Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:41 PM
John H. Sawyer
John H. Sawyer

Lock-Picking Popularity Grows

As security professionals, it is easy to get focused only on the technical side of security and forget about the importance of physical security.

As security professionals, it is easy to get focused only on the technical side of security and forget about the importance of physical security.The beauty of security and hacking, however, is that the thinking that goes into circumventing security controls on a computer system can be abstracted and applied to other areas like physical security--bypassing electronic access controls, circumventing physical security systems, and picking locks.

One of the always-popular areas during Defcon is the lock- picking village where attendees can try their hand at picking locks of all types. From padlocks to deadbolts, the lock-picking village is a playground for those new to the practice, hobbyists, and those who treat it as a sport to see who can pick a series of locks the fastest.

I've not spent much time in the lock-picking village in the past, but every year I have friends come back with new sets of lock picks, practice locks, and a passion for "hacking" locks. There has been an entire community that has sprung up from lock picking into what is called "locksport," and this year has seen a couple of new projects to help bring lock-picking to the mainstream.

The first was the release of "Practical Lock Picking: A Physical Penetration Tester's Training Guide" by Deviant Ollam. This is a fantastic book that I highly recommend if you have any interest in physical security. It's a great reference and guide book for getting started with lock picking, learning how locks work, and really motivates you to want to get your hands dirty trying out the techniques covered in the book.

The other project was by Schuyler Towne who created the Kickstarter project called "Lockpicks by Open Locksport." I met Schuyler in the Las Vegas airport on my way back home from Defcon and was instantly impressed with his passion for lock-picking. We talked a bit about Defcon, the "Gringo Warrior" contest, and he pointed out a reference to himself in the book above.

After I got back, I started seeing some chatter on Twitter about the Kickstarter project to create custom lock-picks that included templates, practice locks, and much more depending on the amount you pledged in support of the project. It didn't surprise me to see Schuyler's name and face as the creator after having spent only about 15 minutes with him in the airport.

What's incredible about Schuyler's project is that he started out only trying to raise $6,000 and ended up with nearly 1,200 supporters and $87,407. It's amazing to see the support an and interest in lock-picking.

Just like computer security, the people out there finding vulnerabilities in locks are helping advance the field by demonstrating how easy it is to exploit them. Congrats to Deviant Ollam and Schuyler for helping to educate and bring awareness to the rest of the world.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
4/21/2012 | 7:57:35 PM
re: Lock-Picking Popularity Grows
Lockpicking is awesome!
http://www.lockpickwinkel.nl is a good shop for tools if u need any :)
itsin Europe tho
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-22
Improper authorization in handler for custom URL scheme vulnerability in ????????? (asken diet) for Android versions from v.3.0.0 to v.4.2.x allows a remote attacker to lead a user to access an arbitrary website via the vulnerable App.
PUBLISHED: 2021-06-22
Cross-site scripting vulnerability in Welcart e-Commerce versions prior to 2.2.4 allows remote attackers to inject arbitrary script or HTML via unspecified vectors.
PUBLISHED: 2021-06-22
Cross-site scripting vulnerability in ETUNA EC-CUBE plugins (Delivery slip number plugin (3.0 series) 1.0.10 and earlier, Delivery slip number csv bulk registration plugin (3.0 series) 1.0.8 and earlier, and Delivery slip number mail plugin (3.0 series) 1.0.8 and earlier) allows remote attackers to ...
PUBLISHED: 2021-06-22
NoSQL injection vulnerability in GROWI versions prior to v4.2.20 allows a remote attacker to obtain and/or alter the information stored in the database via unspecified vectors.
PUBLISHED: 2021-06-22
Improper authentication vulnerability in GROWI versions prior to v4.2.20 allows a remote attacker to view the unauthorized pages without access privileges via unspecified vectors.