<p>(Un)locked (http://unlocked.own-hero.net), author: decoder (decoder -at- own-hero -dot- net), updated 2022-02-02T14:31:43+01:00</p>
<h1>Short Review: UAP+ ZeroLift Cylinder (UK)</h1>
<p>2015-10-11T00:00:00+02:00, http://unlocked.own-hero.net/2015/10/11/short-review-uap</p>
<p>While I was on a business trip in London, I couldn’t resist going to a hardware store and buying some UK lock to satisfy my collector instinct. I was surprised to find a lock that claims to protect against many of the commonly known threats at once (including picking and bumping) while also being extraordinarily cheap: The UAP+ ZeroLift Cylinder.</p>
<h2 id="packaging-promises-and-price">Packaging, Promises and Price</h2>
<p>So here’s the packaging of the cylinder</p>
<p><img src="/assets/images/uap_packaging.jpg" alt="UAP+ Packaging" /></p>
<p>which already makes some serious claims:</p>
<ul>
<li><strong>Anti-Pick</strong></li>
<li><strong>Anti-Drill</strong></li>
<li><strong>Anti-Bump</strong></li>
<li><strong>Anti-Snap</strong></li>
</ul>
<p>It should be noted that “Anti-” in this case does not mean that the lock is <em>immune</em> to this kind of attack. Instead the manufacturer meant to say that the lock is <em>resistant</em> to these attacks, making them harder to carry out, compared to usual cylinders. I’ve watched one of UAP’s advertising videos and they use the term <em>resistant</em> themselves; it’s just not clarified on the packaging. However, for the purpose of the lock (regular burglary protection), providing resistance against these attacks is all that is required.</p>
<p>Also, for the price of <strong>12.49 GBP (around 17 EUR / 19 USD)</strong> referring to 35/35 length, getting a lock that is resistant to these attacks would be a great deal.</p>
<h2 id="anti-pick">Anti-Pick</h2>
<p>Since I’m a lock picker, I tried to hand pick the lock first. And indeed, it provided a fair amount of resistance: It took me around 8 minutes to open it for the first time. The lock felt a little weird to pick overall and seemed to have some extreme spools in it. So I went on to disassemble it and figure out what kind of pins were used:</p>
<p><img src="/assets/images/uap_pins.jpg" alt="UAP+ Pins" /></p>
<p>As we can see, we have two extreme spools that cause a fair amount of rotation when engaged. In addition, we have these pins with a thinner part on the top that can pop back into the core when setting spools, making the process of picking even longer. Even with that knowledge and a lot of skill, it still takes me up to a few minutes to open the lock (and burglars are not experienced lock pickers in my opinion). We also notice that one key pin is extremely long and in fact doesn’t require any lifting (hence the name ZeroLift):</p>
<p><img src="/assets/images/uap_zerolift.jpg" alt="UAP+ ZeroLift Pin" /></p>
<p>According to the patents, this pin was mainly introduced to make bumping harder (see below), but it also effectively prevents novice raking attacks: During raking, it is highly likely that you touch the ZeroLift pin and overlift it, keeping the lock closed. Raking is one of the more likely picking methods used by a burglar (although even that is rare), so defending against that is very useful.</p>
<h2 id="anti-bump">Anti-Bump</h2>
<p>Next we will take a look at bumping this cylinder. As we previously described, this system always has one pin with the maximum length. Assuming that we cut down a bump key from an existing key, keeping the cut angle and spacings and going a little deeper than the deepest cut, we likely end up with a bump key that looks like this:</p>
<p><img src="/assets/images/uap_bump.png" alt="UAP+ Bump Key Simulation" /></p>
<p>I measured the distances (cut height, pin spacing, etc.) from the key and estimated the cut angle carefully, since I did not have technical specifications available that give me this data. Therefore, the picture might not be 100% accurate. However, it is clear that with these specifications, the ramps of the bump key are quite small and therefore will only engage the pins slightly. That makes bumping harder because less energy can be transferred to the pins. However, this doesn’t prevent bumping because we can simply adjust the specifications a little: By making the cut angle (a little) steeper, you can already make the ramps longer and therefore improve the bump key. The same holds for reducing the cut space a little (some bump keys even work better when doing this).</p>
<p>However, looking at the pins, even a modified bump key will probably not open this lock very easily. The pins with the thin end on top can re-enter the core even after some rotation, which can help prevent the bump key from opening.</p>
<p>Overall I believe that it should be possible to make working bump keys for this lock, but that they won’t work so easily. For me, that qualifies as bump resistant and maybe I will try to make a bump key for this lock in the future.</p>
<h2 id="anti-drill--anti-snap">Anti-Drill / Anti-Snap</h2>
<p>While I typically don’t deal with destructive methods, I still wanted to take a quick look at the cylinder design to prevent these attacks.</p>
<p>As we can see in the following pictures, there are multiple anti-drill and anti-snap features in the core and housing:</p>
<p><img src="/assets/images/uap_snapdrill1.jpg" alt="UAP+ Anti-Snap/Anti-Drill features" />
<img src="/assets/images/uap_snapdrill2.jpg" alt="UAP+ Anti-Snap/Anti-Drill" /></p>
<p>The anti-snap feature is a predetermined breaking point. If you try to break the cylinder using the common methods, it will break around the fourth pin hole and not in the middle as required for a successful opening.</p>
<p>Overall, these features look solid to me and the cylinder has a 1-star KiteMark on it, which means that the resistance against destructive entry has been validated independently.</p>
<h2 id="negative-remark-e-pick">Negative remark: E-Pick</h2>
<p>Unfortunately, while hand picking is sufficiently non-trivial on this cylinder, using an E-Pick isn’t: It took me less than a minute to open the cylinder using an MHP II. In my opinion it’s much more likely that a burglar uses an E-Pick compared to hand picking because using an E-Pick is much easier to learn and often faster than hand picking as well.</p>
<p>While it’s hard to make cylinders more resistant to the E-Pick without making them expensive, I think that UAP should consider securing their product somehow against that kind of attack as well.</p>
<p>So, dear UAP: You could make this product the perfect low-budget solution if you manage to fix this :)</p>
<h2 id="summary">Summary</h2>
<p>Summarizing, the UAP+ ZeroLift is a <strong>6-pin, 1-star KiteMark</strong> cylinder resistant to</p>
<ul>
<li><strong>Drilling</strong></li>
<li><strong>Snapping</strong></li>
<li><strong>(Hand-)Picking</strong></li>
<li><strong>Bumping</strong></li>
</ul>
<p>for the price of only <strong>12.49 GBP (around 17 EUR / 19 USD)</strong>. For the same amount of money, you can hardly get anything else on the market that has the same defensive capabilities. If you have little money to invest, you are trying to protect <strong>only against regular burglary attempts</strong> and you don’t need advanced things like copy-protected keys, master key systems and such, then buying this cylinder doesn’t seem like a bad idea to me. Of course, a cylinder at this price has limits and the general disclaimers apply: The value of the assets you are trying to protect and the risk of theft should match your cylinder and door/door furniture choice.</p>
<p>But in general, I like the idea of having a low-priced cylinder for the masses that still provides a certain level of protection for the most common attacks and I think UAP has already done a reasonably good job here.</p>
<h1>Preview: PhotoBump - Working plastic bump keys for any profile</h1>
<p>2014-07-10T00:00:00+02:00, http://unlocked.own-hero.net/2014/07/10/preview-photobump-plastic-bumpkeys</p>
<p>Historically, bump keys have only been a problem if blanks were available for the targeted lock. They provide a convenient and fairly easy way (at least compared to lock picking) to open a lock in little time, if it is vulnerable to bumping. While there are locks on the market that are immune to bumping, a large quantity of locks in use is theoretically vulnerable, but practically protected by their profile. Blanks fitting the profiles of these locks are restricted, so obtaining them is harder than usual. In some cases, they are also protected by law, such that bump keys couldn’t be made commercially available, even if there was a source of blanks. This has changed now…</p>
<p><em>Note: The following article is a <strong>preview</strong> of the upcoming presentation at LockCon 2014. Technical details and software are left out on purpose and will be described/published in more detail later.</em></p>
<h2 id="photobump">PhotoBump</h2>
<p>At LockCon 2014, I will present a technical process that allows you to create a working bump key only using a photo of the keyway and the manufacturer specific details about the lock series. The latter is easy to obtain, as the major key blank manufacturers provide software including large databases that list all the specific characteristics per manufacturer and system. In detail we need</p>
<ul>
<li>Photo of the keyway</li>
<li>Position of the pins on the key blank (distances)</li>
<li>Maximum cut depth (to duplicate keys, information about the different heights)</li>
<li>Cut angle, plateau length</li>
</ul>
<p>As mentioned before, none of these characteristics are secret and they are typically shared at least across the lock series. Some manufacturers even use the same characteristics for multiple series.</p>
<p>From that information, we can create a 3D model of the requested bump key which we can then manufacture (through 3D printing).</p>
<h2 id="demo">Demo</h2>
<p>So far, I have successfully created a key blank for a protected profile and then used a regular key cutting machine to create a bump key out of it (the bump key could have been printed directly as required, but at that time, the software did not have the functionality yet to perform this, which is complex). The cylinder attacked here is a Zeiss IKON SK6 with a restricted profile. Note that this particular cylinder is probably not an easy bumping target anyway (it has 6 pins and a deep spool). I tried a metal bump key on that one (created from one of the existing keys) and did not succeed in bumping it with that. With the plastic bump key, I was successful multiple times. Here are a few pictures and a video for preview:</p>
<p>The target cylinder (IKON SK6, protected profile):</p>
<p><img src="/assets/images/IkonSK6-keyway.jpg" width="710" alt="IKON SK6 Keyway" /></p>
<p>The corresponding key, pin 3 is a spool and causes the cylinder to false set when not enough force is used during bumping:</p>
<p><img src="/assets/images/IkonSK6-key.jpg" width="710" alt="IKON SK6 Key" /></p>
<p>Here we have the 3D model of the blank. The software can also directly create the bump key as a 3D model, as well as a copy of the original key, given the key combination:</p>
<p><img src="/assets/images/IkonSK6-model.png" width="710" alt="IKON SK6 Model" /></p>
<p>The bump key, cut from the modeled blank, and the bumped cylinder:</p>
<p><img src="/assets/images/IkonSK6-bumpkey.jpg" width="710" alt="IKON SK6 Bumpkey" />
<img src="/assets/images/IkonSK6-bumped.jpg" width="710" alt="IKON SK6 bumped" /></p>
<p>Finally, here’s a video demoing the bumping process. As you can see, it takes a bit to bump the cylinder, but that’s not due to the key being plastic, but rather because the cylinder isn’t easily bumpable.</p>
<div align="center">
<iframe width="560" height="315" src="http://www.youtube.com/embed/wX2s1KkvyxI" frameborder="0" allowfullscreen="1"> </iframe>
</div>
<p>The software I wrote for this purpose works almost automatically, and given the manufacturer-specific measurements, it can not only create bump keys but also working key duplicates.</p>
<h2 id="coming-up-next">Coming Up Next…</h2>
<p>At <a href="https://toool.nl/LockCon">LockCon 2014</a>, I will present the details including the software described here. If all goes well, I will also be able to show printed bump keys for the ABUS E20/E30 cylinder that everyone can try out. There’s of course no guarantee that I’ll get these working in time, but let’s hope for the best :) See you at LockCon!</p>
<h1>Beware of the KESO</h1>
<p>2014-05-08T00:00:00+02:00, http://unlocked.own-hero.net/2014/05/08/beware-of-the-keso</p>
<p>The KESO series of dimple locks is a well known and (in Europe) very commonly used high security cylinder series that provides not only a high amount of pick resistance but is also outstanding in terms of the resistance it offers against destruction (optional pulling protection, full steel housing, etc.). It is well known that these locks can be picked though, although it requires a fair amount of skill and also depends somewhat on the state and pinning of the lock.</p>
<p>It is also not new that turning these locks by 90 degrees when picked can destroy them, because most of these cylinders have their keyway open at the bottom, such that one row of the side pins will fall into the keyway (key pins, drivers and springs), if not held back by a key. Some other models have a thin piece of metal at the bottom, covering the keyway opening. While this would pose a problem when trying to turn such a lock by 360 degrees to unlock a door, it is not unsolvable. A custom made tension wrench or a key, cut in half, can help overcome this difficulty.</p>
<p>However, recently I’ve found a far more troubling problem with picking some KESOs.</p>
<h2 id="once-upon-a-keso">Once upon a KESO</h2>
<p>I decided to pick a KESO cylinder I had in my collection, that had its keyway closed at the bottom. So in theory, even if I turn 360 degrees, nothing bad should happen. It took a while but I successfully picked it, and turned it 90 degrees. Before reaching the 90 degrees, I already noticed that the core was starting to provide more resistance when turning. On positions 90, 180 and 270 degrees I had to repick only 1-2 pins each time (in fact, many KESOs I tried don’t have overlapping dimples at all and can be turned 360 degrees without relocking). However, the core was getting harder and harder to turn, until I finally got the 360 degrees and closed it. But the core was still very hard to move, and I was puzzled about what could have happened.</p>
<h2 id="dissecting-the-cylinder">Dissecting the cylinder</h2>
<p>Since I had no key and picking it again was not an option given the amount of force required to turn the plug, I decided to dissect the cylinder forcefully with the help of a friend. We made three cuts into the housing so we could just remove it carefully, which revealed what happened: On position 2 of the top row pins, the combination of key and driver pin is so short that it fits entirely into the core, leaving space for the spring to also reach into the core. Furthermore, the driver pin is so thin that picking it while the core has already turned a bit can cause it to “flip” in the housing, standing vertically. My guess is that I either picked all the pins and left that one untouched, or I managed to flip that driver pin with the picking. Either way, it led to the spring being pulled between core and housing, slowly making its way through the metal, causing the core to block.</p>
<p>Here are two pictures of the core when I took it out of the housing:</p>
<p><img src="/assets/images/keso_broken1.jpg" alt="Broken KESO" />
<img src="/assets/images/keso_broken2.jpg" alt="Broken KESO" /></p>
<p>As you can see, the pin on position 2 has turned (and this did not happen while we opened it) and the spring is already jammed up between the core and the bar part containing the driver pins.</p>
<p>Here’s a picture of the key pin together with the driver pin entirely fitting in hole 2 of the core, leaving space for the spring. The broken spring is in front of the core.</p>
<p><img src="/assets/images/keso_broken_core.jpg" alt="Broken KESO" /></p>
<p>Finally, this is how we dissected the cylinder (all pins already removed for this picture):</p>
<p><img src="/assets/images/keso_dissected.jpg" alt="Broken KESO" /></p>
<h2 id="conclusion">Conclusion</h2>
<p>Picking KESO cylinders is possible, but not in a (guaranteed) non-destructive way. While some KESOs behave fine when picked, others might just break as described. Be absolutely careful with picking these, even turning them less than 90 degrees could break them already. I don’t know if this is an intended feature of some KESOs or just bad luck, but for now we can just speculate.</p>
<h1>A look at the ABUS EC700/800</h1>
<p>2014-01-19T00:00:00+01:00, http://unlocked.own-hero.net/2014/01/19/a-look-at-the-abus-ec700800</p>
<p>The ABUS EC 700/800 is an older dimple lock series that has been superseded for a while by the EC 750/850. Both series look somewhat similar, especially their keys. However, there is a huge difference between them: While the EC 750/850 has 6 active pins in its main row plus some passive pins from the top, the EC 700/800 has 4 <em>active</em> pins coming from the top in addition to its 6 main row pins. The total of 10 active pins itself wouldn’t be a big issue yet, if the top pins weren’t exactly facing the bottom pins. With this design, the top pins are overlifted by the bottom pins in their default state. This makes the EC 700/800 one of the most difficult to pick pin tumbler locks.</p>
<p><em>Note: I think this lock was manufactured by CISA like its successor, but if someone could confirm that (and tell me what it was called), that would surely be helpful.</em></p>
<p><em>Note: The orientation is quite important when talking about this cylinder. I will call the 6 pins in the main row “bottom pins” from time to time, while calling the second active row of 4 pins “top pins”. This matches the lock’s use as a euro profile cylinder in Europe. Sorry my American friends, you will have to think the other way around now ;)</em></p>
<h2 id="telling-the-difference">Telling the difference</h2>
<p>The differences between the EC 700/800 and the 750/850 are already visible when looking at the cores:</p>
<p><img src="/assets/images/ABUSEC700-750-Comparison2.jpg" alt="Comparison of the EC700/800 and EC750/850 Cores" /></p>
<p>One can clearly see that the core of the EC 700/800 is smaller while the housing around it is much thicker. This design allows enough space for the driver pins and springs of the 4 active top pins.</p>
<h2 id="key-and-pins">Key and Pins</h2>
<p>A look at the key already reveals some information about the position of the pins:</p>
<p><img src="/assets/images/ABUSEC800-Key.jpg" width="673" alt="An ABUS EC700/800 Key" /></p>
<p>We can see that the bottom row consists of 6 pins, where pins 2-5 face the 4 pins in the top row. Note that the EC750/850 key also can have 4 holes in almost the same position, however, these holes are all the same depth and meant for the passive pins. So in order to distinguish the EC700/800 from the EC750/850 only by the key, just take a look at the 4 holes of the top row. If they have different depths, then it’s an EC700/800:</p>
<p><img src="/assets/images/ABUSEC700-750-Comparison.jpg" alt="Comparison of the EC700/800 and EC750/850 Keys" /></p>
<p>Here’s a picture of the pins used, posted by <em>ingoingo</em> on the Koksa Board:</p>
<p><img src="/assets/images/ABUSEC800-Stifte.jpg" width="673" alt="Pins of the EC700/800" /></p>
<p>The position of the spools may vary, but having them at position 2 and 5 seemed like a very common thing for most of my cylinders. We can also see that all the driver pins have rounded ends, which makes them much harder to pick. Combined with the high accuracy of this cylinder, the rounded ends cause less feedback when setting a pin and require much more tension to stay in place.</p>
<h2 id="the-difficulty-for-non-destructive-opening">The difficulty for non-destructive opening</h2>
<p>As we’ve seen now, the top pins face the pins 2-5 of the main row while pins 1 and 6 of the main row do not have a corresponding upper pin. This is why by default, the top pins are not visible at all because they are entirely overlifted by the bottom pins which have stronger springs. If one starts to pick the main row now, then at some point, one of the top pins is likely to bind, but it will likely be still overlifted. Combined with a highly accurate manufacturing process, this makes it quite impossible to pick the lock the regular way. I’ve heard that some people raked some of these locks, but until now, there was no known reliable method for non-destructive opening that I know about.</p>
<p>After some experiments, I quickly found out though, that either clockwise or counter-clockwise, the top row binds and can be set entirely separate from the bottom row. Initially I used a piece of metal to hold down the main row pins and simultaneously tried to pick the top pins. After the top pins had been set, there was a fair (visible) amount of rotation and the main row was binding. This amount of rotation allowed me to ease up the tension a bit and let the main row pins come back (since they will be overlifted now as well). Finally, this allowed the main row to be picked and the lock opened after a huge amount of time. The whole method was still very impractical though because the tool wasn’t very convenient and it also wasn’t clear if this would work with other models. Here’s a picture of the initial (successful) attempts:</p>
<p><img src="/assets/images/ABUSEC800-Halterung.jpg" width="673" alt="Initial attempt" /></p>
<h2 id="creating-a-little-helper-tool">Creating a little helper tool</h2>
<p>It took a while until I finally came up with a simple idea on how to hold down the bottom pins easily while picking the top pins. The idea was to use a long tension wrench diagonally inside the lock, holding down the main row and touching the upper right corner of the lock with the other side. However, in order to allow the top pins to freely move, the tension wrench would need a large hole in the middle, matching the position of the top row. My initial prototype looks like this:</p>
<p><img src="/assets/images/ABUSEC800-Spanner2.jpg" width="673" alt="Initial prototype for EC700/800 tension wrench" /></p>
<p>Using this tool, I was able to open all of my 5 ABUS EC700/800 models either clockwise or counter-clockwise. When opening counter-clockwise, the tool acts both as a tension wrench and to hold down the bottom pins. When opening clockwise, a second tension wrench is required to apply tension and the tool solely holds down the pins:</p>
<p><img src="/assets/images/ABUSEC800-Spanner.jpg" width="673" alt="Initial prototype for EC700/800 tension wrench" /></p>
<h2 id="result-and-conclusion">Result and Conclusion</h2>
<p>This is the result of a few hours of picking time:</p>
<p><img src="/assets/images/ABUSEC800-alle.jpg" width="673" alt="All of my EC700/800 picked" /></p>
<p>While this lock can also be opened non-destructively as shown, I think that the design is something that deserves appreciation and more popularity. Having several locking elements overlifted by default (when no key is inserted), is an effective way to increase manipulation difficulty. Not only does this make manual picking very hard, but it also effectively prevents bumping and other semi-automatic methods. I could imagine that one of the problems was that the top springs would fail earlier since they’re under tension all the time, but this could probably be resolved by investing more into robust springs for the top row.</p>
<h1>Picking Slider Based High Security Locks - Part 3, EVVA Dual</h1>
<p>2013-07-14T00:00:00+02:00, http://unlocked.own-hero.net/2013/07/14/picking-slider-based-high-security-locks---part-3-evva-dual</p>
<p>In the <a href="/2013/03/19/picking-slider-based-high-security-locks---part-2-evva-3ks/" title="Picking Slider Based High Security Locks - Part 2, EVVA 3KS">last part</a> of this article, we discussed the EVVA 3KS as a springless slider-based lock. In contrast, one of the older cylinders manufactured by EVVA, the <strong>EVVA Dual</strong>, is a slider-based lock that uses the same amount of sliders and sidebars, but the sliders are backed by springs. We’re now going to discuss how that affects picking this cylinder.</p>
<h2 id="the-evva-dual-cylinder">The EVVA Dual Cylinder</h2>
<p>As we previously mentioned, the EVVA Dual is also a high-security cylinder with 12 sliders, 6 on each side, and one sidebar on the left and on the right. Again, the sliders have false gates; however, they are more sophisticated compared to the EVVA 3KS. A very detailed and excellent description of these (and the lock in general) has been written by scholls and is <a href="http://www.koksa.org/viewtopic.php?f=46&t=15081" title="Koksa Board - EVVA Dual">available on the Koksa board</a>. I highly recommend reading this article if you want to pick the EVVA Dual successfully.</p>
<h2 id="picking-the-evva-dual">Picking the EVVA Dual</h2>
<p>For picking the EVVA Dual, I recommend using a very strongly bent hook, because it allows setting sliders without touching the ones in front of it. Picking can be done with a regular round hook, but because the slider parts that you interact with are round themselves, it helps to have a tiny serration on the pick so you don’t slip off the slider while setting it.</p>
<p><img src="/assets/images/SliderToolDual.jpg" alt="Tool for picking the DUAL" /></p>
<p>The biggest problem in the picking process are the false gates. If a slider is in a big false gate and the lock is rotated a bit, there is usually no way to set this slider, even when removing all tension. The best way to avoid this is to set such big false sliders before they actually bind. If you ever hit such a false set, then memorize which slider had it at which height. Then rotate back slightly until it loosens up and you can set it. If you ever lose this slider again (due to another false set), then try to reset it to its correct position from time to time so you don’t run into that false gate again.</p>
<p>That said, even though the sliders are backed with springs here, it can help to see them to confirm they’re not moving or to get their exact position.</p>
<p><img src="/assets/images/EVVADualInner.jpg" alt="DUAL Inner View" /></p>
<h2 id="picking-results">Picking Results</h2>
<p>I’ve had my hands on two EVVA Dual cylinders so far. The first was a cylinder in a padlock without any key, temporarily provided by Toool (Thanks to Barry!). It took me a few days to open this because it was behaving very oddly due to dirt (probably sand) in the cylinder.</p>
<p><img src="/assets/images/EVVADualPadlock.jpg" alt="DUAL Padlock" /></p>
<p>The second cylinder is a regular double cylinder that I bought cheaply. Although it’s used, it’s very clean and provides good feedback. Initially it took approximately 30 minutes to pick it:</p>
<p><img src="/assets/images/EVVADualDouble.jpg" alt="DUAL cylinder" /></p>
<h2 id="comparison-to-evva-3ks">Comparison to EVVA 3KS</h2>
<p>It is hard to say if this lock is easier or harder compared to the 3KS. Both the springless and spring-loaded designs have their advantages. While a springless design is nearly impossible to pick without visual feedback, it is also much easier to correct false gates because other sliders don’t necessarily move when rotating back. The spring-loaded design already provides enough feedback to be picked without any visual aid; however, the springs ensure that you lose correctly set sliders when correcting a false gate (they enforce a certain order of setting). Especially if the lock is very precise in general, which is the case for pretty much everything EVVA manufactures, spring-loaded designs can cause a lot of pain for picking. Overall, I would rate the EVVA Dual to be harder to pick than the 3KS.</p>
<h1>Picking Slider Based High Security Locks - Part 2, EVVA 3KS</h1>
<p>2013-03-19T00:00:00+01:00, http://unlocked.own-hero.net/2013/03/19/picking-slider-based-high-security-locks---part-2-evva-3ks</p>
<p>In the <a href="/2013/03/14/picking-slider-based-high-security-locks---part-1-assa-desmo" title="Picking Slider Based High Security Locks - Part 1, ASSA Desmo">first part</a> of this article, we discussed the ASSA Desmo which has a limited amount of sliders and a relatively large keyway. With the same methods, we’re going to try to open an <strong>EVVA 3KS</strong> now.</p>
<h2 id="the-evva-3ks-cylinder">The EVVA 3KS Cylinder</h2>
<p>The EVVA 3KS is a high-security cylinder with 12 sliders, 6 on each side. On each side, there is a sidebar that can enter the sliders if they are properly aligned. Sliders also have false gates that make the picking process harder. The key is much thinner compared to the ASSA Desmo, so there’s much less space for picking as well. Also, there are some sliders with two pins on them and those pins are shorter compared to the one-pin version. This can lead to accidentally touching the larger pins and is also confusing when trying to see the different sliders.</p>
<p>The <a href="http://www.lockwiki.com/index.php/EVVA_3KS" title="LockWiki - EVVA 3KS">lockwiki</a> also has an entry for this lock that I recommend reading if you want to know more.</p>
<h2 id="picking-the-evva-3ks">Picking the EVVA 3KS</h2>
<p>In order to pick the 3KS, we’re going to use the same lighting method that we already used for the ASSA Desmo – a 0.75 mm optical fiber that we place under the torsion wrench. This method provides some amazing insights into the inside of the cylinder:</p>
<p><img src="/assets/images/3KSInner1.jpg" alt="3KS Inner View" />
<img src="/assets/images/3KSInner2.jpg" alt="3KS Inner View" /></p>
<p>With this view, it’s clear that our chances to pick the 3KS successfully are much higher compared to a blind approach.</p>
<p>For the picking, I used the same tool that I previously used for the Desmo:</p>
<p><img src="/assets/images/SliderTool.jpg" alt="Tool for picking the 3KS" /></p>
<p>The picking process is also very similar: We start searching for the binding slider with a good amount of torque applied. With the sliders being visible, it’s easier to see if a slider moves freely by touching it and slightly trying to push it up and down to see if it moves. Non-binding sliders move even on the lightest touch while a binding slider moves only under force or doesn’t move at all (e.g. in a narrow false gate). Note that the last two sliders can be hard to see/observe even with light; extra care might be required to confirm they are not binding. Once we have identified the binding slider, we put a little pressure on it and if it doesn’t move, we reduce torque until it does. If this slider is in a false gate, it might even be necessary to temporarily remove all torque.</p>
<p>After setting a slider (most of the time when taking it out of a false gate), other sliders might change their position slightly (drop a little, or get accidentally moved with the pick). If the cylinder was already rotated a few degrees (due to a false gate) and doesn’t return into that position after setting the slider correctly, one must carefully check all the other sliders without accidentally moving them around. Note that even in a fully horizontal position, these sliders usually don’t immediately fall down due to gravity, as one would expect. However, vibrations and other impact on the cylinder can make this happen easily, so too much force is usually a bad idea.</p>
<p>One last trivial but important thing is the position of the torsion wrench. If you put the torsion wrench into the cylinder, make sure you are not blocking the two sidebars which also “grab” the key at the entrance of the cylinder (on the left and right, the sidebars will enter the keyway to hold the key while rotating).</p>
<h2 id="picking-results">Picking Results</h2>
<p>As someone donated 3 EVVA 3KS double cylinders to me (thanks again!), one with a key, two without a key, I had plenty of time to test this method. I opened two of them on the same day I got them</p>
<p><img src="/assets/images/3KSPicked.jpg" alt="3KS Inner View" /></p>
<p>and also reopened one of them in a fully horizontal position to confirm that it still works. As I mentioned already, the sliders don’t fall down even in this position. Retak from the Koksa community suggests that this is due to some special grease being used in these cylinders. I think it’s also due to the friction and the force required to overcome it being larger than gravity (as the same effect can be seen in the ASSA Desmo). Probably both factors contribute to this behavior.</p>
Picking Slider Based High Security Locks - Part 1, ASSA Desmo
2013-03-14T00:00:00+01:00
http://unlocked.own-hero.net/2013/03/14/picking-slider-based-high-security-locks---part-1-assa-desmo
<p>In this and the next article, I’ll describe how to pick two springless slider-based locks. In general, these locks work the same way: They have springless sliders on each side of the lock that have one or more cuts (also called gates) for a sidebar to enter them. In order for the sidebar to fit in, the sliders must be moved to a certain height each. Usually, the sliders each have a pin/knob on them that the key can interact with. For this purpose, the key has one or more tracks on its sides. When the key is inserted, the pins of the sliders on each side fit into the track and get moved to the correct height. Don’t worry, this probably gets much clearer with some pictures. For our first lock we’ll use the <strong>ASSA Desmo</strong>.</p>
<!--more-->
<h2 id="the-assa-desmo-lock">The ASSA Desmo Lock</h2>
<p>The ASSA Desmo is a rather small lock primarily manufactured for the gaming and casino market. Applications might include protection of machines (e.g. slot machines), change banks, cash drawers and so on. Therefore it’s clear that this lock has to provide a high amount of security even though it can’t be very large in size. Furthermore, protection against manipulation of all sorts is probably more important than protection against destructive entry.</p>
<p>For this purpose, the ASSA Desmo uses a total of 8 sliders, 4 on each side. Each side has its own sidebar, which means two sidebars in total. There is a great set of pictures showing a <a href="http://keypicking.com/viewtopic.php?f=88&t=6066#p49567">gutted Desmo on the keypicking.com board</a>. Note that although the sliders here somewhat look like regular pins, they are not operated by the lower side of the key, but by the tracks on the left and right.</p>
<p><img src="/assets/images/Desmo.jpg" alt="ASSA Desmo" /></p>
<h2 id="picking-the-desmo">Picking the Desmo</h2>
<p>During the first picking attempts, I quickly noticed that picking the lock without being able to <strong>see</strong> the sliders would be very hard for two reasons:</p>
<ol>
<li>
<p>The difference between a binding and a non-binding slider is, in my opinion, harder to feel than for spring-based sliders/pins. The non-binding slider will either be able to move completely freely (easy to notice) or it will be able to move slightly within its gate. The latter case is harder to feel because it requires moving the slider up and down rather than just pushing on it. However, if one is able to see the slider, it’s often easy to notice that it can move when touching it with the pick.</p>
</li>
<li>
<p>When setting a slider, one can accidentally touch other sliders. Especially when moving a slider out of a false gate, chances are high that either vibration or accidental touching moves another slider out of its proper position. While this cannot be avoided all the time, it’s easier to fix if you can immediately see which slider probably moved.</p>
</li>
</ol>
<p>This is also the reason why some people use cylinders that allow light to enter from the back (e.g. by removing the coupling on a single-sided cylinder). I also used this technique when I first picked the Desmo and I put a lamp behind it in order to see even more. However, it’s clear that this isn’t a very realistic scenario so I was looking for something that could also be applied to a properly installed cylinder.</p>
<h3 id="let-there-be-light">Let there be light</h3>
<p>To solve the light issue, I decided to bring lighting into the cylinder using an <strong>optical fiber</strong>. So I took a 0.75 mm thick fiber made of PMMA (acrylic glass), put it through a cork and attached the cork to my cell phone, which has a bright LED. Here’s what it looks like:</p>
<p><img src="/assets/images/DesmoLight1.jpg" alt="Desmo Light Setup" />
<img src="/assets/images/DesmoLight2.jpg" alt="Desmo Light Setup" /></p>
<p>As one can see, the optical fiber is right under the torsion wrench, so it’s not in our way when picking. Now we can take a closer look inside the lock as well:</p>
<p><img src="/assets/images/DesmoInner1.jpg" alt="Desmo Inner View" /></p>
<p>One can clearly see the first four sliders; the other four sliders are behind those. Note that the Desmo is usually open at the end, but I covered the opening with some black paper to take away most light from the back. If we shift our viewpoint a little, we can also see that even the last slider is clearly visible with the light:</p>
<p><img src="/assets/images/DesmoInner2.jpg" alt="Desmo Inner View" /></p>
<h3 id="the-actual-picking">The actual picking</h3>
<p>Now that we can see each slider, picking is much easier. I use a (very small) self-made dimple pick, but a half-diamond will likely work as well at least for the Desmo, since the key is quite thick:</p>
<p><img src="/assets/images/SliderTool.jpg" alt="Tool for picking the Desmo" /></p>
<p>To pick, one should start with medium torsion, then search for the binding slider. Once the slider has been located, a lighter torsion should be used while trying to move it. If the slider is not moving (e.g. in a false gate), it helps to almost completely take away torsion and then attempt to move it again. Attempting to move the slider forcefully will usually also work but produce a lot more vibration that can cause other sliders to change their position, so it’s not advisable.</p>
<p>But even when proceeding carefully, sometimes sliders accidentally get moved. Therefore, it can help to memorize the position of the sliders (or write it down). Furthermore, it’s often the same slider(s) that have to be corrected. When following these instructions, the lock should be open after a while:</p>
<p><img src="/assets/images/DesmoPicked.jpg" alt="Desmo picked" /></p>
<p>If you liked this article, make sure you also check out the <a href="/2013/03/19/picking-slider-based-high-security-locks---part-2-evva-3ks" title="Picking Slider Based High Security Locks - Part 2, EVVA 3KS">second part</a>, where we’ll take a look at the EVVA 3KS.</p>
First!
2013-03-09T00:00:00+01:00
http://unlocked.own-hero.net/2013/03/09/first
<h2 id="what-is-this-all-about">What is this all about?</h2>
<p>After some people asked me to blog about my hobby, I finally decided to create this page. So what is it about? It's about a sport called lock picking which is concerned with <strong>non-destructive opening of locks</strong>.</p>
<!--more-->
<p>I am a big fan of this sport and have a growing collection of locks, most of which I can open by now. I'm furthermore interested in different and maybe new techniques that might be helpful for this purpose. </p>
<h2 id="why">Why?</h2>
<p>Simply because it’s fun! I like solving problems and riddles and opening a lock requires skill, concentration and sometimes creativity. And that’s what it’s about :) Furthermore, locks themselves are often underestimated in terms of complexity. People just use them on a regular basis but some locks really have a unique and complex mode of operation which deserves to be studied. Another nice thing about lock picking is that it’s mostly an “offline” activity. I am an IT person, some people might say a “nerd” and it’s really nice to have an additional hobby that is not IT-related. Even better, with this hobby I also got interested in mechanical work, like metalworking, required to create additional tools.</p>
<h2 id="what-it-is-not-about">What it is not about…</h2>
<p>My hobby, the sport and this page are not about breaking into people’s houses, opening stuff that you aren’t authorized to open or any other kind of illegal activity. Lock picking as a sport and hobby is strictly about opening <strong>your own locks</strong>. Of course I’d always help a friend or neighbor who’s in trouble, but even that requires careful checking and keeping a record of your activities.</p>
<p>Now people might be asking “Aren’t you encouraging/teaching burglars with your site?”. I’d say no for two reasons:</p>
<ul>
<li>Burglars usually have easier ways to get around locks (especially since they don’t need to open them non-destructively). Lock picking is just not practical in most of these scenarios.</li>
<li>Information is not everything required to be successful in lock picking. The other thing you need is <strong>practice</strong>, and a lot of it for sure. Those that are willing to practise that much to use it for illegal activities also will have other ways to get the necessary information. I’d imagine that these are usually parties that have enough money and resources available, like governments or businesses involved in industrial espionage.</li>
</ul>
<p>One more reason to publish such information is that although most (if not all) locks can be picked, some are a lot easier to pick than others. If this is due to a particular vulnerability, and/or if there are ways to improve, then we should always talk about the problems openly to get them addressed.</p>