A group of researchers has cracked the security features in what are supposed to be some of the world’s most secure locks — locks that are used at the White House, the Pentagon, embassies and other critical locations.

The researchers presented their findings for the first time at the DefCon hacker conference this weekend and showed how they could easily bump and pick the newest high-security M3 locks made by Medeco, a company that owns an estimated 70 percent of the lock market.

In addition to bumping and picking Medeco’s M3 cylinder locks, the researchers also succeeded in the last few weeks to crack a Medeco M3 deadbolt lock — considered to be one of the highest security locks in the world. They showed Wired News how to open the deadbolt in less than a minute using nothing more than a modified $2 screwdriver and a wire shim. They asked, however, that we not publish the details.

"Medeco invented the pin tumbler lock that lifts and twists the pins," says Marc Weber Tobias, one of the researchers and an investigative lawyer and author. "It’s a brilliant idea and basically these are unpickable locks. But we can pick them. Everybody in my profession has been trying to break these for 30-35 years. And frankly, I can’t believe that we’ve come up with this and nobody else has."

He says the deadbolt crack is especially concerning.

"The deadbolt is really a serious security problem," he says. "I don’t want to create a panic, but this needs to get fixed."

The M3 is a new high-security lock that Medeco launched in 2005 to improve upon its previous Biaxial locks. The key for unlocking Medeco’s M3 lock has a patented bar on the side of it that has to make contact with a slider inside the lock. The feature is intended to heighten the lock’s security. But Tobias and his group found a way to simply bypass the slider with a paper clip and proceed to open the lock as if it were a previous-generation Biaxial lock.

"We wanted to (take) a picture of a sign outside the White House or the Pentagon that says ‘Security Warning: No cameras, no cell phones, no paper clips," Tobias says. "This is so ludicrous."

Tobias and his two colleagues, among them computer security researcher Matt Fiddler and a professional locksmith who asked not to be named, made headlines last year when they published techniques for bumping Kwikset locks — the standard brand of lock that is used in most homes. After a small media storm ensued, Medeco responded to the news that Kwikset’s locks could be bumped by saying that its own locks were bump-proof.

So Tobias and his colleagues decided to test this claim last April. They conducted extensive analysis of Medeco’s published key codes and within three months had made their first breakthrough toward cracking the security of the locks. They then spent the next 12 months perfecting their techniques and creating and testing a special set of keys derived from the published key codes for non-master key locks. They’ve since filed several provisional patents for their cracking techniques.

To demonstrate their crack of Medeco’s M3 lock for Wired News, Tobias took a lock and inserted one of the keys that he and his researchers designed from Medeco’s codes. Then he hit it several times with a bump hammer and turned the key.

The deadbolt was opened just as quickly with an even simpler technique using the wire shim and screwdriver. Tobias pointed out, however, that this cracking technique works only on deadbolts that have a single-sided key entry with a flip switch on one side, not on deadbolts that require a key on both sides of the lock.

Tobias says that his group provided Medeco with full documentation of their techniques as well as video showing them cracking the locks. He says that rather than comment on whether their techniques were plausible, Medeco said the researchers didn’t know what they were talking about and insisted its locks were still bump- and pick-proof. Tobias says he told Medeco that he was willing to sponsor a worldwide validity test to demonstrate his group’s ability to crack the locks, but Medeco hasn’t responded to his offer.

Tobias thinks there are a couple of possible reasons why Medeco hasn’t commented on the techniques they used to crack the locks.

"Either Medeco has known about this (problem) for a long time and just won’t comment on it, or the government has known about it for a long time and hasn’t told Medeco. Or (Medeco testers) just can’t replicate this (cracking technique) and don’t understand what we’re talking about. But the bottom line is that we’re opening the locks."

Medeco was unavailable for comment, but a call to the company’s main number produced a voicemail message addressing the bumping controversy and directing callers to this page on the company’s web site.

Tobias says he initially didn’t intend to release this information about the M3 locks at DefCon. He planned to simply write about it in the next edition of his book. But Medeco’s continued insistence that the locks are secure has prompted him to discuss the issue more publicly. He posted information about the lock cracking techniques on his blog and, three days ago, posted a security alert specifically about the M3 deadbolts to a restricted industry site for professional locksmiths. He also met with a representative of the Underwriters Laboratory and intends to speak in September at a meeting of the lab’s standards technical panel for UL 437 to discuss improving the standard for such locks. Currently the standards don’t test for bumping, Tobias says.

Photos: Dave Bullock

[This weekend at DefCon Tobias ran into Jennalynn, a 12-year-old girl who appeared in a YouTube video last year bumping a Kwikset lock. (Jennalynn’s mother declined to give her daughter’s last name because she preferred not to have it published.) Tobias asked her to try bumping Medeco’s Biaxial lock, a more secure lock. She did it three times. Below is a video showing her bumping the lock, with Tobias next to her.