Laptop Locks are often Easy Pickings for Thieves

Oct. 11, 2004
Design flaws make locks simple to pick using common materials like ballpoint pens, rolled-up cardboard

Marc Tobias played laptop thief one recent evening, showing how easily several leading anti-theft devices can be defeated using such simple materials as a ballpoint-pen barrel, a thin piece of plastic or rolled-up cardboard.

Such news is sure to set off alarm bells at corporations and on college campuses at a time when portable sales have outpaced desktop-computer sales and laptop security is a hot issue. This has made locks made by companies like Kensington and Targus commonplace.

But, according to Tobias, a Sioux Falls, S.D., attorney and lock expert, some of the leading lock models have near-fatal design flaws that make them absurdly easy to pick.

The devices' vulnerabilities vary widely. But Tobias demonstrated these often can be exploited in short order. A Knight Ridder Newspapers reporter replicated two of Tobias' procedures using Kensington and Targus locks the newspaper purchased independently.

Tobias' bottom line: While laptop locks costing less than $50 aren't intended to be burglar-proof, the ease with which leading models can be defeated seemingly contradicts makers' claims that the locks offer a reasonable deterrent.

"Kensington notebook security locks, like many other categories of lock ... are meant to be strong deterrents to thieves (both casual and professional)," the firm said in late August in a written statement. "Kensington stands behind our locks as a deterrent to notebook theft."

Tobias' revelations, documented on his Web site www.security.org, come as Targus and other firms are marketing laptop locks to college students returning to campuses with their trusty portables in tow.

In an Aug. 17 press release, Targus says of its Defcon CL combination lock: "Theft is no stranger to college campuses, and a cable lock is a wise investment for any notebook-toting student."

But the Defcon CL is simple to crack using a thin piece of paper or plastic to probe the device's four thumbwheels and glean its combination. After seeing Tobias demonstrate this with his Defcon, a reporter cracked a separately purchased Defcon in minutes.

Targus did not respond in detail to interview requests.

But one laptop-security expert said he will stop touting the Targus lock after learning of Tobias' findings.

Gregory Evans, author of "Laptop Security Short and Simple" and a laptop-security instructor at several Los Angeles-area colleges, said he planned to revise his book and e-mail tens of thousands of his readers and students about the Targus lock.

A Kensington key-based lock also has proven simple to compromise using a Paper Mate ballpoint-pen tube or rolled-up toilet-paper cardboard that simulate the small keys' rounded shape. A reporter was able to free a laptop from its restraint in seconds.

Tobias, author of "Locks, Safes and Security: An International Police Reference," is a lock-picking authority. But he credits Matt Fiddler, a Connecticut security consultant, with discovering the Kensington key-lock vulnerability and bringing it to his attention at a security conference earlier this summer.

Laptop thefts constitute about 48 percent of all computer thefts, followed by desktops at 26.7 percent and handheld computing devices at 13.3 percent, according to a computer-theft survey conducted last year by Brigadoon Software, a computer-security firm.

Laptops protected by a particular Kensington lock are covered by a theft-replacement warranty, but the firm's fine print says this would involve a lock broken or opened by "forceful" means. Kensington did not say whether that language would be modified.

A Master Lock product Tobias tested uses Kensington's key-lock mechanism, he said.

Tobias released information recently about two other devices he recently tested, a Kensington three-thumbwheel combination lock and a Compucage product consisting of a cagelike enclosure for bolting a laptop to a desk surface.

He said the Kensington combination lock can be compromised using tactile pressure and visual observation. Defeating the Compucage enclosures is more straightforward: All a thief needs is a shim to open a locking bar, Tobias said.

Canada-based Compucage said it was looking into Tobias' findings.

Tobias has tested other laptop locks. He says a PC Guardian combination lock appears to be well-designed. "It's a nice piece of work."

Some laptop users said Tobias' findings confirm what they already suspected: Laptop cable locks alone don't represent ironclad security.

Andy Lax, a San Francisco public-relations consultant, said he'll probably keep using such cable locks as a "casual deterrent" but places more stock in the sturdy locks on his office door and cabinets.

"I'm a bit disappointed" with the cable-lock makers, said Lax, who uses the Targus combination lock, after learning of the Security.Org warnings. But, he added, what do you expect for $35?