The Lockdown: The Medeco m3 meets the perilous paper clip
Noted security expert Marc Weber Tobias contributes The Lockdown, exposing the shoddy security you may depend on.

Medeco is the predominant high security lock manufacturer in the United States and has been trusted for more than thirty-five years to provide cylinder and hardware security for the private, commercial and government sectors. According to Medeco, their locks are utilized in such venues as the White House and Pentagon to afford the maximum in cylinder lock security. The m3 cylinder, released about 2005, is Medeco's star product and the company's state-of-the-art flagship, designed to resist almost any form of attack. The lock touts key control attributes based on its unique integrated slider, which adds another level of security to the lock. But if you are using these locks and think you're secure, you might just be surprised by what you can accomplish with a paperclip and a custom-cut shim.
The Medeco m3 cylinder was originally developed primarily to extend Medeco's Biaxial patent (which expired in 2005); the company aimed to continue its domination of the US high security lock market and protect its unique rotating tumbler technology. The m3, which replaces the Biaxial, is UL 437 and ANSI 156.30 certified, which Medeco touts as a guarantee that its security can be relied upon for the most sensitive of installations. It appears that neither UL, ANSI nor Medeco ever thought about the perilous paper clip as a bypass method.
Beginning last August, after Matt Fiddler and I lectured on the threats of "Lock Bumping" at DefCon, high security lock manufacturers including Medeco were quick to announce the heightened security of their cylinders against bumping and picking.
I have always thought Medeco to be one of the most innovative and secure lock designs of this century. The company has been a remarkable success story and provides locks of the highest quality. The inventors and founders of Medeco set the standard in high security mechanical locks, offering an incredible array of hardware solutions. The Medeco engineering staff is as clever and innovative as any in the industry.
As soon as the original design was introduced, it became the mechanism to attempt to attack by covert means. Many have tried (and failed) to develop methods to pick and decode these locks. So how is it that one of the best locks in the industry can have part of its security bypassed with a piece of wire? Unfortunately, Medeco is not the only manufacturer that fails to perceive even the simplest forms of bypass. It's yet another example of a failure of imagination.
The security problem: bypass the slider and simulate the key
Medeco offers several levels of key control to ensure that its patent-protected blanks cannot be copied, replicated or simulated. In many systems, proprietary keyways are available to further ensure that keys cannot be improperly compromised. Although the m3 is a very secure lock, we were able to simulate Medeco keys that can be made to bypass the keyway and slider protection of almost any system -- all without infringing on any Medeco intellectual property.

It turns out that a standard paper clip will depress the slider precisely to the correct position. A wire or paper clip, fashioned as shown, is inserted into the keyway and wedged at the end of the body of the slider.

The ability to neutralize the slider in this fashion with the simplicity of a paper clip raises significant security concerns with regard to key control and the capability to deter or protect against unauthorized replication of keys. It also allows us to pick and bump certain configurations of these locks, often with relatively little difficulty (although certain caveats have been noted in this piece's accompanying articles). The only other thing necessary to open an m3 is an easily fabricated simulated key, like the one shown above.
One of the primary requisites of the ANSI specification (but not the UL rating) is the ability to implement three levels of key control: provide patent-protected blanks to control their manufacture, prevent unauthorized duplication, and control the generation of keys by code with appropriate safeguards. We believe the ability to bypass the m3 key control scheme places all three rating criteria at risk.

How were we able to simulate a key to open the lock? Medeco has made the m3 keyway slightly wider than normal, which allows our special key to bypass the protrusions in the side of the keyway, called wards, without difficulty. In fact, we tested our theory on locks in certain cylinders where restricted or proprietary keyways were in use. Our simulated key with the correct rotational pattern worked perfectly. In the image above, the arrow indicates how the clip offsets the slider. The slider is positioned to allow the sidebar (shown above the slider) to retract when the proper key is inserted. Note how the protruding tabs of the slider can mate with the gates that are cut into the sidebar. In other words: the m3 is paper clip-hackable.
To make matters worse, we were able to create a bump key with our simulated blank that would open an m3 (although bumping is, in fact, much more difficult in this scenario). This capability may raise serious security concerns, especially in commercial and government installations where master keying may not be allowed. Don't buy it? Check out the video, here (WMV).
Conclusion
The bottom line: the m3 key control with respect to key profile, step position, key configuration and ability to replicate a known bitting and sidebar code can be compromised relatively easily.
We have demonstrated the ability to bypass the security of the m3 with the use of a piece of wire or paper clip, and to simulate Medeco blanks and cut them to the correct bitting and rotational angles. We believe this could have serious consequences for protected systems where key control is an important part of the overall security plan.
Although the Medeco m3 is more than secure for the vast majority of applications, risk managers, security officers and others charged with security responsibility may want to consider the potential risks from a failure of key control if the m3 is in use. In a very small percentage of cases, especially high value and critical targets, the ability to covertly replicate keys may place personnel and assets at an unacceptable risk.
Marc Weber Tobias is an investigative attorney and security specialist living in Sioux Falls, South Dakota. He represents and consults with lock manufacturers, government agencies and corporations in the U.S. and overseas regarding the design and bypass of locks and security systems. He has authored five police textbooks, including Locks, Safes, and Security, which is recognized as the primary reference for law enforcement and security professionals worldwide. The second edition, a 1400 page two-volume work, is utilized by criminal investigators, crime labs, locksmiths and those responsible for physical security. A ten-volume multimedia edition of his book is also available online. His website is security.org and his blog is in.security.org. Marc welcomes reader comments and email.

Reader Comments (Page 1 of 2)
Mike @ Jul 19th 2007 3:16PM
Not sure whether posts like this are informing, alarming, or tools to assist thieves.
carterman @ Jul 19th 2007 3:22PM
I think that it is better to be knowledgeable about the dangers we face than to live in blissful ignorance and have to face disaster when it strikes.
And besides, I'm sure that anyone with an interest in breaking into these locks knows this already. When we know about it, then we can prepare ourselves to defend against it.
Alexandre Souza @ Jul 19th 2007 3:29PM
Security thru obscurity? Nah...Better to know where the problems are, so we can create better locks and protect better our promises.
Grant @ Jul 19th 2007 3:27PM
it's not an asset to thieves, most of this sort of info is readily available in the seedy underbelly of the internet.
besides, malicious users are usually on the forefront of these types of things.
Evan @ Jul 19th 2007 3:31PM
I think it is fairly doubtful that this is news to thieves and is more of a general warning to consumers. Just like his past article on gun locks, I found it pretty insightful and a good warning to consumers.
I honestly believe the things Marc writes about thieves most likely already know and I think it's great he exposes the reality. Do you honestly believe any of these lock manufacturers are going to come out and say this stuff? I doubt it.
Your-Locksmith.com @ Aug 21st 2007 10:23PM
I think that when you buy a high-security lock, you should get features that make it harder to pick and manipulate, in this case Mr. Tobias showed how easy it is to bypass Medeco's newest feature with a 15-cent item. We need to know that before we spend a fortune on a lock…
kojo87 @ Jul 19th 2007 3:26PM
i picked a lock with a paper clip once! ok it was a really cheap lock on a firebox but boy did i feel like MacGyver
Pirateinmymind @ Jul 19th 2007 3:29PM
+1 point for the MacGyver Multitool reference
Grant @ Jul 19th 2007 3:31PM
as have i.
most people don't understand locks, but when you do, you realize they are pretty simple beasts.
anyone with enough patience and the right tools can pick a simple tumbler lock.
Grant @ Jul 19th 2007 3:32PM
as have i.
most people don't understand locks, but when you do, you realize they are pretty simple beasts.
anyone with enough patience and the right tools can pick a simple tumbler lock.
T_R_J @ Jul 19th 2007 7:24PM
I double posted once, but then felt very ashamed.
PEZ @ Jul 19th 2007 5:21PM
The problem is, most of these companies develop these locks and try to improve upon them by trying to find the best metals to keep them from breaking easily, not to keep them from being picked.
Cylinder locks are 100% pickable 98% of the time.
Mikko Tikkanen @ Jul 20th 2007 3:35AM
Hahah! I welcome you to Finland. Be my guest and pick Abloy Protec. Or even Exec which, in here, is practically everywhere.
If my memory doesn't fail me, Protec has something like 2 billion combinations. I wonder if your lifetime would be sufficient to pick that one... I mean even if you _would_ somehow have the appropriate tool.
PS. Medeco - the most innovative and secure lock designs of this century? Their top-of-the-line key is still a basic key with notches n'all! Pfft. Compare to Abloy Classic (which came ), Exec and Protec...
Mikko Tikkanen @ Jul 20th 2007 3:49AM
Bleh. Forgot that I was still writing that one. Shouldn't get coffee while writing something.. :)
I meant to add that the Abloy Classic came in around the beginnings of the last century (~1910) and it was, even then, un-bumpable (what a word :P) and a bitch to pick. So I guess the real innovation comes from Finland. ;)
John Gegier @ Jul 20th 2007 8:29AM
Alright Mikko, Don't be too sure of the Abloy Protec locks. I have impressioned an Abloy classic before so it is possible to circumvent. And besides as other readers have suggested a lock is just a deterrent it is not the end all of protection to anything. Anything better than a padlock is just as good a deterrent to a non locksmith as an Abloy Protec lock. The criminal that wants in your house/car can always find a window or drill the entire lock out of the door, or remove the hinges. Unless it's a safe and even then all you need is the schematics from the safe company and a very skilled hand. Locks are there primarily to make us feel safe and to stop the casual criminal and nothing more.
In my opinion at least.
Mikko Tikkanen @ Jul 23rd 2007 1:18AM
I know that John. ;) My reply was aimed to the post where someone stated that cylinder locks are 100% pickable etc. It was merely a question of picking the lock, not if there is huge-ass glass window next to the door.
And yes, Classic is possible to circumvent AFAIK, but that's past the point. Classic is from 1910ish (that's 100 years old technology!), Protec is of today hence Protec is the one you are competing with or Exec, at minimum.
PEZ @ Jul 23rd 2007 8:07AM
Mikko Tikkanen + fact of the matter is - ALL locks are pickable, regardless of the difficulty level. ALL locks.
Mikko Tikkanen @ Jul 24th 2007 2:57AM
Indeed they are. In theory, that is. But to theory it doesn't matter if it'll take a century (hell, let's make it plural while we're at it) to pick a lock, it's still pickable. Whereas to a human, to a real person, that is definitely not the case, without some considerable leaps and bounds of anti-aging technology. What I'm referring to is real world performance. (And yes, there is always the huge-ass glass pane next to the lock, but that's past the actual point.)
Then there is, of course, the infamous luck factor. If somehow you could get to picking action and with some streak of wild luck you'd snap the lock open, to actually consider it pickable you should be able to perform consistently, picking the lock at will.
Hence, I'm not considering the Abloy Protec as _pickable_. In theory, yes; it is possible to pick any lock but the deal is completely different to a real person. (At least to my knowledge, since I still haven't seen any real evidence of Protec being picked.)
Roy Planalp @ Jul 31st 2007 11:01AM
Let's give equal credit to the ASSA series of locks as regards unpickability. Just by chance they happen to come from Sweden right next door to the Abloy guys.
Jman @ Aug 1st 2007 7:57PM
Mikko, Medeco is actually an Assa Abloy company, surprisingly....
Roy Planalp @ Aug 2nd 2007 8:25PM
yeah. A little research shows Assa Abloy group owns many of the high-security lock manufacturers and some of the vanilla ones as well. The word Abloy came from the combination of Finnish and Swedish company names and now it's a Swedish company. fascinating.
doh! @ Jul 19th 2007 4:04PM
I heard about bump keys and thought, CRAP! My house is vulnerable. Some douche could come in and take my PS2 and new vice city!!!
So i was going to run off and buy a medeco lock. But then my buddy looked at my front door, looked at me, looked at the BIG GLASS PANEL in the stupid door and said, "hey, can't they just break the glass and unlock it from the inside?"
the point is, there is ALWAYS a way around things. Just ask ol prez bushy.
jolly wood @ Jul 19th 2007 6:42PM
my medeco needs key on both sides,
but thats ok
thieves broke thru a back window, bypassing any locks
-> get motion detectors, & an alarm co /police.
+ insurance.
Ray-- @ Jul 19th 2007 4:20PM
but if they break the glass it's easier to get an insurance claim... if they turn the lock on your door... not as easy.
BoZs13 @ Jul 19th 2007 4:25PM
+69 for the bushy comment :)
and yep...there's always another way
craig @ Jul 19th 2007 4:31PM
Of course, Ray, because it's all about the insurance claim, not about preventing the theft in the first place. I suppose you would argue it's better to have glass available to break than it is to have a secured residence.
mooglemoogle @ Jul 19th 2007 6:19PM
I think that's a little unfair. What it sounds like Ray is actually saying is that you SHOULD increase the security of your door locks. If a break-in is going to happen, it's better that the thief breaks in through the glass than through bumping the door lock.
Daniel Ross @ Jul 24th 2007 1:59PM
That's a really specious response, Craig.
Ray's point is pretty clearly not that the vulnerability of the glass is a good thing, it's that a vulnerable lock is much worse. If they turn the lock, and especially if they do it without damaging the tumblers, then you may not even be able to prove to your insurance company there was a burglary.
Eventually, it comes down to the fact that a sufficiently determined thief can get at ANYTHING, even if he has to rent a backhoe under an assumed name. The thing to keep in mind is that not every thief is sufficiently determined- they're mostly opportunists. Many of them won't willingly use destructive force because that's evidence for the police, and they can always move on to some other poor chump who they can victimize without it. Even if they do, well- the broken stuff IS evidence for the police. Infinitely preferable to having them just walk through the front door because a poorly designed lock was the weakest link in your security.
James @ Aug 2nd 2007 2:10AM
Funny, I would have said "buy a Rottweiler" or "buy a 12-gauge", but maybe that's more a commentary on me than you...
Ogdru @ Jul 19th 2007 4:34PM
Can't Medeco just ask congress to ban paper clips because they can be used to circumvent Medeco's IP?
paul34 @ Jul 19th 2007 5:08PM
Exactly - perhaps they can write it into the next patriot act! Imagine... terrorists running loose with paper clips! Paperclips are surely the enemy of "freedom"!
Sam @ Jul 19th 2007 5:35PM
...Stocking up on paper clips and registering: blackmarketpaperclips.com
obiwan @ Jul 26th 2007 4:21PM
@Sam - liar, there is no such site as blackmarketpaperclips.com!
Matt B @ Jul 19th 2007 4:36PM
Mark Weber is Tobias against normal locks.
paul34 @ Jul 19th 2007 5:06PM
I'd like to thank Mr. Tobias for actually having the decency and maturity for actually opening comments for his articles - unlike that other guy that writes for the "switched on" series (I believe that's the name), who is too afraid to accept comments about his often irrelevant and useless articles.
Regardless, thank you for this article. I suppose it gets rather easy to forget about the easy forms of circumventing locks when you get to thinking of more advanced methods. However, whenever I get a house, I think I'll be using Medeco locks anyway. I'm sure that Medeco will address this issue in whatever their next lock model is.
CaptSaltyJack @ Jul 19th 2007 5:44PM
Geez, are we still in the stone age or something? When are we gonna get biometric locks on doors where you swipe your thumb and it unlocks one or more deadbolts?? Hell, even a 10 digit numeric keypad is better than a key.
David @ Jul 19th 2007 6:27PM
None of these other technologies make you more secure, they just challenge thieves to be smarter. Eventually, those technologies will be no more secure than a key. Then we are just left with smarter thieves. It is sort of like drug resistant bacteria. You keep challenging it, it just grows more resistant over time. Where does it end?
nikster @ Jul 19th 2007 7:06PM
Thieves are only ever so smart. 99% of them are just plain dumb, actually. The rest, you never hear of (and they won't bother breaking into your house either).
There are about a zillion better/easier ways to make money than to break into somebody's house. Most of them perfectly legal. People who don't realize that - e.g. thieves that do break into your house - are stupid.
Meaning, you have to defend yourself from stupid thieves only. Barking door bells work pretty well.
paul34 @ Jul 19th 2007 9:29PM
But those all still depend on electricity, and as of yet, we still haven't come up with reliable, durable, fully independent and small, permanent power sources which would be required for those types of locks.
Ed @ Jul 26th 2007 3:45PM
Unfortunately, all fingerprint locks have a key as well...so while you have the added security of limiting the number of keys to your door running around, you don't need to crack the biometric part to break into the house....just use a bumpkey on the keyway part!
Ed
web/gadget guru
David @ Jul 19th 2007 6:02PM
I'm just wondering.. I don't know much about locks but on the site he has a bunch of cutaway pictures, wouldn't that make it MUCH easier to pick once you had seen the inside? I realize anyone can go out and buy the lock and take it apart but I think that if a certain lock was only available to say the government it'd be fairly secure.
TechnicalDreams @ Jul 19th 2007 7:53PM
We the People of the United States, in Order to form a more perfect Union, establish Justice, insure domestic Tranquility, provide for the common defence, promote the general Welfare, and secure the Blessings of Liberty to ourselves and our Posterity, do ordain and establish this Constitution for the United States of America.
Are you an idiot?!
The only establishment of ownership of government property should be that government property = public property.
Don't be so quick to give up your rights.
If everything that is in government is protected so carefully that no civilian could get access then the "government" would get lax with security making it easier for someone who wants to spy on our "government" catch-22
iRepo @ Jul 20th 2007 1:18AM
What a waste. Brilliant article and it doesn't look like any one gets it. Medeco is "RELIED" upon to be tamper proof. They have been doing this for years. You can't even make a copy of the key without a card that gets sent back to Medeco. Every single key that is made from that card is recorded. It certainly is no ordinary Pin Tumbler lock and is very resistant to picking. If it can be picked at all has been debatable. For someone to be able to fashion a key for this lock and bypass this type of security is HUGE because no one would be aware of the breach and it could continue relentlessly causing far more damage and expense than a single "Break In" would typically do. And folks, this really only applies to Institutional Security where key control is "CRITICAL". To pull off what the article describes would not be easy. I would imagine that the value of the target would have to be BIG to make that effort worthwhile.
Phil @ Jul 20th 2007 7:44AM
Wow. This is supposed to be a high security lock? This looks pretty yesterday to me.
In Switzerland we have locks that combine mechanical (aka the normal lock) and electronic features (read: a key with a microchip) like the Kaba elostar
izeman @ Jul 20th 2007 7:58AM
@phil
i had the same thought. those keys/locks are real medieval style. ;) take a look at this link : http://keso.com/neu/PHPCatalog/index.php?sel_category=2
THOSE are really good locks. (only mechanical though. add a microchip and you are ultrasafe). i would never trust a simple mechanism like the one from the article above ....
Dave Haupert @ Jul 20th 2007 11:22AM
Each time I see an article in this series, I hope it will answer the question I think most people interested want to know- is there a lock system available in the US that is resistant to bump-keying and picking? I guess I'm not as much interested in what doesn't work, as what does, so if I ever want to make my home ultra secure I can make an investment in that brand. Perhaps they don't exist?
Lock Bumping @ Jul 20th 2007 12:32PM
Public site about lock bumping and how to protect against it!
http://lockbumping.org
bumpkeys @ Jul 24th 2007 3:49AM
Regarding the Abloy Protec, I believe it is considered the most secure lock. As far as I have heard, there is NO pick available for it at this time. There was a pick available for the Disklock Pro system, but not the Protec.
This site has a short video about how the Abloy Protec system works, it's definitely worth a watch as it explains how the system works:
http://www.bayarealocks.com/info.php?file=abloy
Thanks
John T @ Jul 28th 2007 5:51PM
Locks have their limitations
Glass panels have THEIR limitations
BUT you can have high-security clear window film
applied that makes it VERY difficult to bust through
glass -- and almost impossible to do so quietly --
I have this film mounted on every accessible window
in addition to Medeco locks
Bill @ Jul 30th 2007 2:02AM
When paperclips are illegal then only criminals will have paperclips ? Paperclips don't kill people, people...... oh, did I say that out loud ? Damn it. It may be a form of Tourette's syndrome I think. my bad. Peace, L8r.