Electronic door lock bypass trough static electricity

As many of you might know, I have a passion for clever ways to bypass electronic locks (YouTube).

And I just got a mail from a ‘blackback informer’ that pointed me to a highly interesting YouTube video.
The only problem with YouTube video’s is that you never know if it is a hoax or not.

However this video seems genuine and I believe the following trick could work!

On the video we see a euro profile cylinder, supposably a ‘Uhlmann & Zacher‘ electronic door lock, that seems to open when charged with static electricity.

When a metal ring is turned clockwise the lock seems to be charged, allowing it to open and close, even when no transponder key is present.
Turning the ring counterclockwise seems to discharge the static electricity and the lock remains closed.

I would like to thank the blackbag informant who reported this great and interesting video.
Now all I need is one of these locks to see if this really works or not …

31 Responses to “Electronic door lock bypass trough static electricity”

  1. Jean-Claude says:

    I wouldn’t doubt it. Personally, I loathe purely electronic keys. I would like to know what the primary and secondary ring is made out of, and what amount of static charge is required. Thanks again, Barry!

  2. I pose that static electricity is not involved. I can’t see how twisting a metal ring would generate static electricity, or why that would somehow produce a different effect depending on which way it’s turned.

    What’s going on here is pretty much the same thing that happens in any generator: a magnet (that’s what the ring is) is turned in/around a coil, and electricity is generated. The little motor inside the lock turns and latches the bolt. Generate the other polarity and the motor turns the other way.

    This should work on more locks of this principle with coils in them, and these coils could even be the motor windings themselves. Maybe one could modify a hand held drill to turn some ‘todesmagneten’ or other strong magnets around a lock much faster for more power.

  3. That metal ring looks like a magnet that is polarized radially, so that when you turn it around the lock, the locks internals are subjected to a changing magnetic field and that induces voltage in coils and in this case it probably runs the locking motor in small increments, because you have to turn the magnet fast and long enough for the little motor to open the lock or close the lock.

  4. Hmm, now that I read Rops answer above, I kind of told the same thing as he did 😛 Oh well 🙂

  5. Jean-Claude says:

    Hrmm, it seems that the magnetic field theory may be correct, but somehow the ring is bypassing the actual locking mechanism, allowing the inner ring to operate the bolt at will. Very neat!

  6. Jean-Claude says:

    Maybe I should say knob instead of inner ring, sorry.

  7. Jean-Claude says:

    On another note, if the knob is made out of plastic, maybe the ring could generate some sort of static?

  8. michael groves says:

    I doubt its static electricity and would go for the magnet theory. The video supports this in that you will note the ring is rotated many times in one direction which perhaps temporally results in the magnetising of parts of the internal mechanism causing them to grab and operate the latch while rotating the magnet in the opposite direction would have the effect reversing the magnetism previously induced returning the lock to normal.

    Many loudspeakers have circular magnets that could be used to test this theory. Although the ring shown seems to be nickel plated which is common of super magnets so the speaker magnet might not be strong enough.

  9. Romstar says:

    Of course you can generate static electricity in this fashion.

    Anyone who has ever worked with static balls knows how this works.

    The spinning ring causes a charge to develop on the inner surface of the drum. No magnets required. Just the friction between the two pieces of steel.

    Depending on the mechanism involved, this is either acting as an attractor, or building enough of a charge to activate the mechanical latch which allows the lock to be opened and closed.

    Spinning the ring in the opposite direction removes the charge, and returns the lock to normal function.

    I’ve said this for years. Electronics and crypto are the realm of the hacker, and it will be a long time before they come up with an electronic only lock that can’t be easily bypassed.

  10. mh says:

    +1 what Rop and Jaakko said.

    It shows once more that many of these locks are not tested well enough by creative people.

    So now they made a mechanism that can’t be bumped or manipulated by a magnet because a *turning* action is involved. Great!! No one can turn that from the outside!! 😛

  11. Jean-Claude says:

    Okay, now I’m confused. I’ve watched this thing a few dozen times, and it seems on the entry they reverse the direction of the spin at least once or twice. Maybe the rapid spinning and reversing of the magnetic field confuses the lock internals. And it also seems the knob is clad in a metal sheath, and if so, that would make me doubt the static theory. If it is a magnet, where do you get one? The ring seems especially well machined.

  12. Marci says:

    Uhlmann & Zacher responded to the video on their website saying that it is possible to open the lock with a “special manufactured tool” so its not a hoax.
    They also say that a firmwareupdate of the lock-software will solve the problem.

    The full message can be found here (in german):

  13. Jean-Claude says:

    Danke, Marci. However, it seems that this is a flaw, and not just a “special manufactured tool.” Given the sophistication that German magnet manufacturers have, not to mention steel manufacturers, unless the ring has some sort of RFID inside (and U&Z use the notorious Mifare chipset, among others,) I wouldn’t use this on my front door, much less in a commercial context.

  14. Jean-Claude says:

    On the other hand, U&Z should be commended for their response. I’m anxious to see their fix.

  15. This could be the exact magnet, atleast the proportions are about the same: http://www.kjmagnetics.com/proddetail.asp?prod=RZ0Y0X0

  16. Jean-Claude, I watched the video several times and I didn’t see that they switched the direction of rotation. They turn clockwise to open and counterclockwise to close it.

  17. Jean-Claude says:

    Jakko: Without an actual video, it’s hard to step through it (YouTube) but watch the thumb.

  18. Jean-Claude, I watched and they are still turning it as I described. It also makes sense, because if the ring is a powerful magnet and the lock has a small motor in it to operate the locking element, the turning actuates the motor to either direction depending on the rotation direction of the magnet.

  19. mh says:

    so the firmware update will probably check for the attack and the turn the little motor the opposite way and log the event – thus draining the batteries prematurely…

  20. Or could it be possible to short-circuit the motor windings, thus stalling it? I mean, if it is some small motor with its winding connections running from a microprocessor of some sort, the microprocessor probably just turns both of its power outputs to same level, thus short-circuiting the motor and thus preventing it from turning.

    Just a thought 🙂

  21. mh says:

    so Jaakko, which type of small motor can you block by short-circuiting the windings?
    Actually, depending on the physical effect, a current flow through the windings might actually be desired for the attack. In that case *really opening* the windings could help against the attack; but if the outside magnet just interferes with a permanent magnet rotor, you would need to actively compensate for it.

  22. mh, I think I might have confused one thing and the short-circuit idea came from stepper motors, which do not like to turn when short-circuited 🙂 But yes, opening the connections might help. Usually if the motor is a small DC-motor, it has a stator magnets and rotor is the coil, so the magnet attack would require voltage across the coil which ain’t happening if the coil is open. Good point 🙂

  23. pk says:

    I don’t think that a firmwareupdate will fix that. The ring seems to attack the hardware. And whats the matter in logging the manipulation when the robber takes all your money and also steals the cylinder lock?

  24. Well, can’t be sure about the exact working principle of this attack, but if it indeed the way mh and I have desribed, a simple firmware update will solve the problem.

  25. ch says:

    1. if the metal ring is affecting the mechanism of the cylinder, updating firmware wont solve the problem, because it’s a mechanical design flaw.

    2. if updating firmware will solve the problem, then try remove the battery and try again with the metal ring, see if the motor still can be triggered.

    it’s plain mechanical problem in my view.

  26. william says:

    That looks like a speaker magnet high end speaker magnets are so powerful that some cannot be shipped air.
    It sounds like the magnet being rotated around causes a small amount of current from the windings of the dc motor to back feed. after all what is a generator, magnet passing by wire
    yeah looks like something a firmware upgrade would fix.

    Now the real question is can this be used on other motorized locks

  27. Steffen says:

    The Ring of Devil is aviable at the Company WENDT in Germany,
    for 29,15 EUR plus Transport.

    http://www.zieh-fix.com/shop/de/dept_14.html Shop / Neuprodukte

    And … it works without a Battery inside the Lock, too.

  28. IF (and I really mean IF) the motor is hooked up the way I described earlier, then the firmware fix probably will fix the issue. For example, the motor windings may be now in the short-circuit condition because the microprocessors outputs are at the same level, but with a firmware fix they could alter this condition so that they are not shorted by default. It is a simple matter of flipping an output bit.

    But, as I don’t know the lock or the exact working principle 100%, I can’t be 100% sure, so I am just assuming.

  29. pk says:

    Did someone try to disassemble a cylinder to see how it works? Must be a hard hit for the manufacturer, or not?

  30. Viper2006 says:

    How common is this magnetic lock in the U.S.? Also, is the ‘ring’ available domestically?

  31. DWizzy says:

    A magnet was my first thought as well