Israel calling (free advice part II)

September 13th, 2006

I am just having dinner when the phone rings. It is X from Israel.
The one who tried to recruit me. Hanging up the phone is fruitless.
It rings again seconds later … Sigh. I tell him to leave me alone and
hang up again.

It was to be expected these guys don’t take no for an answer, but it
sure as hell is annoying.

Now a mail comes in about a lock they sent me. As if nothing happened.
Are they trying to play dumb?

Anyway, I send back the lock and hope the problem goes away.

If I get hit by a piano that fell from an airplane you know who is
behind it …

 

ooops

Mysterious Car burglaries in The Netherlands …

September 12th, 2006

Something strange is going on in the city of Stadskanaal (Groningen).
Police got a lot of complaints from people who had stuff stolen from
their car. The strange thing is the thieves did not damage the car or
the locks while taking out stuff. Police guess there is a
vulnerability in the electronic opening mechanism and the burglars
somehow exploit it. The interesting fact is that many different makes
and models were opened. A journalist who just called me told me there
was a big list of brands involved, ranging from cheaper models to
Mercedes and Jaguar. Police are now investigating if there is a device
on the market that will crack the remote control codes or otherwise
open the cars without damage ….

Of course we are all curious what this could be. Maybe it is indeed
some device that will try to guess (brute force) the right remote
control code. It could also be there is something else going on. A
weakness in the electronic system of the car that will do an
‘emergency opening’ if you zap the car with a cattle prod or Taser.

 

car key and remote 

 

I have been an expert witness in a court case concerning a specific
car theft in The Netherlands a couple of years ago. And I did study
the subject of remote controls then. One of the things I found out was
most modern remote controls use a so-called ‘rolling code’. Meaning
you cannot record the bits from the control and ‘replay’ them to the
car. The only weakness I found then is that some remote controls will
start at the beginning of the sequence when the battery is changed.
And the cars will open if the beginning of the sequence comes by. But
I am not convinced this is how the thieves gained access.
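The rolling-code behaviour and the battery-change weakness described above, as an added example that is not from the original post. The HMAC-based code, the key, the window size and the `Receiver` class are constructed for illustration and do not model any real car system.

```python
import hashlib
import hmac

def code_for(key: bytes, counter: int) -> bytes:
    """Constructed rolling code: truncated HMAC over the press counter."""
    msg = counter.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class Receiver:
    WINDOW = 16  # how far ahead of the last accepted counter we look

    def __init__(self, key: bytes, accept_sequence_start: bool):
        self.key = key
        self.last = -1  # highest counter accepted so far
        # True models the weak design from the text: the car also opens
        # when the beginning of the sequence comes by again.
        self.accept_sequence_start = accept_sequence_start

    def _match(self, code: bytes, counters) -> bool:
        for c in counters:
            if hmac.compare_digest(code, code_for(self.key, c)):
                self.last = c
                return True
        return False

    def try_open(self, code: bytes) -> bool:
        # Normal rule: only counters strictly ahead of the last one count,
        # so a recorded code is useless once it has been used.
        ahead = range(self.last + 1, self.last + 1 + self.WINDOW)
        if self._match(code, ahead):
            return True
        if self.accept_sequence_start:
            return self._match(code, range(0, self.WINDOW))
        return False

def demo() -> dict:
    key = b"constructed-demo-key"
    results = {}
    for name, weak in (("weak", True), ("strict", False)):
        rx = Receiver(key, accept_sequence_start=weak)
        recorded = code_for(key, 0)          # very first press, recorded
        first = rx.try_open(recorded)
        for c in range(1, 40):               # normal daily use
            rx.try_open(code_for(key, c))
        replay_recent = rx.try_open(code_for(key, 39))
        replay_start = rx.try_open(recorded)
        results[name] = (first, replay_recent, replay_start)
    return results

if __name__ == "__main__":
    print(demo())
```

The strict receiver rejects both replays; the price is that a remote which loses its counter on a battery change has to be paired again instead of being silently accepted.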

Small update: If a high-power transmitter were used that spits
out a random bitstream at the remote control frequencies (around
433.920 MHz) you might have a chance of accidentally opening a car.
This would just depend on the number of correct bits needed.
Especially in an area where you would find lots of cars (like a
parking garage or big square filled with cars) you might get lucky.
Again, depending on the number of correct bits needed to open a car.

I posted this question on nl.radio.scanners and hope a local radio
enthusiast can be found that is willing to scan the small range for
long uninterrupted digital transmissions that sound like this one:
blackbag.toool.nl/images/remote-keypresses-433950mhz.wav

 

More updates: 13 september 19:10
Did you ever hear about the trick where people could open a Mercedes
with a ping-pong or tennis ball? It is an urban legend from years
ago. The complete Mercedes lock could not be manipulated with hooks
etc because it was completely shielded. In fact so shielded it was
almost airtight. If you would smash a ping-pong ball or prepared
tennis ball to the lock the air that is blown into the lock can only
escape by lifting the buttons up and unlocking the car. This is an old trick
and does not work anymore. One of my informants thinks it might still
be possible with a portable air pressure device. Currently small
compressors are on the market that can deliver 8 bar of pressure.
Maybe these locks were ‘blown open’? Sounds feasible to me ….

BTW: should I create a new article when I update or do readers like it when I paste in an existing posting?

To be continued …

Bømping løcks in Denmark

September 7th, 2006

I do not want to insult the people from Denmark by using an image of
the famous ‘Swedish Chef’. A long item about bumping aired in Denmark
recently and today I received a copy. I can understand as much of the
item as I could understand the Swedish Chef in his hilarious
Muppet-show performances. My wife Charlotte was creative with
Photoshop and did the rest. For those speaking Danish and those collecting info
worldwide about bumping the video can be found here (WMV, 33 Mb, 25 min)

 

bump bump bump

 

The bumpkey story also broke in the US. Check this TV item broadcast by CBS.

More about the 13 song’s Opel tool

September 5th, 2006

If you read all the comments on this page you could have known I
visited Köln (Cologne) this weekend. We visited the DOM factory and a
meeting organized by Ssdev. The weekend was wonderful. Maybe I will
write something about it one of these days. It was nice to meet my
friends again and exchange information with knowledgeable people.

One person I met was André. He visited this page and went to the
junkyard to collect some car locks. In particular Opel locks in
order to test the 13 song’s tool I bought in Las Vegas.

To make a long story short: the tool works. The lock he brought could be
picked in minutes. Click the image to see a video of the tool in action.

 

13 songs tool

jagged edge wafer

 
Coincidentally André also owns an Opel. The lock in his car offered more
resistance and did not open at all. We think it might have to do with
jagged edges on the newer models’ wafers. These edges act like mushroom
or spool pins in an ordinary lock. Once they hook you get the false
impression the lever is set. Clemens from Ssdev sportgroup Moers
figured out the 13 song’s tool is not 100% perfect either. The problem
with it is that you can only push levers up, not down! If you overlift
a lever the only way to push it down (or drop it) is by fully releasing tension.
Combined with the latest generation jagged edged levers this might cause problems.
Depending on your point of view of course ….

I will have to practise some more. Does anyone have an Opel I could borrow?

Free advice …

August 31st, 2006

This weblog is not only about lockpicking, it is also about my life.

I have an interesting hobby. And my work, developing cryptographically
secure non-tapable phones, is a little out of the ordinary too. Both
bring interesting people on my path, and I am very aware of it.

A couple of weeks ago I was contacted by some people from a small but
turbulent country on the Mediterranean coast. They had some nice locks
and lock technology to show and happened to be in the Amsterdam area
for a couple of days. Curious as I am I decided to meet them. Nice and
friendly people, and the lock and lock technology they showed was
indeed very interesting and entertaining.

All was nice and well until this morning … the phone rings:

I politely answer the phone. It is the person I met a couple of weeks
ago. In a friendly voice he tells me he is back home and a package is
on its way with some more locks. His second question caught me off
guard: They were looking for someone who could ‘open doors throughout
Europe’ for them. It was obvious they did not mean a 24-hour opening
service kind of job. The payment for these jobs would be good and make
me happy. I told him I am already happy and in no way interested in
being recruited for some foreign organisation to do their dirty work.
When I tried to end the call he persistently asked if I did not know
other talented people that could help them, or give him other leads
that might be of interest. I had to disappoint him (and his
organisation, whoever they are). And I am still puzzled as to why he
made me this offer over the phone….

 $$$ cash $$$ Free $$$

 

Many people do not realize the consequences of doing business with
this type of organisation. First they will be friendly and give you
all you can dream of. But at the end of the day you become an
instrument, a pawn in a game where you do not know the rules and can
be sacrificed for a higher goal without the blink of an eye. Not to
mention the famous line: “If things go wrong we don’t know you”.

I did send an e-mail to the Dutch Toool list about this incident, as a
warning. These people are obviously looking for ‘talent’ and pawns for
their game. I would hate to see hobby lockpickers getting in trouble
because of this. I hope you consider this posting as free advice ….

Barry

P.S.: I know having a weblog called ‘blackbag’ (slang for illegal
break-in) might be asking for things like this to happen. I hope this
posting makes clear that I am not interested….

From Russia with … love ?!?

August 31st, 2006

We sometimes feel we have a Russian fanclub.

But to be honest, the people behind locks.ru are interesting and ok.
They did put a lot of time and energy in learning to bump locks
themselves, and even bumped locks I had never heard of. Their online
video library is impressive and worth visiting.

consumer reportski

Their motivation to learn and share is sometimes a little over the
top. They shamelessly copy and translate into Russian everything from
our website. And I mean everything. The complete spoken text of the
‘what the hack’ bumpkey presentation (two hours!) was translated in
Russian and transcribed. Pretty mind boggling to read your own words
in Russian. And I do not even read Russian! I hope they did a better job than
ripping our ‘consumer reports’ report apart. Hours after the results
came out it was translated in Russian and available on their site. We
noticed it was not a one-on-one copy but a modified one. Instead of
the 80 (or so) locks we tested, their list contained over 100 locks. Every
lock we did not open in the test they kindly ‘re-tested’ for us and
mixed in some popular Russian brands as well. So instead of having an
80% success rate with our test their copy of the article had a 120%
one. But still I believe their intentions are ok and they mean well.

So far they have not translated my weblog yet. If they ever do I am
curious how this article will come out …

Toool.US – World domination 2009

August 29th, 2006

WOW. When we set up Toool.nl a couple of years ago we could not have
imagined being where we are now. Lots of people know about our crazy
hobby and passion for locks. And it is good to see our positive
attitude attracts people with the same open mindset. Currently some
very capable and trustworthy people are setting up Toool lockpick
sport clubs in the US. They are very aware of the pitfalls on the
road, and I am sure they will do fine.

They sure know how to build a website and give structure to a club.
Check out the site of Toool.US that went live today!

Toool.US

 
I am real curious where this is heading…. World domination 2009?!?

To be continued …

Car opening follow up: the BMW 2 track decoder

August 25th, 2006

Lambert, a Toool Eindhoven member, was kind enough to send me a DVD
with the German RTL item I announced but missed myself. It covers some
interesting car opening techniques. One of them is decoding a brand
new BMW X3. I also demonstrated this German tool at HOPE Number Six. I
assume most of you missed that presentation so I combined some video
and mixed in some fresh close ups from the tool. See for yourself:
 http://blackbag.toool.nl/video/bmw.wmv (WMV 76 Mb )

bmw 2 track decoder

The problem with these wafer locks is that they have sloppy
tolerances. Theoretically, each individual lever could be in four
different positions. If this really was the case all eight levers in
the lock would create a keyspace of 65,536 possible keys. The big
weakness is that if you cut a key to ‘one and a half’ it will open
both a 1 and a 2 cut. And a key cut to ‘three and a half’ will open
both levers 3 and 4. So instead of four combinations we now have only
two, limiting the total keyspace to a lousy 256 possible keys. To make
things worse each side of the key will only operate four levers
instead of eight. Normally four levers would be good for 256 different
combinations but now that is reduced to 16. This is why it is possible
to have a set of 16 setup keys simulate all key combinations possible
on this specific BMW lock.
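The keyspace arithmetic above, carried through as an added example that is not from the original post. The depth numbering 1 to 4 and the tolerance model (a cut operates a lever when it is within `tolerance` depth steps of it) are assumptions taken from the paragraph's wording, not measurements of a real lock.

```python
from itertools import product

DEPTHS = (1, 2, 3, 4)    # four nominal positions per lever (from the text)
HALF_CUTS = (1.5, 3.5)   # 'one and a half' and 'three and a half'

def cut_operates(cut: float, lever: int, tolerance: float) -> bool:
    """Assumed model: the lever accepts any cut within `tolerance` steps."""
    return abs(cut - lever) <= tolerance

def key_opens(key, lock, tolerance: float) -> bool:
    return all(cut_operates(c, l, tolerance) for c, l in zip(key, lock))

def keyspaces(levers: int = 8, per_side: int = 4) -> dict:
    """The three figures quoted in the paragraph."""
    return {
        "nominal": len(DEPTHS) ** levers,        # 4^8
        "effective": len(HALF_CUTS) ** levers,   # 2^8
        "per_side": len(HALF_CUTS) ** per_side,  # 2^4
    }

def coverage(tolerance: float, per_side: int = 4):
    """Check every lever combination on one key side against every
    half-depth setup key; return (number of setup keys, number of
    combinations, fewest and most setup keys that fit a combination)."""
    setup_keys = list(product(HALF_CUTS, repeat=per_side))
    locks = list(product(DEPTHS, repeat=per_side))
    hits = [sum(key_opens(k, l, tolerance) for k in setup_keys)
            for l in locks]
    return len(setup_keys), len(locks), min(hits), max(hits)

if __name__ == "__main__":
    print(keyspaces())
    # Sloppy tolerance of half a step: each of the 256 combinations
    # on a side is matched by exactly one of the 16 setup keys.
    print(coverage(0.5))
    # Tolerance held to a quarter step: no half-depth key fits anything.
    print(coverage(0.25))
```

The second `coverage` call shows the manufacturing side of the problem: once the accepted deviation is smaller than half a depth step, the half-depth keys stop working and the four nominal depths per lever count in full again.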

Hacking modern cars and car locks

August 18th, 2006

Testing is fun. Especially testing locks and tools. And it is even
more fun when people claim locks can not be opened and you show it can
be done. Without damaging the locks of course.

autobild

I received a mailing (PDF) from the Wendt lock tools company in Germany. As
far as I know they are the biggest and most complete lock opening tool
supplier in Europe (in the world?). I try to visit their yearly ‘open
house’ meeting as often as I can. Walking around there and looking at
all these magnificent tools is always a great pleasure. And their catalog (PDF) is a ‘must read’.

wendt case

They supplied tools and expertise for a big test on cars and car locks
for the famous Auto Bild magazine in Germany. My German is a little
rusty, but here is a rough translation from part of the mailing Wendt sent
around a couple of days ago:

“Together with us Auto Bild tested in what time modern cars could be
‘hacked open’. The challenge was to open the cars free of damage. We will
not give the exact details of the test but on ten tested models the
results were rather shocking.”

wendt deluxe

I do need to get my hands on this magazine of course. So stay tuned for
a scan. (update 17:00 the magazine was sold out, will try other ways)

And for the people in Europe: an item on German television about this test will be aired Sunday.
To be more precise: Sunday 20.08.06, RTL, SPIEGEL-TV Magazin 22:35

The ‘Russian lock’ ….

August 16th, 2006

I bet you have never seen this lock before.

russian lock

If you have you are either a Russian ‘diplomat’, have worked as a high-ranking officer on a
Russian nuclear submarine or operated a nuclear plant there. Or you are a member of Toool or Ssdev.

Little is known about the lock, only that it is (was?) in use at the
most critical parts of the Russian government and military. Fact is
this lock is extremely rare. A US DOD lock specialist has been trying for
years to get his hands on one, without success. He only located three
of these locks in the world. Safe technician Paul Crouwel owns one of
these three locks. He will show you the ins and outs of this very
special lock in an exclusive blackbag video (wmv 77 Mb).

russian lock

inside out

The lock has a seal function. It does not take much force to
break the lock open. The design goal was obviously to prevent
unauthorized and surreptitious access. The story we heard was that the
lock was in use at Russian embassies. Instead of importing heavy safes
from Russia they just bought a decent model on the local market. They
secured the entrance of the original key hole with this lock. So in
order to open the safe you first need to get past this ‘seal lock’.
To open it you need to dial a combination and use a key. So it can also be
used in a system where two people are needed to open a specific safe.
One person knows the combination and will dial it while the other
person only has access to the key and operates it. The other story we
heard was that it was used in nuclear facilities and submarines. But
we do not know for sure. We do know it is a lock with a strong ‘spy vs
spy’ smell.

If you know more about this specific lock we would love to hear from you!

(* More info is available here )
(** and you might want to read the comments …)