I have decided not to post the details of this particular attack for now, but can now confirm that the Videx Cyberlocks are definitely vulnerable to a certain bypass method that is mentioned in various dark corners of the web.
So as of late, the latest must-have tool for your locksmith toolbag is the large neodymium magnet.
Marc Tobias has just released an official document regarding the missing C-clip on certain models of the Kaba Simplex combination locks (a good summary can be found here).
It's an attack that has been known about for quite some time, but it was most commonly conducted via a small hole in the left-hand side of the lock case to allow a pulling wire in to pull the plate manually.
With the increasing availability of high-powered magnets, almost anyone can perform the ultimate NDE bypass on these locks. This throws the vulnerability into the spotlight and will undoubtedly cost the makers a considerable sum of money, if not cripple them financially.
Locksmiths: make sure you order the largest magnet you can afford. I tried using a 50x50x25mm magnet, which was not sufficient to pull the plate on the larger Unican models but was fine for the smaller 7000 series.
Other locks worth mentioning here would be the Avocet ABS, currently being heavily marketed throughout the UK, which incorporates a magnetic pin that is easily overcome using a small magnet (I use a piece of rubbery fridge magnet) inserted into the keyway above the pin stack, or using a magnetised pick blade.
I'm sorry it's been a long time since I updated the blog. I've been incredibly busy both working and optimising my locksmith site to get even more work.
So I'm rooting through my Photobucket account to see what I've been up to lately. I forget myself sometimes...
A few weeks ago I had a clearout of all the old locks I had knocking around. I really didn't realise that I'd saved up so many, and have been flogging them on LP101 at 10 for £12 (free postage). There's still a fair few left if anyone fancies some cheap locks to pick.
I haven't done much hobby picking at all lately. The last lock I picked was an AZBE cylinder sent to me by Mike at Sheffield Locksmiths, which turned out to be an easy one; I had this lock open in under 60 seconds.
The lock was very sloppy and poorly manufactured, making for a very simple pick with little opposition other than the tight keyway of the cylinder.
Going back even further, I managed to pick a DOM (of some description) sent to me by Femurat of LP101. Again, not much trouble at all once I'd worked out where the active side pin was hiding.
It might be worth mentioning that I've recently purchased a load of MT5 padlock cores complete with reg cards and the plastic retainer, which should be a direct replacement for the old classic style padlock. Contact me if you would like one ;-)
I'm sorry it has been a while since I updated my locksmith blog... My new home and DIY have been keeping me busy.
I recently met with a UK Videx distributor for a demonstration of the Cyberlock.
I'm always wary of new technology and the claims made by their sales representatives; however, I'm happy to report that I was quite impressed with what I was shown.
Encrypted lock technology is definitely the way forward and is on offer by various companies in different forms; Kaba Elolegic, for example, should be a serious competitor offering similar management capabilities.
Basically these systems now allow the real-time management of access to doors/locks/whatever.
The Cyberlock is the only product I have seen so far that retrofits existing hardware, making it especially appealing.
As with all new technology, price is an issue and systems can be very pricey, although they could be cost-effective for large business customers with massive key collections and management issues.
It's certainly a system I'd be interested in installing and I hope to deal with the supplier in the future.
I still find it hard to believe that multipoint lock manufacturers still haven't effectively dealt with the hole bypass problem that these locks suffer from.
It seems all that is required to unlock the doors is a small hole and a bent wire to act as the cam (shown here on an ERA lock case).
It seems all that is required to prevent such an attack is a hardplate escutcheon around the vulnerable area.
Most of the new range of euro-deadlock lock cases are now supplied with a hardplate escutcheon for this very reason, and locks such as the Chubb Viper deadlock come with considerable protection to prevent this easy bypass.
Others, such as the London Line deadlock, have a non-manipulatable mechanism that can only be unlocked with a tight-fitting cylinder (in fact my cam turner won't even budge them).
I have always struggled with the picking of the 7 pin Garrison locks, so I have been experimenting with various new ideas to open them.
I'm pretty sure after my last post it's fair to say they will be shimmable like the MT5 was.
Secondly was impressioning.
I had a crude attempt at making up an impressioning key that used a plasticine face in which to sink the pins. I made this by sinking each cut to full depth (and a bit more).
I then filled the rest of the key with soft plasticine and carved the profile back in.
The main problem would be getting the key in the lock unscathed. My method was to stick the key in the freezer for 10 minutes, although in a real situation it would be better to use a gas aerosol or similar.
Anyhow, once the key was in the lock I left a few minutes to thaw and began the self-impressioning wiggling.
I managed to get the lock to false set on 3 attempts, meaning there were pins oversetting. The problem with Garrisons is there always seems to be high and low pins situated alongside one another, making impressioning tough (this is why I didn't go for foil).
Although I didn't get a 100% result here, it displayed some positive results and with a few modifications I think I'll be able to get this to work.
And thirdly, the rake key.
Using a Garrison bump key, I machined away a mm of the edge of the key so that I could insert a tension wrench in with the bump key. The idea being you can hold light tension while concentrating on the raking, as opposed to trying both with one hand movement.
Again some success. I managed yet again the false set; however, it was then impossible to remove the key to pick the remaining pins by hand. So all in all not much use... just like the bump key.
I recently acquired a small box of Mul-T-Lock euros of various types, including a few MT5 cylinders.
Having never encountered these before, I naturally spent a short time picking the lock, which I found to be pretty challenging. The telescopic pins lacked the sloppy feel of the classic style lock.
In defeat i decided to open her up and see what I was up against.
Each driver pin is a self-contained spring and inner pin as usual, but of smaller diameter, and the inner driver is slightly serrated on the end.
Main pins consist of inner and outer pins again of smaller diameter than the classic.
I really needed a way to defeat this lock without drilling should I ever encounter one. (Note the MT5 has the usual half-moon hardened drill plates that sit under the plug, and hardened pins, so drilling could be awkward.)
You may remember a few weeks back I toyed with the idea of frontal shimming. As the MT5 has such a thin plug face and no apparent protection against this attack, I decided to give it a shot.
So I hacked away with a junior hacksaw right to the hardplate in the lock, which was sufficient to expose the lock's shear line.
...and slowly worked the shim through the lock by overlifting the pins one at a time to progress deeper with the shim. It was a little fiddly as the serration on the inner driver tends to catch, but reversing up a fraction and then manipulating the centre pin easily overcomes this.
You will be able to shim the first five pins in the lock, but the special 6th pin didn't seem to want to know, so instead I used a tension wrench and just picked it. It is located at the back right-hand side of the keyway.
Hey presto, one open lock.
OK, it's technically a semi-destructive method but works a treat and is something I would definitely use in a real-world situation as opposed to trying to pick this lock, which would take considerably longer in my opinion.
I'm sure the MT5+ will be a different story but I can't really comment till I get my hands on one.
If you deal with any particular lever lock on a regular basis it may be worth investing some money in a decoder / make up key kit for that lock.
They are fairly expensive but can save a lot of time when compared to picking or drilling open the locks.
These decoder kits can read the levers in the lock.
The decoder for the Securefast locks reads the levers by the height to which they are lifted, which then corresponds to a cut depth.
Here is a demonstration by a local locksmith in Barnsley who encounters Securefast 5 lever locks on a regular basis.
Important things to note:
- Make sure to place the pins in the correct slots in the blank.
- When no pin is required remember to leave that part of your blank empty and not insert the next pin into that hole.
- When cutting a key from the make up key remember to reverse the cuts for the rest of the key.
Looking through some of my old pictures, I came across a few I took whilst experimenting with drilling certain locks.
A method you can use to open the Kaba dimple cylinders:
The Kaba cylinders consist of a self-contained unit housed in the lock body. This is held in by a hard steel grub screw. (This is usually sealed over with a resin.)
Once that is removed the whole unit will turn, regardless of being picked or not.
As you can see above, the grub screw in a traditional shaped cylinder is located at approx 45 degrees clockwise. In a euro/oval profile the grub screw is directly beneath the plug.
You will need a hard plate drill or two to break the grub screw as it's hard grade steel. Drill using a slow drill speed with plenty of force!
Once the grub screw is out of the picture the lock can be opened with a flat blade screwdriver. It may take a little force as the end of the grub screw may remain intact, but it will fall loose quite easily.
Proof that it works: a jammed/broken key situation. It required a little drilling in the keyway just to make room for the screwdriver blade.
My brother-in-law gave me a few Abloy knockoff cam locks a while back to see if there was a better way to open them quickly, without running a huge drill down the centre and ripping out the guts.
As with most rear-tensioning disk detainers, these little locks were almost impossible to pick, so a neat destructive bypass technique was needed.
I decided the best method would be to locate the sidebar position, drill a small 1/8th hole and remove it from the lock.
After dismantling the lock I located the sidebar:
I've always been a bit wary about buying expensive curtain picks. I just cannot justify shelling out hundreds of pounds for a few pieces of machined stainless.
I'm sure I'm not the only one, therefore I'm happy to share another alternative:
A local locksmith who runs a training course nearby took the time to design some simple picks and have them machined at a local engineering firm.
These picks are cheap and simple; made from toughened steel, they will never break or round off at the ends.
I have used these picks since he started producing them. I even have a couple of the early prototypes in my toolbag and use them frequently when opening lever locks.
The set i own has five, six and seven gauge tools complete with standard and low bellied picks for reaching under the low hanging levers. All comes in a leather pouch.
I took a quick picture of the inside of an old Chubb safe I worked on just to show how the tamper mechanism works.
Older safes were prone to a destructive attack whereby the lock was hammered away from the face of the safe.
In this case a bracket is affixed to the back of the lock which holds a large ball bearing in a recess.
Hooped around this ball bearing is a wire attached to a spring-loaded deadbolt (pictured bottom left).
When the lock is forced backwards the ball bearing is dislocated and allows the spring loaded bolt to engage, securing the safe.
This mechanism can also be triggered in old safes that have never been serviced and parts may have come loose.
A customer will usually describe the 'PING' of the ball bearing landing in the cup below it when calling a locksmith regarding their safe failure.
Sifting through some old videos I have, I came across this one I filmed for a local locksmith training school.
This is a locksmith called Shane teaching students how to open lever locks suffering from long term wear and tear.
Bumping a lever lock!?
Watch the video for an excellent demonstration of this handy little trick that can save you a lot of time!