Early one morning in June 2020, Dominic Villeneuve woke up and went to his basement workshop to play with a new toy. A friend had given Villeneuve, the director of cybersecurity and infrastructure for a midsize insurance company in Drummondville, Quebec, a lock from a door in a building he was renovating. It was a good one: a Schlage CO-100 commercial- grade, keypad-operated deadbolt, which retails for about $400 and carries a Grade 1 security rating, the highest bestowed jointly by the American National Standards Institute and the Builders Hardware Manufacturers Association.
The locks on most homes are Grade 3, maybe 2. Grade 1 locks are tested to withstand, among other things, 1 million open-close cycles, eight blows starting at 80 joules (comparable to a jackhammer), and five minutes of grinding with a bolt saw. All of the CO-100’s electrical and mechanical parts are also certified by the Underwriters Laboratories for resistance to wear and tear, weather, and abuse. But Villeneuve knew he could unlock it without the keypad code. He knew he could beat it.
In his day job, Villeneuve analyzes and blocks malware attacks on his company’s network. Smaller financial- service companies and insurance businesses such as his are a preferred target of hackers, because they often have personal and financial data stored in undersecured networks. His favorite part of the job is playing “red team”— attacking his employer’s network with the tricks and gadgets of a better than- average hacker—to find vulnerabilities. (“Penetration testing” is the technical term.) This also includes looking for ways to covertly access an office or computer and, say, plant a spy pen that has a camera or a USB keylogger to steal logins and passwords. “Every security I see, I try to bypass or find an unexpected way to open it,” Villeneuve says. “It’s in my DNA.”
Villeneuve’s father taught him how to assemble and disassemble carburetors when he was 5. Soon, he was taking apart everything in the house. He started picking locks as a teen, practicing on old padlocks and the door of his family home, using paperclips and filed-down Allen keys. At some point, he acquired a photocopied book purporting to be a declassified CIA field manual on lock-picking.
Today he’s part of a subculture made up of software types, tinkerers, survivalists, locksmiths, and lawyers and other professionals who enjoy the same three-dimensional puzzles. (He’s also co-founder and co-minister of a reform Baptist church in his town.) Members gather for meetups and “sport-picking” competitions that showcase undetectable—“nondestructive,” in lock-picking parlance—methods of opening locks for which they don’t have keys or codes. “It’s better than chess,” says Marc Weber Tobias, a lawyer, security consultant, and well-known lock-picker. “It’s tactile, it’s intellectual, and there are some locks you’re just not gonna open.”
Interest in recreational lock-picking has surged during the pandemic: What better way to get through being stuck inside than with hours of online tutorials? For inquiring minds, the endless corners of YouTube and Amazon.com provide access to information and tools that until recently were generally only available to locksmith guilds, cat burglars, and safecrackers. “In the old manuals on safe manipulation, there’s always a note at the end saying, ‘Now that you’ve read this book, make sure you destroy it,’ ” says Michael, the principal of e-commerce site Sparrows Lock Picks, who goes by only his first name professionally. “Now everything is posted on YouTube.”
This has helped enthusiasts master the art of the bypass at dazzling speed, accelerating an age-old cat-and-mouse game between lock-pickers and makers as locks are bypassed and videos of triumphs spread online. (The r/lock picking subreddit, with about 169,000 members, maintains a belt ranking of hundreds of locks; those who crack the hardest ones are black belts.) Pickers are playing red team en masse, exposing weaknesses in products that people trust to keep them safe. It’s forcing manufacturers in what analysts at Verified Market Research call the global physical security industry—a market of at least $125 billion—to live up to their own standards. The relationship between the two camps is uneasy.
One of the most famous names in the community is LockPicking-Lawyer. In spring 2020, he had about 200,000 subscribers to his YouTube channel, and today he has more than 3.6 million. The retired attorney, who lives in the Washington, D.C., area and asked that his real name not be used, has made almost 1,400 demos, many with hundreds of thousands of views, in which he dissects everything from cheap padlocks to high-security deadbolts to explore their inner workings.
Among other thrills, viewers can watch him best a ubiquitous Schlage doorknob lock with a “low skill” attack in about five seconds, open an RFID gun safe with a fork or a spoon, and bypass an allegedly tamper-proof Chinese keypad lock with a Swiss Army knife and a paperclip. LockPickingLawyer’s friend and neighbor, Bosnianbill, who retired from uploading videos in September, had posted more than 1,900 demos since 2007 and has more than 560,000 YouTube subscribers. The Lock Noob, an up-and-comer from the U.K., has over 80,000 subscribers to his channel, which focuses on beginner and intermediate lock-picking. His almost 20-minute Learn Lock Picking: EVERYTHING You Need to Know! video has 1 million-plus views.
LockPickingLawyer has no qualms about exposing the illusion of security lockmakers sell. “I understand people who think that secrecy is desirable in the security community,” he says. “But the secrecy of locksmiths and security professionals for literally hundreds of years is the reason why our security is so bad. There are very few widely used, consumer-grade locks on the market that would even put up an adequate level of resistance to nondestructive entry methods. Consumer education can do nothing but improve that situation.”
This isn’t a new idea. In 1868, Connecticut locksmith and inventor A.C. Hobbs wrote in Construction of Locks and Safes that if a lock was “not so inviolable as it has hitherto been deemed to be, it is to the interest of honest persons to know this fact, because the dishonest are tolerably certain to apply the knowledge practically; and the spread of the knowledge is necessary to give fair play to those who might suffer by ignorance.” The question is: How do you spread the knowledge without empowering the dishonest?
The rules of ethical disclosure are complicated. In a deliberately vague example, LockPickingLawyer describes finding a “zero-skill exploit that could be executed by anyone with a small piece of knowledge” on a lock that law enforcement uses widely. He says he emailed the company that made it, and the company ignored him. He emailed again, giving it a year to patch the problem before he went public. “I just ran out the clock on a year, and I publicized it,” he says, leaking his findings to locksmiths groups. “I don’t want to create any dangers or exploits that would be used in the field. However, if a company is not willing to change their product, there’s only so much I can do.”
Continue reading your story on the app
Continue reading your story in the magazine
Bottom-Fishing Can Be Scary
In a rough year for stocks, it’s tempting to try to grab bargains now. Just be careful
RETHINKING FAIR PAY
Companies are overhauling compensation amid an uptick in relocations
Getting close enough to touch an animal usually isn't a great idea. But in a quiet lagoon on Mexico's Baja Peninsula, the whales are happy to oblige
BUILD BACKS BETTER
In a scoliosis market where treatments have changed little since the 1970s, even new brace technology shows how far we still have to go
A long-term survey of women in astronomy reveals a sordid culture of discrimination and inequality in academia
The Teen Who Defied DeFi
How a young math whiz nabbed $16 million by exploiting decentralized finance | Index Finance was one of the great hopes of decentralized finance, the blockchain-based movement challenging Wall Street's gatekeepers. With one swift set of transactions, an 18-year-old math prodigy liquidated $16 million of its assets and opened a new legal frontier
Nigerian Projects Stall as Chinese Loans Dry Up
President Buhari's legacy could be marred by Beijing's waning appetite for costly public works abroad
The Twitter Deal's Big Debt Bill
If the acquisition goes through, the company will face mounting interest expenses as it tries to grow
The Very Last of Lehman Brothers
The bank whose collapse marked the beginning of the 2008 financial crisis is only mostly dead. Meet the people attending to its final remains
This Time Is Different
The slump that startups thought would never happen has arrived
Traditional Fumed Finish for White Oak
A simple approach to this classic finishing technique.
Run Confidently When You're Just Starting Out
OUT OF THE ELEMENTS
KNOWING HOW TO BUILD A SHELTER IS GOOD. FINDING ONE READY-MADE IS BETTER
WAR TRANSFORMS UKRAINIAN BROTHERS' GAMING YOUTUBE CHANNEL
Starting out with funny videos and chat over Mario Kart racing games, two Ukrainian brothers have added a somber tone to their YouTube channel popular with young Japanese with updates from their country that bring the harsh realities of war closer to Japan.
4 Reasons Your Brand's Video Content Is Weak (and How To Fix It)
Video marketing has increased significantly over the years, and will undoubtedly continue to do so in 2022. According to research from Wyzowl, roughly 86% of businesses use video as a marketing tool — a dramatic increase from 2016, when only 61% of brands did so.
The Best Work-From-Home Cities for 2022
Working from home for good? These US and Canadian cities offer an ideal mix of affordability, livability, and connectivity.
Luke came out as trans when he was 11, hoping to start hormone therapy as a teenager. Instead, he was held hostage in a political and medical battle that’s far from over.
Stitched Together - For the Birds
This British crafter is inspired by the beauty of the natural world.
BETTER THAN THE PREDATOR
The InfiRay MH25, a Capable, Handheld, and Mountable Thermal You Can Actually Afford
Piper Rockelle Is Here to Bring the Drama
Piper Rockelle wants to be clear: she does not consider herself famous.