Hackers may be stereotyped as introverts, but at hacker conventions, from ones as big as DEF CON to more local confabs, you're almost certain to run across at least a few and sometimes dozens of hackers hunched over tables of metal locks and key cylinders, poking at their innards with thin metal picks and rakes. The art of lock-picking, many of them will tell you, is hacker philosophy made real, but the long-time hacker sport has faced an uncertain future since the coronavirus pandemic shuttered the world's social gatherings.
DEF CON's Lockpick Village this year, run by The Open Organization Of Lockpickers (TOOOL.us), was held entirely in a Discord chat server for DEF CON's online-only version of the conference. TOOOL.us representatives declined to comment about the DEF CON event for this story.
Competitive lock-picking dates back to the early 19th century, when lock manufacturers would offer rewards to anyone who could break their wares. Within 50 years, there were public competitions to show off the latest locks and how secure they were. The practice would fall out of favor until computer hackers resurrected it in the early 1990s, and in 1997 the first modern-era lock-picking sport group was established in Hamburg, Germany.
But while computer and online hacking doesn't require a physical presence, its analog counterpart does, says John Gordon, an early member of the Longhorn Lockpicking Club based out of the University of Texas at Austin. The club, with more than 550 members, would see between 10 and 20 attendees at its twice-monthly meetups before the pandemic.
Gordon, who when he's not making locks sit up and dance is a senior cybersecurity risk analyst for the university's Information Security Office, now runs the club — and says that he's declined to host online meetups because they are quintessentially an in-person experience.
"Online meetups never clicked with me. What we provide are people's first lock-picking experiences," he says. "A lot of it is feel. It's like learning to ride a bike; if you get a certain feedback, you know that you're getting close to picking a lock, and there's no relation to digital tools."
Lock-picking stakes can be high. Gordon says that when he bought his house, the first thing he did was change the locks because he recognized them as easily picked.
At its simplest, picking a lock requires a lock or key cylinder to unlock, and a pickset, specialized tools that you insert into the keyhole to fidget with the pins inside the lock. Tweak them in the right order and the lock opens. It's analogous to finding software or hardware vulnerabilities in modern computing, in that the hacker is forcing the lock to open without the "official" key but with the intent of learning more about the system, and ultimately making it safer — as opposed to pwning it for private gain.
But not all lock-pickers agree with Gordon's reluctance to attempt to move the culture of lock-picking online. One of Gordon's friends, California-based Eric Michaud, has a long history of lock-picking. He is currently the CEO of Rift Recon, a security training and products company that includes lock picks and other penetration testing hardware among its wares. In 2005 he was the first to pick Mul-T-Lock's set of stacked pins, using a technique that cryptographer Matt Blaze named after Michaud. Soon thereafter, he co-founded the US chapter of The Open Organization Of Lockpickers, and this year he organized the online Lockpicking Village for July's Hackers On Planet Earth Conference.
Michaud, who estimates he has taught more than 1,000 people how to pick locks, says that sport lock-picking is best taught in person but is too important to wait until the pandemic dies down.
"You need that often in-person instruction because while you can say that you need no more pressure than you use on a keyboard, it's tricky until you do it in person," he says. "But most important is that it needs to be presented in a way that's repeatable so that people can learn the proper techniques." Videos he created for HOPE this year include lock-picking basics, defeating restraints, and bypassing padlocks, lever lock doors, and other similar lock challenges.
It's legal to own lock-picking tools in most states, although there are legal caveats in Ohio, Mississippi, Nevada, and Virginia, and lock-picking tools in Tennessee are banned except for those used by locksmiths. But Michaud stresses the importance of the ethics of lock-picking beyond their legal status.
Sport lock-pickers should not pick a lock that doesn't belong to them without permission from the lock's owner; should not teach lock-picking to someone known to be willing to use the knowledge with criminal intent; and should be aware of any lock-picking restrictions in the jurisdiction they're in before they start lock-picking. (This became a controversial topic in Las Vegas during DEF CON in 2018, when hotel security staff were instructed to confiscate lock-picking tools and other hacker hardware from attendees' hotel rooms without prior knowledge or consent.)
For Corie Johnson, vice president of the Operator Foundation, it was the ethics of lock-picking that helped draw her to the hobby. She got started in sport lock-picking in 2014 from a class taught by Michaud, and learning lock-picking made her realize not only how hardware security could be as important as software security but also that the hobby taught ethics.
Just as it changed her, lock-picking will have to change in the pandemic era, she says. "It'll evolve into something that's decentralized, some library of locks, or lock exchange," she says. "This is a problem of all hobbies now."