The Lock-Picker, The Lockmaker, And The Odyssey To Expose A Major Security Flaw

Dominic Villeneuve figured out a simple way to bypass a widely used door lock, and he told the manufacturer how he did it. A year and a half later, he’s telling the world…

Early one morning in June 2020, Dominic Villeneuve woke up and went to his basement workshop to play with a new toy. A friend had given Villeneuve, the director of cybersecurity and infrastructure for a midsize insurance company in Drummondville, Quebec, a lock from a door in a building he was renovating. It was a good one: a Schlage CO-100 commercial-grade, keypad-operated deadbolt, which retails for about $400 and carries a Grade 1 security rating, the highest bestowed jointly by the American National Standards Institute and the Builders Hardware Manufacturers Association.

The locks on most homes are Grade 3, maybe 2. Grade 1 locks are tested to withstand, among other things, 1 million open-close cycles, eight blows starting at 80 joules (comparable to a jackhammer), and five minutes of grinding with a bolt saw. All of the CO-100’s electrical and mechanical parts are also certified by the Underwriters Laboratories for resistance to wear and tear, weather, and abuse. But Villeneuve knew he could unlock it without the keypad code. He knew he could beat it.

Photo: Villeneuve. Photographer: Alexi Hobbs for Bloomberg Businessweek

In his day job, Villeneuve analyzes and blocks malware attacks on his company’s network. Smaller financial-service companies and insurance businesses such as his are a preferred target of hackers, because they often have personal and financial data stored in undersecured networks. His favorite part of the job is playing “red team”—attacking his employer’s network with the tricks and gadgets of a better-than-average hacker—to find vulnerabilities. (“Penetration testing” is the technical term.) This also includes looking for ways to covertly access an office or computer and, say, plant a spy pen that has a camera or a USB keylogger to steal logins and passwords. “Every security I see, I try to bypass or find an unexpected way to open it,” Villeneuve says. “It’s in my DNA.”

Villeneuve’s father taught him how to assemble and disassemble carburetors when he was 5. Soon, he was taking apart everything in the house. He started picking locks as a teen, practicing on old padlocks and the door of his family home, using paperclips and filed-down Allen keys. At some point, he acquired a photocopied book purporting to be a declassified CIA field manual on lock-picking.

Today he’s part of a subculture made up of software types, tinkerers, survivalists, locksmiths, and lawyers and other professionals who enjoy the same three-dimensional puzzles. (He’s also co-founder and co-minister of a reform Baptist church in his town.) Members gather for meetups and “sport-picking” competitions that showcase undetectable—“nondestructive,” in lock-picking parlance—methods of opening locks for which they don’t have keys or codes. “It’s better than chess,” says Marc Weber Tobias, a lawyer, security consultant, and well-known lock-picker. “It’s tactile, it’s intellectual, and there are some locks you’re just not gonna open.”

Photo: His kit for competitions and “penetration testing” at work. Photographer: Alexi Hobbs for Bloomberg Businessweek

Interest in recreational lock-picking has surged during the pandemic: What better way to get through being stuck inside than with hours of online tutorials? For inquiring minds, the endless corners of YouTube and Amazon.com provide access to information and tools that until recently were generally only available to locksmith guilds, cat burglars, and safecrackers. “In the old manuals on safe manipulation, there’s always a note at the end saying, ‘Now that you’ve read this book, make sure you destroy it,’ ” says Michael, the principal of e-commerce site Sparrows Lock Picks, who goes by only his first name professionally. “Now everything is posted on YouTube.”

This has helped enthusiasts master the art of the bypass at dazzling speed, accelerating an age-old cat-and-mouse game between lock-pickers and makers as locks are bypassed and videos of triumphs spread online. (The r/lockpicking subreddit, with about 169,000 members, maintains a belt ranking of hundreds of locks; those who crack the hardest ones are black belts.) Pickers are playing red team en masse, exposing weaknesses in products that people trust to keep them safe. It’s forcing manufacturers in what analysts at Verified Market Research call the global physical security industry—a market of at least $125 billion—to live up to their own standards. The relationship between the two camps is uneasy.

One of the most famous names in the community is LockPickingLawyer. In spring 2020, he had about 200,000 subscribers to his YouTube channel, and today he has more than 3.6 million. The retired attorney, who lives in the Washington, D.C., area and asked that his real name not be used, has made almost 1,400 demos, many with hundreds of thousands of views, in which he dissects everything from cheap padlocks to high-security deadbolts to explore their inner workings.

Photo: Villeneuve uses specialized picks and “tensioning” tools to bypass a lock. Photographer: Alexi Hobbs for Bloomberg Businessweek

Among other thrills, viewers can watch him best a ubiquitous Schlage doorknob lock with a “low skill” attack in about five seconds, open an RFID gun safe with a fork or a spoon, and bypass an allegedly tamper-proof Chinese keypad lock with a Swiss Army knife and a paperclip. LockPickingLawyer’s friend and neighbor, Bosnianbill, who retired from uploading videos in September, had posted more than 1,900 demos since 2007 and has more than 560,000 YouTube subscribers. The Lock Noob, an up-and-comer from the U.K., has over 80,000 subscribers to his channel, which focuses on beginner and intermediate lock-picking. His almost 20-minute Learn Lock Picking: EVERYTHING You Need to Know! video has 1 million-plus views.

LockPickingLawyer has no qualms about exposing the illusion of security lockmakers sell. “I understand people who think that secrecy is desirable in the security community,” he says. “But the secrecy of locksmiths and security professionals for literally hundreds of years is the reason why our security is so bad. There are very few widely used, consumer-grade locks on the market that would even put up an adequate level of resistance to nondestructive entry methods. Consumer education can do nothing but improve that situation.”

This isn’t a new idea. In 1868, Connecticut locksmith and inventor A.C. Hobbs wrote in Construction of Locks and Safes that if a lock was “not so inviolable as it has hitherto been deemed to be, it is to the interest of honest persons to know this fact, because the dishonest are tolerably certain to apply the knowledge practically; and the spread of the knowledge is necessary to give fair play to those who might suffer by ignorance.” The question is: How do you spread the knowledge without empowering the dishonest?

The rules of ethical disclosure are complicated. In a deliberately vague example, LockPickingLawyer describes finding a “zero-skill exploit that could be executed by anyone with a small piece of knowledge” on a lock that law enforcement uses widely. He says he emailed the company that made it, and the company ignored him. He emailed again, giving it a year to patch the problem before he went public. “I just ran out the clock on a year, and I publicized it,” he says, leaking his findings to locksmiths groups. “I don’t want to create any dangers or exploits that would be used in the field. However, if a company is not willing to change their product, there’s only so much I can do.”

In most of the U.S., it’s legal to possess lock-picking tools, as long as they’re not used in crimes. On covertinstruments.com, for example, LockPickingLawyer sells a 20-in-1 set called the Covert Companion for $90. Law enforcement tends to apply the “kitchen knife theory,” Michael says. “It’s fine until you point it at someone and start yelling.” Still, sport-pickers and security experts note that few criminals ever bother to pick a lock. According to 2019 FBI Uniform Crime Reporting statistics, about 38% of burglaries involved nonforced “unlawful entry,” and only about 4% of these incidents involved lock-picking. Most home burglaries are sloppy, forced jobs involving screwdrivers, crowbars, and hammers. In commercial burglaries, the latest trend is to smash a stolen vehicle through a wall.

Which isn’t to say that locks don’t matter. When lock-picking is used in a crime, it’s often on a high-value target. The Watergate break-in, for instance, hinged on successfully picking a 4-pound brass lock securing a stairwell. If there’s something valuable to protect, a well-made lock is table stakes. Generally, lock quality goes up with price—and even with the videos available online, or bypasses revealed at annual hacker conventions such as Def Con, discovering quick and easy ways around a Grade 1 lock remains rare. But not impossible.

In his orderly basement, surrounded by 3D printing equipment that he uses to make parts and prototypes of lockpicking tools, Villeneuve considered the CO-100. He was hoping to add it to the overflowing box of locks he’d defeated.

A humdrum-looking piece of office hardware, the CO-100, introduced in 2011, is a simple, rectangular steel box with a lever handle and a 12-button keypad. It’s not connected to the internet, so it can’t be reset remotely like a smart lock. It has to be programmed with a three- to six-digit PIN by someone with physical access. The CO-100 typically comes with a traditional keyed lock, too, should the owner need to override the PIN. Allegion, which owns Schlage, touts the lock in marketing materials as durable, affordable, and “versatile enough to use anywhere.” And the CO-100 and similar CO-200 models are widely used—in offices, commercial facilities, schools, and multi-unit residential properties. Allegion doesn’t break down sales information by product, but these models are perennial bestsellers.

Photo: Popular locks that secure offices and other commercial and residential properties, such as the Schlage CO-100 lock, could be vulnerable. Photographer: Alexi Hobbs for Bloomberg Businessweek

Villeneuve could have gone directly at the keyway. But it was more interesting—less tedious—to find a way to manipulate the internal mechanism directly. Removing the CO-100’s cover, Villeneuve homed in on a lever beneath the keypad that, when pulled, slid open the deadbolt. Replacing the cover, he considered how to pull the lever from the outside.

He tried using a magnet to see if it would move a critical spring, but the one he had wasn’t strong enough. Then he looked for openings that might let him slide a tool inside. He could get a thin wire through the edge of the keypad but couldn’t pull the lever with it. And he didn’t like that it left a tiny mark—it was not a truly nondestructive method. Next, he tried a tiny drain hole at the bottom of the lock housing, there to let moisture escape. When the lock is attached to a door, the hole is almost unnoticeable. Villeneuve started probing it, first with thin strips of metal, and then with various-size zip ties, until he found a fit. Then he cut a notch into one end of the zip tie to hook the lever.

At about 6 a.m., two hours after he started working on the lock, he pushed his homemade tool through the drain hole, caught the lever, gave a gentle tug, and the lock sprung open. When he reinserted the zip tie and pulled again, it locked. It worked again, and again, and again. Bursting with energy, Villeneuve worked out in his home gym and showered. He could barely contain his enthusiasm at breakfast when he revealed yet another hack to his wife. He says she was unfazed. “Cool, it sounds easy,” she responded.

At his office that day, Villeneuve walked down a hallway, passing a dozen or so CO-100s on doors. He stopped at one, pulled out his zip tie, and unlocked it in about five seconds. It’s one thing to execute a bypass under controlled conditions, another to do it in the wild. And another altogether to do it with a tool that costs basically nothing and was everywhere he looked, since zip ties are used to wrangle computer cords. “I’ve found many vulnerabilities in my life,” Villeneuve says. “But this one is so easy, and so dangerous, that it’s different from the others. Even if an alarm goes off, police will find no trace of an infraction.”

Photo: Villeneuve picking a lock that has been removed from a door. Photographer: Alexi Hobbs for Bloomberg Businessweek

A search on the internet and dark web convinced him that he’d found something new, and as a self-proclaimed “ethical” lock-picker, he reached out to Schlage. Founded in San Francisco in 1920 by German immigrant Walter Schlage, the company had some important early patents; five years later, it was making 20,000 locks a month. When Ingersoll Rand Inc. acquired the company in 1974, it was the largest manufacturer in the city.

In 2013, Schlage and the rest of Ingersoll Rand’s security technology business was bought by Allegion. Headquartered in Dublin, the company has 30 global security brands. It took in $2.7 billion in revenue in 2020, and its stock price has climbed from about $80 in early 2019 to about $125 today. In North America, Allegion is the No. 1 maker of products that control how people enter and exit buildings—locks and locksets, doors and door frames, hinged door closers, push bars, electronic access systems, and more. Unlike software manufacturers, who make it easy for hackers to report bugs, most lockmakers don’t have a formal channel to receive tips about vulnerabilities. Villeneuve says it took him a few days to find someone to take down the details of his discovery.

On June 27, 2020, he sent an email with the subject line “Major vulnerability in CO-100 (maybe CO-200)” to Allegion’s head of public relations. He attached two videos demonstrating his bypass. “I want to be honest and give you the opportunity to offer a fix to your clients before someone found it and make it public on Internet,” wrote Villeneuve, whose first language is French.

Two days after he sent his email, he was put in touch with Allegion’s global director of cybersecurity, Frank Kasper. In emails, calls, and video chats, Villeneuve explained the bypass. He taught Allegion engineers how to duplicate it and brainstormed fixes. On July 10, Kasper wrote that engineers were working on a snap-in part to plug the drain hole that wouldn’t require removing locks from doors. At the end of August, he sent Villeneuve a prototype. Three days later, Villeneuve wrote back to say he’d removed the part in about 10 seconds with a handmade tool.
