What Learning to Lockpick Taught Me About Digital Security
Until you pick a lock, or challenge a password, you'll never know if it's really secure.
Image: Tomas Urbina
Tucked in an alley behind an old church in downtown Toronto, there's a makerspace called Site 3: Two stories crammed with workbenches, retro video game consoles, art projects, a mannequin, and an incinerating toilet that torches human poop, turning it to ashes. (Site 3 doesn't have running water, although the toilet wasn't working anyway when I visited.)
Once a month, Site 3 hosts the Toronto chapter of The Open Organization of Lockpickers (TOOOL), a group with chapters across North America and beyond that's dedicated to achieving "openness through security," by picking locks.
Physical locks, I mean—the kind that guard your front door when you're away, or keep your bike safe when you leave it at a bike rack out on the street. We spend a lot of time thinking about our digital security (even if most of us still use terrible passwords), but before that, there was physical security. And there's actually a lot of overlap between the two.
Until you try to pick a lock—or until you challenge a password or encryption algorithm—you'll never really understand how secure it is.
I dropped in on TOOOL recently to learn how to lockpick. What I found out was that many of the locks we rely on, just like bad passwords, are alarmingly easy to bypass. Yet we take them completely for granted, and assume we (and our belongings) are secure.
Jacob Botden is a member of Site 3 and organizer of TOOOL Toronto. He met me upstairs, and scattered a pile of practice locks across the table. There were padlocks, and the type of lock that's probably on your front door, as well as a transparent lock: When he pushed a key into it and turned, I could see the pins moving inside.
He'd brought some simple tools with him: A handful of tension wrenches (basically a cheap S-shaped piece of metal), and lockpicks, which look like a thin file with a hooked end.
"When you start picking a lock, you learn how poor some locks are, and how good some are. It's not about picking the lock," Botden said. "It's about understanding the security of it all."
Botden told me about conversations he's had with tech guys who oversee digital security for their companies and have started looking into the physical locks and barriers that guard their offices, too. It's a growing hobby. At Toronto's Maker Festival recently, "seven or eight hundred people came through" to practice picking locks with TOOOL, including plenty of kids and teenagers, he said.
Lockpicking is really based on the feel of the lockpicking tools in your hand, and requires a weird mix of focus and relaxation, a sort of controlled zoning out. Botden, an engineer who has dabbled in locksmith work, likes to practice while watching TV.
We got down to picking some locks. I started with one of the most basic ones, with just one pin inside (the standard lock on the front door of a house will have five pins, he told me, and industrial locks can have six or more). Working in the way Botden showed me, I inserted a tension wrench into the lock, and applied gentle pressure. Then I slid the lock pick through the hole, and pushed the pin upwards. It clicked open—an immensely satisfying feeling.
Botden cheered me on. When lockpickers pick a lock, they like to yell "Open!" he said.
I worked my way up to a two-pin lock, performing the same maneuver. It took a little bit of practice, pushing the pins up and down. But eventually, the lock slid open. I did it over and over again.
It's a rush to bypass a lock without a key. But every responsible lockpicker (including members of TOOOL) must abide by two rules, Botden explained.
"The first one is, don't pick locks you don't own," because then you could be guilty of breaking and entering. (While it isn't illegal to carry lockpicking tools in Ontario, if you're caught with them and suspected of a crime, it could bump up the charges, just like if you had a sledgehammer or crowbar, according to Botden.)
"The second is don't pick locks you rely on," he continued, partly because picking a lock will eventually wear it out.
When TOOOL's members find a vulnerability in a lock, they'll let the manufacturer know. Botden pointed to certain models of Kryptonite bike locks, which could be hacked with a hollowed-out Bic pen. (In response, Kryptonite replaced bad locks and updated its design.)
Then there are padlocks that could be busted with a shim, basically a fingernail-size piece of metal made from a beer or pop can, or bought online. Locks are now advertised as "shim-proof," Botden said. (I managed to pop open a padlock with a shim a few times during our visit.)
A cheap lock is like a shoddy password, Botden said. "If you pay $5 for a lock, you won't get good security. And if you get a free app, you're not guaranteed good security. By going to a group like TOOOL, and challenging the locks, you know what's good."
In the same way, "you can say you made an [encryption] algorithm that no one can break. But until someone challenges it, you don't really know."
The Hacks We Can't See is Motherboard's theme week dedicated to the future of security and the hacks no one's talking about.