increased publicity that bumping was
receiving. I waited four months before publishing a report in
order to give the postal service time to respond.
They did not request that I not publish my
report. In fact, some management-level employees advocated that I
should make the findings public so that enough attention would be
drawn to the issue that something could be accomplished in
Washington. I also recommended and continue to advocate that the postal laws
be changed to prevent the trafficking in pre-cut bump keys. The
Postal Service has issued a statement indicating that they have
identified several security vulnerabilities and are addressing
them, and have also begun replacing all post office box locks with
a new design. That is a direct result of the media attention to
the subject and clearly serves the public interest.
In March, 2006, a detailed report was issued
by Consumers Reports in the Netherlands. Their findings examined the test results that were obtained in
evaluating about seventy lock manufacturers’ products. This was
a joint effort between the police, consumer reports and the Dutch
sports lock picking group, known as TOOOL. That article stated
that a majority of the locks could be opened without difficulty,
even some with high security ratings. As a result of that
publication and after consulting with a number of manufacturers in
Cologne, I posted a White Paper on www.security.org
that detailed the real threat from bumping and the legal issues
involved.
In July and August, I lectured in New York and Las Vegas
at the international hacker conventions. According to ALOA, these
are gatherings of criminals and persons of “questionable
character.” The fact is, most attendees are corporate IT
professionals, security managers and government agents. At
Defcon in Las Vegas, I lectured with Matthew Fiddler, a security expert employed by a
Fortune 100 company. Barry Wels, one of the leading experts on
bumping and the person who is most responsible for bringing this
issue to light in Europe, co-presented with me at the New York
conference.
The security vulnerability of pin tumbler
locks affects just about everyone and it did not take the news
media long to figure it out, especially when a young girl
demonstrated opening a popular five pin cylinder in seconds with
no prior experience. Now,
many locksmiths are speaking out and acknowledging the problem and
working to fix it. In my view, this is the responsible thing to
do.
I challenge ALOA to produce one article or
press release that stated that criminals had utilized bumping to
effect entry! The media has asked for such information, but it has
not happened in any widespread fashion, even with the publicity
during the past two years. Bumping is a real threat, but there is
a remedy: just install better locks. Nobody has said that there is
an outbreak of burglaries, but there surely could be, and that is
precisely the issue. Why is ALOA so concerned about letting the
public in on their “secret?” Maybe it is because just about
everyone is affected and they can understand the simplicity of the
attack and thus its potential danger.
Does ALOA really believe that we should have
waited for the criminals to deploy bumping as a popular and common
method of entry before we warned the public of the threat? Who
would that policy place at risk? Does ALOA actually advocate
trying to keep security vulnerabilities secret when it affects
millions of people, hoping that nobody will find out? This is not
the kind of problem that the manufacturer can easily remedy,
especially in the hundreds of millions of locks that are already
installed. So should we place everyone at risk, or should we give
them the opportunity to opt for more security and upgrade their
locks?
Just how would ALOA go about warning the
consumer to even give them that option? If this was a
vulnerability that was in a product that did not affect a large
segment of the population, then I would say to let the
manufacturers quietly do a recall or fix the problem. But that
course of action would not work in this case. So, there are only
two options: keep quiet and allow widespread losses to occur that
would place millions of people at risk, or warn them. And if we
opted for the first alternative, keeping quiet, and the media
learned of the vulnerability, then just how would ALOA, as the
representative of the locksmith community, explain the fact that
they knew about the potential security vulnerability for many
years but failed to do anything about it? Their answer would
surely be interesting!
The locksmith, in my view, should be
proactive and suggest, where appropriate, an upgrade to better
locks. Of course, there is a problem in doing this, as I am sure
ALOA recognizes: the locksmiths would have to admit that they
knew, but said nothing about the vulnerability in the locks that
they have been selling. But then again, perhaps ALOA should be the
one to respond to that issue, given their policy of non-disclosure
of security defects to the end user.
The real question for ALOA is why they have
not been pushing the lock manufacturers to deal with this problem,
given that they have known about it for so long. The illogic is
striking. If ALOA and their members have known that they have been
selling and installing locks that could be easily bypassed, why
would they continue to do so and place their customers at risk
without warning them? The short answer, but not a good one, is
that ALOA prevents its members from disclosing defects in any
detail to the public. Why would that be? Surely it could not be
linked to revenues received from those very same manufacturers and
institutional organizations who are concerned with their embedded
base of assets which could be at risk, to say nothing of the
potential for lawsuits for negligence and product
misrepresentation that could result!
For ALOA to state that the technique of
bumping was not public information prior to July is untrue and
they know it. Evidently, they believe that there are still secrets
and that the public does not have a right or a need to know about
vulnerabilities in the locks that they purchase and rely upon for
security. The reality is that there are no more secrets! The
Internet took care of all of that. This is not the eighteenth
century with locksmith guilds, where information about locks was
tightly controlled. This
is the twenty-first century, where information about everything is
instantly accessible. And if you really think that you could
publish a general and vague warning about the security of pin
tumbler locks but not specifics, it would take about twenty-four
hours for detailed reports to start showing up on the Internet!
I believe that ALOA prevents locksmiths from
disclosing specific security vulnerabilities to the public to
their detriment. I have advocated, as a lawyer, that this is bad
public policy, irrational, and will ultimately lead to liability
on the part of both the locksmith and ALOA. The public relies upon
the locksmith as their first line of security. If they sell cheap
locks, like the one the eleven-year-old girl opened in seconds in
Las Vegas, they have an obligation to warn the prospective purchaser of the
risks in using such products. By doing that, they would be acting
responsibly, meeting their legal obligations, and most
importantly, fulfilling their ethical duty. I know some locksmiths
disagree with me on this point, and they made their views known
two years ago after I posted an editorial in Keynotes on the
subject of liability and full disclosure. But at the end of the
day, full disclosure is the best policy. An educated consumer
makes for a better customer, and a more secure one.
ALOA’s contention that the public does not
have a right or a need to know is irresponsible and without logic.
The public, not the locksmith, should be making security decisions
based upon a full understanding of the risks, whether from
bumping, the compromise of master key systems, or other simple
methods of attack. This means that they should understand how easy
or difficult it is to open a cylinder, then make their own
judgment as to whether that cylinder provides sufficient security.
A failure to disclose security vulnerabilities will subject the
locksmith to civil liability for misrepresentation and negligence,
should there be a loss or injury resulting from the failure of the
locks that were recommended by him. I can guarantee that ALOA
would be joined in any such lawsuit, because the locksmith would
look to them for compensation, claiming that they were following
the ALOA mandated policies on disclosure.
Might I suggest that rather than attacking
“misguided individuals” for making a potentially serious
problem public, which ALOA has now admitted is a significant
security threat to everyone, they should be taking the lead to
deal with the real issues. Specifically, I would urge them to:
1. Change their rules to allow locksmiths to educate the public in security vulnerabilities of their products;
2. Form an industry-wide consortium of manufacturers to improve the current technology to frustrate bumping;
3. Educate the consumer with regard to the availability of high security locks;
4. Encourage and work with sport lock picking groups to identify security vulnerabilities. It will help everyone, and the fact is, these groups are now operating in America. ALOA should view them as allies, not enemies. The fact is, some of their members are professional locksmiths, safe technicians, and Fortune 100 security professionals responsible for the protection of critical financial assets in America;
5. Join me in proposing legislation to prohibit the sale of pre-cut bump keys through interstate commerce. Currently, postal regulations specifically exempt bump keys from all such prohibitions. Many sites are now selling these keys and are placing everyone at risk;
6. Work with UL and other standards organizations to ensure that high security ratings encompass bumping;
7. Work with lock manufacturers and encourage them to provide warnings on their product packaging that alert the public about security vulnerabilities in their locks. The public needs to know what they are buying and the attendant risks;
8. Work with major retailers such as Home Depot and Lowe’s to encourage them to only sell locks with appropriate warnings on their packaging. Consumers that purchase these locks do not generally have the benefit of dealing with a locksmith, yet they need the information;
9. Propose legislation that makes the possession of bump keys by unauthorized individuals equivalent to the possession of burglary tools.
In my view, ALOA and every locksmith should
recognize that bumping is perhaps the most efficient method of
bypass of a conventional pin tumbler cylinder, and thus the most
serious threat. Virtually every conventional pin tumbler lock is
at risk. Why not address the issue head-on and educate the public
to upgrade their locks, where warranted? The locksmith is the
first line of defense, and bumping can provide a real opportunity
to serve the public and enhance their security. They should
embrace that potential, not attack those who have dared to bring
this problem to light. Millions of pin tumbler locks were insecure
long before I or my associates brought the issue to the public.
Media attention has served the public interest. At least now, they
understand their vulnerability and can choose to do something
about it. If they elect to ignore the risk, that is their
decision, but at least now they have the knowledge to make that
judgment.