Bumping: Difference between revisions
mNo edit summary |
mNo edit summary |
||
(3 intermediate revisions by 3 users not shown) | |||
Line 3: | Line 3: | ||
[[Image:Lockwiki_Bumping_Keys.jpg|thumb|right|text-top|350px|Bump keys for common US locks.]] | [[Image:Lockwiki_Bumping_Keys.jpg|thumb|right|text-top|350px|Bump keys for common US locks.]] | ||
'''Key bumping''' (or '''bumping''', '''rapping''') is a [[Covert_Entry|covert]] entry technique used to quickly open [[pin-tumbler]] based [[lock]]s. Key bumping uses a modified [[key]] blank to create a kinetic energy transfer between | '''Key bumping''' (or '''bumping''', '''rapping''') is a [[Covert_Entry|covert]] entry technique used to quickly open [[pin-tumbler]] based [[lock]]s. Key bumping uses a modified [[key]] blank to create a kinetic energy transfer between key and driver pins in the lock. Driver pins are momentarily "bumped" above the [[shear line]], which allows the [[plug]] to rotate. Key bumping is similar in function to a [[Pick_Gun|pick gun]]. | ||
__TOC__ | __TOC__ | ||
Line 12: | Line 12: | ||
In the 1970s, locksmiths in Denmark shared a technique for knocking on a lock cylinder while applying slight pressure to the back of the lock plug. When the pins would jump inside of the cylinder, the plug would be able to slide out freely, thus enabling the locksmith to disassemble the lock quickly. The use of a bump key was not recognized as a potential security issue until around 2002–2003 by Klaus Noch. After further research, a white paper was drafted in 2005 by Barry Wels & Rop Gonggrijp of The Open Organization Of Lockpickers (TOOOL) detailing the method and its applicability.<ref>TOOOL NL. [http://www.toool.nl/bumping.pdf Bumping].</ref> | In the 1970s, locksmiths in Denmark shared a technique for knocking on a lock cylinder while applying slight pressure to the back of the lock plug. When the pins would jump inside of the cylinder, the plug would be able to slide out freely, thus enabling the locksmith to disassemble the lock quickly. The use of a bump key was not recognized as a potential security issue until around 2002–2003 by Klaus Noch. After further research, a white paper was drafted in 2005 by Barry Wels & Rop Gonggrijp of The Open Organization Of Lockpickers (TOOOL) detailing the method and its applicability.<ref>TOOOL NL. [http://www.toool.nl/bumping.pdf Bumping].</ref> | ||
The technique attracted more attention in 2005 when a Dutch television show, Nova, broadcasted a story about bumping.<ref>[http://www. | The technique attracted more attention in 2005 when a Dutch television show, Nova, broadcasted a story about bumping.<ref>[http://www.youtube.com/watch?v=CiUh_BjIsUg Nova broadcast on key bumping].</ref> Bumping received further publicity from TOOOL presentations at security conferences. TOOOL and Dutch Consumentenbond, a Dutch consumer group, analyzed the technique on 70 different lock models with trained and untrained users in 2006.<ref>TOOOL NL & Dutch Consumentenbond. [http://www.toool.nl/consumer-reports-nl.pdf Report on key bumping].</ref> | ||
At the same time, several people in the United States began to talk publicly about the technique and its security implications. In 2006, Marc Tobias released two white papers regarding key bumping and its possible legal ramifications.<ref>Tobias, Marc. [http://www.engadget.com/2006/08/24/the-lockdown-locked-but-not-secure-part-i/ Locked but not secure].</ref><ref>Tobias, Marc. [http://www.engadget.com/videos/lockdown/bumping_040206.pdf A detailed technical analysis of bumping].</ref><ref>Tobias, Marc. [http://www.engadget.com/videos/lockdown/bumping_legal_mwt.pdf Bumping of Locks: Legal Issues in the United States].</ref> In 2008 Tobias also proved that various [[Medeco]] locks, thought to be "bump-proof," could in fact be bumped. | At the same time, several people in the United States began to talk publicly about the technique and its security implications. In 2006, Marc Tobias released two white papers regarding key bumping and its possible legal ramifications.<ref>Tobias, Marc. [http://www.engadget.com/2006/08/24/the-lockdown-locked-but-not-secure-part-i/ Locked but not secure].</ref><ref>Tobias, Marc. [http://www.engadget.com/videos/lockdown/bumping_040206.pdf A detailed technical analysis of bumping].</ref><ref>Tobias, Marc. [http://www.engadget.com/videos/lockdown/bumping_legal_mwt.pdf Bumping of Locks: Legal Issues in the United States].</ref> In 2008 Tobias also proved that various [[Medeco]] locks, thought to be "bump-proof," could in fact be bumped. | ||
Line 20: | Line 20: | ||
== Principles of Operation == | == Principles of Operation == | ||
Any pin-tumbler lock that does not include specific defenses against bumping is theoretically vulnerable, including many high-security pin tumbler locks. The process of bumping is to simply insert a properly made bump key and impact it lightly. If done correctly, | Any pin-tumbler lock that does not include specific defenses against bumping is theoretically vulnerable, including many high-security pin tumbler locks. The process of bumping is to simply insert a properly made bump key and impact it lightly. If done correctly, key and driver pins momentarily separate and the plug can be rotated. | ||
;Bump Key Creation | |||
A key blank or non-working key is obtained that has the same profile and cut spacing as a working key for the lock. The key is modified so that all cut positions are at their lowest possible cuts. This can be verified with manufacturer specifications or a manual [[Key_gauges|key gauge]]. Key specifications also contain other helpful information, such as the acceptable cut angles to prevent [[back cutting]]. Cutting the bitting positions to the lowest position completes a pull-out key; a bump key that must be withdrawn one pin position before being struck. To produce a minimal-movement key, the tip and shoulder of the key must have 0.25-0.75mm of material removed. This will allow the key to be fully inserted and then bumped. To confirm this was done correctly the bump key will be pushed back to normal position by the pressure of the springs, this effect is visible and provides tactile feedback. | A key blank or non-working key is obtained that has the same profile and cut spacing as a working key for the lock. The key is modified so that all cut positions are at their lowest possible cuts. This can be verified with manufacturer specifications or a manual [[Key_gauges|key gauge]]. Key specifications also contain other helpful information, such as the acceptable cut angles to prevent [[back cutting]]. Cutting the bitting positions to the lowest position completes a pull-out key; a bump key that must be withdrawn one pin position before being struck. To produce a minimal-movement key, the tip and shoulder of the key must have 0.25-0.75mm of material removed. This will allow the key to be fully inserted and then bumped. To confirm this was done correctly the bump key will be pushed back to normal position by the pressure of the springs, this effect is visible and provides tactile feedback. | ||
;Bumping Process | |||
* Insert the bump key into the lock, withdraw one pin position if the key is not a minimal-movement key. | * Insert the bump key into the lock, withdraw one pin position if the key is not a minimal-movement key. | ||
Line 32: | Line 32: | ||
* Strike the key with the bump hammer. Ensure the strike is directly on the back of the bow of the key. Do not strike from an angle. | * Strike the key with the bump hammer. Ensure the strike is directly on the back of the bow of the key. Do not strike from an angle. | ||
If done properly the | If done properly the driver pins will jump, and the plug will turn if they are all caught above the shear line. This may take several tries to accomplish. Consider lightly tapping the bow of the key after the initial hit to gently dislodge any key pins that may be [[binding]]. | ||
== Bumping Hammers == | == Bumping Hammers == | ||
Line 50: | Line 50: | ||
;Top Gapping | ;Top Gapping | ||
: | :Driver pins are tapered to prevent them from completely falling into the plug. This prevents a clean energy transfer between key and driver pins. | ||
;Trap Pins | ;Trap Pins | ||
:The shell contains a pin that triggers when the plug is rotated without holding the | :The shell contains a pin that triggers when the plug is rotated without holding the key pins in place (a function of the working key). When the trap pin is fired it blocks further rotation of the plug. Trap pins are problematic because a lock must be destructively opened once they trigger, usually via drilling. | ||
;Auxillary Locking Mechanism | ;Auxillary Locking Mechanism | ||
Line 67: | Line 67: | ||
'''Pros''': | '''Pros''': | ||
* A bump key aligns in the keyway naturally. Pick guns may have difficulty being inserted due to warding or keyway shape. | * A bump key aligns in the keyway naturally. Pick guns may have difficulty being inserted due to [[warding]] or keyway shape. | ||
* Bump keys can naturally include methods to bypass auxilliary locking mechanisms, such as the Schlage Everest side-pin. | * Bump keys can naturally include methods to bypass auxilliary locking mechanisms, such as the Schlage Everest side-pin. | ||
* Keys are relatively inexpensive to obtain and modify compared to pick guns (especially electronic or vibrational pick guns). | * Keys are relatively inexpensive to obtain and modify compared to pick guns (especially electronic or vibrational pick guns). |
Latest revision as of 21:11, 24 March 2022
Key Bumping
Key bumping (or bumping, rapping) is a covert entry technique used to quickly open pin-tumbler based locks. Key bumping uses a modified key blank to create a kinetic energy transfer between key and driver pins in the lock. Driver pins are momentarily "bumped" above the shear line, which allows the plug to rotate. Key bumping is similar in function to a pick gun.
History
The first known mention of a "bump key" is in Hiram Simpson's 1926 patent "LOCK DEVICE"[1]. Though the technique was known, it appears use was limited because it was considered a trade secret by many locksmiths.
In the 1970s, locksmiths in Denmark shared a technique for knocking on a lock cylinder while applying slight pressure to the back of the lock plug. When the pins would jump inside of the cylinder, the plug would be able to slide out freely, thus enabling the locksmith to disassemble the lock quickly. The use of a bump key was not recognized as a potential security issue until around 2002–2003 by Klaus Noch. After further research, a white paper was drafted in 2005 by Barry Wels & Rop Gonggrijp of The Open Organization Of Lockpickers (TOOOL) detailing the method and its applicability.[2]
The technique attracted more attention in 2005 when a Dutch television show, Nova, broadcasted a story about bumping.[3] Bumping received further publicity from TOOOL presentations at security conferences. TOOOL and Dutch Consumentenbond, a Dutch consumer group, analyzed the technique on 70 different lock models with trained and untrained users in 2006.[4]
At the same time, several people in the United States began to talk publicly about the technique and its security implications. In 2006, Marc Tobias released two white papers regarding key bumping and its possible legal ramifications.[5][6][7] In 2008 Tobias also proved that various Medeco locks, thought to be "bump-proof," could in fact be bumped.
Since then, continued locksport interest in bumping has encouraged many vendors to modify lock designs in order to combat bumping techniques.
Principles of Operation
Any pin-tumbler lock that does not include specific defenses against bumping is theoretically vulnerable, including many high-security pin tumbler locks. The process of bumping is to simply insert a properly made bump key and impact it lightly. If done correctly, key and driver pins momentarily separate and the plug can be rotated.
- Bump Key Creation
A key blank or non-working key is obtained that has the same profile and cut spacing as a working key for the lock. The key is modified so that all cut positions are at their lowest possible cuts. This can be verified with manufacturer specifications or a manual key gauge. Key specifications also contain other helpful information, such as the acceptable cut angles to prevent back cutting. Cutting the bitting positions to the lowest position completes a pull-out key; a bump key that must be withdrawn one pin position before being struck. To produce a minimal-movement key, the tip and shoulder of the key must have 0.25-0.75mm of material removed. This will allow the key to be fully inserted and then bumped. To confirm this was done correctly the bump key will be pushed back to normal position by the pressure of the springs, this effect is visible and provides tactile feedback.
- Bumping Process
- Insert the bump key into the lock, withdraw one pin position if the key is not a minimal-movement key.
- Place slight tension with a finger on the bump key.
- Strike the key with the bump hammer. Ensure the strike is directly on the back of the bow of the key. Do not strike from an angle.
If done properly the driver pins will jump, and the plug will turn if they are all caught above the shear line. This may take several tries to accomplish. Consider lightly tapping the bow of the key after the initial hit to gently dislodge any key pins that may be binding.
Bumping Hammers
A tool is used to lightly strike the bow of the bump key into the lock. Specially designed bumping "hammers" are available that aid in efficient energy transfer to the key. Bumping hammers are characterized by their hard plastic tip and flexible handle. Some hammers include accessories, such as weighted inserts to vary the striking power of the hammer.
Technically any striking tool can be used, but the bump hammers provide a more efficient energy transfer when compared to tools like rubber mallets or hammers. In general, a small amount of force is required to bump a lock. Using a hammer or similarly hardened tool may cause unnecessary damage to the lock or the bump key.
Bumping Defenses
Various defenses against bumping exist, some more effective than others. Following heightened media attention many companies began touting bump-proof or bump-resistant technologies.
- Shadow Drilling
- A random pin chamber is drilled higher than the others to prevent a bump key from touching all pin stacks. May cause problems with rekeying unless the position and height of the shadow chamber can be identified by the locksmith.
- Top Gapping
- Driver pins are tapered to prevent them from completely falling into the plug. This prevents a clean energy transfer between key and driver pins.
- Trap Pins
- The shell contains a pin that triggers when the plug is rotated without holding the key pins in place (a function of the working key). When the trap pin is fired it blocks further rotation of the plug. Trap pins are problematic because a lock must be destructively opened once they trigger, usually via drilling.
- Auxillary Locking Mechanism
- Additional locking mechanisms, such as sidebars or sliders, may thwart bumping. In many cases a bump key can be produced if the sidebar code is known. Other mechanisms provide little to no bumping resistance because of their design. For example, the Schlage Everest side-pin is of no help because it is a natural feature of all Everest keys.
- Non-pin Mechanisms
- A non-pin tumbler primary locking mechanism is enough to stop bumping. Disc-detainer, combination, wafer, warded, and lever based locks are all immune to bumping.
Bumping vs. Pick Guns
Key bumping and pick guns are based on similar entry principles, but there are various pros and cons to using a bump key over a pick gun. Both are similar with respect to skill requirements, noise created during entry, and forensic evidence.
Pros:
- A bump key aligns in the keyway naturally. Pick guns may have difficulty being inserted due to warding or keyway shape.
- Bump keys can naturally include methods to bypass auxilliary locking mechanisms, such as the Schlage Everest side-pin.
- Keys are relatively inexpensive to obtain and modify compared to pick guns (especially electronic or vibrational pick guns).
Cons:
- Finding a key for the lock may be difficult due to patent laws or distribution restrictions.
- Bumping causes pronounced deformation to the face of the lock. May be mitigated with various techniques.
- Bump keys are not universal due to keyway restrictions.
See also
References
- ↑ Simpson, Hiram. Bump key patent (1926).
- ↑ TOOOL NL. Bumping.
- ↑ Nova broadcast on key bumping.
- ↑ TOOOL NL & Dutch Consumentenbond. Report on key bumping.
- ↑ Tobias, Marc. Locked but not secure.
- ↑ Tobias, Marc. A detailed technical analysis of bumping.
- ↑ Tobias, Marc. Bumping of Locks: Legal Issues in the United States.