I love a good caper film. When I was a wee lad my father introduced me to The Great Train Robbery. Over the years I’ve seen several other memorable ones: Rififi, A World Without Thieves, and several by David Mamet, like The Spanish Prisoner. Just the other day I watched Inside Man.

Numerous vulnerabilities and attacks like Spectre, man-in-the-middle, SQL injection, keyloggers, phishing and a legion of others have loomed over the IT sphere for decades. It seems like every month there’s a new, “largest ever”, high-profile security incident.

The never-ending struggle has given rise to a bevy of best practices and technologies: asymmetric cryptography, penetration testing, salting hashed passwords, numerous VM enhancements (like SEV), two-factor authentication and countless others.

Locks and Lock Picking

Many people working in IT are accustomed to the idea of a (climate-controlled) server room with limited access. Anyone who’s needed to restore root/administrator access (and perhaps keeps a bootable USB drive of associated tools on their person) understands the fundamental risk.

In most cases, these rooms are protected by locks controlled via keypad, access card, or biometrics. But their precursor, the humble pin tumbler lock, is still found in a variety of settings, like doors and cabinets that likewise protect equipment.

About a year ago I became curious about lock picking. I can’t remember which movie I was watching, but someone is locked in a basement and manages to remove their restraints and escape; it seemed like a useful skill to have.

Numerous resources exist for budding locksmiths, such as The Complete Book of Locks and Locksmithing. It covers the design of several types of locks, how to duplicate keys and design a master-key system, and lockpicking, among other topics relevant to the trade. Additionally, there is an assortment of educational tools such as practice locks.

After those, you can graduate to over-the-counter locks available in any hardware store.

Most surprising to me was that even with inexpensive, entry-level picks, picking anything less than a “high security” lock takes little practice. NB: possession of lockpicks by unlicensed individuals may not be legal where you are.

Continuing with my cinematic theme, The Next Three Days features Russell Crowe’s failed attempt to use a “bump key”. Bumping is a variety of lockpicking that uses a specially cut key for particular locks.

Does Physical Security Really Exist?

Over the years, researchers have demonstrated borderline outlandish, largely theoretical attacks that don’t even require physical access. Examples include attacks using hard-drive acoustics, screen brightness, and several others.

And more recently, the article that inspired this post, Researchers Can Duplicate Keys from the Sounds They Make in Locks.