Kensington Laptop Locks Not So Secure

eric434 writes "According to a security alert released by Security.Org, the Kensington laptop lock that many of us use and love isn't secure. In fact, it can be opened in 30 seconds after about a minute of practice with a $1 worth of equipment. (A Bic pen, and a pair of scissors. In the interest of giving people some time to stop using the locks, the actual method of opening the lock is left up to the reader.) To make matters worse, Kensington's 'We'll give you $1500 if someone steals your laptop' guarantee doesn't apply -- because the process of opening the lock doesn't damage the lock or cable." Mind the source, though -- security.org wouldn't mind selling you a book on locks and safes.

1500 dollers

[satanicat]

well. . I mean I guess it wouldnt matter to me wheather it was a len or a wire cutter. 1500 dollers might cover a good portion of the hardware costs, but usually the information on the drive itself is far more sensitive. What they need is a lock that causes the computer to self distruct.=) it not only protects the programmer, but teaches the thief a good lesson!

Hmm.....

[Doppler00]

I've seen those computer "locks" on the back of computers that need those special round keys. They replace screws to try to prevent someone from opening the case. What I found over time when working with them, is that you can just use a set of small pliers to twist them off. Not very secure at all.

Re:I can attest to this fact.

[Rosco P. Coltrane]

Thing was so insecure that I was playing with it in the airport on a business trip one day and I realized all I had to do was to push the pin inwards and it immediately came off.

I had one of these and they're a waste of $70.

Here's another good one: pick the thing up very very slowly, so it doesn't start screaming, lift it about 10" off the table, then slam it flat on the table, battery down, as hard as you can. The motion sensor will be busted right out and the thing won't peep a sound. If, by some misfortune, it does start beeping, press your thumb real hard against the hole underneath, where the piezo is, to silence it.

These things are crap, honestly. Stay away from it...

Re:1500 dollers

[Anonymous Coward]

well. . I mean I guess it wouldnt matter to me wheather it was a len or a wire cutter. 1500 dollers might cover a good portion of the hardware costs, but usually the information on the drive itself is far more sensitive. What they need is a lock that causes the computer to self distruct.=) it not only protects the programmer, but teaches the thief a good lesson!

Australian Defence Force laptops (all thinkpads, that I've seen) have this. Try to break in and various parts of the laptop burst into flame.

See how easy it is getting data off a hard drive that's protected by a lithium/oxygen lock.

I'm curious...

[weiyuent]

...about the durability of the slot where one inserts the standard laptop locks. Though I'm not about to try it myself, I imagine that one could easily shear the lock off with the right amount of leverage and separate it from the laptop. Now it might take a bit of work to repair the chassis to re-saleable condition, but it's still possible, no?

Funny lock story from Australia

[HonkyLips]

This reminds me of one of my favourite pieces of Australian TV.
I'm sure you are all familiar with steering wheel locks, the most well known in Australia is called a Club Lock.
A magazine called "Choice", which reviews and tests products, reviewed all available steering wheel locks and claimed that the Club Lock could be defeated in less than 30 seconds by someone with no experience at car theft.
The manufacturer responded by modifying and improving the lock mechanism, but the magazine repeated their claim that it could be defeated easily.
This went on for about 4 generations of Club Lock and saw the introduction of a "star shaped" key to making picking the locks "impossible", as well as other developments. But Choice maintained that the Club Lock had not been fixed and anyone could defeat it in under a minute.
A local TV current affairs show filmed a carpark showdown between the manufacturer of the Club Lock and a reporter from the magazine, as the manufacturer prepared to release their latest model and the magazine claimed it would be able to defeat it in less than 30 seconds.
They were screaming at each other in a car park and honestly looked like they were going to hit each other. The manufacturer claimed (in near hysteria) that it was impossible for someone to pick their locks, and that the magazines claims were wrong. The magazine denied this, and so were challenged to demonstrate their claim on TV.
A brand new model Club Lock was placed on a car steering wheel.
The magazine reporter got in the car, grabbed it, and gave it a good hard yank, and it came off easily.
The manufacturer went very very quiet.

The funny thing about this - and the reason I remember it - was that the people who made Club Locks never asked the magazine HOW they'd been defeating their product. They all assumed that the locks had been picked. Practically all the improvements they made to the product over 4 years were in improving the lock mechanism. They never expected that the piece of metal which hooks around the steering wheel was so weak it could be easily bent. They shouldv'e thought laterally.
Anyway it was very funny. Trust me, I still remember it and it was about 15 years ago.

Re:I can attest to this fact.

[DaveJay]

>or I lock them in a locker or the trunk of my car

Don't try the trunk of your car in Chicago, even in the good neighborhoods. I've had windows broken and trunks entered for a duffel bag with a schoolhouse rock video tape. I've had trunks punched open with a screwdriver for some books. I once caught two kids in my car trying to pry an $18 tape player from under the dash. Hell, I once even left my car -- with nothing in it to steal, AND THE WINDOWS ALL HALFWAY DOWN -- and someone still punched a hold through the door skin to open the *unlocked* door with the *open* window.

So what lock to buy

[Unregistered]

I have a powerbook. what loc should i buy if the Kensington one sucks?

Re:How to make the warranty work for you

[Frogbert]

Okay lets weigh up the options.
1. File correct police report, don't get $1500, chances of police finding your laptop... none.

2. File a slightly incorrect police report, get $1500, by some random stroke of luck the police do find your laptop. Chances police believe that the thief is lying and just cut the lock with some bolt cutters... good

I know which one I would choose.

Re:Wire Cutters

[merlin_jim]

I've worked with steel wire a bit in the past doing chainmail for SCA stuff. Graduated into chainmail jeweler, then just plain jeweler.

The particular wire they use is a strandad high tensile strength steel. The individual strands are probably 12-16 guage, the cable as a whole cladding included might be 4 guage.

To cut 16 guage half-soft steel wire takes a medium sized pair of bolt cutters and a lot of elbow grease. You could PROBABLY worry the cable through with those, but because you can't close the jaws on each individual strand, it's going to be more of a sawing motion.

To get through that cable you'll need a pair of bolt cutters whose jaws are large enough that the entire cable fits between them with no more than a 15-20 degree angle. And the leverage is going to be immense; 2-3 feet at least.

Not exactly a tool you could fit in your pocket :) The tool *is* available, you can probably find it for under $20. Most every hardware store will have one. They're used in construction to do exactly what the name implies; cut bolts :)

"Guarantees replacement"

[httpamphibio.us]

From the Kensington product description page [kensington.com] linked in the article:

Guarantees replacement of any locked laptop that's stolen

Sounds pretty specific, huh? ANY locked laptop that's stolen... Which is quite different than what it says when you click the warranty link [kensington.com] on the page...

If theft of your laptop computer results from the Kensington Guaranteed Notebook Replacement MicroSaver computer lock being broken or opened by forceful means Kensington Technology Group will pay you the replacement value of your laptop up to US $1,500.00.

It goes on to say:

Kensington Technology Group will NOT be liable if the theft occurred because: ... ... D. The laptop was stolen by any means other than violating or breaking the Kensington brand Guaranteed Notebook Replacement MicroSaver Lock.

Now... that seems pretty vague to me. Are they talking specifically about the locking device? Or are they talking about the entire thing and calling it the Guaranteed Notebook Replacement MicroSaver Lock because that's the name of the product? Vague vague vague...

Re:How to make the warranty work for you

[Anonymous Coward]

Right... for Warranty Replacement Plans . This is "buy a $20 lock/cable, if someone cuts/breaks it, get $1,500." Something tells me they're not going to shell out $1,500 in the name of "better customer service."

Use the Bike Messenger warranty method

[mr_rangr]

Kryptonite has a similar warranty. Though if your bike is stolen, they often steal the lock, as well, leaving you with no evidence of a broken/compromised lock. So bike messengers will keep a spare Kryptonite lock. If their bike is stolen, they beat the crap out of the lock, busting it open, and then use this busted lock to claim their warranty.

Lock Picking

[dicepackage]

In the Summer 2004 issue of 2600 Magazine there is an article on lock picking with less common types of picks. They talk about how to pick a lock with a pen, bobbe pin, sciccors, and everyones favorite the paperclip.

Re:I can attest to this fact.

[PunchMonkey]

A couple years ago I was spending the weekend in Montreal and had left an empty laptop bag in my back seat. The next morning I came out to find the car window had been broken... I spent a little while trying to figure out what they had taken before realizing they probably looked inside the bag, got pissed off and threw it back in the car!!!

It was a very cold and noisy drive home and cost a few hundred bucks to fix though :-(

Re:I can attest to this fact.

[devilspgd]

Mine had a 3-option sensitivity setting. At it's most sensitive it would go off over nothing.

In the least sensitive setting you had to tilt it 45 degrees before it would go off.

In the middle it wasn't too bad, but it was still tilt sensitive -- I lifted it straight up, unscrewed the battery case, removed the batteries (to expose the unit's screws), then unscrewed it and reset it to a known code after a friend of mine decided to change it on me.

I could have just smashed it I guess, but that wouldn't have been as fun as stealing my own laptop.

The whole thing took about 5 minutes -- You'd have to have balls to walk into an office and do it, but you could probably pull it off if you tried.

Re:I can attest to this fact.

[Technician]

I knew a radio operator that had an amplifier that used a seprate 1500 volt power supply. The vehicle was locked and the equipment was properly marked Danger High Voltage and Lock out remote power supply before servicing. Because it was properly marked and locked, the judge threw out the manslaughter case against the amature radio operator by the family of the deceased.
You shouldn't try cutting 1.5KV cables with a pocketknife when the supply is still on.

It's not as bad in my car. The Hybrid battery is only 264 volts nominal and the 1KW inverter is 120 volts. I don't recommend messing with either while the power is on. The inverter is on most of the time. I plug the computer into it to charge batteries while on the road. I seldom bother to shut it off since its nominal unloaded draw is just a few mA.

i go by a different theory

[prockcore]

I subscribe to the famous "If I can't have it, no one can" theory.

If I see an unguarded locked laptop, I dump a cup of coffee onto the keyboard.

Ok, not really.. but I wonder if anyone does this. I remember Denial of Service was a huge thing to do in highschool. People would beat the shit out of random combination locks on peoples lockers, you couldn't get your locker open. Bastards.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Applies to barrel-key type locks, not combinati

[Anonymous Coward]

Combination locks are usually just as easy. It took me a couple of hours to work out how to open these Targus Defcon CL locks, but now I can do it in under a minute, with no tools, and find the combination. Or, I can find a digit in 15 seconds and come back later.

These days I get emails in my work when people forget the combination on their locks to come and remove them. It's really easy, and I think if everyone knew it would be barely worthwhile using them.

Re:1500 dollers

[TheLink]

Backup data and use encryption e.g. pgpdisk, drivecrypt.

To prevent nontargeted theft, make your PC very distinctive. This reduces the "fencing" price significantly. If they obviously can't sell it to a fence they won't even bother touching it. Get/Pay an artist to make it permanently distinctive AND look nice at the same time.

But if you really want to teach the thief a lesson, try semtex and a pager. You may wish to make sure it only blows up on a particular pager message and not because of a wrong number ;). Note that this makes it risky to take your computer with you to certain places esp aircraft/airports.

Re:I can attest to this fact.

[Anonymous Coward]

Hell, I once even left my car -- with nothing in it to steal, AND THE WINDOWS ALL HALFWAY DOWN -- and someone still punched a hold through the door skin to open the *unlocked* door with the *open* window.

You need to move to a place with more intelligent criminals. I used to have a bomb of a convertible, never locked the doors and put a sign in the window: "Not locked: no radio, no gas, no brakes." Never had anyone cut the ragtop to get in (lived in Queens at the time). Don't know if anybody ever "broke in." Somebody had stolen the 3 remaining hubcaps at some point (lost one to a monster pothole once).

Re:How to make the warranty work for you

[devilspgd]

Maybe in the US -- In Canada if the theft is over a certain amount ($1000 or $1500 rings a bell, but a) that might have changed since I was in highschool, b) I'm really not sure, and c)I'm definitely too lazy too look it up) the police will go out and will finger print the evidence.

Whether they'll actually catch anyone or not is another question, of course, but at least they try.

It really depends on the crime and the situation I suspect, but they definitely won't do DNA for something that size though.

However, you also have to consider that the private insurance company MIGHT decide to "investigate" on their own -- 99.99999% of the time they won't, but every once in a while some insurance companies will send someone out (even though it probably costs more then the claim) to investigate, just to look like they're doing due diligence and to discourage fraud. (Or so says a friend of mine who works in the insurance industry -- Take it with a grain of salt)

Re:How to make the warranty work for you

[devilspgd]

15.7" Gateway laptop, actually. Sweet beast too, completely replaced my desktop for several months.

40GB drive, 2.2GHz P4, ATI Radeon 9000 (independant video memory), CDRW+DVD, and 4-6 hours of battery life with the display dimmed, 802.11B.

It's not exactly brand new anymore (so don't bother showing where you could get a better one for less today), it was priced competitively when I bought it. In fairness the $4000 price includes the docking station, additional battery, an additional charger and a carrying case. That's $4000CDN.

Re:Clean take-away vs Vandalism?

[IOOOOOI]

I've had much damage done to cars for little apparent gain for the thief.

I used to keep a flashlight in my glove box (needed it for my job). Then, one of the local crackheads coat-hangared his way into my car and stole it.

I replaced the flashlight and not too long after that it was stolen again. This happened three or four more times until I got fed up and locked the glove box. Bad move. Next morning, my dash board was busted up and the flash light gone.

I presume that the crackhead needed the light to assist him in burgling. The funny thing is, that if he had simply reached under the steering wheel and popped the trunk, there was at least $200 worth of tools and parts that I kept in there in case the piece of crap car broke down.

After that, I just left the doors unlocked and the flashlight on the seat in plain view.

Re:I can attest to this fact.

[Technician]

You have a short somewhere buddy.

Um, no. I have several clocking circuits running. One inverts the low voltage into high voltage (not a lossless circuit) and another drives the output bridge for 60 HZ AC (driving transistrors still requires power) and the regulation and protection circuits are active. The noise suppression absorbs some power and the LED draws some power.

No short here.

Re:I can attest to this fact.

[kaszeta]

they probably looked inside the bag, got pissed off and threw it back in the car!!!

Indeed, I had a similar thing happen once. A guy broke into my apartment, apparently with the goal of stealing my CD collection (a common theft item in that area, since they were so easily liquidated). He quickly found my CD rack in the living room (with >400 jewel cases in it), and quickly discovered that almost all of the cases were empty, the CD's were in my two CD changers, which were virtually inextractable from the metal equipment rack I was using as an entertainment center. He quickly got frustrated, decided it was time to leave, grabbed the fews CD's that were out in the open, broke a bunch of stuff out of spite, and left.

The cops caught the guy, too, since I could tell them *exactly* which CDs were missing, and the guy that had turned in those exact three CD's at the local used CD store showed up on their store video camera, and they linked him to the apartment with fingerprints (he also had a long rap sheet of B&Es, too).

Alas, it probably would've been easier for me if he had just stolen the CD's (hey, I had insurance), since cleaning up the mess he made and getting the stuff he broke fixed was a hassle.