A quick browse at the hardware store reveals a variety of key and combination padlocks. But which meet the customers’ needs? Organizations of all sizes face the cybersecurity parallel every day. Should they rely on a router or a next-generation firewall? Is encryption at rest required? Is HTTPS good enough or should a VPN be implemented?
Many padlock designs have not changed significantly in the past thirty years. A cursory look around the gym locker room reveals many of the lock models used at schools in the 1980s. But instead of protecting books, they are now securing expensive watches, credit cards, keys, building access cards, USB flash drives, and smartphones containing sensitive personal and corporate data. Sadly, most of these locks can easily be broken or shimmed. The vast majority of lock owners are likely unaware of the vulnerabilities and have not stopped to consider that they are attempting to protect thousands of dollars with a proverbial $5 lock.
Studying padlocks is a great way to learn security concepts. They are readily available, inexpensive, and relatively easy to explore. In addition to the lock itself, there are issues with surrounding hardware and the overall intersection of physical and cybersecurity. For example, are physical security controls aligned with information security objectives?
The Canadian padlock market is dominated by Master Lock Company LLC, which also owns American Lock, Dudley Canada, and Sentry Safe. They have a virtual monopoly in Canadian hardware and home improvement stores. Many locksmiths carry Abus, Abloy, and LSDA products, the latter of which are only available through locksmith channels. A larger selection is available from Amazon.
ASTM International, founded in 1898, publishes ASTM F883 – 13 Standard Performance Specification for Padlocks and related standards. In theory, international standards make good sense, but testing is generally performed by the manufacturers themselves or subcontracted to locksmiths instead of qualified third-party laboratories. The American National Standards Institute (ANSI) and the Building Hardware Manufacturers Association (BHMA) also publish standards for locks, but their focus is on door locks, not padlocks.
There is also a practical issue: Readily available padlocks seldom include ASTM, ANSI, or BHMA ratings. Manufacturers tend to invent their own instead. Master Lock appears to prefer describing product characteristics with phrases such as “hardened steel shackle for extra cut resistance” and “5-pin cylinder for maximum pick resistance.” Abus, in addition to descriptions, labels their locks with a “security level” from 1 to 10, but fails to explain their rating criteria.
Overly simplistic relative ratings also ignore the fact that the best padlock for one application may provide insufficient security for another. For example, gym members require a lock that cannot be rapidly shimmed or easily broken open. On the other hand, it should be assumed that criminals seeking entry into a parked truck will possess bolt cutters. Consumers are unfortunately provided very little information to help them choose the right lock.
The large padlock manufacturers do not appear to want to talk about their products either. Abloy and Master Lock would not respond to email inquiries. An Abus representative replied and promised to provide answers via email, but then failed to do so. Greg Waugh, President of Pacific Lock Company (better known as PACLOCK), was an exception. He was pleased to talk about his firm’s products and the padlock market in general.
PACLOCK is a California-based, family-owned lock manufacturer. They purchase some made-to-specification components from overseas, but machine and assemble their locks in the United States. The company produces a variety of products and was happy to send me a few to examine. PACLOCK knows their business; they have sold more than four million locks to the U.S. military.
“Most of our advancements come because we’ve looked at the problem differently than our competitors,” Waugh explained. “Or we may have applied our products in a way that the others have not. Our first step in our innovation process is to do our best to ignore ‘how it’s done today.’ Instead, we look at the security problem in its entirety, not just at how we can design a padlock to be bigger, better, or stronger. We look at the entire security solution to see where the weakest link might be in the chain.”
Waugh, who worked in IT before taking over the family business, explained that customers often overlook critical details. “The most common example is one wherein a padlock is affixed to some sort of a metal hasp or clasp that has been permanently attached to a door or a gate…but what is most often overlooked is the fact that the hasp to which the padlock is secured is flimsy, poorly constructed, or not well-suited for its job.” It doesn’t make sense, he pointed out, to spend “$100 or more on an ultra-secure padlock only to attach it to an $8 hasp that is held on with three sheet metal screws.”
I was pleasantly surprised with the quality and value of PACLOCK products. Their 90A aluminum padlock with a 6-pin rekeyable cylinder sells for less than US $20 and is clearly superior to most similarly-sized padlocks on the market. Alternating spool and serrated pins make it as pick-resistant as pin-tumbler locks get. With the potential exception of a skilled locksmith willing to spend half an hour picking it, this lock will only be removed by destroying it.
Customers concerned about advanced picking threats will need to spend at least three times more from another vendor to obtain a practical improvement. If cutting is a concern, PACLOCK and other manufacturers offer hockey-puck style locks that do not expose the shackle. As in cybersecurity, selecting the right product for the job and considering the entire security chain is the key to padlock selection.
Have a security question you’d like answered in a future column? Email email@example.com