Over the last five years, a device called the “bump key” has surfaced in specialized industry media as well as the mainstream press. Not only has it been mentioned in locksmith magazines and bulletin boards (especially those frequented by “lock hackers”), it was featured in several local newscasts and even mentioned on the USA Network TV series “Burn Notice” (Season 3, Episode 5).
Consider these two important questions: How many of you have locks at your facility that can be opened with a bump key? And what can you do to prevent this from happening at your site? The answer to the first is easy: Almost all facilities contain locks that can be easily opened with a bump key. Every operator ought to be able to answer the second question, since it addresses customers’ security concerns. First, here’s a little more background on the device itself.
What Is a Bump Key and How Does It Work?
The bump key is a tool that allows even a novice to quickly compromise a pin-tumbler keyway in a padlock or disc lock. It can open a pin-tumbler disc lock just as easily as it can open a pin-tumbler padlock.
The bump key was highlighted in Newsweek’s August 2006 Web edition, in an article titled “Beware the ‘Bump’ Key.” The story featured Barry Wels of The Open Organization of Lockpickers, a group whose members partake in the hobby of locksport, the study and defeat of locking systems. Wels said members pick locks “not with criminal intent, but more in the spirit of puzzle-solving.” He and an associate, attorney Marc Tobias, explained the potential vulnerabilities of locks the bump key exploits.
A standard pin-tumbler keyway is based on a set of five to seven pins as shown in the accompanying image. The teeth of the key raise and lower the pins. When the key lines up the pins, the “shear line” is aligned, and the cylinder rotates to open the lock.
The teeth on a bump key are ground down to the lowest level. The filed-down key is inserted into the lock, held with tension, and then struck with a hammer. (You can even buy a special bump-key hammer online.) The pins bounce, and the lock opens. You can see how this works in dozens of video demonstrations on YouTube.
Even if you don’t think a bump key is common knowledge, it’s still critical to understand how it works and how to prevent it from being used at your facility. You may have customers who are familiar with it or hear about it and are concerned that there’s a tool enabling thieves to enter a unit without leaving evidence.
According to cryptographer Barry Schneier, “Lock-picking information, until very recently, has been hidden, not from the bad guys, but from us, the consumers. There’s no economic motivator for anyone to make a better lock because you, the consumer, don’t know [how vulnerable your lock really is].” Thanks to the Internet, however, your customers (along with those thieves who missed the boat on the first round of publicity) might just be finding out about the bump key.
Security experts talk about a technique called “security through obscurity,” the assumption that a security flaw isn’t a flaw as long as it stays unknown. That assumption has protected pin-tumbler locks since the 1920s. It doesn’t protect them anymore.