Han and I had an extremely good time in New York, and it was nice to see the people behind the nicknames and e-mail addresses. We made some new friends….

I am currently on a campsite with the family, being connected to the net over a very thin GPRS line. So I will keep this posting short for now, and continue to play with the medecoder tool Jon was kind enough to trade me.

In the meantime I will share with you a picture shot by Matt Fidler. It shows Marc Tobias in high security handcuffs. What makes the handcuffs high security? They have Medeco locks on them. And no, Marc did not get out of them in 30 seconds (evil grin).

We will see Marc and Toby again in less then two weeks as ‘the last Hope’ was not the last visit of the good old US of A this year. Next stop for Han and me is Defcon in Las Vegas …

Back to picking locks at the campfire for now. I will try real hard to write something worthwhile on Sunday, so fingers crossed …

Wow … that was one impressive talk!

Jon King and Doug Farre just finished their presentation on maintaining a locksport organisation and … the medecoder tool!

Over the last months there has been a lot of speculation on how this medecoder tool worked, and today Jon King released it. Besides explaining how it works in full detail, he also had the guts to pick a six pin medeco lock on stage. It does take a lot of guts to pick a lock on stage, even if you know it inside out. A couple of hundred people watching can make you quite nervous. But he kept his cool and opened the lock.

And I shot some video of it with my photo camera, so not the best of quality, but here it is. Click above the see the youtube video, or click here for the original AVI 83 MB. I am sure you will enjoy ….

The story is Medeco will come out with special ‘ARX’ pins that will prevent this tool to work…..

Now I am heading back to the conference, but not without sharing some of the images I shot from their presentation (10 MB zip).

*Update 26/07: Video of entire presentation is online here (50 minutes!)

In the comments from ‘about me’ , Martin Newton (a UK grandmaster of safe opening tools) is angry with me. Even calling me a ‘person of questionable character’. Something that really hurts coming from a person who’s tool making abilities I admire for a long time. The problem is I can not even blame him for calling me that….

Mr. Newton claims the design of the ‘last hope’ credit card pick is a cheap rip off on a business card designed by another legend in lock opening tools: John Falle. And I do not even want to tell you how I admire Mr. Falle’s tool making skills …

Now, to our defense, we never saw a business card with ‘John Falle’ or ‘Martin Newton’ on it. Babak received a ‘pick business-card’ from a US company called MBA at the Aloa 2007 convention in the US. And I received a similar (yet not really usable) business card from Kevin Mitnick beginning of 2007 too. The minute I heard the Toool.US crowd wanted to make a special ‘last hope’ memorabilia pickset inspired on an ‘MBA design’, I mailed MBA to ask their permission/opinion about it. There were at least three mails on this topic, and reading back my mails I can only say I really tried to do the right thing.

My big mistake on the previous ‘Last Hope pickset’ posting is I did not mention MBA (and/or John Falle & Martin Newton) for the design. And that was wrong.

People who visit this blog more often know I try to give credit where credit is due. And giving credit to Babak and the people who put the drawings in CAD, but forgetting to credit MBA (and/or John Falle) was plain stupid. And I sincerely want to apologize to MBA, Mr. Falle and Mr. Newton for this.

Gonna crawl under a big and heavy rock now …

Update July 16 09:30: Crawled from under the rock and found a reply to my privately mailed apology to Mr. Newton. It seems the matter is resolved now that he knows the full story. His final word were: “Thanks for understanding my point of view, no hard feelings.”. I must say I am very relieved by that!

This year Toool will be presenting two picksets at the Last Hope conference in New York next week. The first pickset is the one you see above. It is a credit card sized set, and the tools can be snapped off. And already guaranteed to become a collectors item.

It is called ‘the last hope’ emergency pickset, and the main idea is to carry it in your wallet. You will most likely use it when you lost your keys, or when you are assisting others who lost their keys.

If you look at the back of the set, you see the edges of the set can be snapped off too, and are actually four separate tensioners. If you snap off all tools, you will end up with and eleven (!) piece pickset. As you can see, there are three basic picks, designed with the novice pickers in mind. For the real pro’s there is three thin and slim hook picks. Very useful for those pesky euro profile cylinders with their zig-zag keyways….

The other Toool pickset is the new and improved ‘double sided picks series’. There will be eight double sided picks in this set. For the moment I will only show you one of the picks, but you can imagine what the other seven are going to look like. Both the credit card pickset as well as the ‘double sided picks’ are made of is the finest steel on the market. Extremely strong and gives the right feedback for the job …

My role in getting these picksets to Hope was modest. Of course there was a lot of input from me on the shape of the picks (and some other stuff). But the main work has been done by Babak Javadi, one of the driving forces behind Toool.us at the moment. Do not underestimate the amount of work and financial investments that go into a project like this. I would also like to thank Babak’s girlfriend Kari for having to put up with Babak investing so much time in this project.

A project that would not have happened without the help of two engineers from MIT who helped with the CAD. Thanks to Sam Duffley and Chris Pentacoff these picks came out the way we wanted them. A lot of work, but the end result is great. I am sure the Hope audience will love them….

* update July 16 on the source of the design.

During a little lockpick party a couple of weeks ago, I met my good friend Dr. Manfred Bölker in Hamburg.

Manfred is one of the people who also invests a lot of time and money in tools, so when ever we meet we always spend quite some time showing each other our latest treasures and tricks.

This time he showed me a tool I only knew from pictures on the internet: a chinese tool to open Ford Tibbe car locks. Now, I already did cover a Ford Tibbe pick made by John Falle (filmed at the 2006 Dutch Open), but this tool is different as it can rotate the discs in the lock individually. What is also different is the price: if you mange to order it straight from China you pay around 20 euro. Buying it from european sites will cost you around 70 euro.

All in all it is a very nice tool, and I am happy Manfred allowed me to shoot some video (Youtube or Quicktime 44 mb) of it for the kind blackbag audience.

As a blogger, I always enjoy the comments on my writing a lot. I do not always follow up on them as accurately as I would like to, but trust me when I say I do enjoy them.

A couple of days ago I received mail from Vaughan Armstrong. I met Mr. Armstrong once at Aloa and learned he is a well respected authority in the field of US military locks and safes.

So I was thrilled to read Mr. Armstrong took his time to answer some of my (our) burning questions. As frequent readers of this weblog might remember, I received a nice US DoD safe (GSA security container) some time ago. When I got it, there were a lot of questions (as you can read in the original post). But thanks to Mr. Armstrong we now know a lot more:

I have read the posts regarding Barry’s Christmas present (December 2006). My thanks to all who posted; I would like to contribute some information.

The present is a field safe, a GSA (General Services Administration) approved security container, for storage of classified material in the field. Federal Specification AA-F-358 (current revision H),(18 May 2000) and its most recent Amendment (3),(20 April 2007) give the requirements for this “Class 6, Size VIII 1-drawer, for field use.” To view the Specification, visit the Department of Defense Lock Program’s website, https://portal.navfac.navy.mil/go/locks . Put your cursor on “Documents.” Several choices will appear in the drop-down; click on “Federal Specifications and QPLs,” and scroll down to AA-F-358H.

This is a Class 6 container; as with all Class 6 containers currently produced, it provides 30 man-minutes of covert entry protection, 20 man-hours of surreptitious entry protection, and is not tested for forced entry protection. (For definitions of “covert” and “surreptitious,” see paragraphs 6.4.3 and 6.4.2.) Because it is for use in the field, paragraph 3.3.8 requires that “The Class 6, Size VIII cabinet shall be provided with 2 lift type carrying handles” and paragraph 3.3.8.2 requires that it have a dial knob protector (visible in the photograph).

The red-lettered label on the front of the drawer indicates that it was made between October 1, 1990 and present. The drawerhead is removable from the rest of the drawer.

Paragraph 3.3, Table I gives maximum dimensions and weights for containers covered by the Specification; the weight of the Christmas present is within the limit (maximum weight 138 lbs.) for field safes. Paragraph 3.3.2 requires that “The weight shall be permanently marked” on the container.

Paragraph 3.4.2 addresses the lock required. It now must be approved to the requirements of Federal Specification FF-L-2937. Previously, locks meeting Underwriters Laboratories (UL) 768, Group 1R were required. The lock must have a snap-on dust cover. This is to prevent someone “dusting” the dial and dial ring to determine the combination. (Some people use a thumb as a “brake” to steady the dial when approaching a target number. This leaves half a thumbprint on the dial ring and half a thumbprint in three locations on the dial. There are only six ways that these indications can be combined: A-B-C, A-C-B, B-A-C, B-C-A, C-A-B, and C-B-A, and these can be entered in a very short time.) The original lock on this container was the S&G 8560MP.

To visit Hamilton Products Group’s website, from the home page of the DoD Lock Program website, put cursor on “Links Index,” scroll down to “Hamilton Products Group” and click on it. You’ll see that the field safe is made in a single-lock and a dual-lock version.

I hope this has been informative, and possibly interesting.

Vaughan Armstrong

I would like to thank Mr. Armstrong for taking his time to answer the open questions (especially on the dustcover) on this little humble weblog. Hopefully it will not be his last comment here.

Wohoo … this is cool!

On Make magazine blog I read about a UK company called ‘flying pig’. This company came out with a collection of locking mechanisms that can be made from cardboard. Price: just £4.99 …

From their website:

A working Yale type lock to cut out and make. Print out the pages of this model onto thin card, follow the fully illustrated instructions and make your own working model warded lock. The download consists of one acrobat file which will take no more than a couple of minutes download. The file has four pages of illustrated instructions for the easy construction of your model and four pages which make up model sheets.

I think they mixed up ‘yale type lock’ with ‘wafer lock’, but that does not make these models less cool.

My kids will have six weeks of holiday next week, and as part of their education I am going to build these locks with them for sure …

There is a new video on the Uhlmann & Zacher lock on YouTube.

It seems to show the effect of the much discussed firmware update. Problem solved?!?

Finally the list of scheduled talks for the ‘Last Hope’ conference is out.

Besides the bigger and better lockpick village that is going to arise at the conference, there sure are a lot of lock-related talks!

I am curious how many locksmiths and people from the lock industry are going to attend this conference. If they are even halfway clever they show up and pay attention….

The one presentation I am looking most forward to is “Maintaining a Locksporting Organization and Breakthroughs in the Community”, By Doug Farre and Jon King

“This presentation will go into detail about how to start and maintain a locksport organization and how groups like these can lead to influential research. You’ll learn how to keep everyone excited about lock picking and how to turn your club into a well oiled machine for years to come. In addition, you’ll find out what it takes to produce a good lock picker and see how anyone can influence the lock industry even after only a few months of being on the scene. Jon King’s research on high security Medeco locks will be revealed in detail. There will also be a demonstration on how to build a tool to pick high security cylinders, and how the responsible disclosure of exploits in the hardware world can make a positive impact for all involved.”

Second is a presentation that is not lock-related, yet given by a legend in his own field: “Technical Surveillance Countermeasures – A Brief Primer on the Arcane Art and Science of Electronics Surveillance and “Bug” Detection from a True Insider” by Marty Kaiser

“The spooky world of covert electronic surveillance and countersurveillance by governments, corporations, and individuals is veiled in secrecy, intrigue, and myth. Few people are well qualified to speak authoritatively about it, and fewer still are willing to. Hear firsthand from one of the most legendary and respected wiretap and bugging experts in the United States about some of the methods and technologies used, some case studies, and the future of privacy and surveillance from an insider’s viewpoint.”

Other interesting presentations that I will visit for sure are:

Escaping High Security Handcuffs By Ray

“Everybody knows normal police handcuffs are no real challenge for lockpickers, even though it helps to know the inner workings and tiny differences of the various models in use today. Less publicly known is that there’s also a variety of “high security” handcuffs on the market, used mainly for high risk prisoners and during transfers. But those also have their weaknesses… This talk will give an overview of the products in use today and their different attack vectors – not only focusing on picking but also bypassing some of the most advanced locking mechanisms used in this field.”

Safecracking by Eric Schmiedl

“Despite many appearances in film and television, fairly little is widely known about how safes can be opened without the proper combination or key. This talk will attempt to address some of the questions commonly asked about the craft, such as is it really possible to have a safe open in a minute or two using just a stethoscope and some clever fingerwork? (Yes, but it will take a bit more time than a few minutes.) Are the gadgets used by secret agents in the movies ever based on reality? (Some of them.) The talk will cover several different ways that safes are opened without damage, as well as the design of one lock that is considered completely secure.”

Strengths and Weaknesses of (Physical) Access Control Systems By Eric Schmiedl and Mike Spindel

“Access control systems are widely used in security, from restricting entry to a single room to locking down an entire enterprise. The many different systems available – card readers, biometrics, or even posting a guard to check IDs – each have their own strengths and weaknesses that are often not apparent from the materials each vendor supplies. This talk provides a comprehensive overview of 20 different access control technologies that focuse on weaknesses (particularly little known or not-yet public attacks) and other points that a buyer would not likely get from a vendor. Also presented will be a model for thinking about access control systems in general that will provide a useful framework for evaluating new or obscure technologies.”

Undoing Complexity – From Paper Clips to Ball Point Pens by Matt Fiddler and Marc Tobias

“This talk will be a systematic approach to dissecting and disabling multiple layers of physical security in locks. In this presentation, the focus will be on embedded design defects in high security locks, and how their discovery translates into security vulnerabilities and the disclosure of such flaws. The attack methodology for high security locks will be reviewed. Demonstrations will include case examples, examining tolerance exploitation, code design analysis, and leveraging the interaction of internal components within a locking system to achieve different types of bypass. The application of this program in the development of covert, surreptitious, and forced methods of entry will be examined. Also discussed will be the concept of responsible disclosure upon the discovery of security vulnerabilities, and how this concept applies to both those who discover flaws and to the manufacturer that produces them, and why the same concept becomes a technical, logistical, legal, and financial minefield for manufacturers. ”

And of course Han Fey and I will do: Methods of Copying High Security Keys

“In this two hour workshop you will learn some new and advanced opening techniques for high security locks from two key members of the locksport group Tool in the Netherlands. Special attention will be given to duplicating high security keys and detailed analysis of modern locking systems. After the presentation, some of the tools and techniques can be seen up close at the Lockpicking Village. You are invited to bring your complex locks or “impossible to copy” keys…. ”

The full list of (almost 100) presentations can be found here. Hope you can make it to the conference and see you there!

There has been quite some speculation about this video (YouTube) of a magnetic ring that is used to open some model of Uhlmann & Zacher lock. By now it is confirmed by the company itself the trick works. They claim a software update will fix the problem (and even log opening attempts).

(click on image for a high resolution version)

The ring used in the video now has a name: ‘the ring of the devil’ and is already available on the market (just 25 euro!).

And the questions now are: What is in the ring, how does it work and what locks are affected?

Well … I have some answers. Saturday I received my own magnetic ring and can give you some details.

Some people thought the ring was completely magnetic, but this is not the case. The ring is made out of aluminum and there are four strong magnets inside. The spacing is 90° and the magnets are mounted N, S, N, S. On this image you can see four metal keyrings that are stuck to the ring by the magnetic fields. So far I did not pry open my ring to see what it looks like inside.

The next question is why does this open (some) electronic locks? Electronics is not my strongest point (as you could have read in my previous posting), but by now I understand a little more about it.

Solenoid VS Electro motor

image: Winkhaus BlueChip solenoid vs electro motor from Burgwachter (ring will NOT open this lock!)

First things first: Over the years we have visited many lock companies, and if they had electronic (or electro mechanical) locks they all proudly showed us their lock was not using a solenoid. A solenoid is a metal pin that is being pulled into its housing by an electro magnet. So when current is applied to this coil, the electro magnetic field will pull the pin in, allowing the lock to open. The problem with a solenoid is that a nearby magnet can pull the pin down as well, and thus open the lock (like in the first generation Winkhaus BlueChip, problem fixed in later generations). On top of that vibrations also sometimes can bypass solenoids. So instead of a solenoid most manufacturers nowadays use a small electronic motor. If the motor makes a couple of rotations, a blocking element is pulled back and the lock opens. Turning the electronic lock the other way pushes back the blocking element and the lock is closed. A foolproof system…. until now.

The ‘ring of the devil’ is capable of attacking this kind of electronic motor lock on two ways.

Scenario 1: An electronic motor is nothing more then a metal part on an axe that turns because of a changing magnetic field. Turning electro magnets on and off will generate a pulling force on the metal part, making it rotate. The ring does the same thing. By turning the ring, the metal part in the electro motor starts turning, opening the lock. As Rop suggested in the comments of the previous posting, a bunch of bigger magnets and maybe a high-speed drill can amplify this effect some more.

Scenario 2: A dynamo is nothing more then a coil charged by a changing magnetic field. So any coil in the lock will start generating current when a magnetic field is rotating around it. If the coil is in the path of the electro motor, it might generate enough current for the motor to start turning.

Currently we are testing with this magnetic ring. Jord Knaap and Han Fey already found one other electro/mechanical lock that seems to open under some conditions with this technique. As with all problems we personally discover, we are first going to notify the manufacturer to give them some time to analyze the problem. But with the ‘devils ring’ out on the free market it will probably be a matter of day’s/weeks before other people will find (and report) locks that are vulnerable to it.

I can assure you this is not the last post about this new attack on electronic (and electro mechanical) locks on this weblog …..