Electronic Physical Security Toolbox, Missoula Technology and Development Center


Lock Vulnerabilities and Their Solutions

  • Without any question, the greatest vulnerability of any key-operated lock or system is the failure of its owner or the user to maintain meticulous key and core control. Key control means that the key custodian and alternate custodian at your facility can account for every key and core for which they are responsible. That includes broken keys and key parts. The key custodian also must be able to account for every assembled lock core. Lock cores must be as accountable as keys, because possession of an assembled core divulges enough information to enable an attacker to create a workable key.

A primary or alternate key custodian will:

    • Be designated, in writing, to issue and receive keys and key cores and to maintain accountability for keys and assembled key cores.

    • Ensure that any individuals designated to issue, receive, and account for keys and cores in his or her absence clearly understand Forest Service key control procedures.

    • Maintain a key and core control register at all times to ensure continuous accountability for keys and cores of locks used to secure Forest Service property.

    • Be authorized to instruct an approved locksmith to make additional keys.

    • Be authorized to instruct an approved locksmith to provide additional assembled cores.

    • Destroy worn or broken keys, key parts, and cores and document their destruction.

Keys must be signed out to authorized personnel, as needed, on a key control register. The key control register and inventory can be on paper or computerized. It must contain at least the following information:

    • The unique and nonrepeated key control number stamped into each key blank.

    • The date and time issued.

    • The printed name and signature (if the control register is on paper) of the person issuing the key. If the control register is computerized, the register must be password restricted with unique passwords for each authorized user. The computer must be able to trace the user’s password to each key transaction.

    • The printed name and signature (if the control register is on paper) of the person to whom the key is issued. If the system is computerized, a biometric ID (such as a thumbprint or iris scan) may be more meaningful than a signature.

    • The date and time the key, or a broken key and all of its parts, was returned.

    • The printed name and signature (or biometric ID) of the person who received the key and returned it to the inventory.

Cores must also be accounted for in a core inventory. The core inventory must contain at least the following information:

    • The unique and nonrepeated core number stamped on each lock core.

    • The date the core was received at the facility.

    • The date the core was installed in a lock assembly and placed into use at the facility.

    • The name of the person who installed the lock assembly.

    • The location where the lock assembly was installed.

    • The date the core was returned to the inventory.

    • The date of destruction, if the core is destroyed.
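
An added example, not part of the original page or of any Forest Service system: a minimal audit over a computerized key control register and core inventory that hold the fields listed above. The field names, user names, and sample rows are constructed for illustration.

```python
from datetime import datetime
FMT = "%Y-%m-%d %H:%M"
KEY_FIELDS = ("key_no", "issued", "issued_by", "issued_to")
# Constructed sample rows; numbers, names and field names are illustrative only.
KEY_REGISTER = [
    {"key_no": "K-0001", "issued": "2013-03-01 08:00", "issued_by": "cust1",
     "issued_to": "A. Smith", "returned": "2013-03-01 17:00", "received_by": "cust1"},
    {"key_no": "K-0002", "issued": "2013-03-02 08:00", "issued_by": "cust1", "issued_to": "B. Jones"},
    {"key_no": "K-0002", "issued": "2013-03-03 09:00", "issued_by": "alt1", "issued_to": "C. Lee"},
    {"key_no": "K-0003", "issued": "2013-03-04 08:00", "issued_by": "", "issued_to": "D. Ray"},
]
CORE_INVENTORY = [
    {"core_no": "C-100", "installed": "2013-01-15", "installer": "E. Park", "location": "Gate 1"},
    {"core_no": "C-101", "installed": "2013-02-01", "installer": "", "location": "Shop door"},
    {"core_no": "C-100"},
]

def audit_key_register(rows):
    """Check sign-out rows (in time order); return (findings, keys still out)."""
    findings, outstanding = [], {}
    for i, row in enumerate(rows, 1):
        missing = [f for f in KEY_FIELDS if not row.get(f)]
        if missing:  # an issue that cannot be traced to both parties
            findings.append(f"row {i}: missing {', '.join(missing)}")
            continue
        key = row["key_no"]
        if key in outstanding:  # same stamped number out twice: duplicate or unlogged return
            findings.append(f"row {i}: {key} issued again while signed out to {outstanding[key]}")
        if not row.get("returned"):
            outstanding[key] = row["issued_to"]
            continue
        outstanding.pop(key, None)
        if not row.get("received_by"):
            findings.append(f"row {i}: {key} return has no receiving person")
        elif datetime.strptime(row["returned"], FMT) < datetime.strptime(row["issued"], FMT):
            findings.append(f"row {i}: {key} returned before it was issued")
    return findings, outstanding

def audit_core_inventory(cores):
    """Flag repeated core numbers and installed cores lacking installer or location."""
    findings, seen = [], set()
    for core in cores:
        number = core.get("core_no")
        if not number or number in seen:
            findings.append(f"core number missing or repeated: {number!r}")
        seen.add(number)
        if core.get("installed") and not (core.get("installer") and core.get("location")):
            findings.append(f"{number}: installed without installer or location")
    return findings
```

The keys left in the second return value of `audit_key_register` are the ones the custodian must still be able to account for.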

Employees must understand just how grave a threat lost keys and cores represent to facility security. Supervisors must understand that after a certain number of keys have been lost (the exact number depends on the level of access granted by each key), the entire lock and key system must be replaced. Doing so will be very costly.

Key control procedures should include a requirement that any employee who loses a key must submit a written explanation of the circumstances of loss. The written explanation should be retained in a file that is subject to review by agency inspectors.

Keys should grant no more access than necessary to any particular employee. A properly designed master key system makes it easy to produce keys that provide just the access required. The loss of a key that grants limited access represents less of a security risk.

  • Unrestricted keyways and key blanks make unauthorized key duplication far too easy. A restricted keyway system makes it far more difficult for any unauthorized person to duplicate a workable key. In a restricted keyway system, the user (in this case the Forest Service) has a uniquely shaped keyway in its lock cores and key blanks. The lock and key manufacturers are forbidden to supply this keyway and blank to anyone without written authorization from a very few designated officials. In very high-security locking systems requiring keys with special cuts and having pins with special features, the manufacturer also may be forbidden to deliver the special key cutter and pins to anyone except specifically designated locksmiths.

  • Because of the way pin-tumbler locks are master keyed, master keying makes locks more susceptible to manipulation by picking or impressioning. Discussing exactly how that happens is beyond the scope of this Web site. A Certified Professional Locksmith or a Certified Master Locksmith whose certification testing included master keying will be able to work with you to design a master key system that will reduce this vulnerability as much as possible while still meeting the needs of your system.

  • A variety of forcible attacks can be used on key-operated lock cores. The result of all these attacks is that all or enough of the lock core is removed to allow access to the components holding the lock closed. Then a suitable tool such as a screwdriver, a dental probe, or a knife can be used to operate the locking mechanism and release the lock.

  • Picking is the best known and most romanticized method of compromising a lock surreptitiously. Picking involves duplicating the action of an authorized key by individually or collectively manipulating the lock’s pins, wafers, levers, or other components with small specialized tools (picks). Picking is more likely to be successful in master-keyed locks. Picking requires considerable practice, skill, and dexterity. Usually, it requires two tools, one in each hand. Most picks leave tool marks on the lock’s pins, wafers, or levers. Sometimes these marks can be detected, confirming an attempted surreptitious entry.

Impressioning is less well known as a method of compromising a key-operated lock surreptitiously.

Impressioning involves inserting a specially prepared key blank (no cuts) into the target lock and turning it, removing the blank and observing it, then making gradual cuts in the key. This process is repeated until the lock opens. The attacker who impressioned the key now has a duplicate key that will open that lock. It also may open other locks if the system has been master keyed.

Impressioning requires considerable practice and skill. The attacker need not necessarily remain on target for more than the second or two needed to insert the key blank, turn it, and remove it. He can make his trial cuts at another location, then return to the target and repeat the operation.

A person using an authorized key to operate a lock behaves in a certain way, a way that is familiar to most of us. If you receive a report that someone was behaving unusually around a Forest Service lock or seemed to be “fiddling” with the lock, contact Forest Service law enforcement.

The lock and the ground around it may have evidence of value (metal filings the size of dust particles, footwear impressions or prints, fingerprints, and so forth). The area and the lock should be processed carefully as a crime scene.

The lock should be removed carefully by a qualified professional locksmith under the immediate guidance of a forensic evidence recovery technician. Once removed, the lock should be taken to an indoor site, such as a forensic laboratory, where the locksmith can disassemble it under the immediate guidance of the evidence recovery technician. The lock must be removed and disassembled without making any additional marks or scratches on the lock and its components. Once the lock has been disassembled, the locksmith familiar with picking and impressioning can guide the evidence technician to search for evidence of someone trying to pick or impression the lock.

  • Combination locks can be forcibly or surreptitiously compromised. The methods of attack are beyond the scope of this Web site.

Federal regulations have detailed specifications for combination locks used for high-security applications, such as storage of classified information. If these locks are to retain their security features, they must be installed by a qualified installer and maintained properly.

For less secure applications (such as locking the gate on the road to a radio site), disc combination padlocks may be used. The best known seems to be the Sesame padlock with four wheels on the bottom. Each wheel has digits 0–9. The combination can be set by anyone who can open the lock. Aside from the obvious bolt cutter attack on the shackle, the lock’s combination can be read surreptitiously by someone with knowledge of the lock’s internal operation and a tool easily made at home. Disc combination padlocks should never be used for moderate to high-security applications. Their use of a numeric combination is a convenience, not a security feature.

Consult a certified professional or master locksmith for appropriate combination locks when they are not specified by Government regulation.



USDA Forest Service, Technology and Development
Last Modified: 03/30/2013 03:28:07