
Red Team Operations: Lock Picking and Physical Security

February 11, 2019 by Lester Obbayi

Introduction

In this article, we discuss the art of lock picking, exploring the different lock types and the tools that Red Teamers use to pick them. Finally, we walk through a practical procedure for picking the well-known pin tumbler lock.

Overview

Locksmiths have over the years defined lock picking as the manipulation of a lock's components to open the lock without its key. It is practiced as a craft by locksmiths and security professionals, as well as by criminals.


Before we explore the different types of locks and how to pick them, we’ll try to understand why one would even want to learn this skill as a Red Team member.

Why Should Red Team Members Learn How to Pick Locks?

In Red Teaming and penetration testing, physical security is generally an underappreciated area. Security professionals tend to focus on other areas such as vulnerable applications, networks and social engineering. This need not be the case, since physical security is also a significant attack vector for many organizations.

For this reason, lock picking is studied and incorporated into the multi-layered attack simulations that make up Red Team exercises.

Different Types of Locks and Their Common Functionality

There are many lock types that malicious attackers and Red Teamers encounter during their engagements. Locks can be classified into two broad categories:

Locks With Physical Keys

These locks require that the correct key be used to unlock them. Various techniques have been developed over the years, resulting in a number of lock implementations. Let's discuss a few:

  • Pin tumbler locks: A pin tumbler lock has a set of pins that prevent the plug from moving unless the correct key is inserted. How these locks work, and how they are picked with the right tools, is covered in detail in the following sections.
  • Warded locks: These are the simplest locks in use today. They work by placing obstructions (wards) inside the lock that require a key with matching ridges to pass them. Bypassing such locks is simple, since it only requires a skeleton key whose ridges clear the obstructions.
  • Wafer tumbler locks: These apply a principle similar to the pin tumbler lock. However, instead of a series of pins (each stack made of separate pieces), each tumbler is a single piece called a wafer. These are mostly used in vehicles and cabinet locks.
  • Disc tumbler locks (Abloy): These are often confused with wafer tumbler locks. Here, slotted rotating detainer discs are used. These locks are very difficult to pick with conventional tools, making them among the most secure locks available today.
  • Lever tumbler locks: This is arguably the simplest lock implementation currently in use. A set of levers prevents any movement of a bolt within the lock. Bypassing this lock is simple: lifting each lever to a certain height allows the bolt to slide past, achieving a successful pick. These simple locks can be found in old padlocks.
  • Magnetic keyed locks: As the name suggests, these locks use magnets that either push or pull tumblers within the lock. Once the correct orientation has been achieved, the lock opens.

Locks With Electronic Keys

  • Electronic locks: These locks use an electric current and are connected to an access control system. Occasionally they are standalone, with only an electronic control assembly mounted directly on the lock. When electronic locks are connected to access control systems, they gain extra functions such as key control, fine-grained access control and transaction logging.
  • Keycard locks: These locks use a flat card with dimensions similar to those of a credit card. Access is granted only when the key card and its signature match. They can also be implemented in vehicle doors, where the setup includes a smart key radio transmitter and a randomly generated valid code. In the vehicle door implementation, a combination of keycard and pin tumbler locks can be used.
  • Smart locks: These locks are entirely electronic and receive lock or unlock commands from a device that combines a cryptographic key with a wireless protocol. Such locks normally have phone apps that act as remote controls. These locks cannot be picked with common lock pick tools.

What Are the Different Types of Picks Available Today?

There are different types of picks for different locks. Even though some categories of locks cannot be opened with the conventional tools (picks and tension wrenches), many still can. A pick generally follows the design below:

Source: MIT Guide to Lock Picking

The tip will have different designs, often with a front and back angle, and the tang will connect the handle and the tip.

The following are examples of picks that can be used for picking individual pins:

Source: MIT Guide to Lock Picking

When it comes to picking multiple pins at once, you can use a set that contains rake picks. These have multiple ridges that allow you to rake more than one pin, bouncing the pins until they are positioned above the shear line. (We'll see more on that in a minute.) The image below shows an example of a rake, commonly referred to as a snake.

Source: MIT Guide to Lock Picking

Lock picking with rake picks is far less complicated than picking individual pins. There are also multiple rake designs shaped to mimic the heights of the pins in the lock. See the rake below.

Source: MIT Guide to Lock Picking

Note that the height will differ depending on the lock you are attempting to pick.

Pin Tumbler Locks Illustrated With and Without a Key Inserted

One of the most common types of lock today is the pin tumbler lock. These locks are based on the common cylinder-lock design from which many locks derive, the main difference being the pin mechanism inside the lock itself.

The image below shows the general design of the pin tumbler lock: the hull, which houses the plug and the pin chambers; the plug itself; and the pin stacks, each consisting of a spring, a driver pin and a key pin.

Source: MIT Guide to Lock Picking

The pin tumbler lock with the key inserted is shown above. Notice in the image on the right that when the key is turned, the key pin sits entirely within the plug and the driver pin entirely within its chamber in the hull.

Source: MIT Guide to Lock Picking

The pin tumbler lock with the key removed is shown above. Notice on the right that the plug cannot move, since the spring in the chamber (in the hull) pushes the driver pin down across the shear line and into the plug. This prevents the lock from being unlocked.

Understanding the Functionality of a Pin Tumbler Lock

A pin tumbler lock consists of several pairs of pins running through the cylinder and into a central plug. Each pair consists of a driver pin (with a spring above it) on top and a key pin on the bottom, which touches the key once the key is inserted. The key pins are of different lengths, and once the correct key is inserted into the keyway, each pin is pushed upwards by an amount matching its length, allowing the plug to rotate.

When a wrong key is inserted, the pins fail to align correctly and the plug cannot move: whenever a pin stack's boundary is not level with the shear line, the plug is blocked. When the correct key is inserted, every key pin is pushed to exactly the right height, so every boundary aligns with the shear line and the plug is free to move.
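The shear-line rule above is easy to model. The following Python simulation is an added example and is not part of the original article or of any referenced source; the pin lengths, the shear-line height and the "depth units" are constructed values chosen for illustration. It classifies each chamber as aligned, blocked by a driver pin that straddles into the plug (key pin lifted too little), or blocked by a key pin that straddles into the hull (key pin lifted too much), which is exactly why a wrong key, or no key, leaves the plug immovable.

```python
from dataclasses import dataclass
from typing import List

# Constructed model: heights are in arbitrary "depth units". The shear line is
# the boundary between the plug and the hull; a pin stack lets the plug turn
# only when the key-pin/driver-pin boundary sits exactly on it.
SHEAR_LINE = 10


@dataclass(frozen=True)
class PinStack:
    key_pin: int     # bottom pin, touched by the key; its length varies per chamber
    driver_pin: int  # top pin, pushed down by the spring (kept for completeness;
                     # the shear-line test depends only on the key pin's lift)


def correct_key(stacks: List[PinStack]) -> List[int]:
    """Bitting that lifts every key pin so that its top lands on the shear line."""
    return [SHEAR_LINE - s.key_pin for s in stacks]


def chamber_states(stacks: List[PinStack], bitting: List[int]) -> List[str]:
    """Classify each chamber for a given key.

    bitting[i] is how far the key lifts the key pin in chamber i
    (0 means the pin rests at the bottom, as with no key inserted).
    """
    if len(bitting) != len(stacks):
        raise ValueError("bitting must have one cut per pin stack")
    states = []
    for lift, stack in zip(bitting, stacks):
        boundary = lift + stack.key_pin  # top of the key pin / bottom of the driver pin
        if boundary == SHEAR_LINE:
            states.append("aligned")
        elif boundary < SHEAR_LINE:
            # Lifted too little: the driver pin reaches down into the plug.
            states.append("driver pin in plug")
        else:
            # Lifted too much: the key pin pokes up into the hull.
            states.append("key pin in hull")
    return states


def blocking_chambers(stacks: List[PinStack], bitting: List[int]) -> List[int]:
    """Indices of the chambers that prevent rotation for this key."""
    return [i for i, st in enumerate(chamber_states(stacks, bitting)) if st != "aligned"]


def plug_turns(stacks: List[PinStack], bitting: List[int]) -> bool:
    """The plug rotates only when no chamber blocks the shear line."""
    return not blocking_chambers(stacks, bitting)


# Constructed five-chamber lock. Key pins differ per chamber, so the key is
# defined by how far each chamber must be lifted.
LOCK = [PinStack(3, 5), PinStack(6, 2), PinStack(4, 4), PinStack(5, 3), PinStack(2, 6)]

if __name__ == "__main__":
    good = correct_key(LOCK)
    wrong = good[:-1] + [good[-1] - 3]   # last cut lifts its pin too little
    none = [0] * len(LOCK)               # no key inserted
    print("correct key", good, "-> turns:", plug_turns(LOCK, good))
    print("wrong key  ", wrong, "->", chamber_states(LOCK, wrong))
    print("no key     ", none, "->", chamber_states(LOCK, none))
```

Run it as a script to see the three cases side by side. The model makes one point the prose only implies: a single misaligned chamber, in either direction, is enough to hold the plug, which is why a key that is correct in four of five positions opens nothing.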

Picking the Pin Tumbler Lock

Lock picking can be done with different tools. Here, we are interested in the tension wrench and the rake pick. We shall follow these steps:

a) Using the tension wrench

The tension wrench is used to hold the key pins at the correct height so that they stay aligned with the shear line. Tension wrenches come in multiple designs: lightweight, medium-weight, rigid and double-sided. Your choice of tool will depend on the lock you are picking. We went with the lightweight tension wrench for this exercise.

Insert the tension wrench at the bottom of the keyway and turn it slightly. As each key pin reaches the shear line, apply a little force to turn the plug a bit. With just the right amount of force, the driver pin moves above the shear line and the plug rotates slightly. Keep doing this until all of the driver pins have risen above the shear line. Note that this happens for each pin, one by one — a tedious yet rewarding endeavor.

If you apply too much tension with the wrench, the driver pins bind, which is what you don't want.

b) Using the pick

You can use any pick at this point, either working the pins one by one or using a rake pick to work all pins at once. We will use the Bogota rake, which has three ridges. It is inserted at the top of the keyway. (Remember that we inserted the tension wrench at the bottom.) See the image below:

Source: The Art of Manliness

The rake should be pushed until it reaches the back.

c) Simultaneously move the tension wrench and rake

While slowly turning the tension wrench in the unlocking direction, push the rake back and forth, scrubbing the pins. See below for the positions of the driver pin and key pin.

Source: MIT Guide to Lock Picking

d) Repeat the process

Repeat this process until the key pins are released, drop and rest in the plug, and the plug can turn fully.

Source: MIT Guide to Lock Picking

You might, however, find that the plug is not turning. If so, you have probably applied too much force with the tension wrench. In that case, remove the wrench and rake (allowing the pins to reset) and begin afresh.

The key to mastering this procedure is practice. You might also want to acquire a transparent practice lock.

Unpickable Locks

You might come across HYT locks once in a while. These are perhaps the most difficult locks to pick, due to the hundreds of movable parts within the lock itself. The key snakes about inside the keyway to match the pins correctly and unlock the lock. A great video of this in practice can be found here.

These locks can be picked, as documented here, but only with a great deal of hard work and possibly some home-built pick tools, since conventional picks will almost certainly not work on this lock.

Conclusion

This article has focused on locks and on how to pick one particular type, the pin tumbler lock. Lock picking is an interesting field that not only teaches a Red Teamer patience but also shows how many locks only create the illusion of security. If this article has piqued your interest, take a deeper look and learn how to pick the more challenging locks.


Sources

  1. An Introduction to Lock Picking, The Art of Manliness
  2. CIA Lock Picking: Field Operative Training Manual
  3. Why hackers learn to pick locks, IT News
  4. How Lock Picking Works, HowStuffWorks
  5. MIT Guide to Lock Picking, Theodore T. Tool

Lester Obbayi

Lester Obbayi is a Cyber Security Consultant with one of the largest cyber security companies in East and Central Africa. He has a deep interest in cyber security and spends most of his free time doing freelance penetration tests and vulnerability assessments for numerous organizations.