I became aware of bump keys during media coverage of the HOPE conference in NYC. To those unfamiliar with the term, it’s a technique that allows an individual to open the majority of mechanical locks (one estimate is 90%) by using a special key and tapping or bumping it. With practice, the lock can be opened in a few seconds and leaves no evidence of a break-in. There is a well-written Dutch news segment that provides a nice overview. Note that this program aired in April 2005.

That segment made a large “wow” impact on me. I’m amazed and unsurprised simultaneously. As I keep up-to-date with network and data security, it’s not a shock that the principles causing the risk and mitigating methods to reduce the risk are the same. Some observations:

  • Motive
    I know this may seem obvious, but it’s worth stating the cause of the issue. As long as certain people want to steal, whether for the excitement, or money, or both, security will be an issue. The other fact that’s equally obvious is that society, as a whole (sweeping statement here), does not seem to be getting more ethical, but less so. This trend in motivation, coupled with tools/knowledge (next point) has led to an increase in attempted break-ins. I don’t think a statistic is necessary here.
  • Sophisticated tools and training are easily accessible to unsophisticated masses.
    First requirement… how do you get the ’special’ bump keys? Well, a quick Google search yields a lot of info: how to make your own keys with a key machine, or buy a set on eBay, or buy a set from a company called Multipick-Service. The point is, just as with network security break-in tools, these are readily available.

    Second requirement… how do you master the technique? Again, there are many sources of info on this. You can find videos on Google or YouTube and PDFs on TOOOL, and many other blogs are documenting their successes and failures with specific types of locks. Practice is easy: buy a lock and try at home!

  • Layered Security is a Necessity
    Most property owners realize that they need more than a single lock to protect their belongings. A door lock is supplemented with additional locks (access control), a security alarm system (more access control and intrusion detection), and a video surveillance system (intrusion detection and reporting).

    One of the big concerns with bump keying is that there is no evidence that a break-in occurred. Yes, you’re missing your plasma TV, but the insurance company has no proof of a burglary. A layered security approach would provide that proof. I find there is a tremendous parallel between this and network security. So many of my clients have insisted that they have never been a break-in target, yet have no reporting mechanism or IDS to really know. With a physical burglary, it’s obvious that the family jewelry is gone, but when we’re talking about data, theft means taking a copy, often without altering any obvious systems.

  • Disclosure is Best
    You either agree or disagree, but disclosure of bump keying is the best way to mitigate it. I am glad that there is public awareness over this so I can now take steps (most very simple) to mitigate the risks. Yes, awareness will also expose this information to those who mean harm, but the most malicious individuals assuredly knew of this break-in technique before I did, so now I’m glad that I can make defenses. I’ll take knowledge over ignorance every day.

Since I don’t know anyone that leaves their home unlocked when they leave, these comparisons are useful in explaining principles to business owners on network security.

Have a secure day!