Yesterday Han and myself visited an Abloy service center. This is a
highly restricted area where no strangers are allowed in. But when Han
is in the house all doors open. Especially when he reveals tricks to
them they never heard of before. His knowledge on Abloy is truly
overwhelming and keeps amazing them, over and over and over again.

Yesterday he wanted to know if an asymmetric key pair could be
designed for the Abloy Protec. With asymmetric I mean there is one key
that can only open the lock (only turn counter clockwise), and the
other key can only close the lock (only turn clockwise). A master key
can be cut that will open the lock in both directions.

View the exclusive “behind enemy lines” blackbag video to learn how
individual abloy protec and diskclock keys are cut, and how asymmetric
key cutting for Abloy locks is done.
http://blackbag.toool.nl/video/abloy-keycut.wmv (80 Mb)

You could also use the video to explain people the theory behind
public key cryptography with this video. But you better leave out the
blue key that can both open and close the lock.

Somehow we lost our old stack of stopwatches. Meaning that we did not
score many good times at the ‘continues competition’ last Wednesday at
the Toool club evening in Amsterdam. We only had two or three
stopwatches left. Having said that, it was a very good day for Marnix
and Paul Boven. They both opened the Medeco Axial lock (number 14) for
the first time. Paul even improved my time on the lock. grumble …

 

 

Back to the stopwatches. We lost ours and I was looking for new ones.
Jos pointed out some local e-bay add, and yesterday at 22:00 I bought
95 pieces of high quality stopwatches. It is a good thing I could buy
so many at the same time … after all, the Dutch Open lockpick
championships are going to happen real soon now. Within a few days you
can read all about the schedule of the Dutch Open 2006 on the Toool page.

 *Small update: Walter (Toool Eindhoven) recovered the stopwatches…

A small update on some of the articles on this site.
There is one in English, one in German and one in Dutch.

 

 The first update is on the website of our campaign against voting computers.
We now have an English page on our website. And the newsletters are translated
into English too. The last one came out today.
http://www.wijvertrouwenstemcomputersniet.nl/Newsletter_4_-_23_September_2006

The second update is on the German car test in the Auto Bild magazine.
A scan is now available thanks to a loyal reader of this blog.
http://blackbag.toool.nl/images/auto-bild.pdf (PDF 1Mb)

The third update is a scan from the Dutch article in ‘De ingenieur’ about
bumpkeys. http://toool.nl/INGR10_11_p64_73_Sloten.pdf (PDF 1Mb)

I hope you enjoy the material…

Ebay has the policy not to sell burglary tools. And therefore nobody
can sell our beloved lockpick sport sets on Ebay. Bummer, but we will
have to live with that. Having said that, they do not seem to have a
problem selling bumpkeys. As long as you specifically mention it is
_not_ a bumpkey but a ‘depth key’ they do not mind. The nice thing for
the seller of these *cough* depth keys is that people who enter ‘bump
key’ in the search screen on ebay will find these keys for sure … sigh …

 

 

 

And talking about Ebay … Han Fey is offering his Drumm shield and Abloy
protec lock on there. It is the original lock used for his Drumm article.
I think he will autograph it free of charge if you win the bid.

 Click on the images to be redirected to the ebay bids….

 

 

Mauer sure has/had some interesting products to offer. I must
admit I like it when people think outside the box. And that is what
the engineers of Mauer did when designing some of their locks. The
keys to some of their models are twice as long as conventional keys.
That is because they run trough both sides of the core on a euro
profile cylinder. That is right, pins on both sides of the lock have
to be in the right place before the lock will open. This improves
security quite a lot. Picking becomes very hard since all standard
picks are way too short. Using a pick gun? Forget it.
Can they be bumped? I think so but have not tried …

The first generation of these locks made use of an ordinary key. The
big disadvantage was that the keyway on the inside was a mirror image
from that on the outside. In order to lock the door from the inside a
smaller key was used (only 5 pins), that would not even fit the front
of the lock since that keyway was a mirror image.

Later models used dimple key. This was a symetric keyway, and the long
key that would close the lock from the outside could also be used on
the inside.

I am sure Han Fey will write an article about these magnificent locks
someday. Until then you will have to live with these images (zip 7Mb)

Currently (in Europe) burglars have tools and techniques to break your
euro profile cylinder in half. These Mauer locks are protected against
that too. If you take a good look on the image above you can see they
‘pre cut’ the lock. If someone tries to break the cylinder only 50% of
one side of the lock will come out. A second try will release another
25% but leave the lock intact and closed. So picking or breaking the
first part of the lock will not do you any good.

 

As some of you may have noticed there is some media attention in the
US about the Bump key technique. Aloa, the biggest locksmith
association in the world, tried to downplay the seriousness of the
threat. And some big companies like, for example, Mul-T-Lock also
address the issue. Maybe they did not read the Consumer reports test
2006 where, two out of three of their locks were opened. Even by layman.

Read their comforting words and feel safe and secure again:

http://aloa.org/pdf/bumpkeys.pdf

http://www.mul-t-lockusa.com/newsdetails.asp?newsid=51
 

Marc Tobias took the time to address these ‘nothing to worry folks’ messages.

Read his point of view in an open letter to Aloa and the lock industry.
I fully agree with him. The only thing that is missing is the word ‘AMEN’.

http://www.security.org/middle_RESPONSE_ALOA.htm 

In het dagblad van het noorden stond gisteren een artikeltje over de
mysterieuze auto inbraken te stadskanaal.

Ben benieuwd of we er ooit achter zullen komen wat de truuk is …

Klik op het artikel om het te lezen.

(English: Dutch local media report about the mysterious car burglaries)

 

I am just having dinner when the phone rings. It is X from Israel.
The one who tried to recruit me. Hanging up the phone is fruitless.
It rings again seconds later … Sigh. I tell him to leave me alone me and
hang up again.

It was to be expected these guys don’t take no for an answer, but it
sure as hell is annoying.

Now a mail comes in about a lock they send me. As if nothing happened.
Are they trying to play dumb?

Anyway, I send back the lock and hope the problem goes away.

If I get hit by a piano that fell from an airplane you know who is
behind it …

 

Something strange is going on in the city of Stadskanaal (Groningen).
Police got a lot of complaints from people who had stuff stolen from
their car. The strange thing is the thieves did not damage the car or
the locks while taking out stuff. Police guesses there is a
vulnerability in the electronic opening mechanism and the burglars
somehow exploit it. The interesting fact is that many different makes
and models where opened. A journalist who just called me told me there
was a big list of brands involved, ranging from cheaper models to
Mercedes and Jaguar. Police is now investigating if there is a device
on the market that will crack the remote control codes or otherwise
opens the cars without damage ….

Of course we are all curious what this could be. Maybe it is indeed
some device that will try to guess (brute force) the right remote
control code. It could also be there is something else going on. A
weakness in the electronic system of the car that will do an
’emergency opening’ if you zap the car with a cattle prod or tazer.

 

 

 

I have been an expert witness in a court case concerning a specific
car theft in The Netherlands a couple of years ago. And I did study
the subject of remote controls then. One of the things I found out was
most modern remote controls use a so called ‘rolling code’. Meaning
you can not record the bits from the control and ‘replay’ them to the
car. The only weakness I found then is that some remote controls will
start at the beginning of the sequence when the battery is changed.
And the cars will open if the beginning of the sequence comes by. But
I am not convinced this is how the thieves gained access.

Small update: If an high-power transmitter would be used that spits
out a random bitstream at the remote control frequencies (around
433.920 Mhz) you might have a chance of accidentally opening a car.
This just would depend on the amount of correct bits needed.
Especially in an area where you would find lots of cars (like a
parking garage or big square filled with cars) you might get lucky.
Again, depending on the amount of correct bits needed to open a car.

I posted this question on nl.radio.scanners and hope a local radio
enthusiast can be found that is willing to scan the small range for
long uninterrupted digital transmissions that sound like this one
blackbag.toool.nl/images/remote-keypresses-433950mhz.wav

 

More updates: 13 september 19:10
Did you ever hear about the trick where people could open a Mercedes
with a ping-pong or tennis ball? It is an urban legend from years
ago. The complete Mercedes lock could not be manipulated with hooks
etc because it was completely shielded. In fact so sheilded it was
almost air thight. If you would smash a pingpong ball or prepared
tennis ball to the lock the air that is blown into the lock can only
escape by lifting the buttons up and unlocking the car. This is an old trick
and does not work anymore. One of my informants thinks it might still
be possible with a portable air pressure device. Currently small
compressors are one the market that can deliver 8 bar of pressure.
Maybe these locks where ‘blown open’? Sounds feasible to me ….

BTW: should I create a new article when I update or do readers like it when I paste in an existing posting?

To be continued …

I do not want to insult the people from Denmark by using an image of
the famous ‘Swedish Chef’. A long item about bumping aired in Denmark
recently and today I received a copy. I can understand as much of the
item as I could understand the Swedish Chef in his hilarious
Muppet-show performances. My wife Charlotte was creative with
Photoshop and did the rest. For those speaking Danish and those collecting info
worldwide about bumping the video can be found here (WMV, 33 Mb, 25 min)

 

 

The bumpkey story also broke in the US. Check this TV item broadcasted by CBS.