The Ethical Lock-Picker
Bloomberg Businessweek|December 27, 2021 - January 03, 2022 (Double Spread)
Dominic Villeneuve figured out a simple way to bypass a widely used door lock, and he told the manufacturer how he did it. A year and a half later, he’s telling the world
Adam Bluestein

Early one morning in June 2020, Dominic Villeneuve woke up and went to his basement workshop to play with a new toy. A friend had given Villeneuve, the director of cybersecurity and infrastructure for a midsize insurance company in Drummondville, Quebec, a lock from a door in a building he was renovating. It was a good one: a Schlage CO-100 commercial-grade, keypad-operated deadbolt, which retails for about $400 and carries a Grade 1 security rating, the highest bestowed jointly by the American National Standards Institute and the Builders Hardware Manufacturers Association.

The locks on most homes are Grade 3, maybe 2. Grade 1 locks are tested to withstand, among other things, 1 million open-close cycles, eight blows starting at 80 joules (comparable to a jackhammer), and five minutes of grinding with a bolt saw. All of the CO-100’s electrical and mechanical parts are also certified by the Underwriters Laboratories for resistance to wear and tear, weather, and abuse. But Villeneuve knew he could unlock it without the keypad code. He knew he could beat it.

In his day job, Villeneuve analyzes and blocks malware attacks on his company’s network. Smaller financial-service companies and insurance businesses such as his are a preferred target of hackers, because they often have personal and financial data stored in undersecured networks. His favorite part of the job is playing “red team”—attacking his employer’s network with the tricks and gadgets of a better-than-average hacker—to find vulnerabilities. (“Penetration testing” is the technical term.) This also includes looking for ways to covertly access an office or computer and, say, plant a spy pen that has a camera or a USB keylogger to steal logins and passwords. “Every security I see, I try to bypass or find an unexpected way to open it,” Villeneuve says. “It’s in my DNA.”

Villeneuve’s father taught him how to assemble and disassemble carburetors when he was 5. Soon, he was taking apart everything in the house. He started picking locks as a teen, practicing on old padlocks and the door of his family home, using paperclips and filed-down Allen keys. At some point, he acquired a photocopied book purporting to be a declassified CIA field manual on lock-picking.

Today he’s part of a subculture made up of software types, tinkerers, survivalists, locksmiths, and lawyers and other professionals who enjoy the same three-dimensional puzzles. (He’s also co-founder and co-minister of a reform Baptist church in his town.) Members gather for meetups and “sport-picking” competitions that showcase undetectable—“nondestructive,” in lock-picking parlance—methods of opening locks for which they don’t have keys or codes. “It’s better than chess,” says Marc Weber Tobias, a lawyer, security consultant, and well-known lock-picker. “It’s tactile, it’s intellectual, and there are some locks you’re just not gonna open.”

Interest in recreational lock-picking has surged during the pandemic: What better way to get through being stuck inside than with hours of online tutorials? For inquiring minds, the endless corners of YouTube and Amazon.com provide access to information and tools that until recently were generally only available to locksmith guilds, cat burglars, and safecrackers. “In the old manuals on safe manipulation, there’s always a note at the end saying, ‘Now that you’ve read this book, make sure you destroy it,’ ” says Michael, the principal of e-commerce site Sparrows Lock Picks, who goes by only his first name professionally. “Now everything is posted on YouTube.”

This has helped enthusiasts master the art of the bypass at dazzling speed, accelerating an age-old cat-and-mouse game between lock-pickers and makers as locks are bypassed and videos of triumphs spread online. (The r/lockpicking subreddit, with about 169,000 members, maintains a belt ranking of hundreds of locks; those who crack the hardest ones are black belts.) Pickers are playing red team en masse, exposing weaknesses in products that people trust to keep them safe. It’s forcing manufacturers in what analysts at Verified Market Research call the global physical security industry—a market of at least $125 billion—to live up to their own standards. The relationship between the two camps is uneasy.

One of the most famous names in the community is LockPickingLawyer. In spring 2020, he had about 200,000 subscribers to his YouTube channel, and today he has more than 3.6 million. The retired attorney, who lives in the Washington, D.C., area and asked that his real name not be used, has made almost 1,400 demos, many with hundreds of thousands of views, in which he dissects everything from cheap padlocks to high-security deadbolts to explore their inner workings.

Among other thrills, viewers can watch him best a ubiquitous Schlage doorknob lock with a “low skill” attack in about five seconds, open an RFID gun safe with a fork or a spoon, and bypass an allegedly tamper-proof Chinese keypad lock with a Swiss Army knife and a paperclip. LockPickingLawyer’s friend and neighbor, Bosnianbill, who retired from uploading videos in September, had posted more than 1,900 demos since 2007 and has more than 560,000 YouTube subscribers. The Lock Noob, an up-and-comer from the U.K., has over 80,000 subscribers to his channel, which focuses on beginner and intermediate lock-picking. His almost 20-minute Learn Lock Picking: EVERYTHING You Need to Know! video has 1 million-plus views.

LockPickingLawyer has no qualms about exposing the illusion of security lockmakers sell. “I understand people who think that secrecy is desirable in the security community,” he says. “But the secrecy of locksmiths and security professionals for literally hundreds of years is the reason why our security is so bad. There are very few widely used, consumer-grade locks on the market that would even put up an adequate level of resistance to nondestructive entry methods. Consumer education can do nothing but improve that situation.”

This isn’t a new idea. In 1868, Connecticut locksmith and inventor A.C. Hobbs wrote in Construction of Locks and Safes that if a lock was “not so inviolable as it has hitherto been deemed to be, it is to the interest of honest persons to know this fact, because the dishonest are tolerably certain to apply the knowledge practically; and the spread of the knowledge is necessary to give fair play to those who might suffer by ignorance.” The question is: How do you spread the knowledge without empowering the dishonest?

The rules of ethical disclosure are complicated. In a deliberately vague example, LockPickingLawyer describes finding a “zero-skill exploit that could be executed by anyone with a small piece of knowledge” on a lock that law enforcement uses widely. He says he emailed the company that made it, and the company ignored him. He emailed again, giving it a year to patch the problem before he went public. “I just ran out the clock on a year, and I publicized it,” he says, leaking his findings to locksmiths groups. “I don’t want to create any dangers or exploits that would be used in the field. However, if a company is not willing to change their product, there’s only so much I can do.”
