Thoughts on the Forever Lock

The Forever Lock was introduced back in April by LockMan28 as an "unpickable lock". It quickly picked up a lot of steam being featured on Digg, The Telegraph, Business Insider and other places.

I never paid it much attention until I was out drinking with a friend and he brought it up. Whenever I hear something is unpickable, unbreakable, or any other unsomething marketing term, I only roll my eyes. With my involvment in TOOOL, I have had the opportunity to see quite a few amazing openings and attacks. When I see something new I have to refrain from getting all excited about what the attacks will possibly look like.

While I keep hoping that it will be an amazing technique, something magickal, the reality is that most of these fall to some of the same old time honored methods.

So it is the case with the Forever Lock.

My first impressions on the Forever Lock were "wtf?" followed by a "oh dear god why?"

To me it is a complete useability nightmare. I couldn't imagine fiddling with that mechanical condom after work when I just want to get on my bike and ride. I'm not a fan of adding complexity to what should be simple every day objects. Especially when the complexity offers no real benefit and gets in the user's way.

So onto the attacks!

First up is a video by evva3ks in which he demonstrates a bump key attack. Bumping is a simple concept that takes advantage of Newton's Third Law. I'm not going to explain it here but the Lock Wiki has a good write up. This is a great attack as if you can successfully make a bump key you can easily open other locks using the same bump key without modification. This is a particularly devastating attack in my opinion since with practice it can be done quickly and once made does not require additional equipment.

Next up is a series of videos posted by Deviant Ollam in which he demonstrates attacking the Not Quite So Forever Lock, through a foil impressioning attack. If you are not familiar with Impressioning attacks, he does a great job of demonstrating the process here against a different kind of dimple lock and here against the Forever Lock.

Deviant also points out that the lock has poor tolerances in this video. Many locks suffer from this. Machining is expensive and one of the primary differences between cheaper (i.e. less secure) locks and higher security locks is how tight the tolerances are. The Forever Lock also suffers from this making it possible to potentially open the lock with an unmodified key that shouldn't. This also has implications for normal wear and tear, especially something that is designed for frequent outdoor use and is going to be jostled around. I can only imagine how the lock will function after a year.

In Information Security, we often need to learn how malicious actors work, the tools they use, the methodology they use, their mindset, before we can even hope to defend against them.

There is an ever growing library of knowledge out there on attacking locks. If you are designing a lock please, step back, take a look at the different attacks that are a Google search away and ask yourself how you could apply these attacks to your lock.

The same for locks and physical security in general. Otherwise, we are doomed to keep repeating past mistakes.