A Lock Picking Game Changer [video] (youtube.com)
227 points by DyslexicAtheist 8 days ago | 150 comments

It's a little device sold by the guy who made the video that makes much of his hard-earned muscle memory for lock picking unnecessary. It doesn't replicate his thousands of hours of training but it goes a long way.

It also wouldn't take an Eli Whitney to turn it into an automated gadget that works as a universal key for the most common locks.

This channel does the great service of convincingly demonstrating how poorly most locks secure against a skilled attacker. And that the skill threshold is rapidly decreasing.

What’s fascinating is that it doesn’t seem to matter; most thefts in the US appear to be the result of something being completely unsecured, or via brute force. Chances are someone is far more likely to break your window than pick your lock.

The only ones that really bother me are the firearm locks. A distressingly large percentage of firearm locks he talks about can be opened in seconds by an untrained teenager, which seems incredibly bad to me.

A center punch to the driver's window welcomed me to San Francisco.

I got a $20 radio, and left my truck unlocked, with a sign.

The sign read, "Nap in the back of my truck. Use the seat to rest, but please don't break anything else."

Never happened again, and for a week someone was leaving a $10 in my glove box. Crazy?

I drive an old Toyota Truck, and most of you have nicer cars. Oh yea, I did put a kill switch in the truck.

very similar to this scenario

> George and Kramer begin parking at a discount parking lot. After picking up his car George discovers a condom inside and suspects prostitutes are servicing their clients inside the cars.


The other distressing problem with lockpicking and especially with firearm locks is that a significant part of their security model relies on obscurity.

To be professionally effective, a locksmith must know a lot of trivia about dozens of locks, and you can make that hundreds or thousands if they want to expand to gun safes and bike locks and cars and on and on... For that purpose, the plethora of cheap options is a decent deterrent. No normal burglar is likely to have specialized skills in opening dozens of locks.

But in a targeted attack, if you give any teenager a chance to look at the lock, then a few days to go on the Internet and see someone trivially jiggling the wafer core open, maybe buy an identical lock for $10 and practice their skills, none of the basic products are likely to be effective.

Security by obscurity or security by variety better yet?

Obscurity through variety :)

> Chances are someone is far more likely to break your window than pick your lock.

There are also laws in many states against possession of lockpicks during commission of a crime (esp. burglary). Criminals probably avoid carrying lockpicks because if they are caught, the lockpicks will cause them to face more jail time. Carrying lockpicks while trespassing might also be used to show intent to commit burglary.

In my country, the law requires anyone who possesses a gun to buy a proper safe, where it'd be stored when not used. The country is very safe and the likelihood that you'd ever need to use it while at home is close to zero, however situations where a burglar could walk out with a registered gun and potentially cause endless problems for the owner down the line is more probable, so a good safe sounds like a good idea.

A lot of the wildly insecure locks he reviews came with the guns themselves. Given how many people will go with the default option in any circumstance, this is alarming.

The only reason people buy "nice" locks is because the cheap ones can be fiddly (and it should be obvious why that might be undesirable). Trigger locks are a dumb compliance box-checking exercise that provides little security (for mostly the same bunch of reasons anything short of full disk encryption doesn't help you if you lose your device). Of course they're cheap and crappy by default. Anyone who wants security buys a safe.

Just a heads up, but that safe would need to be mighty hard to dislodge and/or be extremely thick. The long gun safes from Costco are easily dislodged and sawn through. My understanding is the safe should be built into the wall, exposing only its toughest, front side.

Around here the rules are:

- must be approved by the insurance companies (they have a test procedure that IIRC is to have two experienced persons try to break it using anything up to and including hand held power tools)

- must weigh 150kgs or

- be bolted to the floor from the inside

The limitation of turning it into a general tool for common locks is the shape of the keyway. There are multiple versions required because the contours of keys can vary significantly. Similarly, these tools feature the ability to decode the lock so you can actually use the information to make a duplicate of a key without the key itself. A single tool wouldn't do that because the pin lengths can vary for different lock types, and sometimes the distance between pins.

However, something like a pick gun can serve pretty well for a wide variety of locks, with the limitation that they lose some efficacy when a lock has security pins.

I bought a pick gun a long time ago and was pretty disappointed. A pick gun needs a wide keyhole. Most locks I encountered had a zig-zag keyhole.

Yeah, pick guns aren't great for even medium security locks or paracentric keyways. Standard Schlage, Kwikset, Yale... They aren't too bad. But any of their models that allow them to be re-keyed by the end user generally don't use pin & tumbler designs so raking it and pick guns are useless.

>It also wouldn't take an Eli Whitney to turn it into an automated gadget that works as a universal key for the most common locks.

These have existed for a while. https://www.youtube.com/watch?v=JKZ_vJDMJ9A

The mechanism isn't quite the same, but that's because for most common locks, if you're building a machine you don't need pin-by-pin picking.

Correct, Lishi picks are great for single pin picking, and I suspect it might allow dealing with security pins much easier than a pick gun. Such guns are somewhat similar to raking techniques, which are not great with security pins.

I first read about these in a book called "How to get Anything on Anybody" that I bought from the Paladin Press in 1983. They're from the 50's, I believe, and haven't changed much.

The most important general takeaway I have is that you can't rely purely on passive security.

No matter how elaborate your designs, someone will always find a way in given enough incentive. And given enough time, a tricky, narrow exploit gets widened into a highway.

Security is a red queen. You have to run fast just to stay in the same place.

> No matter how elaborate your designs, someone will always find a way in given enough incentive

I'd reverse it. When you realize you need "security" you can't just focus on one or two aspects. You have to figure out what you need security from. A padlock won't stop the government of course, but it will stop a teenager who wouldn't want to leave any trace of breaking it nor know how to pick locks.

Just like storing your cryptocurrencies on a hardware device might protect it against phishing attacks or other technological attacks but it won't stop someone from grabbing you in person and threatening you with a hammer. For that you need physical protection.

So unless you know who you're protecting yourself/your thing against, you won't be able to know what security you really need.

i.e. "threat model"

Be wary of anyone who makes security recommendations without first qualifying their audience's threat model. Unless they understand what they're trying to protect against, it's simply opinionated guesswork, and could even be counterproductive.

I guess my dog is “active” security then.

Depends on the dog. Years ago I had a black lab who slept peacefully right through an entire burglary. They even had to step over him to get to my CD collection.

I’ve got a pack of shepherds. They are all quite active. Even the old guy

There's a whistle that scares all dogs.

Without making them bark?

Yes. They become really scared and go to a safe corner.

Steve/Source: my uncle had burglars while they were sleeping and the dogs never barked.

Yes, that very literally is active security.

> And that the skill threshold is rapidly decreasing.

Especially when you consider how many locks (esp. high tech locks) are vulnerable to low skill attacks (rapping, shimming, magnets).

I don't think it's made by him, it's got a picture of Mao Zedong on it and the guy sounds pretty American. I think he just sources them from China?

> how poorly most locks secure against a skilled attacker.

So which are some of the locks that secure better than most locks?

Those have been around for years, but mostly for car locks. You need a specific one for each kind of lock. They cost about US$40-$80 each, and a full set is maybe 50 of them. For car locks, the make and model of the car tells you which one to use. For door locks, you have to go look at the lock and recognize the keyway, or try different ones. So they're more useful for automotive.

They're really a key recovery tool - you can read out the lock and make a key, as Lock Picking Lawyer does. He has an old manual key originating machine where you can hand-cut a key with specific notches. There are newer CNC machines for that.[1]

[1] https://keyline.it/en/electronic-key-cutting-machines

I would not usually try and end run around someone selling a product, however he is sold out at the moment so I don't feel bad.

These Lishi picks can be had on alibaba and aliexpress for about 1/3 to 1/2 the price he is selling them at

https://www.alibaba.com/showroom/lishi-pick-set.html https://www.aliexpress.com/wholesale?catId=0&initiative_id=S...

Ali has been hit or miss for me. The deals are great, but sometimes products are not as described, the wrong product is shipped, or nothing gets delivered at all, and reaching customer service is not made easy.

The name alone should be enough to convince anyone that these picks are from a Chinese company anyway (does anyone happen to know their official site?) Of course, there are likely to be clones.

Looks like this one, at least this could be their official storefront: https://www.lishigongju.com/

The inventor is Li ZhiQin and the brand is now called Li shi (meaning Mr. Li)

While not judging anyone, buying cheaper from a country that does not have labor laws protecting its workers is IMHO tantamount to buying cheap cotton from southern landowners before Lincoln did his thing.

but buying from the middleman who is "buying cheaper from a country that does not have labor laws protecting its workers" is ok?

Evidence that this isn't a knockoff please.

But also... rarely have I seen both a pro-Communist argument and an anti-Communist argument in the same sentence lol

It's an idea and product by a Chinese guy.

China is as communist as North Korea is a democratic republic.

Just because they call themselves something, it doesn't mean they are it.

it's literally the same product

wait, how do we know it isn't a knockoff?

I guess it's possible that it could be a knockoff, but in any case it would be made in china either way, since the original is also made there, so it doesn't really change anything in relation to the point being made by the parent comment

I'll have to consider the ethics that it's OKAY to steal from a Chinese company if the knockoffs are also Chinese.

You do you. I have a product I designed, and produce, knocked off by a Chinese company and sold on Alibaba. Super Cool.

TFA is an ad. Linking to places with better prices isn't an "end run".

These look amazing! For anyone not aware: lock picking is already easy on most locks. I was locked out of a keyed door in my last apartment once and was able to pick my way back in with no experience, a friend's lock picking kit, and a few YouTube videos. The whole thing took less than 30 minutes.

Since then I've thought of locks more like deterrent than bulletproof security.

>> Since then I've thought of locks more like deterrent than bulletproof security.

Remember, a rock to the window will get someone into your house. A bolt cutter will take off small padlocks. So yes, most locks are there to protect from the casual or opportunistic thief. That doesn't mean we don't need them, of course.

>Remember, a rock to the window will get someone into your house.

Security films that dramatically up the ante on what it takes to go through windows are getting cheap and easy to install. If I had thought about it when I got my windows tinted a few years back I would have just had them added on, especially for my downstairs windows (not sure I would bother with most of the upstairs - I have no trees or easy access to most of them).

There are many simple things you can do to dramatically up the ante on what it takes for someone to molest your stuff. A recent news story talked about people using coat hangers to trip emergency garage door releases, so quickly re-securing it with a zip tie that will break with a solid tug for its real use, but be too hard to break with a wire from outside, is all that was needed to close that "hole".

Need a place to share this kind of stuff for homeowners. I reckon it would probably be a small percentage but still a large number.

Indeed. I've also had to bolt cut my way into a storage unit I forgot the combination to. Bolt cutters could be rented from the local Home Depot and cut my way into my own storage unit with no knowledge from the staff. It was my lock so no damage to the owners.

Yes, my wife was really insistent on our front door being locked while we were inside our apartment. I pointed out to her that our front door was nearly top to bottom glass panes and if someone with ill-intent wanted to gain entry, all they had to do was bust a pane and unlock the door themselves.

True, but if someone wants to get into a house and your neighbor's door is locked and yours isn't, which is the more likely to be entered?

Neither. If you're looking to break into houses, you're not going door to door testing locks.

That's exactly what you are doing. In a large majority of the cases. You can look up security videos all day long on YouTube, thieves will commonly go door to door just looking for an unlocked door or more often, car to car looking for an unlocked door so they can steal the contents.

The exact thing is happening in my neighbourhood on a regular basis in the last year. And in some cases the burglar managed to get away with notebooks and other valuables while the owners were just upstairs for 5 minutes.

How did they know the owners were upstairs?

I'm sorry, but your anecdote smells. If you are robbing houses at random, the last thing you want to do is rob an occupied home. You rob an occupied home for a reason specific to that house or the owner of that house.

Most burglaries happen in the daytime when people are at work and their houses would be locked regardless.

And the most common form of home theft nowadays is package theft. Which isn't going to be thwarted by locking your home since, you know, the package is just sitting on the porch.

Was she reassured?

Does the exposure of security theater ever reassure anyone?

The old saying is that locks are for keeping the honest people out[1]. Over 10 years ago I was able to pick my garage door lock with a pen cap, a bobby pin, and a YouTube video. Around the same time I realized how locks were important as I had friends and family walk into my house because I wasn't answering the door or my phone.

[1] I tried to find who said it, but it looks like there are a ton of variations.

I thought it was "keeping honest people honest".

Most people also forget that the security is vulnerable even before you get to the lock itself. One time I was at the beach with my in-laws and they locked themselves out of the beach house rental. I just whipped out a credit card and slid it in the door jamb. The door opened right up. Another time I misplaced the key to a storage unit in my apartment complex. I just took a small hacksaw and was through the thing in a couple minutes. The only thing it was protecting me from was people who didn't want to steal my stuff in the first place. Anyone with an ounce of determination would have been off with my stuff.

And this doesn't even begin to touch on other vulnerabilities, like the hinges of doors being on the outside. Just take a screw driver and hammer and pop the pins out.

Yep, my first pick on a standard lock took fairly little time. If you're talking about something like a normal house door lock, even a beginner picker, with darkness as a cover, can get through without risking the sound generated by an entry through physical force.

My view is that you choose lock cores based on how difficult you want it to be to pick before it makes more sense to resort to destructive entry.

For a bike lock on the street, a few minutes of picking won't look much different to pedestrians than someone simply struggling with their own bike lock. But destructive removal is much more obvious. (Unless it's a physically flimsy lock, or even a beefy one with a simple bypass vulnerability)

> But destructive removal is much more obvious.

It's much more obvious, but nobody is going to give two craps about you taking an angle grinder to someone else's bicycle lock. Bystanders don't want to get involved, and police don't pay any attention to bicycle theft.

My experience is that the cops don't care a bit about thefts into the mid thousands, even if there's a high likelihood the culprit and their car, probably including the plate were caught on camera multiple times. "We'll have your report for insurance in a week. No, we're not even going to make a couple phone calls to investigate."

Hell, one time a small company I worked for had five figures of gear stolen in a break-in... and then several other businesses in the area did, too. Well over $100,000 (retail) of equipment stolen by the end. Multiple cameras at multiple businesses caught them, including their van and plate number. The cops did the same, "yeah, yeah, here's your report, we don't care" until someone called them while sitting directly behind the van in question and told them they'd found the guys and to get off their asses and do something.

AFAIK nothing was recovered anyway, but I think they were at least arrested. Yay?

I honestly don't know what they do aside from give out traffic tickets and harass people.

That depends-- it's not a great idea to confront a thief, but I think there's at least a fraction of the population that would walk on for a bit & then call the police, and if there's a unit in the area it might at least take a drive-by. Or the thief might be unlucky and have a cop stumble on their effort.

So, yes, destructive lock removal can still be fairly safe for the thief, but there is still a lot of increased risk if you employ a proper lock that would require an angle grinder, and most thieves probably don't bother to carry around tools like that and will simply move on to one of many ample opportunities for an easier target: A handheld compound bolt cutter will cut through inferior locks faster than opening with a key, so why bother bringing bulkier more obvious tools that increase risk even a little bit?

It's not about whether your bike can be stolen: it almost certainly can. It's about making other targets more attractive.

That's why I have an alarm that clips to the disk brakes.

They're considered motorcycle alarms but work on anything with disk brakes.

It also stops the back wheel from turning.

A neighbor of mine recently posted on Nextdoor about his bike being stolen from the Safeway in Menlo Park. Apparently two men looked on from their Teslas and did nothing while the thief used bolt cutters to remove the lock. A nearby woman did go after the thief, but unsuccessfully. The bike was worth several thousand dollars.

I am thinking of getting a Boosted Rev (escooter, $1,600) and have wondered how I would secure it when going into stores. It seems as if any lock under $120 can be snapped by 3-foot bolt cutters (and the more expensive ones can still be easily picked).

I think I would probably get a decent u-lock and also a lock that makes noise and is triggered by even slight motion (to draw attention if someone is fiddling with it).

How does one know that the person trying to cut a lock off isn't the owner of said lock that simply lost the key? And if someone calls the police and they show up, and it is actually the owner of the lock, how does that owner prove it to the cops?

I was surprised to see just how easy these Master Lock key safes are to unlock with a bit of practice. However, when you consider it's not much more effort to pick the door lock anyway I don't suppose it matters much.

> Since then I've thought of locks more like deterrent than bulletproof security.

To be fair most American houses are built such that a reasonably burly person could punch through the wall. I’ve seen friends leave big holes in the wall just from falling down some stairs. Glass windows also are easy to get through.

The problem with lock-picking is that it doesn’t leave signs of a break-in.

I'm sure your friends have probably made holes from the interior drywall and into the wall cavity, but I doubt that hole went through the exterior sheathing or siding. The interior drywall is basically decorative. To get all the way through the wall, you're going to need a bit more than a punch. It could be done with basic tools, but regardless, breaking a window is still a quicker way inside, and most houses around the world have that as a weakness.

You are probably correct.

However I’ve heard fun stories from my part of Europe where most people live in apartment buildings and own their apartment. Armored doors are a popular upgrade.

But nobody upgrades the thin brick wall holding that fancy $3000 armored door ... you can guess what started happening as thieves realized the doors are too difficult and a window on 5th floor isn’t very accessible.

I always remembered this happening in Artemis Fowl :)

And also from a darkweb guide to burglary. "Cut a hole in the door and the alarm won't go off"

I'm 70% sure you are hinting at thieves cutting holes in the wall. The 30% is for stealing the $3000 door. :)

Also punching into a stud behind drywall would not end well…

> The problem with lock-picking is that it doesn’t leave signs of a break-in.

Sorta. Lock picking will leave marks/wear that no key would. So I recommend everyone try to pick their own lock today to make it look like someone picked it for up-to-no-good reasons.

Do not pick any locks you intend to actually use or can't easily replace!

Sure, some locks won't care. But there are some that can permanently jam pins if you don't know what you are doing (and, in some cases, even if you do).

LPL even shows how to create one of these from a fairly ordinary core and some master discs.

Yea at the end of the day it's all about what your threat model is. The strategies you use to defend against overt entry are not the same as the strategies you use to defend against covert entry (although there is overlap).

It would suck to punch through OSB, which is the wall sheathing in most modern US houses.

OSB? That would be a very expensive fix.

There was a while in the 90s/00s when code only required wood sheathing on the corners, and elsewhere you could have just insulating foam sheathing. So if you had vinyl siding, someone could pretty easily break into your house with just box cutters.

Use an axe or a chainsaw.

I bought a set of conventional lockpicks to try out the hobby, but it ended up being so easy it wasn't interesting! I was able to reach competence in a few hours and at that point I didn't want to spend a lot of money to find harder to pick locks or try to improve my speed further. At least it's a nice tactile thing to try out and a useful skill to have in your back pocket in case you find yourself locked out of your house / bike / whatever.

> I bought a set of conventional lockpicks to try out the hobby, but it ended up being so easy it wasn't interesting!

Ordinary pin-tumbler locks with some wear on them are embarrassingly easy to pick. Raking or bumping usually works. Just apply some tension and stick in something that lets you move the pins.

There's a marketing reason for this. If you design a lock that wears out into a locked condition, customers eventually get locked out and are angry. If you design a lock that wears into an easier to unlock condition, customers don't notice.

Just make sure that it's not a felony to have them "in your back pocket" in your state or jurisdiction: http://lockwiki.com/index.php/Legal_issues

Isn't that true of every hobby? Video games are pretty boring if you don't go past pong, etc.

Agreed, it's way too easy for most locks to be interesting as a hobby, but to jump to pick-resistant locks is a huge increase in skill that I never made it past.

So I just treat it as a useful skill to have in emergencies. I leave a set of picks in my cars' glove compartments and a very crude set (a very basic tensioner and a bunch of hairpins) in my yard. Has come in handy a couple of times when I've locked myself out.

Did you try any with security pins, like mushroom pins? These are found where security actually matters, which is rarely the case for a straight pinned padlock.

I was able to open padlocks effortlessly, but my front door deadbolt kicked my butt.

In California, anyone selling a lock pick needs to keep the driver's license number of the purchaser on file and available to police for a year. Other state by state laws on lock picks are at [0].

[0] https://toool.us/laws.html

My guess is the number of crimes that law has prevented or solved is very, very low.

They might catch the oceans 11 crew one day! Just you watch!

One of the dumbest laws on the books.

We have no such law in Czechia. Burglars usually break locks or doors, it's quicker and works every time.

King Louis XVI of France famously enjoyed both designing and picking various locks.

Direct link to the product page for this tool on his website. It wasn't hard to find, but took me a few page clicks:


ELI 5: why do most locks not have security (spool, mushroom, &c) pins? Those are absolutely harder for a beginner to pick, and also provide a measure of security against bumping.

They cost money. The fewer security features you put in, the bigger the manufacturer's cut.

edit: And there are a lot of good lock companies producing quality locks. They just cost like $100 (and way more for doors. A quality Abloy lockbody and the stuff on the frame is like $300+ without work) for a lock while a cheap one costs like $5. Though expensive does not mean good; some are just scams, so be careful/read up on what you are buying.

And still, even these good ones are pickable; they just require hundreds or thousands of hours (and specialized tools) to become good enough to do it reliably instead of 5 minutes.

And for doors once you put a quality lock on it you need a skilled worker to properly install both the lock and the door. Look up some physical pen testing videos online to see how many shitty installs the world is full of. Basically you can get in through so many doors with a small piece of scrap plastic.

Also once you get a really good lock a locksmith (or pretty much anyone for that matter) will not be able to pick it. So if you lose your keys it will have to be broken and then you are out your expensive $100+ lock.

Because almost no burglaries are down to locks being picked.

Even cheap locks are good enough that in most installations they are not the weak link.

This, and there is also a higher probability that you will lose your keys, and picking a simple lock is much cheaper.

I once lost my keys and called a locksmith. He opened the door by reaching through the letterbox with a lever and turning the door handle from the inside.

Because an angle grinder/die grinder works equally well on a very expensive pick resistant lock as it does on a cheapo master lock. Even cheap master locks have reasonably sturdy shackles. The only exception to that, I guess, is truly cheap stuff that bolt cutters work just fine.

Why bother? There's no skill to angle grinding off a lock shackle, literally anyone can do it.

Really a cost/benefit thing. Yes, it does make it harder, but not really so much harder that it's going to keep a significant number of people out. If they were more popular in practice, more people would learn to pick them. They also make the lock more prone to jam, and not as smooth.

As long as a lock is harder than other easy methods of entry (i.e. smashing a rock through your window) it is 'good enough'.

I'm curious: do people expect mechanical locks such as these to continue being used in the future? 20 years? 50 years?

I'm kind of imagining that at some point, someone will "solve" locks, and create a physical equivalent of RSA. I expect that mechanical solutions will be too cost-prohibitive, so is the only route for progress through electronic lock systems? From a few videos on this channel, it looks pretty dire for those, but perhaps the incentive isn't there yet.

My dad's $2500 in-wall gun safe battery died and he couldn't find the key. I made a bet with him I could pick it and he laughed and laughed. I ordered a 7-pin tube pick off Amazon, had it FedExed, and had the safe open in under a minute (shocked myself, I'm not bragging, honest). I got a fancy dinner out of it.

Point is: there is no digital solution for this problem. It will always have an analog solution.

Security and convenience are always a trade off. If you don't want the hilariously low security analog bypass, then you have to provide means for backup power. For an in-wall safe, mains power would seem reasonable.

The Bowley lock is pretty close to a purely physical lock that cannot be opened non destructively without the key. Basically it is a warded pin tumbler lock, the pins are 180 degrees offset from where you put the key in, surrounded by a steel cylinder that needs another 180 degree bend. This combination of the 180 degree offset and the narrow bend really limits what kind of tools a lockpick can use. With the offset they can't insert and remove individual tools without rotating and retracting all of them, losing any tension or set pins. Because of the bend they won't be able to manipulate all the pins with one tool either. So a lockpick would need a tool to tension, and 3 or more picks to manipulate the pins. The physical tolerances of the lock really limits bumping, there is limited front to back play, so full depth cuts won't work. There are also the usual security measures to limit bumping and electric lock guns, zero lift pin, security pins.

I think, fundamentally, physical locks _can't_ be solved. At the end of the day, given enough time, there will always be a physical workaround to a physical lock. Even with a "perfect" electronic lock, somebody could always just cut through the door.

IMO the purpose of a lock is to either 1) slow down an attacker long enough for (eg) police to show up, or 2) discourage an attacker from breaking into _your_ house in favor of your neighbor's house.

I think, fundamentally, physical locks _can't_ be solved.

Sure they can. Lock-picking is a search for a minima. You just need a design where there's no way to tell if you're getting closer to the right combination. That is, something senses the combination on the key, saves it, and then tests the saved info while protected from manipulation. Doing this cheaply and in a small package is difficult.

Someone recently built such a lock and sent it to the Lock Picking Lawyer.[1] No results yet.

One classic lock close to that was the Chubb Detector Lock. If any lever was pushed too high, the relocking device tripped and the lock would no longer open. Use the wrong key and you were locked out.[1] This was usually fitted with a second mechanism so that turning the correct key in the wrong direction would reset the detector. If built without the reset feature, pick attempts or using the wrong key would disable the lock permanently. This was highly secure but inconvenient.

This is probably a solvable problem if you're willing to have a sizable box on the door, like 19th century door locks or jail locks today. You'd want that anyway, for mechanical strength.

[1] https://hackaday.com/2020/11/29/making-a-unpickable-lock/

[2] https://youtu.be/7Q6rsbeJZMs
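The contrast drawn in the comment above, between a lock that signals partial progress and a sense-store-test design with a Chubb-style detector, as an added Python model that is not part of the thread. All class, function and parameter names (including `max_failures`) are assumptions made for illustration, and the model is abstract rather than a description of any real lock.

```python
import itertools

class FeedbackLock:
    """Constructed model: each pin reveals on its own whether it is set."""
    def __init__(self, code):
        self._code = tuple(code)
        self.probes = 0

    def pin_sets(self, pin, depth):
        self.probes += 1
        return self._code[pin] == depth

class SealedLock:
    """Constructed model of sense-store-test: only a whole guess is judged."""
    def __init__(self, code, max_failures=None):
        self._code = tuple(code)
        self.max_failures = max_failures  # 1 approximates a detector relock
        self.failures = self.attempts = 0

    @property
    def tripped(self):
        return self.max_failures is not None and self.failures >= self.max_failures

    def try_code(self, guess):
        self.attempts += 1
        if self.tripped:
            return False  # relocked: even the correct code is refused
        if tuple(guess) == self._code:
            return True
        self.failures += 1
        return False

    def reset(self, code):
        # Stands in for turning the correct key the other way to reset the detector.
        if tuple(code) == self._code:
            self.failures = 0
        return not self.tripped

def cost_with_feedback(lock, pins, depths):
    """With per-pin feedback the search cost grows as pins * depths."""
    for pin in range(pins):
        next(d for d in range(depths) if lock.pin_sets(pin, d))
    return lock.probes

def cost_sealed(lock, pins, depths):
    """Without feedback the cost grows as depths ** pins; None if the detector trips."""
    for guess in itertools.product(range(depths), repeat=pins):
        if lock.try_code(guess):
            return lock.attempts
        if lock.tripped:
            return None
    return None
```
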

I think mentioning "well if the lock's too hard they'll just break the window" is missing a point: locks right now are just too easy. Destructive bypasses to locks, or even just cutting the lock into pieces, are probably a good thing, since it prevents the equivalent of losing your Bitcoin wallet. But you want the attacker to be forced to either make a loud mess or go elsewhere.

If you didn't encrypt HTTP, you could sniff packets on the network, walk through the front door. If it was weakly encrypted, someone with some level of expertise could basically do the same, pick the cheap lock and walk through the front door. With RSA-like encryption, this avenue of attack is basically closed, and now the options are more like "try and steal this guy's laptop" or "launch MITM attacks".

It's fun to point out to laypeople how insecure the mechanical locks are, and how easy they are to pick. But it's less often mentioned that this is a desirable feature; imagine bulletproof locks - what would the recommendation be to people who get locked out? What would the economic damage be across the board?

And in addition: the weak spot often isn't the lock but the window next to it, the door frame or similar. The lock prevents somebody from getting in by accident (I had my drunk neighbor once trying to get into my place at night ...) but the typical door and lock don't protect against somebody who wants to get in. For that protection you have to pay a lot more.

You cut it

I think this is kind of central to what a perfect lock would be. The only non-authorised access should be destructive.

While there are some locks that attempt to do stuff like this (Bowley locks?), the trade off for perfection is cost and recoverability.

This might be useful for niche use-cases or academic reasons, but for a commercial product, the value proposition doesn't make as much sense. After a certain point of pick/bypass resistance, adding cost to a lock isn't actually protecting most users from any plausible attacker. And is more likely to prevent the authorized user from gaining access in a lockout scenario than it is to prevent a real-world attack.

In most cases where someone faces a sophisticated attacker that could bypass a security lock, you'd be better served by layering other security techniques, instead of putting your eggs all in one basket with the physical lock.

I don't think it can be "solved" in that way. If you're going to have a physical lock, it needs to have a physical locking mechanism somewhere. If you watch lock picking youtube, you'll see that virtually all electronic locks sold today have horrendous physical security. Given the state of their physical security and the even more terrible state of IoT digital security, I doubt that the controllers of these locks are really secure either, though I haven't seen any reports of them being attacked in that way.

Yes. Locks in meat-space have always been and will always be deterrents. While you can't always brute-force your way through a math problem, you can brute-force basically any physical material.

Noticed recently that even cheap Chinese bicycle locks are now "dimple" locks. People do understand now that these "american"-style pin locks are quite useless, as opening them is everyman's sport. In a dimple lock the key goes in sideways, and if the keyway is tight enough, you cannot make a rake to fit in. Also you can design the keyway so that you cannot flip them dimples from side channel with a "flag" pick.

I had to look up an example:


I guess I can see how they might be made to tighter tolerances and tighter keyways.

Yes. This is the wide-mouth dimple lock where you can use flag and rake. Those see-through training locks you can get from Alibaba are also of that type. You can even use regular rakes on those by rotating them slightly.

Do you have an example of a key and keyway that are "extra slim"? I can't quite imagine that it's not possible to adapt some kind of pick - after all the key has to fit, and has to slide into the lock, "pushing" pins out of the way?

I can certainly see how such locks might be more difficult to pick, though.

I have this bicycle lock I recently found. There is no room on the left side of the pins, meaning the dimples are almost at the edge of the key. And on the right side there is a wall blocking half of the keyway. A flag would have to be really curved to reach over that wall. https://photos.app.goo.gl/PjTEiqy3vRCULy366

There are rakes and picks for dimple locks. (And I don't think any dimple lock has won the tolerance game on keyways for mass produced locks.) Dimple locks are just less common. The more common they become, the more common you'll see the rakes and picks made for them. Despite the flags being very easy to make yourself, they're uncommon enough that if you buy them from a pick store you pay a niche premium.

I will say a product is more likely to be secure if the manufacturer is intentionally choosing a rarer style simply because they are taking security into account.

I found a bicycle dimple lock last week on the street. I find it impossible to pick open. The dimple row is so tight that you can fit only a straight blade in, raking is impossible. I have been making flags, but it seems to be impossible to find the right curved shape so that the pin is fully movable. Also I have made a narrow blade for my Lock Pick Gun, but all in vain. Soon I have to send this bloody lock to Lock Picking Lawyer, the situation is so desperate.

What do the (supposedly) Chinese characters on the key say?

Likely the name of the gentleman who created them?


"Your server is running PHP version 5.4.45 but WordPress 5.7.1 requires at least 5.6.20."

That's an interesting name!

> “Today’s Original Lishi tools are the brain child of Zhi Qin Li. These amazing tools were invented in early 2000 in response to the need to help his locksmith friends and his trainees.”

Note that the picture on the sets is of him as well.

Some time ago I did purchase a lockpick kit to play around with it for a bit. The tools in the video seem to be a useful help for beginners, but ultimately they need to develop that intimate feel of where exactly the tool is in the lock and what's going on there. Slight slips, movements, and other indicators are very important to the overall success of lockpicking.

Robert De Niro's Snapper was the game changer in 1988. https://youtu.be/HUcZEX5RkzU . Looked amazing but it was true. You can really open every door in America within seconds.

My eldest teenager took about a day to learn how to pick these locks. It's just not that hard.

Not long ago - just to see if it would work - I designed and 3D printed a replacement key. It worked.

It wouldn't be too difficult to MacGyver something similar to a lishi using 3D printing with a thin metal insert.

There is no such thing as a lock. There are only timers accelerated by skilled attackers.

Same goes for encryption. Your AES-256 is great today, fine tomorrow, and probably broken in 10 years.

So Lockpicking Lawyer is a badass and has way more tool time than me. But lockpicking is surprisingly easy. He does it precisely and slowly, but it can be done much more aggressively and with less thought. Individually manipulating the pins is great but it turns out aggressive imprecise raking works too, especially on cheaper locks. Lots of techniques out there.

He demonstrates a lot of lower-skill attacks in various videos, showing pretty convincingly that against a lot of locks (even some more expensive ones where the manufacturer cut corners) they are effective and much quicker than single-pin picking. That includes raking, shimming, simply using force, etc.

These lock picking tools are getting so easy. I expect new types of locks, probably electronic, will be coming out on the market soon.

Given how many of this man's videos contain the phrase "This security flaw has been known for [n] decades" I would not hold my breath.

Also, given how many electronic locks he features which are total garbage I would not buy one of those for most use cases.

Well known by a relatively tiny group of mostly engineers, locksmiths, and hobbyists vs widely available on a 3 million subscriber YouTube channel are very different degrees of broken.

When EVERY random teenager can easily access these tools and learn these tricks, it's liable to start causing some larger scale problems that could indeed force change in the industry.

I don't know what more you could want.

This guy has a YouTube channel with nearly 3 million subscribers and he's made nearly 1,300 hundred videos. There are dozens of subreddits focused on lock picking with hundreds of thousands of users. I am not sure what the definition of "every random teenager" really is but if I can do a web search and find an instructional video, it's good enough for my purposes.

Many, maybe even most of his videos of locks made by companies who sell in common retail outlets demonstrate low skill attacks and still more demonstrate low effort / specialised knowledge attacks. He also has a web store where you can buy a bunch of tools for this.

So even someone like me who has lost most of the use of my right hand can open many of the big name locks on the market without much difficulty. Most cases it's a web search to a video and perhaps next day delivery of a tool kit. Many times the attack is ridiculously trivial and can be done with stuff one might find in your average garage shop.

I mean look at some of his videos... "open with a fork" "open with a shim made out of a coke can" "open with a strong magnet" "open with a lego figure" "open with a spoon" "open by raking with a rake lock pick" "open with a sharp blow with a small hammer" "open by drilling here" "open by grinding this part" "open with a pocket knife" "open with a butter knife" "open with the top of a bic pen"

> When EVERY random teenager can easily access these tools and learn these tricks, it's liable to start causing some larger scale problems that could indeed force change in the industry.

This stuff has been publicly available for decades. I learned using the MIT Guide to Lock Picking from 1991, and bought a lockpicking set online, and off I went. Nowadays it's just easier and more accessible (like most things).


The Anarchist Cookbook has been out for a while, it's probably fine.

They are. And they have different vulnerabilities. Magnets triggering relays, spinning magnets rotating motors, "reset buttons" that are hidden behind plastic covers...

Of course, that's when they don't have backup key locks; then they have the old vulnerabilities on the top of the new vulnerabilities (shimming, rapping, etc).

Most electronic locks are still garbage. Even if the computer part is somehow perfect (which it won't be), they normally/should contain bog standard manual bypasses.

aaaaaaaaaand..it's sold out.

A quick search for Lishi tools shows many sites selling them. At $80 each, the cost to tinker around is too high for me. AliExpress has what I assume to be terrible quality ones selling for about $40 each.

Can you link to them? All I can find on such a search are identical tools for automobile locks- cannot find the tools for household locks he shows in the video.

You need to specify what model you want


Sold out atm.

I've read stories on reddit of people picking locks of hotel or motels to sleep free of charge.

I'm wondering what kind of victim-free stuff one can easily get away with by picking locks.
