Lockpicking & The Physical Domain of Cyber Security
Physical security is part of the CISSP knowledge domains after all.
In 2015 I had a college professor who taught an Ethical Hacking class. A small part of the curriculum included lessons on physical attack vectors. A major part of asset security (especially on the CISSP) is the physical domain. Additionally, penetration tests occasionally will scope for physical attacks. This class also included a final that included lock picking a deadbolt on a fake door to get to the next stage of the simulated “penetration test” we had to complete to pass the course.
The lessons on lockpicking interested me more than I anticipated (possibly influenced by my lockpicking in Elder Scrolls Games…) and sent me down the path of picking it up as a hobby that I do from time to time.
Lockpicking As a Hobby
This is also known as “locksport”, which basically means recreationally (legally) picking locks to challenge yourself to pick harder and harder locks. There’s even a whole karate-based belt system on the lockpicking subreddit. According to that ranking system, I’m an Orange Belt because I’ve picked the two Master Lock 570s in my collection.
With that said, I’m pretty bad at lockpicking. I haven’t picked anything particularly difficult, and I don’t practice that often. Strangely, my favorite part of the hobby is…collecting lockpicks? Something about the variety of shapes, sizes, art styles, and mechanisms for SPP (Single Pin Picking), Raking, and bypassing (Comb Picks, Bump Locks, Traveler Hooks, etc.) all pique my interest for whatever reason.
So with that, here are some neat pictures of my collection (the vast majority of them are Sparrows):
Lockpicking Vault-Tec Bobblehead for +1 to lockpicking Skill
All of the Master Lock #3s in the center, as well as the “Fortress” locks, have been opened, but were closed when I took this picture
Some bypass tools including comb picks, traveler’s hook, pin punches, a door jim (shim), a “shank”, a master switch, and of course a handcuff key
Some of the Sparrows special edition picks, some with fancy art
Sparrows mace picks + mace expansions
Some special edition Halloween Sparrows picks, as well as some wafer and automotive try out keys picks
Sparrows dark shift + expansion
Various tension tools
Lockpicking Resources
Places I like to spend money:
YouTube Channels I like to watch:
- Bosnian Bill
- Lockpicking Lawyer (There’s a good chance you’ve seen this channel before on Reddit)
- LockNoob
Additional Information on Physical Attacks
I don’t know much about Kevin Mitnick as a person, but he has two fairly good books on Social Engineering and utilizing physical vectors as a foothold for digital exploitation.
- The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers by Kevin D. Mitnick
- The Art of Deception: Controlling the Human Element of Security by Kevin D. Mitnick
There’s an excellent cyber security focused podcast called ‘Darknet Diaries’ and in particular, these two episodes are some of my favorites that deal with physical vectors
If you’re interested in other physical attack tools/devices check out:
Personally, I have a small collection of Raspberry Pis that I pretty much ignore (sorry Mr. Robot), and a WiFi Pineapple that I’ve barely played with because I’m afraid I’ll go to prison if I spin it up. That thing is dangerous, for real.