Over the last five years, a device called the “bump key” has surfaced in the media of specialized industries as well as mainstream media. Not only has it been mentioned in locksmith magazines and bulletin boards (especially those frequented by “lock hackers”), it was featured in several local newscasts and even mentioned on the USA Network TV series “Burn Notice” (Season 3, Episode 5).
Consider these two important questions: How many of you have locks at your facility that can be opened with a bump key? And what can you do to prevent this from happening at your site? The answer to the first is easy: Almost all facilities contain locks that can be easily opened with a bump key. Every operator ought to be able to answer the second question, since it addresses customers’ security concerns. First, here’s a little more background on the device itself.
What Is a Bump Key and How Does It Work?
The bump key is a tool that allows even a novice to quickly compromise a pin-tumbler keyway in a padlock or disc lock. It can open a pin-tumbler disc lock just as easily as it can open a pin-tumbler padlock.
The bump key was highlighted in Newsweek’s August 2006 Web edition, in an article titled “Beware the ‘Bump’ Key.” The story featured Barry Wels of The Open Organization of Lockpickers, a group whose members partake in the hobby of locksport, the study and defeat of locking systems. Wels said members pick locks “not with criminal intent, but more in the spirit of puzzle-solving.” He and an associate, attorney Mark Tobias, explained the potential vulnerabilities of locks the bump key exploits.
A standard pin-tumbler keyway is based on a set of five to seven pins as shown in the accompanying image. The teeth of the key raise and lower the pins. When the key lines up the pins, the “shear line” is aligned, and the cylinder rotates to open the lock.
The teeth on a bump key are ground down to the lowest level. The filed down key is inserted into the lock, held with tension, and then struck with a hammer. (You can even buy a special bump-key hammer online.) The pins bounce, and the lock opens. You can see how this works in dozens of video demonstrations on YouTube.
Even if you don’t think a bump key is common knowledge, it’s still critical to understand how it works and how to prevent it from being used at your facility. You may have customers who are familiar with or hear about it and have concerns that there’s a tool enabling thieves to enter a unit without evidence.
According to cryptographer Barry Schneier, “Lock-picking information, until very recently, has been hidden, not from the bad guys, but from us, the consumers. There’s no economic motivator for anyone to make a better lock because you, the consumer, don’t know [how vulnerable your lock really is].” Thanks to the Internet, however, your customers―along with those thieves who missed the boat on the first round of publicity―might just be finding out about the bump key.
Security experts talk about a technique called “security through obscurity,” meaning that if a security flaw is unknown, it isn’t a flaw. That concept protected pin-tumbler locks since the 1920s. It doesn’t protect them any more.
Padlocks vs. Disc Locks
Most self-storage operators these days realize that a padlock provides little more than a nuisance to an amateur thief, because its shackle can be cut with an ordinary bolt-cutter. Because a disc lock has a protected shackle, many operators and security experts believe it to be a significant security upgrade to the padlock.
That may have once been the case, but if the disc lock uses the same kind of key and keyway as a standard padlock, the bump key has changed the game. It easily opens any lock that uses a pin-tumbler keyway, the keyway found on most disc locks. With a bump key, disc locks are just “round padlocks” to a thief. You need to know this, and you need to have a response for your customers.
A bump key can open a pin-tumbler disc lock just as easily as it can open a pin-tumbler padlock.
Locks That Cannot Be Bumped
The bump key compromises the standard pin-tumbler keyway, found in the vast majority of “thief-resistant” disc locks on which the self-storage industry has come to rely. A disc lock can provide a powerful physical barrier, but with a vulnerable keyway, that barrier is little more than an illusion.
“Bumping is a vulnerability to many standard locks, and that’s why we educate experts on proper steps that can be taken to minimize the risk,” says Clyde Roberson, director of technical services at Medeco High Security Locks, an international lock manufacturer. “Not all locks can be bumped. Consumers need to know the difference.”
Fortunately, there are locks that cannot be bumped. These work through rotating detainer discs and a sidebar rather than pin tumblers. The detainer-disc keyway, developed nearly 100 years ago, is built around a series of seven to 11 discs. Each must line up with a sidebar to rotate the cylinder and open the lock. There are no pins or springs to bump. A detainer-disc keyway works in a padlock, a disc lock or a cylinder lock.
A lock such as the Medeco “biaxial,” which requires the pins to be lifted and rotated precisely, is described as “bump- and pick-resistant.” Medeco developed the biaxial in 1985 to defeat the bump key. With teeth and pins cut at angles, the pins must be rotated just so to open the lock.
This year, Master Lock introduced its version of a bump-resistant keyway. It’s important to note that both the Medeco and Master Lock solutions are recent developments, and there are hackers who insist they have defeated the Medeco biaxial. Only the detainer-disc sidebar system has been successfully field-tested for nearly 100 years. According to Frank Minnella, CEO of Lock America International, the system was invented in Finland in 1914, and has never required modification to prevent bumping.
Meet the Challenge
Google the term “bump key” and watch the videos. Then contact a lock manufacturer and ask about the bump key―in particular, what products it has designed to meet this challenge. It’s a good idea to do this before one of your tenants asks you the same questions, and certainly before an intruder or one of your customers decides to try out key-bumping at your facility. Of course, since there will be hardly any evidence that a lock has been bumped, you may not have to account for key-bumping until a customer reports a mysterious theft.
Rich Morahan is a marketing consultant for Lock America International. He frequently writes and conducts seminars on self-storage marketing and security. To reach him, call 617.240.0372; e-mail [email protected]; visit www.laigroup.com.
Best practice or tips on disc-lock cutting? [Self-Storage Talk]