Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

03:40 PM
Connect Directly

Lock-Pickers Face an Uncertain Future Online

Teaching the hardware hacker the skill of picking locks is evolving because of the pandemic's lockdown.

Hackers may be stereotyped as introverts, but at hacker conventions as big as DEF CON to more local confabs, you're almost certain to run across at least a few and sometimes dozens of hackers hunched over tables of metal locks and key cylinders, poking at their innards with thin metal picks and rakes. The art of lock-picking, many of them will tell you, is hacker philosophy made real, but the long-time hacker sport has faced an uncertain future since the coronavirus pandemic shuttered the world's social gatherings.

DEF CON's Lockpick Village this year, run by The Open Organization Of Lockpickers (TOOOL.us), was held entirely in a Discord chat server for DEF CON's online-only version of the conference. TOOOL.us representatives declined to comment about the DEF CON event for this story.

Competitive lock-picking dates back to the early 19th century, when lock manufacturers would offer rewards to anyone who could break their wares. Within 50 years, there were public competitions to show off the latest locks and how secure they were. The practice would fall out of favor until computer hackers resurrected it in the early 1990s, and in 1997 the first modern-era lock-picking sport group was established in Hamburg, Germany.

But while computer and online hacking doesn't require a physical presence, its analog counterpart does, says John Gordon, an early member of the Longhorn Lockpicking Club based out of the University of Texas at Austin. The club, with more than 550 members, would see between 10 and 20 attendees at its twice-monthly meetups before the pandemic.

Gordon, who when he's not making locks sit up and dance is a senior cybersecurity risk analyst for the university's Information Security Office, now runs the club — and says that he's declined to host online meetups because they are quintessentially an in-person experience.

"Online meetups never clicked with me. What we provide are people's first lock-picking experiences," he says. "A lot of it is feel. It's like learning to ride a bike; if you get a certain feedback, you know that you're getting close to picking a lock, and there's no relation to digital tools."

Lock-picking stakes can be high. Gordon says that when he bought his house, the first thing he did was change the locks because he recognized them as easily picked.

At its simplest, picking a lock requires a lock or key cylinder to unlock, and a pickset, specialized tools that you insert into the keyhole to fidget with the pins inside the lock. Tweak them in the right order and the lock opens. It's analogous to finding software or hardware vulnerabilities in modern computing, in that the hacker is forcing the lock to open without the "official" key but with the intent of learning more about the system, and ultimately making it safer — as opposed to pwning it for private gain.

But not all lock-pickers agree with Gordon's reluctance to attempt to move the culture of lock-picking online. One of Gordon’s friends, California-based Eric Michaud, has a long history of lock-picking. Currently the CEO of Rift Recon, a security training and products company that includes lock picks and other penetration testing hardware among its wares, in 2005 he was the first to pick Mult-T-Lock's set of stacked pins in a technique that cryptographer Matt Blaze named after Michaud. Soon thereafter, he co-founded the US chapter of The Open Organization Of Lockpickers and this year organized the online Lockpicking Village for July's Hackers On Planet Earth Conference.

Michaud, who estimates he has taught more than 1,000 people how to pick locks, says that sport lock-picking is best taught in person but is too important to wait until the pandemic dies down.

"You need that often in-person instruction because while you can say that you need no more pressure than you use on a keyboard, it's tricky until you do it in person," he says. "But most important is that it needs to be presented in a way that's repeatable so that people can learn the proper techniques," he says. Videos he created for HOPE this year include lock-picking basics, defeating restraints, and bypassing padlocks, lever lock doors, and other similar lock challenges.

It's legal to own lock-picking tools in most states, although there are legal caveats in Ohio, Mississippi, Nevada, and Virginia, and lock-picking tools in Tennessee are banned except for those used by locksmiths. But Michaud stresses the importance of the ethics of lock-picking beyond their legal status.

Sport lock-pickers should not pick a lock that doesn't belong to them without permission from the lock's owner; should not teach lock-picking to someone known to be willing to use the knowledge with criminal intent; and should be aware of any lock-picking restrictions in the jurisdiction they're in before they start lock-picking. (This became a controversial topic in Las Vegas during DEF CON in 2018, when hotel security staff were instructed to confiscate lock-picking tools and other hacker hardware from attendees' hotel rooms without prior knowledge or consent.)

For Corie Johnson, vice president of the Operator Foundation, it was the ethics of lock-picking that helped draw her to the hobby. She got started in sport lock-picking in 2014 from a class taught by Michaud, and learning lock-picking made her realize not only how hardware security could be as important as software security but also that the hobby taught ethics as well.

Just as it changed her, lock-picking will have to change in the pandemic era, she says. "It'll evolve into something that's decentralized, some library of locks, or lock exchange," she says. "This is a problem of all hobbies now."


Seth is editor-in-chief and founder of The Parallax, an online cybersecurity and privacy news magazine. He has worked in online journalism since 1999, including eight years at CNET News, where he led coverage of security, privacy, and Google. Based in San Francisco, he also ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
8/10/2020 | 3:55:35 PM
At the risk of seeming old...
Lots of people learned to pick locks from Foley-Belsaw correspondance courses before the internet.  I think we'll be able to manage.
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-20
A vulnerability of Helpcom could allow an unauthenticated attacker to execute arbitrary command. This vulnerability exists due to insufficient authentication validation.
PUBLISHED: 2021-04-20
vscode-restructuredtext before 146.0.0 contains an incorrect access control vulnerability, where a crafted project folder could execute arbitrary binaries via crafted workspace configuration.
PUBLISHED: 2021-04-20
** UNSUPPORTED WHEN ASSIGNED ** The AdTran Personal Phone Manager software is vulnerable to an authenticated stored cross-site scripting (XSS) issues. These issues impact at minimum versions 10.8.1 and below but potentially impact later versions as well since they have not previously been disclosed....
PUBLISHED: 2021-04-20
** UNSUPPORTED WHEN ASSIGNED ** The AdTran Personal Phone Manager software is vulnerable to multiple reflected cross-site scripting (XSS) issues. These issues impact at minimum versions 10.8.1 and below but potentially impact later versions as well since they have not previously been disclosed. Only...
PUBLISHED: 2021-04-20
** UNSUPPORTED WHEN ASSIGNED ** AdTran Personal Phone Manager 10.8.1 software is vulnerable to an issue that allows for exfiltration of data over DNS. This could allow for exposed AdTran Personal Phone Manager web servers to be used as DNS redirectors to tunnel arbitrary data over DNS. NOTE: The aff...