Abus Lock opened with Blue Tac
This really is a great example of discovering and exploiting a lock’s vulnerability.
In late 2007, Jaakko Fagerlund absolutely crushed an online competition hosted by LP101. The competition was simple: submit a novel article on locks and win a vehicle lock out set.
Jaakko's submission was so strong that it forced Abus to alter their manufacturing process.
The target lock was an Abus 8850 padlock. Being deep into the hobby of lock picking since 2005 in Finland, Jaakko has taken apart thousands of locks. What makes the Abus 88/50 special is it is a disc lock. For those who are familiar with disc locks, you can skip the next paragraph.
Disc locks are very different from your standard pin tumbler locks. Instead of lifting pins into position, the key is turning wheels like in a safe. When the wheels (discs) are in the correct position the lock can open. Picking disc locks can be very difficult and requires special tools such as our Disc pick to maneuver these internal wheels into position.
For the Abus 88/50, each key and lock have their own code. This code relates to the cuts in the key. An example would be a key code of 4363144, each number related to the depth of the cut in the key. A 6 would be no cut at all and a 1 would be the deepest cut.
Inside the lock, the discs would also have to match with the cuts in the key. When a key is cut 4363144 the lock must be assembled from bow to tip with discs that are also 4363144.
This is where is gets interesting: Jaakko noticed that for the Abus 88/50 each disc had a number stamped into it to aid with assembly in the factory. When being assembled in the factory, the key card would be placed on the work bench and the discs laid out in a way that they could verify a match with the key. By having the number stamped into each disc this ensured the correct discs were being added in the correct order.
All you needed was a tool to see these numbers inside the lock. If you could see the numbers, you could make a working key.
Using a thin T-shaped wrench with a small amount of Blue Tack, Jaakko was able to probe inside the lock and press against the discs, getting an impression of the number on the tack. It would not be a full impression but enough to decipher what it was—half of a number 6 is unique enough that you would not interpret it to be a 4.
By repeating this process for each disc, Jaakko would get the code for the key. With the code of the key, it just takes a bit of time to duplicate the key.
It cannot be understated as to how large of a vulnerability this exposed. Abus, a company known for engineering some of the greatest high-security locks, was defeated by gum on a stick.
When the paper was published it was a tie for first place in the LP101 competition and Jaakko received an invite to present it at the Dutch open (Lock Con) that year. A few months later he also received a call from Abus who had learned of his gum on a stick exploit.
WE NEED ANSWERS
SPARROWS: First off, a long overdue congratulations of the win and article.
Jaakko: The paper I wrote actually shared first place with another submission, I think the guy's handle was "UWSDWF" or similar. As I wasn't into locksmithing yet, more of a hobby picker and being that the other guy was in USA, I said that I'm happy to have him get the automotive door opening kit, as I didn't have use for it and would be cheaper with the shipping. As a side note, I have no regrets for letting go of the prize even though I later would have had use for it, I was just happy to participate and happy for the community to appreciate my work to get a shared 1st place :)
SPARROWS: UWSDWF reach out we need to know what you wrote to get the tie!
SPARROWS: Lock picking was a hobby that turned into a profession then. You went from lock picking to become a Safe Technician.
Jaakko: Yes, originally started lockpicking as a hobby roughly in 2005, made the ABUS discovery two years later, got into machining as a hobby and that turned to profession in 2009 as a tool & die maker. I got interested in safe locks and learned manipulation quite quickly and opened my first safe on 25th of July 2015. This inspired me to set up a website offering safe opening service, as I noticed that nobody else in Finland advertised such a service. I got a few jobs here and there and in April of 2018 I set up a company and started getting more and more work, which now is almost a full-time job for me, roughly a hundred openings or service calls per year.
SPARROWS: I have to ask how did Abus contact you and did it take a while or was this within a few days of the paper being published?
Jaakko: It took a little while. I released the paper in late July 2007 and then gave a talk on it at Dutch Open, nowadays known as LockCon on November 24th 2007 about the exploit. Originally it was username 'mh' from Germany that contacted me and asked if I had talked with ABUS yet. I hadn't, so he asked permission to talk to the factory on my behalf. First, he got the normal customer service answer 'our products do not have any numbers inside them', but when he asked to escalate and sent the paper, I remember it took a few days or a week that I was contacted directly by the head of R&D or some other higher up on December 10th 2007. He understood the implications and thanked me and that it would take them 2-3 months to fix the issue. And so, they did, they removed the numbers or moved them far off from the keyway opening area to be effective to spoil my attack. He sent me their flagship lock, model 37/55 with no keys and said that there are new discs inside and if I can send him the keycode without destroying the lock, I get the keys for it. This took me quite a long time, as I built a picking tool out of brass and parts from an Abloy Classic lock and spent many hours to get it open and decoded. I got it correct and got the keys, still have the lock, keys and I think I have the original tool also.
SPARROWS: This sounds like the next Journal entry "Jaakko VS ABUS II" .... we want details and pictures.
Jaakko: Ok I will see what I can find. This is from some time ago.
SPARROWS: Was Abus upset in anyway with your exploit?
Jaakko: Overall contact from ABUS was calm, professional and very friendly, hats off to them for their conduct!
SPARROWS: This is one of my favorite bypass stories. Do you have another one that you find to be clever in its attack?
Jaakko: I think the ABUS thing was my 15 minutes of fame so to speak, haven't had such a eureka moment afterwards at least when it comes to bypasses, but have had fun with safe key locks and developing tools and decoders for them, like the RKL-10 decoding tool (Restricted to trade professionals) that was a hit on the market for fast and reliable opening of the lock compared to other tools. For certain mechanical combination lock used in Diplomat safes I've developed a method to get all the possible combinations from just doing couple of measurements with the dial. Nothing fancy, just have had fun and tried to get better in everything :)
SPARROWS: Any other attacks you wish to share or things you're working on?
Jaakko: I'm making professional tools for other professionals and also to hobby pickers. The opening tools I build, and sell are all built by me, here in Finland and each has been tested by yours truly. My best seller is a decoder pick tool for the Abloy Classic locks with a very unique and sturdy case for it. I sell them directly and soon they should be available from Wendt (zieh-fix) also. For those interested they are 300 EUR each (VAT excluded) plus shipping.
SPARROWS: Great work start to end Jaakko, a brilliant exploit and turning a hobby into a full-time profession. Best of luck going forward.
For those interested below is a link to Jaakko's company it includes a photo section with his safe opens. Items are not posted on the site for sale. If you interested reach out to him directly at email@example.com
NOTE: Allow Jaakko 72 hours to reply to your emails. He has a very demanding schedule. Some of his tools are restricted to trade professionals.
All the photographs provided by Jaakko Fagerlund.