Uhlmann & Zacher, problem solved?

June 21st, 2008

There is a new video on the Uhlmann & Zacher lock on YouTube.

It seems to show the effect of the much discussed firmware update. Problem solved?!?

Impressive presentations at the ‘Last Hope’ conference

June 20th, 2008

Finally the list of scheduled talks for the ‘Last Hope’ conference is out.

Besides the bigger and better lockpick village that is going to arise at the conference, there sure are a lot of lock-related talks!

I am curious how many locksmiths and people from the lock industry are going to attend this conference. If they are even halfway clever they show up and pay attention….

The one presentation I am looking forward to most is “Maintaining a Locksporting Organization and Breakthroughs in the Community” by Doug Farre and Jon King

“This presentation will go into detail about how to start and maintain a locksport organization and how groups like these can lead to influential research. You’ll learn how to keep everyone excited about lock picking and how to turn your club into a well oiled machine for years to come. In addition, you’ll find out what it takes to produce a good lock picker and see how anyone can influence the lock industry even after only a few months of being on the scene. Jon King’s research on high security Medeco locks will be revealed in detail. There will also be a demonstration on how to build a tool to pick high security cylinders, and how the responsible disclosure of exploits in the hardware world can make a positive impact for all involved.”

Second is a presentation that is not lock-related, yet given by a legend in his own field: “Technical Surveillance Countermeasures – A Brief Primer on the Arcane Art and Science of Electronics Surveillance and “Bug” Detection from a True Insider” by Marty Kaiser

“The spooky world of covert electronic surveillance and countersurveillance by governments, corporations, and individuals is veiled in secrecy, intrigue, and myth. Few people are well qualified to speak authoritatively about it, and fewer still are willing to. Hear firsthand from one of the most legendary and respected wiretap and bugging experts in the United States about some of the methods and technologies used, some case studies, and the future of privacy and surveillance from an insider’s viewpoint.”

Other interesting presentations that I will visit for sure are:

Escaping High Security Handcuffs by Ray

“Everybody knows normal police handcuffs are no real challenge for lockpickers, even though it helps to know the inner workings and tiny differences of the various models in use today. Less publicly known is that there’s also a variety of “high security” handcuffs on the market, used mainly for high risk prisoners and during transfers. But those also have their weaknesses… This talk will give an overview of the products in use today and their different attack vectors – not only focusing on picking but also bypassing some of the most advanced locking mechanisms used in this field.”

Safecracking by Eric Schmiedl

“Despite many appearances in film and television, fairly little is widely known about how safes can be opened without the proper combination or key. This talk will attempt to address some of the questions commonly asked about the craft, such as is it really possible to have a safe open in a minute or two using just a stethoscope and some clever fingerwork? (Yes, but it will take a bit more time than a few minutes.) Are the gadgets used by secret agents in the movies ever based on reality? (Some of them.) The talk will cover several different ways that safes are opened without damage, as well as the design of one lock that is considered completely secure.”

Strengths and Weaknesses of (Physical) Access Control Systems by Eric Schmiedl and Mike Spindel

“Access control systems are widely used in security, from restricting entry to a single room to locking down an entire enterprise. The many different systems available – card readers, biometrics, or even posting a guard to check IDs – each have their own strengths and weaknesses that are often not apparent from the materials each vendor supplies. This talk provides a comprehensive overview of 20 different access control technologies that focuses on weaknesses (particularly little known or not-yet public attacks) and other points that a buyer would not likely get from a vendor. Also presented will be a model for thinking about access control systems in general that will provide a useful framework for evaluating new or obscure technologies.”

Undoing Complexity – From Paper Clips to Ball Point Pens by Matt Fiddler and Marc Tobias

“This talk will be a systematic approach to dissecting and disabling multiple layers of physical security in locks. In this presentation, the focus will be on embedded design defects in high security locks, and how their discovery translates into security vulnerabilities and the disclosure of such flaws. The attack methodology for high security locks will be reviewed. Demonstrations will include case examples, examining tolerance exploitation, code design analysis, and leveraging the interaction of internal components within a locking system to achieve different types of bypass. The application of this program in the development of covert, surreptitious, and forced methods of entry will be examined. Also discussed will be the concept of responsible disclosure upon the discovery of security vulnerabilities, and how this concept applies to both those who discover flaws and to the manufacturer that produces them, and why the same concept becomes a technical, logistical, legal, and financial minefield for manufacturers. ”

And of course Han Fey and I will do: Methods of Copying High Security Keys

“In this two hour workshop you will learn some new and advanced opening techniques for high security locks from two key members of the locksport group Tool in the Netherlands. Special attention will be given to duplicating high security keys and detailed analysis of modern locking systems. After the presentation, some of the tools and techniques can be seen up close at the Lockpicking Village. You are invited to bring your complex locks or “impossible to copy” keys…. ”

The full list of (almost 100) presentations can be found here. Hope you can make it to the conference and see you there!

A new attack on electronic locks: The magnetic ring

June 16th, 2008

There has been quite some speculation about this video (YouTube) of a magnetic ring that is used to open some model of Uhlmann & Zacher lock. By now the company itself has confirmed that the trick works. They claim a software update will fix the problem (and even log opening attempts).

The ring used in the video now has a name: ‘the ring of the devil’ and is already available on the market (just 25 euro!).

And the questions now are: What is in the ring, how does it work and what locks are affected?

Well … I have some answers. Saturday I received my own magnetic ring and can give you some details.

Some people thought the ring was completely magnetic, but this is not the case. The ring is made out of aluminum and there are four strong magnets inside. The spacing is 90° and the magnets are mounted N, S, N, S. On this image you can see four metal keyrings that are stuck to the ring by the magnetic fields. So far I did not pry open my ring to see what it looks like inside.

The next question is why does this open (some) electronic locks? Electronics is not my strongest point (as you could have read in my previous posting), but by now I understand a little more about it.

Solenoid VS Electro motor

Image: Winkhaus BlueChip solenoid vs electro motor from Burgwachter (ring will NOT open this lock!)

First things first: Over the years we have visited many lock companies, and if they had electronic (or electro mechanical) locks they all proudly showed us their lock was not using a solenoid. A solenoid is a metal pin that is pulled into its housing by an electro magnet. So when current is applied to this coil, the electro magnetic field will pull the pin in, allowing the lock to open. The problem with a solenoid is that a nearby magnet can pull the pin down as well, and thus open the lock (like in the first generation Winkhaus BlueChip, problem fixed in later generations). On top of that, vibrations can sometimes bypass solenoids as well. So instead of a solenoid most manufacturers nowadays use a small electronic motor. If the motor makes a couple of rotations, a blocking element is pulled back and the lock opens. Turning the electronic lock the other way pushes back the blocking element and the lock is closed. A foolproof system…. until now.

The ‘ring of the devil’ is capable of attacking this kind of electronic motor lock in two ways.

Scenario 1: An electronic motor is nothing more than a metal part on an axle that turns because of a changing magnetic field. Turning electro magnets on and off will generate a pulling force on the metal part, making it rotate. The ring does the same thing. By turning the ring, the metal part in the electro motor starts turning, opening the lock. As Rop suggested in the comments of the previous posting, a bunch of bigger magnets and maybe a high-speed drill can amplify this effect some more.

Scenario 2: A dynamo is nothing more than a coil charged by a changing magnetic field. So any coil in the lock will start generating current when a magnetic field is rotating around it. If the coil is in the path of the electro motor, it might generate enough current for the motor to start turning.

Currently we are testing with this magnetic ring. Jord Knaap and Han Fey already found one other electro/mechanical lock that seems to open under some conditions with this technique. As with all problems we personally discover, we are first going to notify the manufacturer to give them some time to analyze the problem. But with the ‘devil’s ring’ out on the free market it will probably be a matter of days/weeks before other people will find (and report) locks that are vulnerable to it.

I can assure you this is not the last post about this new attack on electronic (and electro mechanical) locks on this weblog …..

Electronic door lock bypass through static electricity

June 8th, 2008

As many of you might know, I have a passion for clever ways to bypass electronic locks (YouTube).

And I just got a mail from a ‘blackbag informer’ that pointed me to a highly interesting YouTube video.
The only problem with YouTube videos is that you never know if it is a hoax or not.

However this video seems genuine and I believe the following trick could work!

On the video we see a euro profile cylinder, supposedly a ‘Uhlmann & Zacher‘ electronic door lock, that seems to open when charged with static electricity.

When a metal ring is turned clockwise the lock seems to be charged, allowing it to open and close, even when no transponder key is present.
Turning the ring counterclockwise seems to discharge the static electricity and the lock remains closed.

I would like to thank the blackbag informant who reported this great and interesting video.
Now all I need is one of these locks to see if this really works or not …

A package from Vienna … cool GeGe locks!

June 5th, 2008

Han just received some locks from GeGe. It is nice to see people keep their promises…

GeGe locks ... pretty nice ehrm?!?

This is what Han has to say about them:

The locks in the picture are some locks we got from GeGe, from left to right: P-extra, AP2000, AP3000, ANS-2 and the AP4000.

They all have an exotic looking keyway, but besides that there is a lot to tell about the inner life of these cylinders: they contain, for example, horizontal sliders, undercuts, cogwheel, special anti-bump pins, key copy protection, spring loaded axial pins, carbide sintered steel insert, etc.

I intend to write an article about these high security locks, so that you will learn more about these cylinders.

The new NDE magazine

June 2nd, 2008

The new NDE magazine is out. For the real die-hards nothing new, it has been out for a few days now.

But it is good to see the quality of the magazine getting better and better with each new number coming out. And it gives me a good feeling to see Schuyler doing so well. He came up with a crazy idea (NDE magazine) and instead of just talking about it simply executed his plan. And it seems he was able to find the right people to support him. I am curious where this will go to as it has the potential to get really big (with locksport getting big as well). It brings back memories from a time I was involved in a small magazine that had trouble getting new numbers out in time ….

I surely enjoyed reading the ‘Medecoder’ story, and the tension they are building up, not to mention the fact Medeco is changing their production because of it. Something very special has been achieved with that! And to finally see Jaakko Fagerlund’s exploit against Abus Plus series out in the open. The rest you will have to read yourself, but it is a must read for visitors of this blog.

On a personal level: I am done writing long pieces of text under time pressure. First there was the deadline on the foreword of Marc Tobias’s book, and on Saturday I finally completed the article for 2600 magazine. The article came out nice, and is an introduction to my presentation at the ‘final hope‘ conference that will be about “high security key duplication”.

Mission accomplished

May 27th, 2008

Yesterday we accepted an offer we could not refuse.

It was not cheap, but we managed to buy a Medeco bi-axial key cutting machine and some bi-axial locks and blanks. Very nice material for the Dutch Open in Sneek.

The machine must be kept out of reach of children, as the metal particles that come from the keys are very sharp and nasty. I had to move the machine to a place with a concrete floor because cutting a few keys almost ruined my carpet 😉

But finally having locks, blanks and a key cutter will allow us to verify Marc Tobias’s claims and play around with the system ourselves. And it is a great asset for the Dutch Open in Sneek ….

Now all we need is an ARX pinning kit to make things complete. Anyone got one for sale?

Fools, t.o.o.l.s and secret missions …

May 26th, 2008

Locksport is really getting somewhere in the US.

We see some interesting copies of concepts we know all so well, and names that vaguely sound familiar …

Take for instance ‘Fools‘ (Fraternal Order Of Locksport). Looking on their website it is a small initiative, but hey … so were the European locksports groups when they started.

Another name that rings a bell is T.O.O.L. (Tennessee Organization of Locksmiths). Admitted, they are not a locksport group, but it is funny to see they coincidentally picked that name 😉

For now this short blogposting: I am currently busy writing a column for 2600, and Han and I are on a secret mission today (preparing for Sneek already!). More on that soon …

special deal in ‘off the hook’

May 21st, 2008

Tonight Marc Tobias will be the special guest in the “Off the hook” radio show.

Topics covered are his new book, and the role lockpicking is going to play at the ‘last hope conference’.

And on top of that, some special offers will be made that are only valid during the show!!

“Off The Hook” airs every Wednesday night at 7:00 PM EST in New York City on listener supported WBAI 99.5 FM. It can also be followed by this audio stream, or as a high quality podcast (only available one week from now).

Silly experiments

May 19th, 2008

Even though I never met him, I am starting to like Ian Cecil.
In the comments of the previous posting he had a different theory about what actually happens when you bump a lock.

This is what he wrote:


Every theory even so called facts have to be challenged.

So here is an experiment everyone can do.

1. Make a cutaway cylinder so you can see the top pins.

2. When you hit the Bump Key, what would you expect to see? The current theory would suggest you would see the top pins fly up above the shear line, just for a millisecond. Also you would see the top pin with a large bottom pin fly up further?

3. So keeping the cylinder perfectly lined up bump away…

4. Anyone with a high speed camera should be able to photograph the pins separated. (Personally I have not seen this.) They only separate when slight turning pressure is applied no matter how hard you hit it.

I would also suggest that the practice of turning the bump key just at the right time is also not correct. It is better to have a constant pressure like picking.
No pressure at all does not cause any separation of the pins, so no point trying to get the timing correct.

Now, I like this way of thinking. Never assume anything, test and see for yourself. It is the only way to learn and find out new ideas.

So I followed Ian’s advice and assembled a cut-away lock.

And Ian is right. If you just hit the key, you do not see the pins move. But …. does this mean the pins do not move?
I think it just happens too fast for you to see, and maybe the blow of the hammer on the key causes your eye to close for a split second …

Unfortunately I do not have access to a high speed camera, so now I had to figure a way to ‘capture’ events that occur in a split second.

In my first experiment I used a thin piece of wire and bent it in an L shape. Then I just hung it in the top of the spring, the
The little wire was so short it did not make contact with the top pin. Yet, when I bumped without turning pressure, the L shaped wire jumped right out of the plug.

So something was moving, and I suspected the pin to push it out. But in theory it could also be the spring.

My next experiment was using grease. I greased up the springs and clearly photographed the cut away lock. This is the ‘before’ picture.

After that I hit the key ten times (without tensioning the key), and the result is the image on top of this posting. As you can see, all the grease was pushed out severely (here is a ‘before/after’ image). And most interesting on pin 1 and 5, there was now grease on the side of the top pins!

The fact there is a grease residue on the pins proves to me the pins did travel. And you can also see by the way the grease was pushed out of the chamber.

Of course I could be wrong, but for now I am still convinced the bumping theory works as advertised ….