Terra Matsu
18-09-2004, 09:37
Twist a Pen, Open a Lock by Leander Kahney
A 50-year-old lock design was rendered useless last week when a brief post to an internet forum revealed the lock can be popped open with a cheap plastic pen.
"Your brand new U-Lock is not safe," warned Brennan in a note posted to Bike Forums. (http://www.bikeforums.net/showthread.php?t=66128&page=1&pp=25)
Wired News tested Brennan's claims. A brand new Kryptonite Evolution 2000 (http://www.kryptonitelock.com/inetisscripts/abtinetis.exe/PublicArticleDetails@public?artid=2789&atf=products_item&pgrp=20) was opened in seconds using a Bic pen. After cutting four small slits in the end of the pen's barrel to ease it in, the lock opened with a single twist.
Brennan, 24, of San Francisco, said he successfully opened two Kryptonite locks, an Evolution 2000 and an older Kryptonite Mini lock.
Subsequent posts (http://www.bikeforums.net/showthread.php?t=66128&page=20&pp=25&highlight=kryptonite+york) to Bike Forums and other websites report the vulnerability applies to many of the company's cylindrical-lock products, including some from Kryptonite's vaunted New York series.
"That's the absurdity of it," Brennan said. "It's not picking the lock or smashing it open. It's the absurdity of a small piece of plastic breaking your unbreakable lock."
"They're worthless," he added. "I don't trust them anymore."
Kryptonite declined to comment, but in a statement, the company said it is rushing to market a new "disc-style cylinder" design that is more secure. The disc-style cylinder is used in the New York products.
"Kryptonite will provide the owners of Evolution and KryptoLok series products the ability to upgrade their crossbars to the new disc-style cylinder, where possible," the statement said. "This cylinder provides greatly enhanced security and performance. Kryptonite is finalizing the details of this upgrade process and will publicly communicate these details as soon as possible."
Brennan said he will not be buying a new lock from Kryptonite.
"That's a slap in the face," he said. "They're looking to profit from a series of mistakes they made. They need to replace their faulty product."
The vulnerable Kryptonite locks use an axial pin tumbler, a common cylindrical design used in a wide variety of products. The lock's design was invented at least 50 years ago by Chicago Lock, said attorney and security consultant Mike Tobias, who claims to have first publicized the design's vulnerability five weeks ago.
In early August, Tobias' website, Security.Org (http://www.security.org/), claimed laptop security locks by Kensington Technology Group, Targus and Compucage International could be easily compromised with a pen or a toilet-paper tube.
"It's the same problem," said Tobias. "Isn't it incredible? There are millions of people who are reliant on these locks. The problem for Kensington and Kryptonite is that everyone knows it now."
Tobias said not all axial locks are vulnerable, depending on several factors such as the lock's diameter (to match the pen) and the lock's engineering tolerances. He claims to be a veteran lock-and-security consultant who has worked for lock manufacturers, government agencies and law enforcement.
Kryptonite and CompX International, which now owns Chicago Lock, didn't respond to requests for comment.
When told of the vulnerability, Tom Volk, owner of American Bicycle Security (http://www.ameribike.com/), which makes bike lockers and racks, expressed surprise. "That's not good for them, but other companies are using the same lock. They all use a seven-pin tumbler lock."
Volk noted that several cylindrical lock picks (http://www.lockpicks.com/index.asp?PageAction=VIEWCATS&Category=220) have been available online for more than a year. Volk said they apparently work well, opening locks in seconds.
The lock's flaw was apparently first publicized in 1992 in the United Kingdom, according to BikeBiz.com (http://www.bikebiz.co.uk/daily-news/article.php?id=4637). The BBC even covered it, but the news apparently didn't resurface until a dozen years later.
"We read about it online like everyone else," said Leah Shahum, executive director of the San Francisco Bicycle Coalition (http://www.sfbike.org/). "It's amazing, but a lot of people have heard of it. The news is definitely out there."
Brennan said his experience in computer security gave him no doubt about publicizing the vulnerability.
"The problem's not going to go away," he said. "Keeping it quiet just gives thieves more time to use this to their advantage. I wanted to let people know they are vulnerable. It's an illusion of security."
Original article in its Wiredy goodness (http://wired.com/news/culture/0,1284,64987,00.html?tw=wn_tophead_7)