the kryptonite lock-picking incident

procrastinating at work on september 13, 2004, i read a thread posted on a non-bicycle-related message board by Chris “unaesthetic” Brennan saying, somewhat cryptically, “your Kryptonite lock isn’t safe and can be opened with a pen”. he referring readers to the thread on bikeforums.net.

the thread, somewhat alarmist in tone (any internet posting containing “please tell everyone you know” should be carefully vetted before actually telling everyone you know), stated that it was possible to open any Kryptonite u-lock which used a barrel-style key by inserting the barrel of a Bic-type ballpoint pen and turning it.

a few readers posted followups claiming trouble opening their locks, but a poster named Peter Hedman was able to open his Kryptonite u-lock using the described technique. he uploaded a video of him opening a Kryptonite u-lock with a pen, providing visual proof. click here to see that video.

as more people tried to pick their own locks, more and more reported success and the discussion quickly grew into the dozens of pages.

the technique involved the use of a common, white, plastic-barrel Bic pen. you remove the cap and the tip, including the writing nib and ink storage tube. the remaining plastic cylinder is then inserted into the round-barrel of the Kryptonite lock, mashed down a bit, and turned to open the lock. it so happens that the barrel of the pen is both the correct diameter to fit the lock, and made of plastic of moderate hardness so the body of the pen can deform enough to push into the lock’s tumblers, while retaining adequate rigidity to turn the mechanism.

the reports i was reading had one problem - the caliber of the locks being opened. Hedman, and then others, had succeeded in opening a $30, base model, u-lock. this was not a product that i, or anyone else in a major city, would trust to secure an expensive (or any) bike on the street for more than a minute. i’ve seen first hand how these cheaper locks can be popped open in just a few seconds using a small crowbar, or even the bike frame itself (picked up and twisted, acting as a lever), to leverage the lock and pull it apart.

i needed to know if the high-end Kryptonite EV disc lock, the ubiquitous yellow lock supplied with the Kryptonite nyc chain could be broken. it was the lock recommended by every bike shop in the city, and the lock used by almost every serious new york cyclist who locks their bike outside, myself included.

i posted my question, but no one on the bikeforums thread could answer me regarding the vulnerability of this product, so i went home that night, got out my lock and a bic pen and went to work. half an hour of grinding a plastic pen into the lock proved fruitless, so i went to bed.

the next morning, not being one to give up on pointless and frustrating things until i’d either succeeded or broken enough skin that it’s too painful to continue, i gave it one more shot. sure enough, twenty minutes later, open pops the lock.

a few more tries, and i had it down to 20 seconds. with two minutes left before i had to run off to work, i pulled out the digital camera and made the movie that started all the commotion. click here to see that video.

the bikeforums thread was getting enormous and i got no work done with all the questions i was fielding. that night, i was back at with the pen, and could now open the lock in a few seconds, the same time it took using a key. i made a new video of that. click here to see that video.

by mid-day, my website stats showed tens of thousands of hits on the videos. i was moving gigabytes of data every hour. thanks to dreamhost web hosting, it was no problem and the videos were always online.

that evening, the internet questions had turned into calls from newspapers, magazines, radio, and tv stations. it started with a call from an Associated Press reporter (thanks to Emily from Philly, really), and a day later, the NY Times, Daily News, Post, NPR’s All Things Considered, a variety of bicycle and security trade magazines, a number of local New York talk radio stations, and smaller publications from across the country were calling and emailing me for interviews.

sitting at work and doing radio interviews by phone is a great feeling.

it was an entertaining week or so, and i racked up quite a bit of publicity, which i may or may not have actually deserved, but i suppose i was local and accessible.

it also seemed to bring everyone i’ve ever known in the last 15 years out of the woodwork.

in the end, Kryptonite, which is owned by Ingersoll-Rand, a huge corporation, handled the incident well. they sent out replacement locks with reasonable speed, and rushed their almost-ready new product line to the market.

a lot of people have asked me if i thought Kryptonite knew their products were so vulnerable. I’m not sure. their new locks do not use barrel keys, indicating they believe cylindrical locks were inferior, but i’m not sure if they knew the problem was so severe.

i’ve spoken with a lot of people about this, including a number of longtime bike messengers, who claim to have known about this problem for a decade or more. sure enough, a newsgroup posting from the early 90s surfaced, suggesting this was possible. not much was made of it, however.

Kryptonite never contacted me directly, except routine calls about lock replacement.

excerpts from my website and screenshots from my video are going to appear in the following textbook, scheduled for publication in early 2007.

Cases in Public Relations Management
Author: Patricia Swann
Publisher: The McGraw-Hill Companies, Inc.

 

media

» view the original video (quicktime).

» view the fast video (quicktime).

» All Things Considered interview with Michele Norris (mp3).

scans of the ny times piece. click for a larger view.

» click to read the ny times article

» click to read the article from CSO magazine

scan of the hard-hitting daily news article. don’t i look shocked? click for a larger view.

stills from the video

thirdrate dot com

archives:
December 2006
S M T W T F S
« Aug    
 12
3456789
10111213141516
17181920212223
24252627282930
31  


recent posts