Those of you who follow news of physical security hardware development and are fans of interesting and unique locks are possibly already familiar with the “Forever Lock” product. Popularized by an ex-pat living in Taiwan, where they are manufactured, LockMan28 has been selling these to interested parties via the internet and they tend to pop up from time to time among the locksport and lock collector community.
The most popular model is a bicycle / motorcycle U-Lock design, featuring a long rubber-coated shackle and a thick cylindrical lock body. The lock mechanism itself is rather unique. The keys appear to be rather conventional pin-tumbler keys sporting both bitting cuts on their thin edge and “dimple” style cuts on their broad side…
But the element that makes these keys (and their operation) rather interesting is the fact that the user does not insert them into a conventional, exposed keyhole. Rather, the Forever Lock key is installed into a “drawer” mechanism which then delivers the key to the keyway out of the user’s view.
Schuyler Towne will correct me if I’m misapplying the term, but this appears to be a modern example of an older concept known as a “traveling key” design… once popular on safe locks in prior centuries.
This means that a user of the Forever Lock can operate it, open it, and interact with it… without ever actually seeing the lock mechanism directly.
NOTE – The Forever Lock company also appears to produce cable-style locks, as well as designs geared toward installation in conventional doors…
Well, given that this vendor is advertising a product geared towards an audience who ostensibly wants “top security” and “pick proof” design, the Forever Lock has attracted some degree of attention in the world of competitive lock picking.
The noted sportpicker, author, researcher, and security expert from Germany, Oliver Diederichsen, was among the first to discover a valid attack vector for these locks, posting a video of him having successfully fashioned a bump key (which would be operated remotely via the traveling key drawer). That story was picked up on bike enthusiast sites and forums.
I thought about whether there would be another, perhaps easier and less jarring, means of attacking this lock, however. I used a foil impressioning attack, which is something that is often very effective against dimple style mechanisms.
The foil impressioning attack proved highly effective against the Forever Lock, once I discovered the need to modify one’s key slightly in order to account for the very tight keyway. Simply deep-drilling in all positions and then covering the attack key with foil was a recipe for trouble (see the “Behind the Scenes” video and summary below) but if you shave down the attack key on all sides slightly, this will give enough extra room in the keyway for the foil covering to still fit.
So it turns out, while the lock mechanism is very shielded from view on the Forever Lock and although there is little to no real “access” to the keyway from the outside, the lock mechanism itself does not appear to be very robust. I have yet to fully cut apart and disassemble one of these cylinders, but I’m willing to bet that no pick-resistant or impression-resistant pins are used. The foil key attack worked rather smoothly.
Indeed, in this next video you can see a problem that I identified with regard to the pins and apparent lack of great variation between cuts and differs.
… as you can see in that video, one of the very first attack keys which I created for the foil impressioning attempt managed to actually operate BOTH of the forever locks which I owned. They are not keyed alike, but there is simply such a lack of variation between bitting depths that in-between cuts (or extra deep cuts) will cause the lock to function and the plug to turn with enough jiggling and wiggling. That’s no good.
This attack was not difficult to execute once I discovered that the lock was vulnerable, but the actual research process was slightly messy and I lost use of one lock in the process. If you’re interested in seeing the gritty side of how much lock research happens, feel free to view this last clip…
… in it, you’ll see the very first attempt go awry since my foil-covered key had not yet been modified to slip more easily into the tight keyway. Things jammed up, and eventually the key snapped apart, requiring the NextFab staff and me to attempt cutting the lock open. To their credit, as you’ll see, the Forever Lock is actually made of rather robust steel. The band saws in the shop were able to cut through things somewhat, but eventually loose pieces inside (like the tailpiece nub) caused the blade to jump off its bearings and I finished the “disassembly” job using a pneumatic cut-off wheel.
Ultimately, the Forever Lock is a unique and interesting design. While I find the actual mechanism intolerable and frustrating from an ease-of-use perspective, the notion of hiding one’s keyway from potential attackers is not without merit. Personally, I feel that something akin to a Geminy Shield is a better means of approaching that style of protection (but of course that is not feasible on padlocks, only door locks) but the “traveling key” and “hidden keyway” ideas are neat.
Of course, it appears that much more effort and resource could have been invested in the actual design and implementation of the lock mechanism itself. Use of pick-resistant and impression-resistant pins would have been a good idea and most likely could have frustrated this attack a great deal. Increasing the number of differs, too, between cut positions would also have been a benefit. Frankly, as “cool” as dimple locks are in some people’s eyes, I feel that a conventional vertical-blade key would be just as good if not better in this kind of a system for reasons of key space size.
When showing this attack to the noted sport picker and Lockpicking101.com moderator Squelchtone, he summarized his similar thoughts on the matter by remarking that:
They could easily make it much more secure by implementing a disc detainer mechanism, even a basic one such as found in Master Lock trailer hitch locks, I think they have 3 discs at the most. (but then you run into the issue where there is a finite amount of try out keys such as the S&G environmental padlocks have) but a disc detainer mechanism would make bumping and foil impressioning impossible, but other methods may eventually be found to impression the lock just like old Abloy classics could be impressioned using a half moon copper pipe, or at least that’s what Steve Hampton’s book alludes to.
And the aforementioned Schuyler Towne offered similar remarks, as well:
The fact that they invested in quality materials and adopted a fairly novel delivery mechanism, and then completely phoned in the quality of the cylinder itself, is a great reminder that we always have to think about security in layers.
Ultimately, a hidden keyway and traveling key are always going to be thought of by some people as a form of security by obscurity… and I can see some merit in that manner of argument. Once an attacker purchases, disassembles, and examines a target lock, they can often develop a working attack using their own sample lock hardware as a basis.
In this case, all it took was me purchasing a couple of Forever Locks (cost: $279.98) and I was able to execute this attack within 20 minutes of opening the boxes.
NOTE – Thanks to NextFab in Philadelphia, whose terrific facility and tools made this process go a lot more smoothly. While I could always just tinker with things like this by hand in our office, having the full suite of gear and staff available to us at the fabrication studio is wonderful.
Thanks as well go out to Barry Wels and Mike Glasser, who presented on the topic of lockpicking at a 2600 HOPE conference in New York many, many years ago. It was during this presentation that I first witnessed an aluminum foil tape attack in person, and the lesson stuck with me!
Deviant Ollam is the Director of Education for and a co-owner of The CORE Group. Additionally, Deviant is also a member of the Board of Directors of the US division of TOOOL, The Open Organisation Of Lockpickers. Every year at DEFCON and ShmooCon Deviant runs the Lockpick Village, and he has conducted physical security training sessions for Black Hat, SANS, DeepSec, ToorCon, HackCon, ShakaCon, HackInTheBox, ekoparty, AusCERT, GovCERT, CONFidence, the FBI, the NSA, DARPA, the National Defense University, the United States Naval Academy at Annapolis, and the United States Military Academy at West Point. His nickname is often mispronounced (“Ollam” is a Celtic name and sounds almost exactly like “Olaf” when spoken aloud) but he doesn’t mind as long as he’s being greeted with a hug and a smile.