Breaking into a computer system is an art. It requires talent, patience, knowledge, and a lot of luck. While most of the probing, picking, and testing plays out in long lines of code on a computer screen, the process is the digital age’s equivalent of picking a lock — a skill that many hackers have as well.
At the Eleventh Hackers On Planet Earth conference, a gathering of programmers, hackers, and scientists in New York City, one of the largest sections of the conference’s main floor wasn’t devoted to computers. Instead, it was an open room with rows of long tables called “Lockpick Village.” Inside, sharp metal picks and angled “turning tools” littered tables laid with white sheets, and attendees sat hunched over padlocks, not keyboards. Volunteers, recognizable by their black t-shirts emblazoned with TOOOL, the Open Organisation of Lockpickers, strolled up and down the rows offering help.
The small clicks and scrapes of picks working on locks rustles through the room.
It’s “almost like elderly women’s knitting needles,” says Kristi Farinelli, a mid-twenties software programmer working away on a MasterLock padlock.
TOOOL is a 501(c)(3) nonprofit that promotes “locksport,” as hobbyists call it, with chapters in most major cities in the United States and a handful overseas. The organisation runs on two “golden rules”: Don’t pick locks you don’t own, and don’t pick locks you rely on. In other words, don’t commit felony breaking-and-entering, and don’t compromise a lock you need for your own security (if you break a pick in your front door, it’s a problem).
TOOOL’s American branch started at the HOPE conference in 2006, and has been a fixture at hacking conventions across the country since then. It turns out, computers hackers love breaking into physical locks as well. Most of the HOPE conference’s disciples see hacking as a mentality rather than a particular skill — at its essence, hacking is about pushing back, and questioning imposed limits, testing things to see what happens. This mantra applies just as much to locked doors as it does to closed computer networks (which, coincidentally, are often found behind locked doors), and so physical lockpicking has always been a part of hacking.
“It’s the same as digital security, except you’re looking at physical vulnerabilities,” says Max Power, a TOOOL member from the Boston chapter. Some lockpickers frequently participate in “pen tests,” or penetration testing exercises, where they use a combination of skills, including lock picking, to test the security of a facility for companies. Pen testing is common in both physical and digital security. Organizations including the Pentagon hire security researchers and “white hat” hackers to test their digital and physical defenses.
Here’s Power showing how to pick a lock:
“Locks are definitely the tangible equivalent to online and electronic security,” says David Fiddler, a security expert at SEREPick, a company that trains military and law enforcement professionals in escape and infiltration techniques like picking doors and opening handcuffs or other restraints. “In the same way cyber security experts focus on exploits and insecure points in the digital landscape, they see locks in the physical world the same. Locks are just potential security flaw in real life.” Fiddler said many penetration testers, like Power and his TOOOL cohorts, use social engineering to test their client’s security as well.
Like computer hacking, lockpicking is often grossly misrepresented on screen. The real thing isn’t a complicated process, but it requires a huge amount of skill and dexterity to master. Lockpickers typically use two tools: a pick, which is a thin piece of metal bent in different shapes (depending on the type) used to push the lock’s pins into place, just like a key. The turning tool, an L or S-shaped flat piece of metal slides into the bottom of the keyway, and is used to keep light pressure on the “plug,” the center of the lock that turns. When the picker eases the pins into the right place, the plug turns, and the lock is open. In real life, it’s a lot harder than that, but with a little patience, a complete novice can pop open simple padlocks and TOOOL’s one or two-pin practice locks after 10 minutes or so. Still, Hollywood usually persists in putting ridiculous depictions of the practice — plugs that don’t turn, locks that are picked with one tool. There are a few big exceptions, which Power and his colleagues Nite 0wl and Deviant Ollam pointed out during a HOPE convention panel on “Lockpicking On Screen Versus Real Life.” Linda Hamilton, star of Terminator 2, actually learned how to pick in preparation for the role, and the entirety of her escape scene was picked in real-time, using multiple takes until she got it right.
Another major exception, of course, is USA’s Mr. Robot, which has consistently nailed every detail of hacker culture, including lockpicking. In the fifth episode of Season 1, the protagonist Elliot breaks into a secure data center, picking a lock with both a pick and a turning tool. Except he then realizes it’s the wrong door entirely, and he has to retrace his steps.
Ollam roared with laughter after showing the audience this scene at the HOPE convention.
“I can’t even tell you how many times we’ve been pen-testing a facility and picked the wrong door, like, ‘well, now we’re outside!’” he said, while Power and Nite 0wl laughed. Like hacking, lockpicking isn’t flawless. When you open a door, it’s hard to tell what’s on the other side, but the hacker mentality means always having the skills and tools to find out.