Eating Abloy Protecs for breakfast

This is one of these topics that I wanted to write about before, but never managed because of my little break last year.

As you might know, Abloy’s Protec cylinder has quite a reputation as an outstanding lock. For the moment it is very difficult to pick or manipulate (although there are rumors someone developed an opening tool). Another feature is key control: it is quite difficult to have copies made if you do not have the certificate. And if you need it for a high-security installation, the housing of the lock can be delivered in an extra-strong steel body that is difficult to break and drill. All in all it is a very nice and secure cylinder that many people in the locksport community use on their front door 😉

Shortcut to YouTube video of the Abloy Protec bypass

But … as always: if a product becomes ‘too popular’, some clever person will come up with a tool to defeat it. Unfortunately (for us lockpick tool lovers) the clever person came up with a destructive opening technique (instead of a non-destructive method).

But the method of opening the lock is extremely simple and effective (as you can see in this YouTube video). In less than a minute the lock is open. OK, it might not be completely silent, but it sure is fast! … And to make things worse: the tool even seems to work on the hardened version of the lock.

If clever tools show up on YouTube, most of the time they can be ordered at Wendt ….

25 Responses to “Eating Abloy Protecs for breakfast”

  1. Mitch Capper says:

    Yea that tool is pretty vicious, although at $100 a pop + $200 for the lock I figure not too many locksmiths will turn to this unless they can’t get in another way. People were talking about this in Essen, I believe the credit goes to Klaus Drumm as the credit person who came up with this one:) I will say it certainly illustrates the benefit of having his Geminy Shield in front of your Protec cylinder. I guess on the plus side at least if brute force is the only way to get through a Protec Lock they are doing something right:) Han also mentioned the fact that you can stamp or custom paint your cylinder to at least know if someone has drilled your cylinder out;)

  2. Mitch Capper says:

    Sorry there, meant to say as “Klaus Drumm as the clever person”, it’s been a long day:)

  3. Ben Costello says:

    I wonder if this would work on the deadbolt version of the lock with all the hardened pins and cylinder?

  4. Basically the drill bit is just a regular holesaw, except it uses braze welded carbide tips (as do many other tools such as table saws). The diameter is just the right size, meaning the same size as the inside cylinder that houses the detainer discs. In the center is probably a spring forced rod that centers the drill bit and guides it and also stops at a certain depth (just at the first disc).

    If one knows how to braze carbide tips and has a way of sharpening them like they want (diamond cutter), then that tool could be made easily 🙂

  5. Pieter says:

    At least this tool (toool?) will give breaking-and-entering damage, not something like an undetectable bumping tool for some other locks. Every lock can be busted with enough force, even a Geminy Shield will not keep out an intruder with heavy equipment.

  6. mh says:

    Jaakko,
    Maybe you can save your brazing skills for that 3-in-1 pick I’m still waiting for? 😉
    The holesaw is an off-the-shelf item (see http://de.hoffmann-gmbh.de/K39/images/pdf/118400.pdf ), just the retracting pin is custom-made.

    Pieter,
    Undetectable – that’s difficult to judge, after all the housing could easily be replaced around the original disks.

    I believe Klaus has tried this technique long ago, he just decided to market it only recently, obviously because it helps promoting the sales of strong hardware around the lock cylinder. Similar to what happened with U&Z locks and the “devil’s ring”.

    What worries me is that other inventors of such techniques, such as e.g. John Falle, have different motivations and do not publish their attacks, yet they are clever, too. So who knows how many Protecs have been opened before without the owner even noticing it.

    The only concept that helps in the long run is an “Open Source”-like approach, where the best physical security penetration testers available (I’m referring to the locksport community, of course) thoroughly test a lock that has an “open” design without secrets or obscurity. The result will of course not be indestructible, but will have a well known and documented minimum opening time and effort, that should be way more secure than what we saw in that video up there.

    Cheers,
    mh

  7. Pieter says:

    mh,

    For my situation, I would think that an ordinary burglar will not drill out my front door lock and then replace the housing of the lock. (BTW, for that the lock must be removed from the door).
    But, you gave me an idea, I will go and mark my lock housing to be able to detect this.

    One of the problems with the Geminy is that it looks ‘odd’.
    Having one of those on a normal residential house (my front door is in plain sight), will have the neighbors asking themselves what that odd thing on my door is. (I have thought about putting one on my door, by the way. No, I am not paranoid, although I would not tell you that, would I? 😉 )
    It might even attract some unwanted people…

    Second, I think that the Geminy is not really nice for a normal front door, as the usability of the door will diminish…

    Thirdly, I think that using such a class of device on a Geminy will also allow entry.
    Something with a center-point and tips will slice the shield and then allow access to the lock.

    I like the idea of an ‘Open Source’ lock (I will read the http://www.theopensourcelock.org link, sounds very interesting), but I don’t know how an ‘Open Source’ lock will protect from such a drill attack.
    (Looking at your first post on that page, how about something like a Kaba Mas X-09 on your front door? 😛 )

    Grt,
    Pieter.

  8. mh says:

    Pieter,
    I think replacing the lock is not what ordinary burglars do – someone who is afraid of this would typically be someone who thinks he might be spied upon…

    Anyway, how can a lock protect longer against such drill attack?
    I think by adding more steel. Such as with this system:
    http://www.knocknlock.com/knocknlock/products/EL-PAGES/EL_PS_CL320.pdf
    http://www.google.com/patents?id=KpwTAAAAEBAJ&dq=6865916
    In this concept, the whole outside part of the lock can be made of strong steel, filled with hardened inserts and the like, no need to place a weak key testing mechanism there.
    The rest of this concept is closed source, so I don’t like it, but it is indeed strong against drilling…

    Cheers,
    mh

  9. Mitch Capper says:

    Pieter does make a point, and I think that’s something certainly to consider here too. Open source can help a lot of things but some attacks you just don’t see, and everything can always be physically attacked. This tool is certainly nothing amazing, it is simply something that speeds up the process of drilling the lock. As Pieter said someone with enough determination to probably make a tool to help split open the shield (although with all that metal one can only assume at least some additional protection time).

    Physical locks are meant to slow down entry, and depending on your setup there will almost always be a weaker point than the lock itself when using a high security lock like the Protec. Security in layers is always important, and if someone is coming up to your door with a Protec drill bit and a drill as that’s the only way in you should certainly consider yourself decently secured:) If you want something more, and already have the alarm system, the safes, etc then pick up a Geminy Shield it certainly can’t hurt and is certainly what Klaus Drumm wanted when he came out with it:)

  10. “Maybe you can save your brazing skills for that 3-in-1 pick I’m still waiting for? ;)”

    Heh, I’ve thought about the idea and I came to conclusion that a 2-in-1 works also, it just needs a little thinking when using it 🙂 3-in-1 is hard to make in the sense that the diameters are getting very small in the innermost part of the tool and it is to be tested if it holds enough 🙂

  11. Viking says:

    :/ Just spent hundreds on Abloys for my house and sheds! What should I have gone for? Assa twin / Evva 3ks?

  12. Mitch Capper says:

    Viking this isn’t like a vulnerability with Abloy, any other euro profile cylinder would be just about as easy to drill;) The point was while there may be other ways to pick or attack a 3KS or twin, this is one of the few ways to really attack a Protec, by sheer force. You are still drilling through hardened steel. Your recent investment is well protected:)

  13. mh says:

    A lock cylinder that is tested to VdS B specifications has to be secure against opening after a drilling attack of 6 minutes.
    That attack is specified to use an electric hand drill max. 1000 W, max. 3000 min^-1 and HM or HSS drill bits with 2 – 7 mm diameter.
    Not applicable for the Protec, but it tells me that there are pin tumbler mechanisms on the market that should stay closed a few minutes longer.
    Cheers
    mh

  14. Travis says:

    Very interesting tool. But that drill would require a lot of power, I don’t know if a portable drill would work well unless you had a lot of batteries and it would be a noisy break-in.

  15. Pieter says:

    mh,

    The knocknlock lock is interesting, I wonder however how easy it is to record the knocks.
    It seems that there is not a two way connection. That would mean that a replay attack is possible.
    Also, it is not clear to me how the distribution is done of the numbers in the knock-key.
    Are the numbers shifting over the number space? Or in fixed positions for a certain lock and the rest is random?
    That would allow an attacker to record multiple entries and find the key numbers…

    About your remark for VdS B specs: I would think that the Protec would stay closed longer to the specified items.
    Just using a 2-7 mm drill bit would not work. It is actually this special drill tool which allows the speedy entry.
    Using a lock specific drill for a specific pin tumbler mechanism will allow the same advantage…

    Of course, Abloy could add more metal or extra hardened pieces in the front housing.
    So Han, when can I order that version?

  16. mh says:

    Pieter,

    Pin tumbler mechanisms typically protect until they have been drilled all the way through, i.e. you can put a lot more volume of hard material into the lock than the Protec can have in front of the disks, at least in that 30mm Euro cylinder configuration. Protec padlocks e.g. do have thick metal in front of the disks.

    About the KnockNLock – if you trust the manufacturer, it’s a cute concept. Of course the knocks can be recorded, after all that’s what the lock does. I don’t know why the manufacturer keeps telling me otherwise. What you can do with the recording is another thing:
    One way transmissions can be protected reasonably well from replay attacks with large counters that will ensure that each transmission can be used only once. There is one vulnerability in a system without synchronized clocks (the KnockKey doesn’t have one) and that comes up if you program multiple locks to the same pin code – a 2nd lock will not know if the one-time-code has been already used (and maybe recorded) on the 1st lock.

  17. Han Fey says:

    Abloy Finland is constantly working to improve their locks in all areas including physical attack. Abloy has been working the past months on a more hardened drill resistant cylinder. Within a few weeks I expect to have more details about it.
    I believe they will show this solution first to experts who can give an opinion about its resisting against various physical attacks (including this one). If these people are convinced that it’s ok, they will start producing this solution and then it will take at least 6 months before you can buy it is my estimation.

    At this moment all the Abloy Protec Euro-profile cylinders I sell have a unique engraving. It starts with “HFLT” followed by 6 numbers. I put these numbers on the securitycard. In case of doubt, people can remove the cylinder and look if the extra number on the card, matches with the number on the lock. This number has nothing to do with the actual keynumber.

    An example of the engraving you can find on http://www.securitysnobs.com which offers this service.

    Imagine that somebody should enter your premises with this drill bit and drill, he first must have bought that drill bit and be aware of the fact that you have an Abloy Protec lock on your door. If he then manages to drill open your lock (with a simple pull-out protection in front of the cylinder you can already prevent this) he has the drum with discs in his hand.

    OK, he can now read the discnumbers. If he then replaces the steel housing with another housing, he first has to remove the cylinder out of the door, build the cylinder together again and then the next problem comes. He needs a key to mount the lock in the door again.

    If he has a portable Abloy Protec keymachine with him and he has the blanks (which is why having a Ruby or Diamond key profile is good) for that specific keyway he will manage to do it.

    Then we have the unique engraving. This engraving is made with a dot printer. The dots this printer makes are unique (as you will see on the pictures on the security snobs website). Use of the drill and replacement will in my opinion always be visible, if you have a clear picture of the engraved numbers.

    An example to prevent the drill from centering is the use of a thicker front-profile plate. Just like they use in the old disklocks. The thick hardened frontplate, on the same height as the housing prevents centering of the drill. These are only a few solutions.

    I assume Abloy will come with a more permanent hardware solution.

    Han Fey

  18. Pieter says:

    mh,

    It is true that all pins must be removed to allow the plug to rotate, on the other hand, most pin tumblers keyways are ‘open’ at that side, what would allow drilling…

    About the KnockNLock: Somewhere in the sparse info available on the website (under the ‘Major Benefits’ link) it is written that the last several hundred operations can be read out using a PC. This implies the lock keeps several hundred entries. (Duh).
    If I would build that system, I would read back in that buffer to check if I found a duplicate key and reject it.
    However, that would mean that on busy entrances, such as an apartment building, that code cache would be flushed rather fast…
    Another possibility, if the lock just keeps a serial number counter for each key and accepts only keyknocks that have a higher serial number, this would not occur, but the maximum number of keys will then be limited, as for each key this number must be stored. This number should not be small, otherwise it would roll over too fast.

    What I can not find is if the KnocKey must be programmed for a lock. They write that it can open an unlimited number of locks, so it seems it is the other way round, the lock is programmed.
    How many keys can be programmed into a lock?
    I would expect the lock not to ‘care’ about the pincode: I think it is just appended to the KnockKey and sent out as one long number, (as used with a SecurID login to a computer) or used in the KnockKey itself to retrieve the KnockKey serial number (as used in an iButton). Give a wrong pincode and it will generate a code, but respectively the final code will not match or have a random ‘key code’ (It would of course be a bummer if it then generated a valid key ;-P )
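
The replay-protection options discussed in comments 16 and 18, as an added example that is not part of the original thread and not KnockNLock's actual design: a per-key counter, a bounded code buffer, and two locks programmed with the same secret. The HMAC-SHA256 tag, the message layout, and all names (`make_code`, `CounterLock`, `CacheLock`, `demo`) are assumptions made for illustration.

```python
import hashlib
import hmac
from collections import deque

def make_code(secret, key_id, counter):
    """What the one-way key sends: (key_id, counter, HMAC tag). Format is assumed."""
    msg = key_id.encode() + counter.to_bytes(8, "big")
    return key_id, counter, hmac.new(secret, msg, hashlib.sha256).digest()

class Lock:
    """Verifies the tag, then asks the subclass whether the code is fresh."""
    def __init__(self, secrets):
        self.secrets = dict(secrets)

    def accept(self, code):
        key_id, counter, tag = code
        secret = self.secrets.get(key_id)
        if secret is None:
            return False
        expected = make_code(secret, key_id, counter)[2]
        return hmac.compare_digest(tag, expected) and self.fresh(code)

class CounterLock(Lock):
    """Stores one counter per key; only a strictly higher counter opens."""
    def __init__(self, secrets):
        super().__init__(secrets)
        self.last_seen = dict.fromkeys(self.secrets, 0)

    def fresh(self, code):
        key_id, counter, _ = code
        is_new = counter > self.last_seen[key_id]
        self.last_seen[key_id] = max(counter, self.last_seen[key_id])
        return is_new

class CacheLock(Lock):
    """Keeps a bounded history; a code is rejected only while still buffered."""
    def __init__(self, secrets, size):
        super().__init__(secrets)
        self.recent = deque(maxlen=size)

    def fresh(self, code):
        if code in self.recent:
            return False
        self.recent.append(code)
        return True

def demo():
    secrets = {"key-1": b"constructed-demo-secret"}  # constructed sample value
    codes = [make_code(secrets["key-1"], "key-1", n) for n in range(1, 5)]
    recorded = codes[0]  # one transmission, assumed to have been overheard
    front, back, busy = CounterLock(secrets), CounterLock(secrets), CacheLock(secrets, 3)
    out = {"first_use": front.accept(recorded),
           "replay_same_lock": front.accept(recorded),
           "replay_second_lock": back.accept(recorded)}  # same secret, unused counter
    for code in codes:  # three later entries push `recorded` out of the buffer
        busy.accept(code)
    out["replay_after_flush"] = busy.accept(recorded)
    return out
```

`demo()` shows the counter rejecting a replay on the lock that already saw the code, while a second lock sharing the secret and a lock whose buffer has rolled over both accept it. Giving each lock its own secret, or its own persistent per-key counter, closes both gaps.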

  19. Pieter says:

    Han,

    I agree with you that the chance of someone reassembling a cylinder happening is remote, so I will sleep well tonight 😉

    However, I might be interested in the newer version if it comes out, so I will check for it in about a year…
    (Then my current front door lock will be handed down to the back gate. Almost low enough to climb over, but hey, layered defense is good 😉 )
    Is the Protec Cliq version already ‘interesting’ or still much too expensive?

    I see that the securitysnobs.com had the same idea I had when I ordered my lock with you, of having a different inside as outside key (The Emergency Key option), did you tell them? You gave me the impression you had not done (heard?) that before.

    Pieter.

  20. pk says:

    I think that the problem with the codereading is another. In many objects you have cylinders with the same code. Also on vending machines. You could drill the first machine, decode the key, get the money out. Afterwards you can empty the cash of the other 49 machines which have the same key.

  21. Mitch says:

    PK is this not true for any mechanical lock? If you can drill say a Medeco and remove the pins and can make a new key then you can open anything the key can open. I would say that cutting a Medeco key is lifetimes easier than cutting an Abloy key on a restricted blank, (unless you have some magical Abloy abilities:)). I would almost certainly say it would be easier to just buy multiple drill bits and drill the other machines than try and duplicate an Abloy key without the original key.

  22. Benjamin says:

    Hi, I see all of you are specialists in this branch. Recently I’ve got a catalogue of the company Mauer Locking Systems, it seems to be a considerable company in central-east Europe. Anyway, from here and there I understood that they have developed one very special lock, named NW4. I saw some brief info on their website: http://www.mauerlocks-bg.com/index.php?ch=3&tr=3&id=125&lang=en.
    I’d like to have this in my hands, but have not seen anywhere till now.

  23. Sergey says:

    Fresa BOSCH or Makita.
    http://www.locks.su/images/freza.jpg
    Price 10 – 20 euros each.

  24. Parautoptic says:

    Seems to me that this tool is no different in concept to the tubular saw I was using thirty years ago on fruit machine locks… With a bit of care the pins did not get damaged and the lock could be decoded to save having to destroy all the locks on the machine. The internal parts could be put back into another body and so reused.

    The real threat of this Abloy attack would seem to be if a little used lock (perhaps on an emergency exit) in a large suited system were removed and temporarily replaced with a similar dummy that operated with any key, the lock decoded, and new lock + key made to replace the dummy. The attacker now has all the information he needs to come and go as he pleases…

  25. Scientistically says:

    Do you know if this attack would work on an Abloy DiskLock / DiskLock Pro?
    Like this cylinder => http://lh4.googleusercontent.com/-mTp6DerR83Q/U6hMfdP4nMI/AAAAAAAABt0/pFFf_-KfxOg/w851-h638-no/170%20Abloy%20DiskLock%20Pro%20-%20Euro%20Cylinder.JPG
    Thanks !