Kryptonite lockpicking


This
bikeforums thread
explains that it is trivial to pick a
cylindrical-key Kryptonite U-lock in a few seconds with a Bic pen. One
poster provided a movie (mirrored by Engadget) of how quick it works.


The ten-page thread turns out the way you expect — lots of people
upset that they were counting on this lock to protect their bike, some
others reporting thefts in their area where the U-lock was left locked
on the pole and the bike removed, lots of people angry that whoever
discovered it went public, and so forth.


The people who are angry about it going public haven’t thought very hard
about the reports of bikes going missing around an “unopened” lock.


It’s a little physical-security microcosm of the full-disclosure debate
that comes up regularly in the data world, and it’s a particularly clear
example of how things work out. If you have a Kryptonite lock, are you
thankful that someone broke the news, or are you annoyed because now
you can’t use the lock alone anymore?


More practically, if you use a cylindrical-keyed Kryptonite lock, this
would be a good time to start locking up your bike with two locks.


11 responses to “Kryptonite lockpicking”

  1. Ouch. Give Kryptonite a call, at least — a bunch of people in that bikeforums thread did and were at least promised calls back once Kryptonite figured out what the heck they were going to do. It’s worth a chance for a cheap upgrade to one of these, which has a much better cylinder (look at the keys).

    If nothing else you could combine what you’ve got with a good woven cable with a good pick-resistant padlock, which would probably make other bikes around more attractive. There seems to be some truth to the observation that bike thieves tend to travel equipped to defeat one kind of lock at a time.

    I’m probably going to pick up a second bike in the next little while (this is the time of the year to buy!) since my road bike is a bit too nice and too inconvenient for errands. This episode has convinced me to find a good but unremarkable beater for around town.

  2. Alot of the “bad guys” probably already knew about this before it was disclosed. So while I can understand the “you disclosed this, now my expensive device is worthless.”
    Would you rather wait to find out you had a worthless expensive device when your bike was stolen but the locked lock was left behind to taunt you and to mystify how it was done. Especially if you then locked replacement bike with the same kind of lock.

  3. More practically, if you use a cylindrical-keyed Kryptonite lock, this would be a good time to start locking up your bike with two locks.

    Presumably not two Kryptonite locks? :D

  4. I once knew a courier who had a really nice $2000 bike, but if you looked at it without noticing too closely (i.e. expensive components) you thought you were looking at a $100 beater. He had the frame painted an ugly orange color by an artist friend to make it look old, ratty old handlebar grips, didn’t clean the rims, stuff like that.

  5. It’s likely that some people knew of it. My major concern now is that bored teenagers are going to go around taking bikes with Bic pens just because they can.

    For what it’s worth about the first thing I did when I read this was go down to my garage and get my ULock out. Of course then I realized that we didn’t have a single Bic pen in the house. I managed to find some Schwaggy pen of the right size and lo and behold, my KryptoLok was defeated. Moving the lock back to the normal position was kind of tricky as my pen was ruined, but I guess that is sort of moot, since the lock is about worthless. I guess I should lug my cable lock around too more often.

  6. Your concern is well-founded, as I’m sure plenty of people saw the movie and thought “Cool! Free bike!”. On the other hand, it really is best to know there’s a problem and handle it. With the information now disseminated, everybody knows. The “bad guys” already knew, and yes, now the bored teenagers know, but at least you can protect yourself.

    Remember: knowing is half the battle.

  7. I agree with you 100% about security by obscurity. But I can still be sad to see the bar to stealing a bike lowered to a visit to OfficeMax!

  8. But it was lowered when the first guy found out that this worked. Posting it all over the internet raised the bar by telling everyone that they can’t trust that lock anymore.

  9. I think over the longterm the bar might be raised, but for the near term it is definitely lowered. I am certain that there will be some poor souls who will get their bikes stolen over the next few weeks because not everyone will have heard that their lock is not secure, but some miscreant will.

    I really wonder what Kryptonite and the other manufacturers are going to do about this? Can they afford to do a recall?