Medeco High Security Lock Picking

Despite Hack a Day seeming fairly lock-heavy lately, we’ve yet to cover a major story from The Last HOPE. At the conference, [Jon King] talked about vulnerabilities in Medeco locks and presented his Medecoder tool. Medeco is really what makes this story interesting; unlike the EU, the US has very few high security lock manufacturers. You pretty much have to use Medeco and it’s found in many government agencies.

The Medeco locks have a vertical row of six pins arranged like most pin tumbler locks. Unlike your average lock, the rotation of the pins is important. When the key is placed in the lock, it not only moves the pins to the correct height, it also rotates them to the correct orientation. A sidebar blocks the cylinder unless the pins are rotated properly. Each pin has three possible orientations. They’re biaxial as well, which means the pin’s offset point allows for three more possible positions.

[Jon King]’s Medecoder tool helps deal with the sidebar issue. Each pin in the lock has a groove running up the side. When the pins are in the correct orientation, these grooves are all perpendicular to the lock body and the sidebar can slide into place. [Jon]’s Medecoder tool is a thin piece of wire with a sliding scale to help you position these grooves correctly.

To pick the lock, you first set all the pins to the correct height. Then, using the Medecoder you find each pin’s individual groove. All Medeco locks have the pins at the same distance from the lock face. The scale on Medecoder indicates where the pin currently is and where the pin should be. You can see [Jon] using this technique to open a lock onstage at The Last HOPE in under three minutes.

This pin vulnerability has been known in Medeco locks since 1974. With the recent release of the Medecoder, Medeco has started manufacturing ARX pins again. ARX pins don’t have the groove cut all the way to the keyway, so they can’t be manipulated by the tool. As we mentioned earlier, unlike software companies, physical security companies have no perceived obligation to patch their install base… even if they’ve known it was broken in some form for 30 years.

The latest issue of NDE has just been released and features a full write-up on the Medecoder. It also details the different kinds of ARX pins that have been developed.

[photo: blackbag]

11 thoughts on “Medeco High Security Lock Picking”

  1. I’m so jealous! I wish I could have gone to The Last HOPE. :(

    At any rate, isn’t it amazing that even though vulnerabilities like this are known, nothing is being done about them? I work for a company that deals with network security, and it never ceases to amaze me how lax some of our clients are about getting things fixed. Most are ready and willing, but others, wow….

    And as far as featuring a lot of locks lately, I don’t mind… keep up the good work, hack-a-day!

  2. When I was involved in a small retail store we had Medeco locks on the door – not because we thought the locks provided any real added security (most thieves would just bust the doors / windows to get in), but because the odds of a key being copied by an employee were dramatically reduced. To get a key copied without our permission you either had to have the hardware yourself, or have it in good with a locksmith who did.

    By contract (again, not 100% enforceable), locksmiths would only copy Medeco keys if proper documentation (including a special card) was presented to authorize the copy.

    This gave us reasonable assurance that we knew:

    a) how many keys existed for our building
    b) since each key was numbered, and we tracked who we gave what numbered key to, we also had a list of people who were responsible for the safe keeping of the key.

    When a staff quit or was let go, they had to turn in their key and we could be reasonably certain they didn’t have a spare to use later on. (Failure to turn in a key cost them, as we would rekey the locks and deduct the cost from their final paycheque).

  3. One more comment about Medeco locks. About 12 years ago, one of the places I worked at had an IBM server with a Medeco lock on the case – except the company lost the keys. No worries, until we needed to upgrade the hardware.

    In small town Winnipeg, we could not find a locksmith willing (or able?) to pick / drill the lock out for fear of damaging the server.

    IBM was going to charge us a few hundred dollars to come out and replace the lock. After speaking with the technician about what was involved (he would use a large screwdriver to force the lock and then replace both the lock and case) – I decided to see what I could do.

    Turns out that the case had enough play in the lid that I was able to use my pocket knife to pry the lid far enough from the lock’s striker to slide it past and open the case. Once open, the back of the lock could be unbolted and removed from the case. So much for using such high tech security!

    Upon explaining to the tech that we didn’t need him to replace the deadbolt on the screen door, he shrugged and gave us the replacement lock (and keys) for free!

    So I put it all back together and gave the keys to my manager (noting that I didn’t need them).

  4. “no perceived obligation to patch their install base”

    Yes, basically a lock is simply one form of defense, in reality you should understand how easy it is to circumvent.

    Software vs hardware:

    In reality there is a huge difference, a physical location can only hold so many people, and only so many people can actually access the location. Imagine 1,000 people trying to pick a Medeco at the same time, or even within a week/month. Now imagine 10,000 people trying to access a network, from anywhere on the globe.

    Besides, anywhere that doesn’t have a window or vent to get into probably isn’t secure with just a lock on the door, like ehud42 says. It is technically obfuscation at this point.

    @3, yeah, I picked up an old HP Desktop (flat) PC once that had a “lock”, but the cover was made of plastic (lined with flimsy metal for RF shielding), it flexed enough to allow the cover completely off without the key.

  5. The little bit of research that I have done suggested that Medeco locks were hard to pick. Now I am confused. I need locks for my house that I can feel halfway secure with. Some person or persons are getting into my house. I had new locks put in, but that doesn’t deter. I’m the only one with the keys. Are Medeco good locks, or better than average?


  6. mamagirl:

    99.99% of break-ins have nothing to do with the lock. They will break down your door, smash a window, etc. The main use for fancy locks is the fact that you need authorization to copy them legally, so employees can’t go out and make themselves copies…

    Pretty much any standard lock should be fine for your home. It is the door itself you should be worried about, as well as windows etc.

  7. mamagirl – if people are entering your house AFTER you have replaced the locks, it is possible that they are not entering through a door. Other possible avenues are windows (especially cellar/basement), sliding doors (often easy to lift out of their track), and the attic. Do you have a dog door? Kids can fit through pretty small doors, and a little kid can open a door from the inside and let bigger kids in.

    Are you calling the police when the break-ins happen? You may want to talk to someone in the sexual crimes unit to see if there have been any similar break-ins in your area. I hate to say it, but this could be a stalker or predator.

    Your local police department should have someone available who can advise you on how to secure the property — possibly even come out for an on-site visit. If they don’t, ask if there is a nearby community that would have someone you could call to discuss security with.

    Consider setting up a Nanny-cam or hook up a web cam that you can use to record video of the room(s) they visit, or monitor it online from work. There are free open source software packages that let you capture video only when something changes, like when someone walks into the frame. Other commenters may have experience with specific packages – I only used one that came packaged with some security cameras my brother-in-law bought to keep an eye on my mother-in-law while he was her caregiver.

    You can set triggers to identify where they are getting in, unless you already know. Stretch a thin thread across the inside of a doorway at ankle height, loosely wrapped on pins stuck into the side of the door moulding — loose enough so they won’t notice if they walk through it. Use spit to stick a hair from the top of the door to the frame. If it is still stuck there when you get back they didn’t open that door. A light dusting of baby powder on a linoleum or tile floor will reveal tracks.

    Perhaps other commenters can suggest other techniques of surveillance or “locking down” your house.

    Now if you confirm that your house is really locked up tight and cameras and other surveillance tricks don’t reveal intruders, consider the possibility — and I DO NOT mean this in a rude way, or even consider it to be the likeliest case — that you could be facing the onset of paranoia. If that’s the case, and you can still make a rational choice about seeking care, you can recover and have a much better quality of life than the likely outcome of an unchecked mental illness.

    I wish you the best, and hope you will take all necessary actions to ensure your health and safety.

    1. I fully understand the situation where the security systems are being disabled by a signal jammer and the cameras are being zapped by a laser beam. They also use a tool that finds the red lens of the hidden cameras. They initially were releasing the overhead garage doors and getting in that way, then cellar windows, second floor screen windows, and I swear they are like mice that can squeeze through a dime size hole. I was being tracked via my cell phone and a tracker put in the door of my car.

      I have Medeco and Mul-T locks installed, they waltz right by them. All the windows are nailed shut, hard wired and wifi cameras on two different systems haven’t stopped them.
