
Illustration by iStock; Security Management

11 Design Rules for More Secure Locks

When locks fail, there is often an element of insecurity engineering at play. This term denotes deficiencies or failures in the design of locks, safes, and security hardware. These failures can compromise systems and the facilities they protect. Their identification can be difficult or impossible without the proper expertise until a breach occurs.

Locks are often the primary defense for most facilities and an integral part of most access control systems, so their secure design is critical. IT, risk managers, and security officers must understand insecurity engineering and how to assess the actual protection that a system can provide. While there is an integration between locks and information technology, I have found that most IT professionals need a better understanding of how locks work and how to defeat them.

For the past 40 years, I have examined hundreds of lock designs and security systems for vulnerabilities and the potential to defeat them. Manufacturers that produce high-security locks that meet UL 437 and BHMA 156.30 can fail to identify issues that can lead to the compromise of critical elements of even the most complicated or sophisticated mechanisms.

The ANSI/BHMA Standard 156.30 (American National Standard for High Security Cylinders) has three criteria for a high-security rating: key control, forced entry, and covert entry. Testing for standards compliance often does not examine or contemplate certain bypass methods, especially for hybrid attacks. Defeats can frequently be simple and can ultimately circumvent even the highest-security systems. In simplest terms, insecurity engineering is a lack of expertise and understanding of how bad actors can cause a system to fail.

The issue is a failure to “connect the dots” from simple design errors that allow the exploitation of design deficiencies, which in turn can lead to the compromise of critical security elements. A design engineer often lacks the creativity and imagination to consider “What if?” scenarios. The term also connotes a lack of understanding or knowledge of past mistakes in similar lock designs. The functional components and basic operating principles within mechanical locks have not markedly changed in 200 years. Knowledge of defeats from hundreds of years ago is often applicable today and instructive for current designs.

Insecurity engineering is also about legal liability and failing to understand that defective designs will ultimately invite lawsuits and damage awards.

As the term implies, insecurity engineering highlights the need to forecast, discover, and prevent insecure products from reaching the end user. The design of locks and systems is only part of the equation. Testing protocols and vulnerability assessments are equal, and real-world attacks can occur if those processes are insufficient.

The 3T2R Rule

To make understanding standards simpler for users, I coined the 3T2R rule as a way to assess the vulnerability of a lock or system against attack. The rule considers three primary criteria: time, tools, and training. How much time is required, what type of tools (simple or sophisticated), and what training is needed to execute an attack? If a system can be compromised, two more factors must be considered: reliability and repeatability of the exploit. The score for each criterion will determine the risk associated with hardware or its system.

Locks and access control systems fail for two fundamental yet interrelated reasons: those involved in the design and assessment process may lack the imagination to anticipate potential and actual security vulnerabilities, and they may lack engineering expertise in bypass techniques. An understanding of how locks are picked, for example, does not equate to the needed expertise to properly analyze a design unless the engineer knows how to pick and is proficient at it.

Six primary methods of compromising locks exist, whether mechanical, electromechanical, or electronic. I identify these methods as picking, impressioning, decoding, hybrid attacks, applying the laws of physics, and specific attacks on key control. Each technique must be thoroughly investigated, especially when methods of attack are combined, because these techniques are often not obvious.

Design Rules for Locks

I have developed 180 rules for the design and operation of locks. The most important of these should be considered by anyone responsible for assuring the security of the hardware they specify and implement.

The key never unlocks the lock. While it may be counterintuitive, the key does not, in most cases, unlock the lock but rather actuates the mechanism that allows for unlocking. If design engineers consider what controls the critical components rather than focusing on the key or credential, they gain a different perspective on defeating security.

All locks are mechanical. Whether the lock is purely mechanical, electromechanical, or electronic, something must move to cause locking or unlocking of critical elements. Even if there are software-controlled components, everything comes down to one or more parts. That is why we always attack the interface between hardware and software: it can be the most vulnerable.

Just because it is patented does not mean it is secure. The patent office does not assess the security of a design, only whether it meets the criteria for patentability. A patent therefore says nothing about whether a lock design is secure; it only establishes that the design is unique and has not been invented before.

Do not rely on standards. Access control systems are often not secure, even though they meet all the UL, BHMA, VdS, or other specifications. Standards do not guarantee security; they are only one measure and are not determinative.

Every lock and system can ultimately be compromised. Remember the 3T2R rule. A system's security is based on the time delay and difficulty of executing an attack. It is always a question of difficulty and expertise required.

All security is about liability. If a design defect in an access control system or its primary components results in a loss, someone will likely be liable for damages.

Any opening in a lock creates a vulnerability. Even a few thousandths of an inch of access can allow the insertion of bypass tools, which can provide for manipulating critical components.

Imagination is critical to conceiving and identifying vulnerabilities. Consider “what if” scenarios to compromise a system, no matter how unrealistic they appear. Hybrid attacks, which combine two or more methods, must also be considered.

In electronic-based locks, electrons don’t open doors, mechanisms do. Credentials and encryption schemes have nothing to do with compromising the interface between software and hardware, which is always the primary target.

Key control can often be easily defeated. All exploits replicate what the key does. 3D printing and using simulated keys, magnetics, and special materials are often easy methods of defeating key control schemes.

Laws of physics always control the movement of components. Critical parts can be actuated through shock, vibration, magnetics, or other forces.

The takeaway: High-security locks and access control systems may appear secure but can be subject to compromise. It is vitally important that risk managers and security officers fully understand historical and current methods of bypassing locking mechanisms to analyze and discover vulnerabilities in current and proposed systems effectively. Understanding and correlating different attack modes in current or proposed designs is a prerequisite for imagining vulnerability.


Marc Weber Tobias, JD, is a lawyer and physical security expert specializing in designing, analyzing, and compromising locks and related hardware. He and his colleagues work for many lock manufacturers in the United States, Europe, and the Middle East. They are tasked with finding security vulnerabilities in current and new designs. Tobias has written eight books and has received 32 U.S. patents. He has been a member of ASIS for more than 30 years and a member of FBI InfraGard for more than 10 years. His latest book, Tobias on Locks and Insecurity Engineering, was released in 2024, published by John Wiley & Sons. Some of the material for this article was taken from this new book.
