Welcome back, my aspiring cyberwarriors!
Physical perimeter security is just a important as your IT perimeter security. If the hacker can gain access to your physical systems...GAME OVER!
Taking over you network is SO much easier once the attacker is physically inside your perimeter and on your network. For this reason, we have begun a new series and classes on physical security.
Your physical security can be compromised in many ways including;
Social engineering
Access Cards
Lock Picking and more.
To initiate this series on physical security, we will begin with some lock picking basics. Look for articles in the near future on cloning RFID access cards and social engineering access.
Introduction to Lock Picking
You may be wondering why a website about hacking is hosting articles about lock picking. That is because cybersecurity is not confined to the digital realm. If you’re a fan of Mr. Robot you’ll recall multiple examples when Eliot used lockpicking to gain access to server rooms and secured areas. Security is multifaceted in the modern world of cybersecurity and lock picking is an essential tool for the modern hacker.
What is Lock Picking?
Lock picking is the practice of manipulating a lock's internal components to unlock it without using the original key. The fundamental principle behind lock picking is understanding how a lock functions, then using that knowledge to bypass the locking mechanism.
A Brief History of Lock Picking
For as long as there has been locks, there have been lockpickers. The earliest known locks date back to ancient Egypt and Babylon, where simple wooden devices were used to secure valuables.
During the Middle Ages, locksmiths began developing more complex locks to protect against lock pickers, who, in turn, honed their lock picking skills. The industrial revolution brought about significant advancements in lock technology, including the invention of the pin tumbler lock, which remains widely used today and will be the focus of this article.
The Ethics of Lock Picking
Before diving into the mechanics of lock picking, it is important to address the ethical considerations. Lock picking should be approached with a strong sense of responsibility and understanding of legality. Unauthorized lock picking can lead to serious legal consequences. As a general rule, you should only pick locks you own, have explicit permission to pick, or are engaged in the act for professional security testing.
The lock picking community often emphasizes a code of ethics, commonly known as "lock sport" ethics, which includes respect for others' property and the responsible use of one's skills. Understanding these ethical guidelines is as important as learning the technical aspects of lock picking.
Understanding Lock Mechanisms
To pick a lock, one must first understand how it works. The most common type of lock is the pin tumbler lock, which consists of a cylindrical plug housed within a larger cylindrical body. The plug is prevented from rotating by a series of pins that rest against the shear line (the boundary between the plug and the body). Each pin stack consists of a driver pin and a key pin, which are separated by a small gap. When the correct key is inserted, the pins are aligned along the shear line, allowing the plug to rotate and the lock to open.
There are many numerous types of locks, each with unique mechanisms and methods for picking. Understanding these different types of locks is essential for developing a well-rounded skill set and we will review them in later articles.
Basic Tools for Lock Picking
Lock picking requires specific tools, which are designed to manipulate the internal components of a lock. The most common tools are:
Tension Wrench: This tool applies rotational tension to the lock plug. By applying tension, the picker sets up a binding pin condition, where one or more pins are slightly more resistant to movement. This resistance helps in setting the pins to their correct positions.
Pick: The pick is used to manipulate the pins within the lock. There are various types of picks, including hook picks, rake picks, and diamond picks, each serving a different purpose. The choice of pick depends on the lock type and the technique used.
Rake: A type of pick that resembles a small, thin rod with a series of ridges. Rakes are used to quickly "scrub" the pins, hoping to set them through rapid movement.
Basic Techniques of Lock Picking
Single Pin Picking (SPP)
Single Pin Picking (SPP) is a precision-based lock picking technique that focuses on manipulating each pin individually to align them with the shear line, allowing the plug to rotate and the lock to open. This method involves a tension wrench and a pick:
Step 1: Applying Tension
The initial step in lock picking involves applying a gentle rotational force to the lock’s plug. Normally, a key would perform this action, but when picking a lock you use the tension wrench. Insert the tension wrench to the bottom of the keyway and press lightly on the tension wrench.
This will apply a turning pressure to the plug. This tension causes the binding pin to press against the plug and housing, preventing the plug from turning freely.
Step 2: Identifying the Binding Pin
After tension is applied, you must next find the binding pin. Insert your pick into the plug. Continue to apply a light pressure with the tension wrench. Use the pick to gently press on each pin stack, lifting them slightly. Most pins will move easily and return to their resting position when released. There will be one pin that feels stuck, this is your binding pin.
Step 3: Setting the Binding Pin
If you release the tension slightly, this pin stack will move like the others. Gently lift the binding pin using the pick. The amount of pressure applied to the tension wrench is crucial; too much makes it hard to lift the binding pin, while too little won’t hold it. While experimenting with pressure be careful not to bend your pick or wrench.
As you lift the binding pin, do so slowly. Pay close attention to feedback from the lock and pick. When the binding pin reaches the shear line, the plug will rotate slightly and you might feel as a small click through the tension wrench. This indicates the pin is set.
Step 4: Identify the Next Binding Pin
Once the first pin is set, the slight turn of the plug will cause the next pin to bind. Use the pick to find the new binding pin by testing each pin stack for resistance. Lift the newly identified binding pin slowly until it reaches the shear line. Feel for the small turn and listen for the faint click that confirms the pin has been set.
Step 5: Repeat the Steps
Continue this process for each remaining pin. As each pin reaches the shear line, the plug turns further, similar to using a key. Repeat these steps until all the pins are set and the plug turns completely, opening the lock.
I encourage all new students of lock picking to start with learning Single Pin Picking. SPP is a reliable method for opening a wide variety of locks, including high-security models. It is often more effective against locks with multiple security features and SPP teaches pickers to understand the intricacies of lock mechanisms, improving their overall skill and knowledge of lock picking.
However, there will be situations where Single Pin Picking will not be the best technique. SPP can be a slow process, which leads to ...raking.
Raking
Raking is a faster, less precise lock picking method that involves using a rake pick to manipulate multiple pins simultaneously. The idea is to move several pins up and down quickly, hoping that some or all of them will reach the shear line and set, allowing the lock to open.
Step 1: Inserting the Rake:
The picker begins by inserting a rake pick into the keyway. These picks have multiple ridges or bumps that can interact with several pins at once.
Step 2: Applying Tension:
As with SPP, a tension wrench is used to apply rotational pressure to the plug. This tension must be light enough to allow pins to move freely yet firm enough to catch them when they align with the shear line.
Step 3: Scrub
The picker rapidly moves the rake pick back and forth, up and down, or in a scrubbing motion. This motion jostles the pins, encouraging them to move up and potentially fall into place at the shear line. The idea is to use random motion to exploit any pin that might already be close to setting.
Step 4: Repeat
Raking often requires multiple attempts. If the lock does not open after a few tries, the picker may reset the lock (by releasing tension) and start over, applying slightly different tension or using a different rake pick.
Raking is particularly effective on simple locks with fewer pins or those with standard pin configurations, which do not have additional security features. It also can also open these simple locks much faster than SPP, which makes it useful when time is critical. Don’t allow yourself to become overly reliant on raking and neglect to develop more nuanced picking skills. The locks you will find at institutions with high security will mostly immune to raking.
Summary
Lock picking is a skill that combines knowledge of mechanical systems, manual dexterity, and problem-solving. Learning lock picking equips penetration testers with a valuable tool for assessing physical security. It enables them to provide a more comprehensive evaluation of an organization’s overall security posture, ensuring that vulnerabilities are identified and addressed. As threats continue to evolve, the ability to understand and exploit physical security weaknesses remains a crucial component of effective penetration testing.
Comments