Red Team Operations: Lock Picking and Physical Security by Blackhat Pakistan 2023
Today in this article we will learn about Red Team Operations: Lock Picking and Physical Security.
Introduction
In this article we discuss the art of lock picking and explore the different types of locks and the tools that Red Teamers can use to open them. Finally, we give a practical guide on how to successfully pick the most common type, the pin tumbler lock.
Overview
Locksmiths have long defined lock picking as the manipulation of a lock's components to open it without the key. It is an art practiced professionally by locksmiths and security professionals, and by criminals as well.
Before we explore the different types of locks and how to pick them, let’s try to understand why one would even want to learn this skill as a member of the Red Team.
Why should red team members learn how to pick locks?
In Red Teaming and Penetration Testing, physical security is generally an underrated area. Security professionals tend to focus on other attack surfaces such as vulnerable applications, networks and social engineering. This is a mistake, as physical security is also a significant attack vector for many organizations.
This is why lock picking is studied and practiced in the multi-layered attack simulations that make up Red Team exercises.
Different types of locks and their common function
There are many different types of locks that attackers and Red Team members will encounter during an engagement. Locks can generally be divided into two broad categories:
Locks with physical keys
These locks require the correct physical key to unlock them. Various techniques have been developed over the years, resulting in a number of lock implementations. Let's discuss a few:
Pin tumbler locks: Pin tumbler locks have a set of pins that prevent the plug from turning unless the correct key is inserted. We discuss in detail how these locks work and how they can be picked with the right tools in a later section.
Warded locks: These are the simplest locks we have today. They work by having obstructions (wards) inside the lock that require a key whose notches match and clear those wards. Bypassing such locks is simple, as it only requires a basic key with notches matching the wards present.
Wafer tumbler locks: These locks use a principle similar to the pin tumbler locks discussed above. However, instead of a stack of pins (made up of separate pieces) as in the pin tumbler implementation, they use wafers, each of which is a single piece. They are mostly used in vehicles and cabinet locks.
Disc tumbler locks (Abloy): These locks are often confused with the wafer tumbler locks discussed above. This type uses slotted rotating detainer discs. They are very difficult to pick with conventional tools, making them among the most secure locks available today.
Lever tumbler locks: This is probably the simplest lock implementation in use today. A set of levers prevents the bolt inside the lock from moving. Bypassing this lock is simple: it is enough to raise the levers to a certain height, which allows the bolt to slide past and results in a successful pick. These simple locks can be found in old padlocks.
Magnetic Key Locks: As the name suggests, these locks use magnets that either push or pull the tumblers inside the lock. Once the correct orientation is achieved, the lock will open as needed.
Locks With Electronic Keys
Electronic locks: These types of locks use electricity and are connected to an access control system. Occasionally they may be self-contained and only have an electronic control assembly that is mounted directly on the lock. When electronic locks are connected to access control systems, they become capable of performing various additional functions such as key control, fine-grained access control, and transaction logging.
Card locks: These locks use a flat card with dimensions similar to a credit card. The keycard and its signature must match for access to be granted. They can also be implemented in vehicle doors, where the setup includes a smart key radio transmitter and a valid code is randomly generated. A combination of card locks and pin tumblers can be used in a vehicle door design.
Smart locks: These locks are completely electronic and receive lock or unlock commands from a device that uses a combination of an encryption key and a wireless protocol. Such locks usually have phone apps that act as remote controls. These types of locks cannot be picked with normal lock picking tools.
What are the different types of picks available today?
There are different types of picks for different locks. Although there are categories of locks that cannot be opened with conventional tools (picks and tension wrenches), there are still many that can. A pick will generally resemble the following design:

The tip comes in different patterns, often with a front and a back angle, and the shank connects the handle to the tip.
Below are examples of picks that can be used to grab individual pins:

When it comes to picking several pins at once, you can get a set that includes rakes. These have multiple ridges that let you rake more than one pin at a time, or bounce the pins until they sit above the shear line. (We'll see more about this in a minute.) The image below shows an example of a rake, commonly referred to as a snake.

Picking locks with rakes is much less complicated than picking individual pins. There are also several different rake designs shaped to mimic the heights of the pins in the lock. Check out the rake below.

Pin Tumbler Locks Illustrated With and Without a Key Inserted
One of the most common types of lock today is the pin tumbler lock. These locks are based on the common cylinder lock design from which many locks derive, the main difference being the arrangement of the pins inside the lock itself.
The figure below shows the general design of a pin tumbler lock: the housing that holds the plug and the pin chambers, the plug itself, and the pin stacks, each consisting of a spring, a driver pin and a key pin.

A pin tumbler lock with the key inserted is shown above. Notice in the picture, on the right, that when the key is turned, the key pin sits inside the plug and the driver pin sits in its chamber in the housing.

Understanding the Functionality of a Pin Tumbler Lock
A pin tumbler lock consists of pairs of pins that pass through the cylinder housing and into the central plug. Each pair consists of a driver pin (with a spring above it) on top and a key pin below, whose purpose is to touch the key when it is inserted. The key pins are of different lengths, and once the correct key is inserted into the keyway, the pins are pushed up according to their lengths, allowing the plug to turn.
When the wrong key is inserted into the keyway, the pins do not line up properly and the plug will not move. As long as the pins are not aligned with the shear line, the plug is prevented from turning. When the correct key is inserted, however, all key pins are pushed to the correct height, lining up exactly with the shear line and allowing the plug to turn.
Picking a pin tumbler lock
Lock picking can be done with a variety of tools. What we are really interested in here is the tension wrench and the pick. We will follow these steps:
a) Using a tension wrench
A tension wrench is used to help bring the key pins to the correct height and make sure they line up with the shear line. Tension wrenches come in several designs: light, medium, rigid and double-sided. Your choice of tool depends on the lock you are picking. We went with a light tension wrench for this exercise.
Insert the tension wrench into the bottom of the keyway and turn it slightly. Once a key pin reaches the shear line, you want to apply a little force to turn the plug a bit. When the right amount of force is applied, the driver pin moves up above the shear line and the plug rotates slightly. Do this with all the pins until they are all set above the shear line. Note that this is done for each pin, one at a time – a tedious but rewarding effort.
If you apply too much tension with the wrench, the driver pins can bind, which is exactly what you don't want.
b) Using a pick
At this point you can use any pick, either manipulating the pins one at a time or using a rake to manipulate all the pins at once. We will use the Bogota rake, which has three ridges. It should be inserted into the upper part of the keyway. (Remember we put the tension wrench at the bottom.) See the image below:

c) Simultaneously move the tension wrench and rake
As you slowly turn the tension wrench in the unlocking direction, push the rake back and forth, scrubbing the pins. See below for the positions of the driver pin and key pin.

d) Repeat the process
Repeat this process until the key pins are released, drop and rest on the plug, and the plug can fully turn.

However, you may notice that the plug does not rotate. If so, you may have applied too much force with the tension wrench. In that situation, remove the wrench and rake (letting the pins reset) and start again.
The key to mastering this procedure is to keep practicing. You can also get a clear lock for practice.
Unpickable Locks
You may come across HYT locks once in a while. These are perhaps the most difficult locks to pick because of the hundreds of moving parts inside the lock itself. The unlocking mechanism works by turning the key inside the keyway so that it seats the pins properly and releases the lock. You can find a great video of it in practice here.
These locks can be picked, as documented here, but only with some really hard work and perhaps some homemade pick tools, since conventional picks most certainly won't work on this lock.
Conclusion
This article focused on locks and on how to pick one particular type, the pin tumbler lock. Lock picking is an interesting area that will not only teach you patience as a red teamer, but also show you how locks often create only an illusion of security. If you enjoyed this article, take a deeper look and learn how to pick the more challenging locks.
Sources
- An Introduction to Lock Picking, The Art of Manliness
- CIA Lock Picking: Field Operative Training Manual
- Why hackers learn to pick locks, IT News
- How Lock Picking Works, howstuffworks
- MIT Guide to Lock Picking, Theodore T. Tool