November 26, 2020

Bike Lock Fiasco

Kryptonite may stymie Superman, but apparently it’s not much of a barrier to bike thieves. Many press reports (e.g., Wired News, New York Times, Boston Globe) say that the supposedly super-strong Kryptonite bike locks can be opened by jamming the empty barrel of a Bic ballpoint pen into the lock and turning clockwise. Understandably, this news has spread like wildfire on the net, especially after someone posted a video of the Bic trick in action. A bike-store employee needed only five seconds to demonstrate the trick for the NYT reporter.

The Kryptonite company is now in a world of hurt. Not only is their reputation severely damaged, but they are on the hook for their anti-theft guarantee, which offers up to $3500 to anybody whose bike is stolen while protected by a Kryptonite lock. The company says it will offer an upgrade program for owners of the now-suspect locks.

As often happens in these sorts of stories, the triggering event was not the discovery of the Bic trick, which had apparently been known for some time among lock-picking geeks, but the diffusion of this knowledge to the general public. The likely tipping point was a mailing list message by Chris Brennan, who had his Kryptonite-protected bike stolen and shortly thereafter heard from a friend about the Bic trick.

I have no direct confirmation that people in the lock-picking community knew this before. All I have is the words of a talking head in the NYT article. [UPDATE (11 AM, Sept. 17): Chris at Mutatron points to a 1992 Usenet message describing a similar technique.] But if it is true that this information was known, then the folks at Kryptonite must have known about it too, which puts their decision to keep selling the locks, and promoting them as the safest thing around, in an even worse light, and quickens the pulses of product liability lawyers.

Whatever the facts turn out to be, this incident seems destined to be Exhibit 1 in the debate over disclosure of security flaws. So far, all we know for sure is that the market will punish Kryptonite for making security claims that turned out to be very wrong.

UPDATE (11:00 AM): The vulnerability here seems to apply to all locks that have the barrel-type lock and key used on most Kryptonite bike locks. It would also apply, for example, to the common Kensington-style laptop locks, and to the locks on some devices such as vending machines.

Comments

  1. O-Pen-ing Your Kryptonite Lock

    Freedom To Tinker is joining in the discussion on the ease of o-pen-ing Kryptonite bicycle locks that use cylindrical keys. Apparently there is some question of how long this has been known. Reasonable proof of this being known for a while might be thi…

  2. More information about prior knowledge:
    http://www.bikebiz.co.uk/daily-news/article.php?id=4637

    In 1992, journalist John Stuart Clark – the cartoonist with
    BicycleBusiness magazine, the print version of BikeBiz.com – teamed up
    with a Nottingham bike thief to show how easy it was to break in to the
    majority of bicycle locks then on the market. One of the methods he
    revealed was the Bic pen method.

    His article in New Cyclist magazine led to follow-ups in bigger
    circulation bicycle magazines such as MBUK, and a BBC consumer
    rights programme also carried a feature on the Bic method.

    Despite the apparent ease of the method, most bicycle thieves, then and
    now, prefer swifter, more strong-arm tactics, such as prising locks open
    with car-jacks. Savvy consumers also use more than one type of lock,
    thwarting the opportunist thief only carrying tools for one type of
    lock-busting.

  3. Joshua Solomin says:

    I think this shows that clearly the only option here is to immediately make Bic pens illegal. Anyone found carrying one on the street will be assumed to be a bike thief, and as such will be liable to be sued by the BIAA (Bike Industry Association of America).

    (Oh, wait — you mean that Bic pens have non-infringing uses, too?)

  4. I found out that the medium grade U-lock I had on my bike 5 years ago could be pried open with a medium-sized screwdriver. I now have a cable lock with a key which could be cut but should be okay because it’s teamed with one of the best safeguards — a relatively worthless bike.

  5. Guns have non-infringing uses…

  6. Guns have non-infringing uses…Do assault weapons?

  7. The Kryptonite vulnerability seems to vary with generations of locks. I have six Kryptonite locks of varying ages, only two of which I’ve been able to pick with the Bic Trick. Both picked locks have pins whose length (judging by the keys) varies less than 2mm from the shortest to the longest. The other four have pin lengths which vary significantly in length, one by as much as 4mm (sadly that’s on a much older model which is trivial to attack by “piping”).

    QrazyQat’s suggestion about the worthless bike remains the method I’ve found most effective over the years. I have bikes for racing which range up into the multi-thousand dollar range, and which I lock with Kryptonite locks. Inside my home.

    The bike which gets locked up outside Fenway Park cost $200 new 15 years ago and is now painted with avocado green latex house paint. I’m not sure if the latex or the green is the bigger theft deterrent.

  8. J.B. Nicholson-Owens says:

    Are common, garden-variety, unexceptional bicycles being stolen? If so, why are they? If it’s for transportation, how about supplying unexceptional bikes to people just for the asking? Perhaps if inexpensive easily-repaired but uninteresting bikes were easy to obtain legally, the desire to steal one would decrease. Call it municipalized biking or something.

  9. I think they’re usually stolen for resale.

    Some cities have tried supplying cheap bikes to the general populace for free. The example I know of is Portland (OR)’s “Yellow Bike” project. IIRC, the project eventually shut down, but it didn’t fail as badly as a pessimistic view of human nature would suggest.