
Enclave: An Unpickable Lock

327 comments

·June 26, 2022

swighton

Interesting design. I made a lock a couple years ago that is quite similar in principle (though this design is different and has a couple nice improvements).

https://youtu.be/_7vPNcnYWQ4

One of my main goals is to be an inspiration, though if it was based on my design I wish they’d credit it. Especially since they’re patenting it.

harrisi

The interaction of engineering and "use" by the Lock Picking Lawyer (https://youtu.be/Ecy1FBdCRbQ) was fascinating - "use" here really meaning "exploiting". It's a problem many here are aware of, either by over-engineering things intended for use by non-engineers, or designing things to be used by customers when the designer isn't intimately familiar with the use. In this case it was sort of somewhere in between.

I'm currently an operator of heavy machinery in a factory making tools for the wafer industry, although my main career is in software development. I'm actively working with the tools and software used to get a better understanding of the disconnect between engineering and operations. It's been a great way to consider how to improve tools in ways that aren't just "better" from a software/engineering standpoint.

Also, holy cow. I've watched all of your videos multiple times. You are truly an inspiration. Thank you, and apologies for the fanboying.

franciscop

Def want to see Enclave's under Lock Picking Lawyer! If you make an "unpickable lock" you'd def want to send it to LPL, that's like the ultimate proof of how easy/hard it is to pick. The fact that there's no video, with how approachable LPL is and accepts random locks in his PO box, can only be seen as a red flag.

Do it in the open, like Stuff Made Here!

codezero

Check out another prominent lock sporter, Lock Noob. He has a recent video where he examines the lock and agrees it’ll be hard to pick.

Unpickable locks aren’t that unique or rare in the community but they tend to be too complex to make it to market at a reasonable price or with the ability to withstand years of wear and tear and still work.

https://m.youtube.com/watch?v=qNHFyc1oMwU

mlyle

> The fact that there's no video, with how approachable LPL is and accepts random locks in his PO box, can only be seen as a red flag.

He says he's going to make a small number of prototypes and send them to the locksport community. It's not a "red flag", it's just very early in his design cycle.

DominikPeters

LPL makes few videos with locks where he can't do anything. To me it's not a red flag but more likely a signal that he hasn't found an exploit (yet).

yebyen

I definitely remember seeing a design similar to this one not many weeks ago on LPL. I am looking for it now. The video on the landing page shows these little discs which can provide a false set, and a secondary mechanism that opens only when all the pins have a correct set. I am not an expert just watch a lot of LPL so don't take my word for it when I say this is the same design, this may be a completely novel design, but I'm looking for the video, it can't have been long ago...

Edit: ok, it wasn't on LPL, or a similar design at all, it was this lock and it was on Lock Noob, I found this was in my viewing history and it was just recently published, it must be the video I remember: https://www.youtube.com/watch?v=qNHFyc1oMwU (I see this was also linked down thread)

It looks like a very good design! I'd like to see it in front of Lock Picking Lawyer too

nielsbot

I think it's just too soon?

Grimburger

> that's like the ultimate proof of how easy/hard it is to pick

I would assume there's much better locksmiths on the planet than the most famous one on youtube who does it as a side job.

trompetenaccoun

Didn't know HN had so many lock experts and lawyers frequenting the site. Dozens of comments have already detected an IP violation, half the thread is recommending ways the lock can be tested or people it needs to be sent to for confirmation of the unpickable claim...

As someone who doesn't know anything about lockpicking, I feel like part of a weird minority here. What do I know but I'd assumed one would take it to a convention or competition where the best lockpickers in the world meet, not a youtuber. Something like this: https://www.wired.com/2014/12/international-competition-mast...

cvccvroomvroom

I can't be bothered to use YT anymore with all the ads. They're basically interactive, on-demand, corporate TV monetizing other people's content and nothing more. The world needs a co-op video sharing app and a microblogging app.

pwg

Just download the videos you want to watch:

https://github.com/yt-dlp/yt-dlp

The only "ads" you get will be the ones the video uploaders encode directly into the video itself. Plus you can watch using whatever playback software works best on your system, instead of the rather feature free JS player youtube provides.

shawnz

Firefox with uBlock Origin is effective at blocking them.

MattRix

You could also just pay for YouTube premium. I subscribed about a year ago and I don’t regret it.

Caboose8685

Using privacy front-ends makes the experience much more tolerable and completely eliminates ads. Then you can directly support your favorite creators via patreon, etc. There's invidious [0] and piped [1], with the major differentiator being that invidious doesn't require JS and piped having sponsorblock built in.

[0] https://invidious.io/ [1] https://github.com/TeamPiped/Piped

chiph

Having a PiHole on your network makes it tolerable. But doesn't fix their broken recommendation system.

dubswithus

I use Brave to block the ads. Also, Brave has the playlist feature on iOS which is quite nice.

twobitshifter

or just pay to avoid the ads?

mizzao

For others who might not have seen it, here's what the Lockpicking Lawyer had to say about that.

He picked a lock with the same concept by swighton (Stuff Made Here), but exploited a flaw that had nothing to do with the mechanism.

https://www.youtube.com/watch?v=Ecy1FBdCRbQ

I think one problem here is that the more complicated you make a locking mechanism, the more you suffer by increasing the attack surface with other potential flaws or just the lock being physically weaker (i.e. smashable).

Kinda like how the most advanced cryptography is usually broken because someone made an error in the complexity of implementing it.

dunmalg

The other problem with increased complexity is that the more intricate your mechanism is, the more prone to failure due to wear or contamination it becomes. A security measure is only as good as it can remain usable. As a locksmith working in the industry for 25 years, I've seen a lot of high security designs come and go, and the stuff that sticks is the stuff that's simple and reliable. The fundamental fact of locks and security is that people just don't pick locks much. The vast overwhelming majority of unauthorized accesses are via an acquired key or via bypass attacks on other aspects of the locking hardware than the keyed cylinder.

To put it bluntly, all these fancy pick-proof designs people are coming up with have zero real world utility and are just toys for locksport enthusiasts to play with.

EDIT: and really, I'd say all the patent discussion is moot. A patent is only useful if there's a market for your product. This product has design shortcomings that render it a non-starter for most applications, i.e. no master keying capacity, which makes it useless in any institutional setting, and a design necessity of using critical precision parts that won't handle outdoor exposure well, and a physical size that makes it incompatible with even the largest north american cylinder format. This is a product without a profitable customer base.

todd8

Yes, and with more complexity comes more ways to fail to operate properly. I foolishly almost locked myself out of my condo. I had a Medeco high security cylinder on the door and the condo was on the 22nd floor so it was pretty secure.

Foolishly, I had used the sturdy Medeco key to cut through some packing tape on a package. The gummy adhesive left over on the key wasn’t that noticeable and would probably not have interfered with the operation of ordinary pin tumbler locks, but high security cylinders are usually made to tighter tolerances making picking more difficult. In Medeco cylinders the pins have two degrees of motion (up and down and rotation on their long axis). The sticky key likely gummed up the operation of one or more pins so that I couldn’t unlock the door.

A trip to the hardware store for some spray cleaner/lubricant finally got me inside, but for a while I was afraid that the lock would have to be drilled out (difficult because of specially hardened elements designed to thwart drilling).

jsmith45

I don't see any fundamental reason why this design could not be master keyed (although it would be more of a pain than with traditional lock designs).

The key spools have a narrow section at the correct position. I see no reason why they could not have multiple narrow sections. The inconvenience is that you would need to stock 10 additional spool types to allow for 2 position opening. (or 6 if key spools are symmetric), and more if you ever need three valid positions for a pin. (These numbers get worse if the system is extended to more than the 5 positions of the prototype).

I'm not sure this is actually all that much more complex, or having more critical precision parts than some of ASSA ABLOY's offerings (like Medeco). The pin-stacks being too tall for standard US cylinder sizes though does seem to be a rather substantial problem.

hotpotamus

As usual there's an XKCD that's relevant: https://xkcd.com/538/

I assume that most people know that this is more of a hobby thing (and a cool one), but I also forget that not everyone has demolished a house with a handheld reciprocating saw.

joshcryer

I remember being annoyed by the end of that video with the backplate. swighton had already thought of that and machined for a backplate but it was just left out so the LPL could crack into it.

In any case, this guy's design I think is a significant improvement over swighton's. swighton made it so that the key triggered the locking mechanism as you pressed it in, this guy made it so that you had to turn the key to test the locking mechanism, as well as adding a multipin stack.

nynx

It’s so cool that you’re on HN! I’m a huge fan of your work and it helped me feel comfortable with aiming to be a generalist.

matthewfcarlson

Agreed. I’m a firmware engineer and a writer for Hackaday and the Stuff Made Here videos are thoroughly enjoyed by both crowds.

ramraj07

You absolutely should sue them with prior art or something if they patent it. You had an amazing fairly well distributed YouTube video with this design anyway.

femto

Anyone here can submit prior art during the patenting process. No suing or courts involved. You only have to care enough to make the submission.

Interestingly, videos don't seem to count? It must be a written description?

https://www.uspto.gov/web/offices/pac/mpep/s2206.html

dvdkhlng

> Interestingly, videos don't seem to count? It must be a written description?

Wondering the same myself. Googling for this issue turns up this power-point [1] which seems to imply on page 6 that "electronic publications, on-line databases, websites, or Internet publications" are also considered as "printed documents". But this is just a power-point so who knows which standard gets applied in practice.

I get the impression that the "printed document" language got written before digital documents and the internet were a thing.

I am not a lawyer, don't know a thing about the topic, this is not legal advice etc.

[1] https://www.uspto.gov/sites/default/files/documents/May%20In...

elil17

The examiner is definitely allowed to consider videos but it might not be easy to submit. Video subtitles/transcript, thumbnails, and comments would definitely count though. I would just print to PDF the YouTube video with the transcript sidebar, that should be enough info for the examiners to reject any overly broad claims.

ramraj07

Samsung used 2001: A Space Odyssey as prior art for fighting iPad patents so not sure if that’s true.

renlo

Do subtitles count?

robmccoll

Yeah I immediately thought of your work when I saw this. The key insight is the same, even if the implementation is different. Everything you do is fascinating by the way!

LilBytes

I didn't know you were here on HN, though it makes absolute sense you would be.

Amazing content, your shows are some of the best YT has to offer.

thrdbndndn

Same. One of my fav content creators on YTB.

His shop is also any ME major's wet dream (and he totally earned it!).

pilaf

Although I've seen pretty much all of your videos, I'm ashamed to say I couldn't remember your name, so I googled "Andrew Magill" expecting your face to pop up.

throwaway14356

I loved the way the puzzle was presented in that video and loved the partial solution. It has been consuming idle brain cycles ever since.

First we should proudly make the key flat as security by obscurity is not done. We should solve the problem for real and it has to be easy to manufacture.

The real idea: put a tube around the cylinder. after rotating the cylinder by 45 deg it drags the tube along.

  [cylinder][ tube ][case
   key]||||||||[   ][     ]////
  [cylinder][ tube ][case

You have a pin in the tube with small discs on the key side. The inner cylinder can rotate freely for 45 degrees at which point it drags the tube along IF the pin is in the correct position thereby testing the correctness of the key used therein all pins simultaneously.

different keys can be had by changing the number of discs. No machining required.

Have fun

throwaway14356

Extra funny would be a second tube with a clock mechanism that delays a second attempt if the wrong key is used.

(Going to implement that one on all my enter password pages.)

binarymax

This looks very similar to the design[0] by Stuff Made Here (and collaborative hardening [1] suggestions by Lock Picking Lawyer)…an excellent set of videos.

[0] https://youtu.be/2A2NY29iQdI [1] https://youtu.be/Ecy1FBdCRbQ

julienfr112

StuffMadeHere used friction to keep pin in place between setting and testing. Here, he used many small pins to translate to a discrete combination. Quite different! And I think more resistant to wear for a real world application.

ryukafalz

Beat me to it. Yeah, the idea of separating the input step from the test step is something that was done in that lock as well.

asojfdowgh

It's the standard procedure for "unpickable" locks before SMH's lock too.

timhh

Yeah same idea behind my lock too:

https://youtu.be/7hUonUE1hEY

I'd guess many many people have had this same idea.

grecy

You might want to see Stuff Made Here's comment in this very HN Post:

https://news.ycombinator.com/item?id=31880501

fossuser

There’s also a lock on that channel he can’t pick - the bowley I think? It has a wild key design.

chx

The Bowley has been picked last year.

https://youtu.be/ai5Hf-wPXFE and he mentions it's a collaboration at 4:29.

chongli

I think he has a whole box full of locks he can't pick. He usually doesn't show a lock until he has mastered picking it.

HWR_14

He showed the Bowley before he could pick it. Although he claims that box is locks he can't pick yet.

TrumpRapedWomen

He can't pick the Abloy Protect2 lock. Less than 10 people in the world can pick it actually.

sverhagen

On its surface, that sounds like a weird claim to make. Even if people would always advertise their ability to pick it, how would you have such an accurate count?

lrvick

I am a reasonably capable lockpicker and lock collector with hundreds of locks of every mechanism I can get my hands on... and as LPL often demonstrates, the vast majority of them, particularly the more clever seeming designs, are actually easy to pick.

I have one of the Enclave lock prototypes on my desk and can confirm the machining is brilliant and I have no idea how one could approach picking this. No feedback at all for correct vs incorrect.

I plan on taking it to my local SF Toool meetup to see if any of the true experts there can come up with anything.

rblatz

So looking at the lock’s YouTube video it may be susceptible to an attack where you set all the pins to their lowest, turn the key and then jolt the lock several times while continuing to turn the key.

scotty79

Compressing the springs by jolting the lock (hitting it with something?) might be very hard if springs are strong and pins are light.

D_Alex

Especially if the lock is mounted in a door.

_alex_

you're describing a bump key!

https://en.wikipedia.org/wiki/Lock_bumping

D_Alex

No, that won't work, because the pins cannot be bumped once the lock is partly turned.

hcrean

This kind of comment is why I read these sort of things: Elegant but unexpectedly simple solutions.

albrewer

From the video it looked like it would be pretty simple to lift the tiny pin wafers into the pin decoding region if there's nothing stopping you from over-lifting.

D_Alex

>I have no idea how one could approach picking this

Not sure how well the lock is made but it may be possible to detect when pins 1 and 6 are in correct position - because the slider is "stiff against springing apart" at those pins, if you get what I mean. The key might turn a degree or so more if those pins are correct, which may be detectable. That would be only 36 positions to check.

Likewise, pins 2 and 5 should produce slightly more resistance than pins 3 and 4, but the difference would not be quite as pronounced. But if the difference is detectable, then it could be a possible attack strategy.

moffkalast

Didn't that guy stuffmadehere make something that's very similar in concept, sent it to LPL and he still managed to open it? I think the attack angle wasn't the mechanism though.

jiveturkey

would a robotic mechanism work? iterate through all the possible pin heights, turn, reset, try again. like those robotic safe crackers.

birdiesanders

LPU unite! This is birdie, I hope your day is excellent!

syotos2

Bird is da word

Cyclical

While very cool and seemingly well-designed, this seems like a derivative of the lock developed by the YouTuber StuffMadeHere. A little strange to see someone applying for a patent for a version of someone else's design.

infogulch

The principle is the same, but this design is different and better in some ways. Depending on the generality of the claims a patent may be reasonable. The Enclave design is more refined/compact, but I'm skeptical of the longevity/durability of the wedge mechanism.

The underlying principle that's common between the StuffMadeHere and Enclave designs is 1. Decouple setting the pins from testing them, and 2. Do not allow the keyway access to physically manipulate the set pins while testing them.

Interestingly this same principle is used throughout cryptography, e.g. in constant time comparison algorithms. Basically, any partial success information leak can be used to reduce the search space exponentially. And that's what single-pin picking is all about, so it's cool that this idea has (finally?) migrated to physical security.

IIAOPSW

Except this isn't a constant time comparison. You still reach the "no more turning" angle at whichever pin is incorrect first. This is more like forcing the password to be fully retyped after each failed attempt. A good feature, but not a feature which eliminates side channels which might be there.

infogulch

There's still no direct way to detect which pin blocks it from opening. Maybe you could determine if the failed pin is the same as a previous attempt by listening with a stethoscope, or very finely measuring the turning angle, but you can't directly feel out which pin. So there may still be a way to reduce the search space in theory, but that attack still seems very difficult to pull off, and for the complexity it seems vastly better than previous locks.
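The point argued in this sub-thread, that what the test step leaks decides how large the search is, shown as an added example (not from any commenter and not the Enclave design). It is an abstract model that assumes 6 pins with 6 heights each, chosen to match the 46,656 figure quoted elsewhere in the thread; `ModelLock` and the three observation models are hypothetical names.

```python
import itertools

# Assumption: 6 pins x 6 heights = 46,656 bittings, the figure used in the thread.
PINS = 6
HEIGHTS = 6


class ModelLock:
    """Abstract lock: a secret tuple of pin heights plus a count of test turns."""

    def __init__(self, bitting):
        self.bitting = tuple(bitting)
        self.turns = 0

    def per_pin_feedback(self, guess):
        """Conventional pin tumbler: every pin shows on its own whether it is set."""
        self.turns += 1
        return [g == b for g, b in zip(guess, self.bitting)]

    def first_wrong_pin(self, guess):
        """Early-exit check: leaks the index of the first wrong pin (None = open)."""
        self.turns += 1
        for i, (g, b) in enumerate(zip(guess, self.bitting)):
            if g != b:
                return i
        return None

    def opens(self, guess):
        """Set-then-test with no leak: the only observable is open / not open."""
        self.turns += 1
        return tuple(guess) == self.bitting


def turns_with_per_pin_feedback(lock):
    """One height on all pins per turn; the feedback fixes each pin separately."""
    known = [None] * PINS
    for h in range(HEIGHTS):
        for i, ok in enumerate(lock.per_pin_feedback([h] * PINS)):
            if ok:
                known[i] = h
        if None not in known:
            break
    if not lock.opens(known):
        raise RuntimeError("model error: recovered bitting does not open")
    return lock.turns


def turns_with_first_wrong_pin(lock):
    """Only the failing position leaks, yet the cost is still linear in PINS."""
    guess = [0] * PINS
    while True:
        wrong = lock.first_wrong_pin(guess)
        if wrong is None:
            return lock.turns
        guess[wrong] += 1


def turns_all_or_nothing(lock):
    """No partial information: nothing better than walking the whole key space."""
    for guess in itertools.product(range(HEIGHTS), repeat=PINS):
        if lock.opens(guess):
            return lock.turns
    raise ValueError("bitting outside the modelled key space")


def worst_case_turns():
    """Turns needed for the bitting that is last in every search order used here."""
    worst = (HEIGHTS - 1,) * PINS
    return {
        "per_pin_feedback": turns_with_per_pin_feedback(ModelLock(worst)),
        "first_wrong_pin": turns_with_first_wrong_pin(ModelLock(worst)),
        "all_or_nothing": turns_all_or_nothing(ModelLock(worst)),
    }


if __name__ == "__main__":
    for model, turns in worst_case_turns().items():
        print(f"{model:>18}: {turns} turns")
```

The middle model is the software case of an early-exit comparison: even a leak of only where the check stopped collapses the search from HEIGHTS**PINS to roughly HEIGHTS*PINS.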

petra

If the core ideas are already in the public domain, it likely means that designs that bypass the enclave patent are likely.

espadrine

It is even closer to the design I published a year ago: https://github.com/espadrine/lock-designs/blob/main/commitme...

I don’t see how this patent has any legs to stand on.

dmoy

> don’t see how this patent has any legs to stand on.

Well USPTO did move to first-to-file under Obama.

Is there a patent filed before this one?

espadrine

My understanding of MPEP 2126-2128[0] is that prior art published to a website can be disqualifying.

I don’t like patents, because given the world population, any idea was had by someone that didn’t have the resources to file it. Publishing a timestamped design is, I believe, one of the least expensive ways to create prior art without creating patents.

[0]: https://www.uspto.gov/web/offices/pac/mpep/s2128.html

tzs

First-to-file doesn't mean what I think you think it means.

Prior art, whether from another patent or from some other source, will still establish that the applicant is not an inventor and not eligible for a patent.

First-to-file (FTF) only differs from first-to-invent (FTI) when there is an "interference". That's when two or more separate parties are simultaneously applying for patents on the same invention.

Under FTI your priority date was the date you conceived the invention if you then worked diligently toward reducing the idea to practice up until you filed your patent application. If you stopped working diligently on reducing the idea to practice and then resumed it, the date you resumed became your new priority date.

What counts as a break in working toward reduction to practice sufficient to reset your priority date? How much documentation do you need to prove you were working continuously on it from your claimed priority date?

Figuring all that out can be expensive and time consuming and often gives results that seem wrong. It's almost random whether the priority date by this method actually matches who seems to morally most deserve the patent.

FTF gives priority to whoever files first. It doesn't produce any worse outcome than FTI and saves a lot of time and money for both the patent office and applicants.

rocqua

That is for independent simultaneous discovery right? Which is a separate matter from 'does prior art exist' I would imagine.

leeoniya

would likely depend on whether the filing date was before or after this, but yeah, this would likely invalidate any claims for the most interesting improvements over the SMH designs

analog31

Need to see the patent or published application, and in particular the claims. I've got a few patents under my belt, but I'm not a patent lawyer. Typically when prior art is found during the preparation or processing of a patent application, the inventor can either argue for why their thing is new and different, or narrow their claims to the point where what's left satisfies novelty. Now at that point, one is left wondering if their idea is still worth patenting. But that's another matter.

Even as an inventor with some experience in the patent process, I still find it hard to second guess the patent office on what they will accept or reject as prior art. The lawyers are better at it than I am.

More than once I've rushed breathlessly to the lawyers with screaming hot obvious prior art, and they say: "Meh, it's not prior art because of X, Y, and Z, nice try."

PragmaticPulp

The concepts employed in the StuffMadeHere video were derived from techniques used in other pick-resistant locks. His implementation is unique, of course, but he also derived his lock from other existing techniques.

There’s a big world of lock design and research out there, and I doubt this company simply decided to rip off a YouTuber.

girvo

> and I doubt this company simply decided to rip off a YouTuber.

While you’re likely right, YouTubers are massive in terms of reach and popularity, and there are heaps of cases where companies have done exactly that…

threeseed

> A little strange to see someone applying for a patent for a version of someone else's design.

Apparently it's common depending on the country you live in.

Some countries have a first-to-file versus a first-to-invent patent system. And so you end up with people (often inventors or retired lawyers) who spend their days filing patents for other people's inventions. The idea being that they only need one or two of the patents in their lifetime to result in a massive payday for it to be all worth it.

pclmulqdq

Even in the US, which is first to file, your patent can be invalidated by published prior art that makes it obvious. The stuff made here video is a textbook example of an invalidating piece of prior art.

mNovak

It might invalidate aspects of the patent, but the two are different enough that certain aspects of this one are still patentable.

Bottom line, you don't always patent the whole device, sometimes just the small unique implementation details are valuable enough.

threeseed

The problem is that the patent system tends to just approve anything that meets a certain quality threshold. And then they leave it up to the courts to adjudicate whether a patent is invalidated due to prior art.

And so rather than litigate, roll the dice and potentially strengthen the patent's standing sometimes it's easier just to negotiate a deal with them.

rasz

and it will only cost you >$100K to invalidate

causality0

> A little strange to see someone applying for a patent for a version of someone else's design

I'm pretty sure 95% of patent applications and 50% of granted patents are attempts to steal someone's invention out from under them.

iancmceachern

Like Steve Jobs famously said - something about stealing

retcon

I actually think Zaphod Beeblebrox got there earlier. As he willonhavedone by whenever he followed through.

subtract-smiles

I agree, it seems a little strange.

I also seem to recall that the LockPickingLawyer was able to break that lock using two separate methods that I didn't see addressed in the article, so I wonder how much this person just copied StuffMadeHere..

dcow

LPL “cheated” when picking SMH’s lock but still provided valuable feedback. Both weaknesses he found are easily fixed. In one case he could walk the deadbolt back because of a precision error/oversight in SMH’s lock. The other he stuck a small shim between the door and the lock to tension the second tumbler which is not an issue with this lock and easily fixed on SMH’s lock by closing the back with a plate.

subtract-smiles

Oh, I see.

I'm no expert but at least I understand the things LPL did a bit better now.

mNovak

A lot of people saying this is similar/same to the lock from Stuff Made Here. Certainly both use the same concept of preventing single pin picking by separating the pin alignment and matching stages, but this does appear to be a unique design. SMH used a pushing mechanism to bind the pins in place before trialing a set of gates via rotation; this one sort of does the reverse, with pins never binding (see stack of separable wafers on each pin) but a pushing mechanism trials the combination.

This one does seem potentially more compact / compatible to existing form factors. Though it also looks like it'd be vulnerable to just torqueing it, depending on how strong that zigzag bit is. But I guess then you can just break the door.

pclmulqdq

Torqueing a lock in a way that is visible is usually not a problem for the threat model a lock is attempting to address. However, this mechanism looks like it may be vulnerable to torqueing without external signs of damage.

hprotagonist

I’m looking forward to sometime next month or so: “Little click on one…”

hinkley

He's fun, but my favorite favorite ones are where they forget about inertia or magnets.

"All is fair in Love and War"? The Geneva Convention would like to have a word with you on that. And good luck keeping someone who finds out what you did for love (and if you do, then you deserve each other), but all is definitely fair in lock picking.

Magnets, mallets, plastic pens, soda cans, springs, electric toothbrushes, masking tape, string, cardboard, water, salt water, we have seen it 'all' and the world is full of items that haven't even been tried yet because those all work pretty damned well.

foobarian

What if Andrew Magill is lockpickinglawyer!

TaylorAlexander

Lol then it would be sold through his web store covertinstruments.com

hprotagonist

along with the pick that bosnian bill and i made

hangonhn

He needs to trademark that phrase. It’s so iconic of him.

flopit

A little bit of counter rotation on two...

xarope

nothing on three...

riekus

Four is binding

smoldesu

Binding on four!

upwardbound

I don't know if this is too slow of an attack to count, but you could build an automated lockpicking machine that would iterate over the possible pin height combinations. If a fast robotic machine could input & test one key pattern per second, it would find the correct pattern in 12.96 hours or less. One pattern per second should be quite feasible. Here's an example video that shows how robots can move very quickly while maintaining submillimeter precision: https://youtu.be/SVuOWwL410U?t=7

bryans

Exactly. And based on the test mechanism simply requiring a ~46 degree turn to fail, I think it could actually be done in ~300ms per attempt, which would make the maximum solution even lower at ~4 hours. That's of course still a lot better than a traditional mechanism, which even brute force robotic pickers can tear through rapidly, but it's far from "unpickable."

Ultimately, even lengthening the time per attempt wouldn't help save it from attack, because not only is this lock susceptible to robotics, it's easily pickable with audio analysis. Much like the traditional mechanisms that this lock hopes to replace, you only need to analyze one to build a matrix applicable to all of the locks.

It's not unpickable, and the creator doesn't claim it's unpickable, either. So the title really shouldn't include the word.

necovek

I am not sure if I would call trying all combinations "picking a lock" — wouldn't adding a couple of pins simply make that infeasible again? You could also bring all 46k key variations and try them out, and you'll open it with 23k attempts on average, but that would not make the lock pickable if I was to talk about it.

I have no clue about locks, but there's a difference between brute forcing a password and decrypting it from the hash.

bryans

> I am not sure if I would call trying all combinations "picking a lock"

Lockpicking is defined as opening a lock with an instrument other than the appropriate key. It is not defined by how many attempts it takes. Many of the most common lockpicking methods are nothing more than brute force, which are sometimes incredibly effective. They're also sometimes the opposite of effective, meaning they may take many thousands of attempts before stumbling upon success. That doesn't disqualify them from the definition of lockpicking.

> You could also bring all 46k key variations and try them out [...] but that would not make the lock pickable if I was to talk about it.

The entire point of lockpicking is that you don't need to make every key combination, and instead only need a small set of tools or a single device. The personal decision to make every key instead of using another method, doesn't mean the lock isn't pickable, it just means you spent a lot of time making keys. You could also make all of the keys for a basic $1 padlock, but that padlock is still pickable with a paperclip. It didn't become unpickable by creating the keys.

> I have no clue about locks, but there's a difference between brute forcing a password and decrypting it from the hash.

Yes, the difference is that one will definitely take longer than the other, but you don't actually know which until you've successfully completed the task. They're both still password cracking methods with the same end result. One doesn't magically stop being a cracking method just because it takes longer.

kortex

Those master cylinders are of specific dimensions, variable length and probably mass as well. I wonder if one could analyze the audio frequency spectrum, and/or mechanical impulse response, to deduce the length of the master and work out the bitting.

bryans

The fun part of audio is that there's multiple ways to do it. You can use spectrum analysis, impulse response, harmonic frequency, beamforming, triangulation and more. Some would be easier than others in this situation, but you could technically use any of them to pick this lock.

HellsMaddy

To counteract brute-forcing, how about adding a rate-limiting mechanism?

I could imagine each attempt to rotate the cylinder could partially compress a spring-loaded lever. There could be some sort of ratcheting return mechanism that allows the spring to decompress at a known rate (think a kitchen timer). Once the spring is compressed beyond a certain point (e.g. after 5 failed attempts), a mechanism locks out the cylinder until the return mechanism allows the spring to decompress back to its starting position.

If the lockout happened after 5 failed attempts, and the lockout duration was 10 minutes, an attacker could test at a maximum rate of 30 combinations per hour. It would take 64 days to check all 46,656 possible combinations, or 32 days on average to find the solution.

lexicality

Sounds like an interesting way to get locked out of your house.

You would need successful uses of the key to reset the ratchet or every 5 times you opened your door it would become inoperable for 10 minutes, assuming the spring for the timer hasn't rusted or got a bit of grit in it or whatever.

HellsMaddy

Revised:

- Each [failed] attempt to rotate the cylinder could partially compress a spring-loaded lever.

- The return mechanism would always return if not in its resting position, not only after each 5 failures.

- Successful attempts immediately reset the spring.
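
The revised mechanism above behaves like a leaky-bucket rate limiter. As an added example (not part of the thread), this Python model simulates it with the numbers from the comments: 46,656 combinations, a spring fully compressed by 5 failures, and a 10-minute return. The class and function names, the 2-second attempt time, and the rule that a locked cylinder rejects even the correct key are assumptions.

```python
from dataclasses import dataclass

@dataclass
class SpringLimiter:
    """Hypothetical model of the revised spring-and-ratchet lockout."""
    max_fails: int = 5     # failures that fully compress the spring
    lockout_s: int = 600   # seconds for a full spring to return to rest
    level: int = 0         # compression, in seconds of return travel left
    locked: bool = False
    now: int = 0

    def _advance(self, t: int) -> None:
        # The return mechanism always runs, one second of travel per second.
        self.level = max(0, self.level - (t - self.now))
        self.now = t
        if self.level == 0:
            self.locked = False

    def ready_at(self, t: int) -> int:
        """Earliest time >= t at which the cylinder can turn again."""
        self._advance(t)
        return t + self.level if self.locked else t

    def attempt(self, t: int, correct: bool) -> bool:
        self._advance(t)
        if self.locked:
            return False              # assumption: blocked even for the right key
        if correct:
            self.level = 0            # a successful turn resets the spring
            return True
        self.level += self.lockout_s // self.max_fails
        self.locked = self.level >= self.lockout_s
        return False

def brute_force_seconds(secret: int, keyspace: int = 46_656, attempt_s: int = 2) -> int:
    """Seconds until an in-order search turns the lock (constructed scenario)."""
    lock, t = SpringLimiter(), 0
    for guess in range(keyspace):
        t = lock.ready_at(t)
        if lock.attempt(t, guess == secret):
            return t
        t += attempt_s
    raise ValueError("secret outside keyspace")

if __name__ == "__main__":
    worst = brute_force_seconds(46_655)
    print(f"worst case: {worst / 86_400:.1f} days")
```

With a 2-second attempt the model locks on the sixth failure rather than the fifth, because the spring keeps returning between tries, but the long-run rate is still 30 attempts per hour. The worst case comes out at about 64.8 days, in line with the estimate in the comment.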

can16358p

I have zero knowledge about the topic and something in the video confuses me:

In the YouTube video explanation around 2:30, when individual positions (not sure if it's the correct word: talking about the different parts of the lock's inner array moving based on the position of the key/pick) are picked, why doesn't the inner mechanism snap back to its initial state by the spring's force when key/pick is moved out of that position?

And how do they reset when lock is turned and unturned back to initial rotation state if they don't reset when individual positions are released?

(Sorry if I used a terribly wrong terminology)

Rechtsstaat

The pins usually don't fit exactly (because they still need to be able to move up and down), meaning that you can turn the lock slightly even without the pins at the right positions.

If a pin is pushed up completely, and you turn the lock slightly, the pin can get stuck in the right position. This is done with a torsion wrench, keeping torsion on the lock while trying to get the pins in the right position with picks, hooks, or rakes.

throwaway742

> torsion wrench

engineer confirmed

gzer0

Please send this to https://www.youtube.com/c/lockpickinglawyer

LockPickingLawyer has picked just about any and every single lock there is known to mankind. Would love to see him up against this!

Would make for some great content.

barrkel

He generally only shows locks he knows how to pick. Unlocking is the payoff to the video and I don't think I've seen a single video where he didn't succeed, but if you read between the lines on his older videos, you notice him talking about the locks he recently learned to pick, locks he's never been able to pick, and so on.

He's very good, but he's not infallible. He just doesn't show his failures.

timhh

The only one I've seen was the Bowley lock. But yeah I sent my unpickable lock to him and he never mentioned it. :(

https://youtu.be/7hUonUE1hEY

eszaq

Nice vid! You can print one of these for just 30 GBP? You know high end locks go for a lot more than that right? You could be printing money!

lqet

Upvoted you, because I think your design uses a very similar idea as the one posted by OP, but its design is more simple/elegant.

jacquesm

Very nice print job, wow.

airforce1

As far as I know he never picked his bowley. https://youtu.be/qV8QKZNFxLw

bricemo

I love how this follows the TED talk playbook:

1: “Here is a thing you are all familiar with”

2: “What if we thought about it DIFFERENTLY?”

3: “Here is the new yet intuitive way to think about it”

4: (Applause. Audience leaves with an easy-to-understand story to tell at cocktail parties)

Great work, and very cool lock.

LanceH

And, like TED, there is no actual implementation in existence.

Retr0id

Except, a (prototype) implementation does exist - and you can buy one (or at least, you can when they're in stock)

LanceH

"Please be aware that this lock is only a demonstration of the mechanism, and cannot be used to secure doors, chains, or anything else."

So, not actual implementation of a lock.

droidist2

Not the LockPickingLawyer (I hope he gets his hands on one soon) but here's a video review/demonstration: https://www.youtube.com/watch?v=qNHFyc1oMwU

elromulous

+1. LPL has disproven the claims of many "unpickable" locks.

If computer security has taught me anything, unhackable/impenetrable claims, cyber or physical, should be met with skepticism.

hangonhn

I used to be a huge Abloy Protec2 fanboy until I found out that they are very litigious, which made me wonder if their locks have been picked but the results were just taken down. I think they are still great locks. If anyone is going to break into my house there are easier and faster ways than picking the lock. However, the notion of an unpickable lock requires a lot of convincing for me to accept now.

xzel

The middle part is always what I tell people, yeah you locked the door but did you lock your window panes?

birdiesanders

Kromer Protector, unpicked since the late 1800s. There are unpickable locks, you just can't afford them.

sathackr

I have always said "if someone made it, someone can break it"

Nothing is unhackable/impenetrable. period.

nemo1618

We've had theoretically-unbreakable cryptography for a long time now, particularly hash functions and encryption ciphers. There are still some weaknesses around timing attacks, and of course there's always the "wrench attack," but the algorithms themselves are as secure as we will ever need anything to be.

megalottachoc

Darn right there.

If it can be opened with a key, there's nothing stopping something else emulating that key - even if resorting to brute force until the key pattern matches.

csours

What's the threat model? Does this lock secure a location that has no windows? Can a sledgehammer be used to open the door?

Ok, so maybe covert entry is harder. Do you care THAT much about covert entry? If you care that much about covert entry, do you also have video monitoring?

Security solutions need to be used in context.

andrewflnr

Your points are technically true but effectively vacuous, equally applicable to all possible door locks. Is there someone claiming that just because this lock is (allegedly) unpickable, it's a complete security solution, so that you felt you had to comment on the importance of other approaches to security?

csours

No, I'm saying that people have an irrational desire for an unpickable lock, perhaps not having considered their security/threat model.

tptacek

Everyone interested in lock picking has considered breaking the window. I promise, you're not the first person to think of that, and it doesn't bear repeating in these kinds of conversations.

Eji1700

I think it has narrow applications in government high security areas and some corporate things where covert access can be a catastrophe. Also large datacenters and what not where an unknown physical compromise, while VERY difficult to achieve, could have tremendous repercussions.

In 90% of situations a bad actor will probably just use brute force. There is something to be said if this isn't bump-able/pick-able, in that at least you won't have the situation where a potential bad actor gains "covert" access, and so people think they're supposed to be there, as opposed to them kicking down the door, but the number of scenarios where that actually matters is slim.

throwaway742

Overt, covert, and surreptitious entry all have their uses.

isatty

Well by your own logic you shouldn’t need a secure password for anything either since you can be beaten with a stick.

asojfdowgh

besides the fact that dragging a sledgehammer into the department of defense is really obvious.

And that hitting something with a sledge or smashing a window would both activate alarms, and just, be really loud regardless.

Yes, there are places without windows and with reinforced doors

Even setting that aside, impressioning attacks require only seconds at a doorway for each step in the process, this defeats that attack.

bump keys only require ~30 seconds if you are lucky, this defeats that

And yes DoD has security cameras, most places do actually.

xur17

> bump keys only require ~30 seconds if you are lucky, this defeats that

Agreed - this is exactly the threat model that I'd be looking to block as a purchaser. Had a friend show me how to pick a cheap lock in < 30 seconds - it was laughably easy.

_ph_

Thinking about larger houses with multiple apartments, which is very common in Germany, lock picking is the number one way of entering, as it reduces the risk of detection and is quite fast. Beyond the ground floor, no one would try to enter through windows anyway, and there the recommendation of the police is to have locks for your windows. It seems to be very uncommon that one tries to break through the glass. Good glass is tough, breaking makes noise and then there is quite some danger of injury. Any good lock can make quite a difference and these locks look very promising as they would defeat the typical picking.

birdiesanders

It moves the attack from being against the lock to being against the door/frame/walls.

paulpauper

if it's really important, then the lock is probably never going to be enough. you probably want a vault