
8/10/2020
03:40 PM

Lock-Pickers Face an Uncertain Future Online

Teaching the hardware hacker the skill of picking locks is evolving because of the pandemic's lockdown.

Hackers may be stereotyped as introverts, but at hacker conventions ranging from ones as big as DEF CON to more local confabs, you're almost certain to run across at least a few and sometimes dozens of hackers hunched over tables of metal locks and key cylinders, poking at their innards with thin metal picks and rakes. The art of lock-picking, many of them will tell you, is hacker philosophy made real, but the long-time hacker sport has faced an uncertain future since the coronavirus pandemic shuttered the world's social gatherings.

DEF CON's Lockpick Village this year, run by The Open Organization Of Lockpickers (TOOOL.us), was held entirely in a Discord chat server for DEF CON's online-only version of the conference. TOOOL.us representatives declined to comment about the DEF CON event for this story.

Competitive lock-picking dates back to the early 19th century, when lock manufacturers would offer rewards to anyone who could break their wares. Within 50 years, there were public competitions to show off the latest locks and how secure they were. The practice would fall out of favor until computer hackers resurrected it in the early 1990s, and in 1997 the first modern-era lock-picking sport group was established in Hamburg, Germany.

But while computer and online hacking doesn't require a physical presence, its analog counterpart does, says John Gordon, an early member of the Longhorn Lockpicking Club based out of the University of Texas at Austin. The club, with more than 550 members, would see between 10 and 20 attendees at its twice-monthly meetups before the pandemic.

Gordon, who when he's not making locks sit up and dance is a senior cybersecurity risk analyst for the university's Information Security Office, now runs the club. He says that he's declined to host online meetups because the club's meetups are quintessentially an in-person experience.

"Online meetups never clicked with me. What we provide are people's first lock-picking experiences," he says. "A lot of it is feel. It's like learning to ride a bike; if you get a certain feedback, you know that you're getting close to picking a lock, and there's no relation to digital tools."

Lock-picking stakes can be high. Gordon says that when he bought his house, the first thing he did was change the locks because he recognized them as easily picked.

At its simplest, picking a lock requires a lock or key cylinder to unlock, and a pickset, specialized tools that you insert into the keyhole to fidget with the pins inside the lock. Tweak them in the right order and the lock opens. It's analogous to finding software or hardware vulnerabilities in modern computing, in that the hacker is forcing the lock to open without the "official" key but with the intent of learning more about the system, and ultimately making it safer — as opposed to pwning it for private gain.

But not all lock-pickers agree with Gordon's reluctance to attempt to move the culture of lock-picking online. One of Gordon's friends, California-based Eric Michaud, has a long history of lock-picking. He is currently the CEO of Rift Recon, a security training and products company that includes lock picks and other penetration testing hardware among its wares. In 2005 he was the first to pick Mul-T-Lock's set of stacked pins, using a technique that cryptographer Matt Blaze named after Michaud. Soon thereafter, he co-founded the US chapter of The Open Organization Of Lockpickers, and this year he organized the online Lockpicking Village for July's Hackers On Planet Earth Conference.

Michaud, who estimates he has taught more than 1,000 people how to pick locks, says that sport lock-picking is best taught in person but is too important to wait until the pandemic dies down.

"You need that often in-person instruction because while you can say that you need no more pressure than you use on a keyboard, it's tricky until you do it in person," he says. "But most important is that it needs to be presented in a way that's repeatable so that people can learn the proper techniques." Videos he created for HOPE this year include lock-picking basics, defeating restraints, and bypassing padlocks, lever lock doors, and other similar lock challenges.

It's legal to own lock-picking tools in most states, although there are legal caveats in Ohio, Mississippi, Nevada, and Virginia, and lock-picking tools in Tennessee are banned except for those used by locksmiths. But Michaud stresses the importance of the ethics of lock-picking beyond their legal status.

Sport lock-pickers should not pick a lock that doesn't belong to them without permission from the lock's owner; should not teach lock-picking to someone known to be willing to use the knowledge with criminal intent; and should be aware of any lock-picking restrictions in the jurisdiction they're in before they start lock-picking. (This became a controversial topic in Las Vegas during DEF CON in 2018, when hotel security staff were instructed to confiscate lock-picking tools and other hacker hardware from attendees' hotel rooms without prior knowledge or consent.)

For Corie Johnson, vice president of the Operator Foundation, it was the ethics of lock-picking that helped draw her to the hobby. She got started in sport lock-picking in 2014 in a class taught by Michaud, and learning lock-picking made her realize not only that hardware security could be as important as software security but also that the hobby taught ethics.

Just as it changed her, lock-picking will have to change in the pandemic era, she says. "It'll evolve into something that's decentralized, some library of locks, or lock exchange," she says. "This is a problem of all hobbies now."

 

Seth is editor-in-chief and founder of The Parallax, an online cybersecurity and privacy news magazine. He has worked in online journalism since 1999, including eight years at CNET News, where he led coverage of security, privacy, and Google. Based in San Francisco, he also ...
 

Comments
danielan,
8/10/2020 | 3:55:35 PM
At the risk of seeming old...
Lots of people learned to pick locks from Foley-Belsaw correspondence courses before the internet. I think we'll be able to manage.