http://www.wired.com/news/culture/0,1284,64987,00.html
A 50-year-old lock design was rendered useless last week when a brief
post to an internet forum revealed the lock can be popped open with a
cheap plastic pen.
On Sunday, bike enthusiast and network security consultant Chris
Brennan described opening an expensive Kryptonite bike lock using a
ballpoint pen.
"Your brand new U-Lock is not safe," warned Brennan in a note posted
to Bike Forums.
Wired News tested Brennan's claims. A brand new Kryptonite Evolution
2000 was opened in seconds using a Bic pen. After cutting four small
slits in the end of the pen's barrel to ease it in, the lock opened
with a single twist.
Brennan, 24, of San Francisco, said he successfully opened two
Kryptonite locks, an Evolution 2000 and an older Kryptonite Mini lock.
Subsequent posts to Bike Forums and other websites report the
vulnerability applies to many of the company's cylindrical-lock
products, including some from Kryptonite's vaunted New York series.
The New York line carries a $3,500 replacement warranty in the event
of theft, and Kryptonite claims the locks are resistant to "bolt
cutters, saws, hammers and chisels."
"That's the absurdity of it," Brennan said. "It's not picking the lock
or smashing it open. It's the absurdity of a small piece of plastic
breaking your unbreakable lock."
"They're worthless," he added. "I don't trust them anymore."
Kryptonite declined to comment, but in a statement, the company said
it is rushing to market a new "disc-style cylinder" design that is
more secure. The disc-style cylinder is used in the New York products.
"Kryptonite will provide the owners of Evolution and KryptoLok series
products the ability to upgrade their crossbars to the new disc-style
cylinder, where possible," the statement said. "This cylinder provides
greatly enhanced security and performance. Kryptonite is finalizing
the details of this upgrade process and will publicly communicate
these details as soon as possible."
Brennan said he will not be buying a new lock from Kryptonite.
"That's a slap in the face," he said. "They're looking to profit from
a series of mistakes they made. They need to replace their faulty
product."
The vulnerable Kryptonite locks use an axial pin tumbler, a common
cylindrical design used in a wide variety of products. The lock's
design was invented at least 50 years ago by Chicago Lock, said
attorney and security consultant Mike Tobias, who claims to have first
publicized the design's vulnerability five weeks ago.
In early August, Tobias' website, Security.Org, claimed laptop
security locks by Kensington Technology Group, Targus and Compucage
International could be easily compromised with a pen or a toilet-paper
tube.
"It's the same problem," said Tobias. "Isn't it incredible? There are
millions of people who are reliant on these locks. The problem for
Kensington and Kryptonite is that everyone knows it now."
Tobias said not all axial locks are vulnerable, depending on several
factors such as the lock's diameter (to match the pen) and the lock's
engineering tolerances. He claims to be a veteran lock-and-security
consultant who has worked for lock manufacturers, government agencies
and law enforcement.
Kryptonite and CompX International, which now owns Chicago Lock,
didn't respond to requests for comment.
When told of the vulnerability, Tom Volk, owner of American Bicycle
Security, which makes bike lockers and racks, expressed surprise.
"That's not good for them, but other companies are using the same
lock. They all use a seven-pin tumbler lock."
Volk noted that several cylindrical lock picks have been available
online for more than a year. Volk said they apparently work well,
opening locks in seconds.
The lock's flaw was apparently first publicized in 1992 in the United
Kingdom, according to BikeBiz.com. The BBC even covered it, but the
news apparently didn't resurface until a dozen years later.
"We read about it online like everyone else," said Leah Shahum,
executive director of the San Francisco Bicycle Coalition. "It's
amazing, but a lot of people have heard of it. The news is definitely
out there."
Brennan said his experience in computer security gave him no doubt
about publicizing the vulnerability.
"The problem's not going to go away," he said. "Keeping it quiet just
gives thieves more time to use this to their advantage. I wanted to
let people know they are vulnerable. It's an illusion of security."
