Practical Lock Picking: A Physical Penetration Tester's Training Guide

by Deviant Ollam


For the first time, Deviant Ollam, well-known lock picking teacher from DEFCON and ShmooCon, is putting all of his knowledge into one book! Infosec professionals who need knowledge of lock picking will find this the perfect tutorial and later reference, with a solid and fast-acquired understanding of a variety of locks, including electronic devices. You will find everything you need, including quick-entry tricks like shimming, bumping, and bypassing, along with details on how to ensure future access and how to cover your tracks.

  • Author has taught thousands of individuals, many at leading conferences like DEFCON and ShmooCon
  • Only up-to-date book available for the information security professional
  • This knowledge completes the penetration tester’s toolkit for internal and external audits of a company’s security

Editorial Reviews

From the Publisher

Winner of the Best Book Bejtlich Read in 2010--

"Practical Lock Picking (PLP) is an awesome book. I don't provide physical testing services, but as a security professional familiar with Deviant's reputation I was curious to read PLP. Not only is PLP an incredible resource, it should also serve as a model text for others who want to write a good book. First, although the book is less than 250 pages, it is very reasonably priced. Second, Deviant wastes NO space. There is no filler material, background found in other readily available texts, reprinted Web site content, etc. Third, the writing is exceptionally clear and methodical, with extreme attention to detail and a master's approach to educating the reader. Finally, the diagrams, pictures, and figures are superb."--Richard Bejtlich, TaoSecurity

"No matter what your background is, if you want a new and fascinating insight into this world, I don't think any book will give you a better introduction to this field than this one."--Barry Wels, Founder and President, The Open Organisation Of Lockpickers

"You have exhausted your budgets on the myriad of high tech cyber threats and finally have time to take a breath. Just as you settle in your chair to review the dashboard which shows the fruits of your tireless effort, an alert hits your phone. The voice on the phone cries out 'The servers are GONE!' This book will show you what happens when attackers decide to 'get physical.'"--Chris Nickerson, Lares Consulting

"The clear explanation and plentiful diagrams leave the reader with a clear idea of how lock mechanisms work, and the practice exercises that follow build on this knowledge to allow the reader to quickly progress before moving on to the simpler techniques, shimming and bumping...Overall the book does much to dispel the myth that lock-picking is an arcane, difficult art and puts the reader in a position to carry out more effective physical security reviews...In summary this is an excellent practical introduction to the subject and the publishers are to be congratulated for producing another good niche penetration testing book."--Nick Dunn, BCS, The Chartered Institute for IT

Product Details

Publisher: Elsevier Science
Product dimensions: 7.40(w) x 9.10(h) x 0.70(d)

Read an Excerpt

Practical Lock Picking

A Physical Penetration Tester's Training Guide

By Deviant Ollam

Elsevier Science

Copyright © 2012 Elsevier, Inc.
All rights reserved.
ISBN: 978-1-59749-990-3

Fundamentals of Pin Tumbler and Wafer Locks


Chapter contents:
  • Pin Tumbler Locks
  • Wafer Locks
  • Summary

While there are a multitude of lock designs on the market today, produced by many different manufacturers, the bulk of these offerings are not in widespread use. Nearly all of the locks that you are likely to encounter on a day-to-day basis stem from just a few basic varieties, and the mechanisms inside of all of these devices operate in almost the exact same manner. If you can understand the basics of just a few styles of locks, I'm confident in suggesting that you should be able to open with great ease at least three quarters of the locks you're likely to encounter ... even more, as you become more skilled with time.

The overwhelming majority of locks that are in use today, particularly in North America, are either pin tumbler locks or wafer locks. A handful of other designs are prevalent in certain international regions. Lever locks, for example, are an older design originating in the 17th century with keys that tend to be larger and their operation more cumbersome than more recent designs. These are a common sight in Europe, central Asia, and parts of South America. Rotating disk mechanisms are popular in northern Europe and parts of the Pacific Rim, while some locks in Austria and Japan feature magnetic components. However, in all cases—even in the regions outside of North America—it should be understood that these designs are usually not nearly as prominent as basic pin tumbler locks and wafer locks, particularly as far as penetration testing is concerned.

Typical office doors, desk drawers, filing cabinets, and access panels will usually be equipped by default with lower quality locks because they are the easiest to mass produce, the simplest to service, and the most economical to replace or re-key should the need arise. Until furniture manufacturers and hardware stores cease ordering bulk shipments of locks with low production costs and lax quality standards, we are likely to continue encountering them for a very long time.


The style of lock with which the majority of people are most familiar is the pin tumbler design. I realize that many of you may already be somewhat aware of this hardware (and, indeed, diagrams and photographs of all shapes and sizes seem to abound on the internet and in other printed works), but I feel it would be helpful for us to analyze this mechanism briefly, from the ground up, in order to properly understand how it functions and how it can be exploited.

Pin tumbler locks come in many forms and styles and can be incorporated into hardware that appears in a number of different shapes. Take a look at the locks in Figures 1.1, 1.2, and 1.3.

While each lock is clearly a very different form factor, all three function with a traditional pin tumbler mechanism which is operated by means of a simple "blade" style key, shown in Figure 1.4, the likes of which you have seen multiple times before.

The pin tumbler mechanism is one of the oldest lock designs in existence and is still widely used today. Let's take a closer look at how the components of these locks are made and assembled, paying particular attention to how the lock attempts to hold itself shut without the key present. There are two primary large pieces that comprise the bulk of a pin tumbler lock: the housing and the plug. These are the two items that can easily be seen from an exterior perspective and are thus the most understood. We will now walk through the manner in which these two segments are fabricated and how they fit together.

The plug

The plug of a pin tumbler lock is constructed from a cylindrical billet, typically made of brass although occasionally steel is used in high quality models. Often the first feature to be added, after the metal is cut to the requisite length, is a small divot in what will become the front face of the plug. This helps to seat and align the key during user operation. See Figure 1.5 for a better understanding of how we shall look upon the various components of lock hardware. On the left is a frontal view, what the user would typically see from a straightforward perspective. On the right of the diagrams in Figures 1.5 through 1.12 we see a perspective from the side.

Given that the bulk of what concerns us takes place further inside of the lock, we will begin to focus our "straight forward" view (on the left side of these diagrams) further inward. In Figures 1.6 through 1.12, that image will correlate to a cross-section of the plug (or the lock as a whole) approximately 5mm in from the front face.

The plug will be milled with a small lip around the front facing edge. This is dual-purpose, in that it prevents the plug from sliding inward through the lock housing while also precluding a potential attacker's insertion of material that could penetrate the front of the lock and interfere with the operation of the pin tumblers within.

It is quite common for this front milling process to be more intricate, involving additional ridges or deeper grooves. Again, this is to prevent pieces of thin metal or other tools from being inserted and worked into the depths of the lock from the outside.

In addition to this front lip, the rear section of the plug is also typically milled with either a grooved notch or given a threaded end to accommodate a retaining clip or screw cap, respectively. While threading is typically produced at the end of the process, a clip notch can often appear at this time, as represented in Figure 1.8.

The next component to be milled is the keyway. The shape of the slot for the key is called the keyway profile. The primary reason for using more than a simple rectangular slot is the need to help seat and align the key as it is inserted into the lock. The curvature present in nearly all keyways results in protrusions of metal (called wards) that align with deeper cuts and bends on the key. These help keep the key level and raised to the appropriate height during operation.

The warding created in the design of a keyway has an additional function. As we will see in Chapter 4, the more complicated the curvature of the keyway profile, the more the wards will potentially interfere with the usage of picks, snap guns, and other tools that could potentially be used in attacking a lock.

A third consideration for manufacturers when designing a keyway profile is also one of intellectual property protection. If a specific pattern is unique and unprecedented, the lock manufacturer will enjoy copyright protection of this "new design" for a period of twenty years. This right is typically leveraged not for the prevention of knock-off or copycat locks, but is in fact used by hardware manufacturers to prevent the availability of unauthorized key blanks on the open market. When a design is still relatively new, the vendors can market that their locks incorporate "restricted keyways" for which there is not a widespread supply of blanks available to third parties.

As you may have seen when having a key duplicated at a hardware store, the large racks or drawers of uncut blank keys are not typically filled with name-brand components. Kwikset and Schlage may be among the most common logos stamped on our locks in North America, but take a look at the actual keys in your pocket. If I were a betting man, I'd wager that many (if not all) of them are embossed with names like Ilco or Hy-Ko (or bear no markings whatsoever). This is because manufacturers of locksmithing components and supplies now primarily handle the production and sale of blank keys to most hardware stores, strip mall kiosks, and key copying centers. While this often results in a savings in cost (passed on to consumers, who can typically copy a key nowadays for one to two dollars), the flood of "unauthorized" key blanks across the market can have security implications.

A number of tactics for defeating a lock are feasible only if the attacker has a supply of blank keys that can be inserted into the keyway. Bump keying and impressioning are two such methods of attack. (Impressioning is a bit beyond the scope of this work, but bump keying will be discussed in Chapter 5.) Even more basic is the risk of unauthorized copies of keys being made without permission. While it is possible to stamp "Do Not Duplicate" onto the bow of a key, this direction is routinely ignored ... particularly by non-locksmiths.

At this stage of production the keyway is typically milled into the plug blank. I have seen this done in person at the EVVA factory in Austria and it's an astonishing process. A large pneumatic ram forces the plugs along a track, exposing them to a series of fixed blades in an ornate and intricately-arranged jig. As the plugs pass each blade, the slot for the keyway grows deeper and wider and more intricate. The whole process takes mere seconds.

Often, additional milling and cutting takes place at the rear end of the plug, in order to accommodate and interface with tail pieces or cams. These are the components of the lock that actually interact directly with the bolt or latch mechanism which is holding a door or drawer shut.

Remember, it's not a lock's job to hold something shut. You can easily prevent someone from, say, accessing a particular room of your house by applying brick and mortar to the doorway. That will surely keep unwanted people out, right? What's the problem with such a solution? The answer, of course, is that such a solid wall of stone isn't the best thing to have if you're also concerned with allowing authorized people in. That is what locks attempt to do for us ... they assist in giving otherwise robust security a means of quickly, easily, and reliably opening when necessary. It is our deadbolts, our padlock shackles, and other similar hardware that actually provide the means by which things remain shut. Our locks are mechanisms that simply trigger the release of said deadbolts and shackles at (we hope) the appropriate time.

There are a number of attacks that we will discuss in Chapter 5 which focus on ignoring the lock mechanism entirely as one seeks to simply interact directly with the latch or bolt hardware deeper within the door. Many of these attacks focus on weaknesses in the way that the lock core (often, the rear of the plug specifically) interacts with a tailpiece or cam.

The final stage of fabrication of the plug (usually) is the drilling of pin chambers. These are often drilled from above, all to a uniform depth, and equidistant from one another. That is by no means a hard-and-fast rule, however. We will discuss some unique designs in Chapters 5 and 6 that vary from this norm. However, one feature that tends to be uniform in almost all locks is the alignment of the pin chambers from front to rear. Ideally, these chambers will be drilled in a perfectly straight line ... but, as we will see in the following chapter, that is unfortunately a very difficult thing to achieve with utmost precision.

There are some additional features that may be added to plugs by certain manufacturers. It is not uncommon for small additional chambers or holes to be fabricated near the front face of the plug. These are subsequently filled with ball bearings or ceramic inserts that can frustrate and impede drilling attacks. Such features are shown in Figure 1.12.

The other large component from which the core of a lock is constructed is the housing. This contains the plug and all other associated smaller elements such as pins and springs. Much as we did with the plug, let's take a look at how the housing is constructed in order to properly understand its function and role within the lock (see Figure 1.13).

One of the first components to be milled into a lock's housing is often the large, central bore that will accommodate the plug. It is typically fabricated straight through with an even diameter (see Figure 1.14).

An additional ridge is milled into the housing at the very front of the bore opening, to interface with the lip on the front edge of the lock's plug. Figure 1.15 shows this ridge from both the front and side view.

Pin chambers are then drilled into the housing from the top surface. As with the fabrication of the plug, every attempt is made to ensure that these chambers are uniform and that they align perfectly from front to rear. These chambers appear in Figure 1.16. As with our discussion of the fabrication of a lock's plug, the figure's "front view perspective" on the left side of the diagram now reflects a point approximately five millimeters in from the lock's face.

Excerpted from Practical Lock Picking by Deviant Ollam. Copyright © 2012 by Elsevier, Inc. Excerpted by permission of Elsevier Science.
All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.

Meet the Author

Deviant Ollam's first and strongest love has always been teaching. While paying the bills as a security auditor and penetration testing consultant with The CORE Group, he is also a member of the Board of Directors of the US division of TOOOL, The Open Organization of Lockpickers. Every year at DEFCON and ShmooCon Deviant runs the Lockpicking Village, and he has conducted lockpick training sessions at Black Hat, DeepSec, ToorCon, HOPE, HackCon, ShakaCon, HackInTheBox, CanSecWest, ekoparty, and the United States Military Academy at West Point.

Customer Reviews


Practical Lock Picking: A Physical Penetration Tester's Training Guide 3.8 out of 5 based on 0 ratings. 5 reviews.
Anonymous More than 1 year ago
Do you want to learn how to pick a lock? If you do, then this book is for you! Author Deviant Ollam has done an outstanding job of writing a book that educates penetration testers and incorporates an additional level of expertise into their repertoire of skills. Author Ollam begins by exposing you to the inner components of the most typical styles of locks in use today. In addition, the author examines the types of flaws that are commonly found in the locks people rely on day in and day out. He then discusses the basic types of equipment that are particularly helpful when starting out with a study of lockpicking, and presents information on the process by which this equipment can be serviced and reconfigured. The author then provides an overview of some of the basic styles of pick-resistant designs that manufacturers will seek to introduce in certain products. He continues by focusing on quick-entry tricks like shimming, bumping and bypassing, with detailed emphasis on padlock shims, snapping and bumping, comb picks, the American Lock bypass tool and door bypassing. Finally, he presents an overview of some of the most common alternative designs of pin tumbler lock and summarizes the tools and tactics which can be effective against them. The goal of this most excellent book is to provide you with an overview of some of the basic tools and techniques for lockpicking. Perhaps more importantly, the author will walk you through a series of exercises and lessons that you can use when becoming familiar with these tools in your own hands as you develop your skill.