Missteps Physical Security Security

Misstep 4: Pretty Friggin’ Suite

A door showing a locked deadbolt and exposed hinges

Another example of “A chain is as strong as its weakest link”, this door was inside of my suite during my stay in Los Angeles. I assume it is for cleaning supplies, coffee supplies, or similar so that the room service folks can save time not transporting all of this without an elevator.

But let’s just pretend for the sake of this blog that they store some fine Chicago-style pizzas, millions of dollars of money, and some Cinnamon Coke behind here. First of all, I wouldn’t have written this blog because I’d have broken in already. But, here we are.

The deadbolt was locked with what strikes me as a Kwikset KW1 keyway (may be a 6-pinner, no idea). Let’s just say I can’t pick a lock? How else can I breach this door non-destructively?

A door hinge

Generally you’ll have an “unsecured side” and a “secured side”, or “sterile side” in FAA parlance. This delineates the side that is public, and a side that is private (boarding area for aircraft, or this sweet pizza closet in my suite).

In this case, these hinges are on the unsecured side. I can easily drive the hinge pins out of the door and gain access to this closet. The two halves of the hinge will easily slide apart in this case.

Because I didn’t want to trespass, I did not verify if this was implemented securely. In order to have the hinge pins on the unsecured side, you can use “security pins”… These tiny devices will replace some of the hinge screws in the door or frame, and recess into the mating surface. In this way, the hinge halves will not slide apart from each other, increasing the security of this approach.

Here’s some on Amazon (these may not be the cheapest, I don’t know. It’s also not a referral link):

Missteps Physical Security Security

Misstep 3: Flow Freakin’ Way

Unprotected water control valve
Sweet Cage Decoration

From my trip to LA, I’ve seen several of these water control valves placed above ground. (Must be nice, in Chicago, these guys would turn into ice and destroy themselves).

An oddity is the choice of security: a wire mesh that stops folks from disabling the water. Disabling it could affect fire systems, although those usually have a standpipe or external outlet for sprinklers. What it can mean is that when your coworkers are coming back from the company Chipotle outing, they can’t evacuate the sinister remnants effectively.

The cages are a minor obstacle: since these are quarter-turn ball valves, they only have to be rotated 90° in order to turn off (or on) flow.

Inserting a stick, pipe, or some other rigid instrument and biasing it against the wire cage would create plenty enough of a lever to force the valve shut.

Solution? Lock the valves like everybody else, except for this water main, since it uses a hilariously deficient “warded Master Lock” that can be trivially bypassed in several ways (shimming, warded picks, keys that accommodate wards, etc.).

Water main showing a Master Warded Lock
See the bottom of the chain between the valves
Missteps Physical Security Security

Misstep 2: Security-As-An-Annoyance

A locked door at a hotel pool where the gate allows easy access to the opposite handle.
So ez

I’m in Los Angeles, CA this week and my hotel has a pool. Like many hotel pools, they lock it down at a silly early hour. They also keep the area locked to ensure that the pool isn’t being abused by non-guests.

With several different shifts of hotel operators, and this hotel’s nature of having several outdoor buildings for rooms, it would be very difficult for a hotel employee to identify who is a guest and who isn’t.

While there isn’t anything of value behind this gate, it does demonstrate an oversight in design. My hands were only slightly too fat to fit next to the handle, to turn the “inside” handle and gain access. People with smaller hands, those who are clever enough to bend a wire coat hanger, and those who also really need to swim can bypass this sort of gate easily.

I’d argue that this isn’t a big deal here, since the gate is there to prove trespassing and deny liability if you didn’t belong there in the first place. Either way, an interesting conversation piece.

It should be noted that these types of lever handles are required by ADA standards (in the US) to enable people with advanced arthritis, or other physical ailments to open doors where they cannot grasp a knob. That is why replacing these with knobs is not a workable solution.

Missteps Physical Security Security

Misstep 1: A Chain is as strong as its weakest link

A Trek Hybrid for the low cost of a front tire

I wanted to start a new blog feature where I share occasional security missteps just sitting in public.

These bikes are not cheap, generally starting at $500 and climbing rapidly.

This bike is held in place by a typical U-bolt lock, but the front tire is held in by a quick connect near the bottom of the rim, through the spokes (meaning it takes no tools and only a flick of your finger to release the tire, and thus: the bike).

Say you wanted to save some additional funds and you carry a Leatherman? Cut a few spokes and ride off on it. Later, order a few replacements … Or if needed, a rim.

You can have the world’s strongest lock. It means nothing when the entire situation isn’t considered.

Physical Security

Part 1: Outdoor Security Lighting (The Attack)

Building exteriors are often well lit to keep out physical attacks and to enable CCTV footage without requiring infrared emitters on the cameras. Often times, these will use “electric eyes” to detect light, and when present, turn off exterior lights to conserve energy.

Typically these sensors are made with a CdS cell (cadmium sulfide). They act by increasing the resistance of the cell in the absence of light. This is why they are often called photoresistors, light sensors, photocells and similar.

To prevent moisture from entering the cells, they often point either parallel to the ground or somewhat towards the ground, and are often located away from the light sources on the building (since the security lighting will interfere with the light sensed). Street lighting, for example, will often have the sensor located on the top of the unit, allowing it to detect daylight without detecting the street light.

Typical LED streetlight with photocell from SuperiorLighting

If each fixture has its own photocell, this technique may quickly become ineffective. However, there are many buildings that use one central photocell to control all exterior lighting (generally, you’ll see all lights go out at once). Some other buildings require an employee to manually turn off a breaker or a switch, or better yet, rely on a timer.

A well-lit parking lot or building is typically going to experience less crime since a criminal is more likely to be spotted at the building’s exterior. Photocells are inexpensive and testing many models is a cheap endeavor. In the street light pictured above, the photocell is the small black device on the top of the fixture. The clear cutout is the aperture where light interference will disable the light.

A small light sensor, with the CdS cell visible in the circular aperture between the male and female threads.

So I decided to buy a cheap light sensor; it was about $5 at the local hardware store. I also bought a cat toy, the mystical disabler of lights.

A cheap $4 laser pointer can work — if the batteries are decent

The first thing I did was bend the triangle wire that holds the laser pointer to a keychain; we won’t need that anymore.

I also loaded up the button cells. Next, I attached a 1/4″ x 20 NyLock nut to the bottom. These are the standard threads used on a tripod, which will help when using this tool. I learned a technique from a guy named Marty in Australia who makes over Matchbox cars (Marty’s Matchbox Makeovers) that you can use baking soda + superglue to quickly cure the glue and build up a sizeable “weld” between two objects.

First, you apply superglue to the items you want bonded, then you sprinkle baking soda onto the glue:

A 1/4″x20 NyLock nut glued to a laser pointer

Once you add the baking soda, give it a few moments before removing the excess and then repeating until you feel the bond is strong. In this case, I attached the NyLock side to the laser pointer to give a malleable thread to stop the tripod from hitting the laser pointer body. You can go without using a NyLock, it just is what I had on hand and made me feel ingenious using it. Also: Instead of tightening the threads of the laser pointer into the base, you just need to tighten it to the NyLock threads.

This really should be enough

Yeah, you can sand and paint the glue at this point, but given its purpose, I’m happy with that.

Now, this laser can be mounted onto a tripod and pointed at a light receptacle:

Laser Tripod

The one I built here had dead batteries, requires you to force the button down with a clip of some sort, and uses button cells. Overall, it may work if you win the laser lottery. But, since I wanted to talk more about this, I’ve ordered some laser diodes and battery packs. I also have a real tripod and plan on doing additional research into the efficacy of this technique. I will also talk about methods of remediating the risk of this attack.

So What?

Yes, you can do the same thing with a flashlight, headlights, even the sun. A laser is less likely to be spotted since the light is concentrated, powerful, and very portable. This can disable exterior lighting or trigger security cameras to turn off night vision infrared emitters (effectively blinding even these).

Now what?

Keep an eye out for a followup! I will build a better demo unit in the coming weeks and talk options on preventing this attack. I find it unlikely this will ever be used, it is more a think piece about trusting external output (the environment) to control security features. Something a lot of folks in application development aren’t doing that well.


Irritate Hotels with this One Simple Trick

It is still July and I’ve already been on 22 flights this year, even more nights in hotels. I’m not the most traveled person year over year, but I’ve learned a few tricks that might help you out. This isn’t really security related but I’ll try pulling a few elements in to make it interesting.

TSA Pre-Check

Yes. If you travel, this is fantastic. I leave all my belongings in a bag, the lines are short and even when you get pulled into secondary to see if your laptop is explosive heroin, you still come out way ahead of the regular lines. I won’t say buy this if you’re flying primarily international, or not often. But if domestic flights are your weekly chore, this saves an amazing amount of time.

Taxi, Uber or Lyft?

I stopped taking taxis. I’ve found that they are often just dirty and there’s no really good way to ensure the rate is understood and you may not even get a receipt.

I live in the range of MKE (General Mitchell Airport, Wisconsin), MDW (Midway Airport, Chicago IL), and ORD (O’Hare International, Chicago IL). Because of that, I try to take the smaller airports if possible… But the most cost economical option as far as ride sharing apps go that also offers several non-stop domestic and international flights will be ORD. MDW offers Southwest (which I love), but the rideshare fares there are usually $85 each way. Uber tends to surge price up to $135 each way. Lyft is pretty consistent and I ended up taking them during the surge pricing.

Last week I noticed that surge pricing when I flew from ORD to LAX. Today I decided I would check into the pricing when flying from ORD to BOS, and here’s what I saw:

Lyft vs. Uber

Right there is nearly $20 savings for no other reason than selecting Lyft. Really a shame since I have so many points with Uber and over 50 rides, but the numbers don’t lie. On a side note, Lyft won’t let you book a ride without tipping, rating and writing a review about your last ride. Pretty annoying when you just got off a plane and to the rideshare area, but still, worth it.

Texting, E-Mailing or Working on the plane

Yes, I can pretend to look down at the endless clouds and also see you typing up E-Mails with your Apple ID, the profit margins of your doctor’s office, or anything else you’re typing. You don’t know who you’re sitting next to, so remember that before pulling up information that can easily be compromised by strangers.

Not all heroes wear capes

Plug Splitters

Here I am at the Godfrey Boston, finding a great way to turn one outlet into 5. You can plug in phone chargers, laptops, whatever you want… And TSA allows these and they will make you have an easier time at the hotel, and a friggin’ hero at the airport when tons of people can share an outlet (or, an outlet sticker ;)).

Backup Batteries

Great for when you’re away from an outlet, I have a wireless battery brick that’s right at the TSA limit and juices up my phone. These are not allowed in your checked luggage, only in your carry-on. This is due to the lithium batteries. They don’t want the luggage compartment to go up; they’d rather notice sooner than later.

First Class Seats

Unless you’re a “person of size”, first class is a gimmick. Those seats are only marginally bigger than economy and you’re better off just sucking it up for the few hours you’re on a plane. There’s very little interesting about sitting next to folks just like you who feel stupid for paying an extra $230 for a 1st class seat.

You can lockpick on a plane… Seriously!

Picking on a Plane

Here I am cracking open a Master 140 and a few 142s in the middle of California airspace. Over and over again. (I’m still working on getting a 570 :(). TSA is perfectly fine with them (just use something to protect the sharp parts of your picks, such as a water bottle, endmill sleeve or bubble packaging). These are fidget spinners for folks in security and really help to pass the time.

Turbulence Ain’t Nuffin’

I’ve flown through nasty thunderstorms (they look really pretty from ~37k feet, really dark and flashy at about ~10k feet, and really wet around 6k feet). I’ve been in 19-passenger jets as well as American 777-300’s with high-300 person capacities. All of them tend to have some bounces in mid air, while landing, and sometimes take their sweet time pulling up in the air. Oddly enough, I’m still alive. Pretty neat.

Real ID Act

On October 1st, 2020, the TSA will require “Real IDs”. Read up on the Real ID act if you’d like. Illinois, like usual, isn’t onboard with much and has pushed off moving to real IDs for some time. You can submit the plethora of documentation to get a Real ID, or in my case, you can just get a passport card. A rarity for American families, my wife and kids all have traveled internationally and have passports and passport cards. They’re good for 10 years (5 if you’re really young) and work just fine. Passport cards are only good for domestic flights, or boat/land borders. International travel still requires the good ol’ book.

I don’t know it all

I’d love to hear your traveling tips in the comments, maybe I’ll add them to this document as well! Safe travels!

Physical Security Vending Devices

Jackpotting Parking Meters: A Series

I usually spend quite a bit of time talking about security problems I’ve identified, and a little less time talking about solutions to those problems. I don’t often talk about quantifying risk or products that I’ve identified as being particularly secure. Today, this changes.

Duncan Miller Parking Meter

I walked into a local antique shop hoping to find some old locks laying around that I can use for picking / gutting practice. As I walked into the shop, the friendly lady at the counter tells me that anything sports related is 20% off, as well as anything made of metal (except coins).

Well that works perfect for somebody like me, looking for locks. I ended up leaving with this parking meter that she posits is from Lake Geneva, WI before they upgraded to their far superior multi-spot parking system. I asked if she had keys, she did not but assured me that they are a common key.

Well — I didn’t Google it, assuming that either she was right or I’d just pick my way in. I got it out to my vehicle and shoved a tension wrench and a pick in the front and immediately had my soul crushed — this is a slider keyway which I can’t pick and even LockPickingLawyer has struggled with in the past. So I turn to eBay, which has replacement keys and cylinders, but they’re ~$50-75 each. Even still, I’m stuck with a unit I probably can’t open before my “disinterest cutoff.”

So, the first thing I do is call a local locksmith and ask if he can decode and cut slider keys. He said he can, but to save time, send him a photo of the keyway.

Restricted Slider Keyway

I saw the word “Restricted” on there, but I’m like “words man”

He replies that it is restricted, and he can’t cut the key. So, I hopped on Google to learn exactly what that means. Turns out the key blanks are restricted (meaning he would need to have the blanks, the authority to cut them, and the software to tell him the bitting). Since I found it unlikely that I would find those services for a good price, I decided to start looking for bypasses.

Bypass #1 — Roll Pin

Roll Pin Hinge

The first thing I notice is this roll pin acting as a hinge at the top of the meter box. This would be way too easy!

I was right — it would be too easy. I did some research and it turns out that the roll pin is retained with a set screw, meaning it won’t slide out without destroying the meter:

Set Screw on Hinge

So that bypass will not work.

Bypass #2 — Access to the hex nut

In the real world, meters are attached to a pole and this approach would absolutely not work since this access point would be blocked by it. But, mine has been removed, so maybe I can remove the nut that retains the lock:

Hex Nut Under Cover

This nut was so loose I could almost knock it off with a firm stream of water. But I back it off with a screw driver until…

It stopped moving. The distance between the cover and the tailpiece would not allow enough distance for me to get the nut completely off. So, Bypass two was out.

Bypass #3 — Hacking

I’m not proud of what comes next.

Since I was able to back the nut off enough, I was able to expose the face of the lock by almost 1/4″.

At this point, I thought I could potentially file the threads down and then slide the filed down area into the cover, allowing me to rotate the entire lock. I couldn’t find my file, it was midnight, and I needed success:

Using Hacking Tools

At this point, I had to use a hacksaw to get through this. Even with that old, coarse-toothed saw, I was able to get through the lock with just a few moments of work. I’m not proud at all that this was my solution, but I wanted to get in and learn more. Sadly, there are two locks on this unit — and this one just opens up the cash cup. The other lock opens up the mechanism. I’ll have to figure that one out some other time.

If you liked watching Dexter, this is like a locksmith’s blood spatter pattern. These parts are a testament to my lack of picking skills. The $1.75 next to it? That was still inside the meter. Guess I got a discount 🙂

Balancing Risk: A Security Practitioner’s Prerogative

Security isn’t about making things impenetrable; it is about making them secure enough that the value spent getting around them exceeds the potential value gained. That’s why you don’t have gun turrets outside your house, but the military does.

In my professional opinion — this device demonstrates the output of a successful risk analysis and defensive design.

This is how I know:

Meter & Money

The small can you see near the top of the quarters is the cup that retains the coins that you put into the meter. I happen to have had $75 in quarters in those blue bags and a few rolls, so I decided I would see what your potential earnings would be for breaching one parking meter.

50 Dollars in Quarters

Above is $50 in quarters. Not quite there. It turns out that to fill this can up, it would take:

Exactly $75. Meaning that if you were to breach a meter, ignoring the obvious legal fees, you would only walk away with $75.

But wait, there’s more!

So, in this meter, one quarter represents 30-minutes of time. There are 300 quarters in $75, so therefore ((300×30)/60)/24 = 6.25 days of continuous 24-hour parking. This also means that the meters were never emptied in that period. If the city comes by and empties the meter, that value gets reset. To maximize your profit, you’d have to track the meter maid, and be one meter in front of them with a hack saw and spend at least 20 mins in broad daylight trying to breach the thing. Once you breach one, they will notice and you won’t be able to do it again in this area.

With this said, yes you can jackpot a parking meter. But it isn’t like Grand Theft Auto, where you run it over and pick up money. In this case, the risk far outweighs even the full potential maximum return. Therefore, as of this blog, I consider these a secure device.

I will continue exploring the security of these devices when I can get the mechanism open. So this may change.

Thanks for reading.

Physical Security Uncategorized

Lockboxes and Key Space Exhaustion

On a rare occasion, I’ll have a chance to check out a thrift shop or antique store and see what sorts of locks or security equipment they have for sale. I’ve wanted to check out those realtor lockboxes for some time, but didn’t want to spring $25 for minimal entertainment value.

Today, I stopped in a Goodwill and saw a Kidde KeySafe unit for sale for $4.99. I decided that price point is exactly what I’d pay for an otherwise useless toy. The first thing I did was open the manual it came with:

Kidde KeySafe

The instructions state right away that “KeySafe is a convenience product, not a security product.”

Boy they couldn’t be more correct.

What is “Key Space”?

In cryptography, key space expresses how many permutations are available within the boundaries of a key. To put it plainly, if you can only have a PIN number that is four digits, then you can choose anything between 0000 and 9999. This gives you 10,000 possible permutations (or a key space of 10,000).

What is “Key Space Exhaustion”?

When you don’t know a password or PIN number, you’ll generally start guessing numbers. You may start with “0000”, then “0001” and keep going. Banks will see this sort of activity and freeze down an account, but lock boxes are not like that. You can try every single number until it opens. Key Space Exhaustion is when you go through, iteratively, each permutation until you get an “unlock” state.

What do Lock Boxes have to do with this?

I gave myself a rather relaxed time trial and found that I can enter a code (whether wrong or right) on average in around 5.25 seconds for a 5-digit code. Most people would assume that is probably pretty good, after all a lock that takes a 5-digit code has 100,000 permutations, right? That would mean I’d have to type in numbers for 24 hours a day for a little over six days to get this thing unlocked. I’d argue that’s reasonably secure.


Except one little funny thing: Lockboxes do not have permutations that spread across the entire spectrum of possibilities. Some lockboxes have limiting factors, such as:

  • Numbers can only be entered once, so 1-2-3-4-5 is a valid code, but 1-1-2-3-4 would not work.
  • Number Ordering is Irrelevant, so 1-2-3-4-5 is equivalent to 5-4-3-2-1, which greatly brings down the key space.

Identifying Lock boxes with this Fault

You can identify the first issue (entering each number once) by pressing a button and listening for a click. If it only clicks once, it probably only accepts each number once. For the second issue, I do not know a way currently without actually testing it, but it is probably safe to assume most are designed this way.

As for my lock… This lock can accept either 5, 6 or 7 digit combinations. For sake of clarity, I am operating under the pretense that folks are going to use 5-digit codes (Pro-tip: It is probably the address of the building).

With those constraints in mind, how much does that reduce the Key Space?

Key Length | Full Key Space | Actual Key Space | Permutations

Yikes! That deescalated quickly.

As I mentioned before, I did a time trial. I set my lockbox to 01279. As you can see in my permutation lists on GitHub, that is the 20th 5-digit code available. It took 1:45 for me to “breach” the lock by going code to code, trying and clearing each one. So, remember when I said it would take 6 days to breach that 5-digit lock? Because of the insane limitations of this design, I could have this lockbox in an unlocked state within 22 minutes. That’s insanity. And 22 minutes assumes that I will hit your code last.
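The figures in this post can be reproduced by counting codes the way the mechanism does: as a set of pressed buttons rather than an ordered string. This is an added example, not code from the original post or its GitHub lists; the function names are made up for illustration, the 5.25-second entry time is the post's own measurement, and the "ordered, no repeats" column is an added comparison showing what the design gives away by ignoring order.

```python
from itertools import combinations
from math import comb, perm

DIGITS = "0123456789"     # ten push buttons
SECONDS_PER_TRY = 5.25    # the post's measured average time per attempt


def full_key_space(length):
    """What a buyer assumes: every ordered digit string is a distinct code."""
    return len(DIGITS) ** length


def ordered_no_repeat_key_space(length):
    """Added comparison: each digit used once, but order still matters."""
    return perm(len(DIGITS), length)


def actual_key_space(length):
    """What the mechanism distinguishes: a set of pressed buttons."""
    return comb(len(DIGITS), length)


def canonical(code):
    """Reduce an entered code to the set the mechanism actually checks."""
    if not code.isdigit() or len(set(code)) != len(code):
        raise ValueError(f"{code!r} cannot be set: digits must be unique")
    return "".join(sorted(code))


def all_codes(length):
    """Every distinguishable code, digits ascending, in sorted order."""
    return ["".join(c) for c in combinations(DIGITS, length)]


def position(code):
    """1-based position of a code in the sorted list for its length."""
    return all_codes(len(code)).index(canonical(code)) + 1


def seconds_to_try(count, per_try=SECONDS_PER_TRY):
    """Time to enter `count` codes at the measured rate."""
    return count * per_try


def report(lengths=(5, 6, 7)):
    """Rows of (length, full, ordered-no-repeat, actual, worst-case minutes)."""
    return [
        (n, full_key_space(n), ordered_no_repeat_key_space(n),
         actual_key_space(n), seconds_to_try(actual_key_space(n)) / 60)
        for n in lengths
    ]


if __name__ == "__main__":
    for n, full, ordered, actual, minutes in report():
        print(f"{n}-digit: assumed {full:>10,}  ordered/no-repeat {ordered:>7,}"
              f"  actual {actual:>3}  worst case {minutes:5.1f} min")
    days = seconds_to_try(full_key_space(5)) / 86400
    print(f"assumed 5-digit space at 5.25 s/try: {days:.2f} days")
    pos = position("01279")
    print(f"01279 is code #{pos}; reached after {seconds_to_try(pos):.0f} s")
```

For a buyer or manufacturer the comparison column is the useful part: with the same ten buttons and five presses, a mechanism that respected order would distinguish 30,240 codes instead of 252.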


This is a complete design fault and is something manufacturers should look to improve upon. The actual time it would take to breach this lock can vary, as I would have to try the 5, 6 and 7 digit lists. With that said, there are ways to make the breach more rapid for these variable-length locks. Stay tuned.

Lockpicking Locksmithing Physical Security Security

Rekeying a Kwikset Deadbolt

I’ve been largely an information security-heavy person, but I’ve decided that I need to start getting “physical” with physical security. I’ve bought a bunch of padlocks, picks, pins, tension wrenches, keys and the like. I’d love to show you how to lockpick, but I’m a novice at best and there are much better videos out there.

Today, I’m going to show you how to use a handy re-pinning kit on a Kwikset Deadbolt (I’ll do a door handle later on).

Before we start

  • I am not affiliated with nor compensated by Kwikset or the Change-A-Lock folks
  • I actually did a Schlage kit first, but I wanted to have Kwikset tools as well.
  • I bought the locks and kit for this blog, yes you shouldn’t post pictures of keys — I’m okay with a blog being public :). The door knob and deadbolt kit was $21.99, the key change kit was $7.99 at Menards (A Midwest version of Home Depot).
  • I was distracted and blew my lock up (driver pins and springs everywhere). Imagine my surprise, however, when I saw two spool pins — IN A CHEAP LOCK! Thanks Kwikset!
  • If your lock is a Kwikset SmartKey product (the keyhole has a small slit next to it) — there are much easier ways to rekey your lock. Don’t follow this advice.
  • You will need one of the following to rekey, even if it is unlocked:
    • Mad lockpicking skillz
    • A working key for the lock

Reasons to Rekey

Rekeying makes all old copies of your key useless. If you have friends, family, or neighbors you once were crazy enough to give a key to — you are a candidate. If you are a landlord and want to save the expense of locks on your building, or if you are moving into a new residence — these kits are about $1.25 per cylinder (most houses have a locking doorknob and a single-cylinder deadbolt), so about $2.50/door. This is much cheaper than the $21.99 I spent on the lockset used in this blog.

Enough about me!

KwikSet Door Knob and Change-A-Lock Kit

I will do a rekey right out of the package — you will need to remove the knob from your house to get started. If you can’t fire up a screwdriver and knock out two screws, you’ll need to call an ambulance because you might need help.

The Change-A-Lock Kit

Change-A-Lock Kit

The Change-A-Lock kit comes with colored/coded pins, a plug follower, a clip remover, new keys, instructions, and sometimes a few other tools (a spring tool or an allen wrench, for example). You can get away without these tools (using pliers and a socket, for example) but for the price the kit is totally worth it. You can also buy large pin assortments from Amazon or eBay, but then you’ll need to visit a locksmith to get a key cut. Your typical hardware store can only -duplicate- keys, not originate them from a code. So there’s that too.

I had a key cut by a locksmith yesterday from code for a later project — He charged a $6.00 code fee and then $2.80 for each key blank I wanted. With tax, out the door was $9.02 for one key. So you’re looking at ~$11.50 for a set.

Removing the cylinder

Rim Deadbolt in escutcheon plate

Slam a bottle of bourbon and then say “escutcheon plate” five times fast.

This picture shows a typical Kwikset cylinder without “SmartKey”, no little notch next to the keyway. What we will do is remove the escutcheon plate by sliding it down the tailpiece:

Escutcheon aside cylinder

Next, breathe in a lot of air, because you will probably say a few dirty words in this step. Use the E-Clip remover to remove the clip and tailpiece:

Removing E-Clip

The E-Clip is the dark (black oxide) metal ring around the base of the tailpiece. Hold the cylinder and press the indentation around the lock to push off both sides of the e-clip. Now, set the tailpiece, removal tool, and e-clip to the side:

Insert key, turned 45 degrees to the right

Next, insert your original key and turn the lock 45 degrees to the right (if you go left here, you may lock the cylinder down by dropping the driver pins into construction holes. Don’t do that).

At this point, be VERY CAREFUL. If you pick it up by the key, you will extract the cylinder and the driver pins and springs will go everywhere and take you about 42 minutes to find (some idiot I know did this by accident. It was me).

Without pulling the key or cylinder out, use the plug follower to push the back of the cylinder out of the bible (the bible being the remainder of the lock).

Plug Follower

You’ll see the cylinder come out of the bible, and you won’t have springs and driver pins go everywhere.

The five brass pieces you’re seeing here — those are your original key pins. Keep them if you ever want to rekey to the original.

Original Key Pins

If you insert your original key and push back down on the brass key pins, you’ll see they all sit level. This is how a lock checks your key.

Repinning the Lock

Repinning a Cylinder

The above picture shows the pin order from the instructions (with the key code visible on the head of the key). Remember — the pin at the tip of the key is at the rear of the cylinder — being pin #5.

The top key and colored pins are from the replacement kit. The bottom are the original. The color has no use except to make identification easy for you.

Insert the pins into the cylinder, and then insert your key to make sure they sit level:

New key pins

If you find that your pins are NOT LEVEL — being over or under this shear line, make sure you’re using the -new- key. If they are still not level, dump them out and try again. You may have reversed the order. You also want to make sure the pointed end goes -into- the hole first. That is the part that contacts the key. If they are level — great, let’s go ahead and push out your plug follower with the new cylinder.

Make sure you hold your cylinder like you did before — 45 degrees to the right of the top of the cylinder, and then push out the plug follower with the cylinder:

Reinsert Cylinder

At this point, you may re-attach the e-clip (remember the tail piece). Then, move your key so the teeth point up (0 degrees) and remove the key — it is now locked!

You have rekeyed a lock!

Once you do this a few times, you will be able to knock these out under five minutes a lock.

If you want to blog about keys — feel free to, but my new project highlights why you should be very careful posting pictures of keys online.

Lockpicking Physical Security Security

Cheap Lockpicking Tools

Lockpicking, or locksport, isn’t the most expensive habit to start up. Oftentimes, you have locks lying around (old computers have them, so do old file cabinets, etc). If you’re willing to put in a little elbow grease, you can avoid the expensive tools. Buy a few of the common picks, and tension wrenches, and then use fine sandpaper and polish to make them as smooth as you can. Makes a huge difference when it comes to feeling the lock internals.

Where is the cheapest place to get tools?

AutoZone Storefront

AutoZone? Yes… Or any other auto parts store. You see, most of the ones that have modernized now install some components for free. Bulbs, batteries, as well as windshield wipers.

But those have nothing to do with lock picks!

You haven’t looked into the image closely enough. If you had, you’d see this:

I said cheap, when I really meant to say “Free”

Winter Wiper Blade in AutoZone Garbage Can

Now — if you’re as unlucky as I was, you’ll find one of these winter wiper blades. These have a large blade of steel inside. If you’re lucky, the rubber will not be glued to it and you’ll be able to use it. In this case, rubber was glued to it, so I simply discarded it.

Mix of Winter and Summer Wiper Blades

I totally lucked out though; I found some normal summer blades (if you’re in the South, this is all you’ll have). These usually have two inserts (which is why folks like LockPickingLawyer call them “Wiper Inserts”).

Wiper Inserts Extracted

It really helps to carry a Leatherman or similar… The ends are barbs, so you’ll want to ease them out of the metal carrier frame, then tear the rubber wiper off the metal backing. At that point -carefully- remove the two metal inserts. This is spring steel, and is quite rigid.

Here is the inside of a Winter blade — not all are like this, but the ones that are, toss ’em.

Make sure to do the right thing and toss the wipers back in the can. Sometimes you’ll find wipers in the grass from other folks who were too lazy to toss ’em out. These can be harvested too.

Here’s the take from two summer blades, and two winter blades

The four silver strips on the bottom are the summer blade inserts, the 2nd from the top is a winter insert (that would work pretty well for picks and rakes), and finally, the glued-on wiper blade on the top. That one is trash unless you’re really hard up.

Useless Tension Wrench

With a small section of a summer blade, I made a tension wrench. I doubled it up which resulted in ~0.068″ thickness on the insert portion. Needless to say, this isn’t fitting in many locks so was really a waste. The summer blades I grabbed were 0.110″ by 0.030″, but YMMV.

Others will want to make actual picks and rakes out of this. I already have a pick set, so that would have been useless for me. If you decide you do, you can get nice scalable vectors from GitHub.

If you’re getting into locksport — check out my new project: — Each week there will be a challenge where you use images of keys to figure out the type of key, and then decode the bitting order for points. Meaningless internet points, but points nonetheless.