
Physical Access: The Lockpicking Audit and the Logic of the Vulnerable Perimeter

Sovereign Audit: This logic was last verified in March 2026. Pin-tumbler bypass time:

Affiliate disclosure: Some links in this article are affiliate links. If you buy through them we may earn a commission at no extra cost to you — it never changes what we recommend or how we rank it. Read our full affiliate disclosure.

You double-encrypt your laptop, route everything through a VPN, run a password manager with sixty-character strings. Then you walk out your front door and turn a key in a lock that someone with $15 of tools and a free afternoon on YouTube can open in under thirty seconds — without a scratch, without a sound, without you ever knowing they were inside. All that digital armour, guarding a door anyone can walk through.

The short version: A standard pin-tumbler lock isn’t really a security device — it’s a short time delay, vulnerable to picking, bumping, and shimming, often defeated in under a minute. RFID access cards are worse: they broadcast a static ID that a Proxmark3 or Flipper Zero can clone from about 5cm away as someone brushes past you. Real physical hardening means upgrading to high-security cylinders (Medeco, Abloy, Mul-T-Lock), reinforcing your strike plates against shimming, shielding access cards in Faraday sleeves, and auditing your own perimeter the way an intruder would. The goal isn’t an unpickable fortress. It’s making your place a harder target than the one next door.

Why your lock isn’t a security device — it’s a time delay

The belief that gets people robbed: “a heavy door and a good key means I’m safe.”


A pin-tumbler lock has no cryptography in it. None. It’s a mechanical puzzle — five or six spring-loaded pins sitting at different heights, and the right key pushes each one to exactly the line where the cylinder is free to turn. That design is roughly 2,000 years old, and it was never built to stop a determined operator. It was built to discourage a casual one.

Here’s the turn most people never make: your lock isn’t asking “can this be opened?” — it’s only ever answering “how long does this buy me?” And the honest answer for a hardware-store deadbolt is almost none. Apply gentle rotational tension to the cylinder, feel for the one pin that binds harder than the rest, nudge it up until it sets, then move to the next. Locksmiths call it single-pin picking. An untrained person learns it in an afternoon; a practised one is through in under thirty seconds. The lock did its real job — it discouraged the casual passer-by. It just never did the job you thought you’d bought.

How pin-tumbler locks actually work, and why that’s the flaw

To audit something, you have to understand it — so here’s the mechanism in plain terms.

A pin-tumbler lock has a keyway (where the key goes), driver pins and key pins stacked on springs, and a shear line — the boundary between the rotating cylinder and the fixed housing. Insert the correct key and every pin stack rises to the precise height where the shear line runs clean through all of them. The cylinder turns; the bolt moves. That’s the whole machine.

Picking just reproduces that state without the key. Apply tension to the cylinder and one pin will bind first — its spring pushing harder than the others. That binding pin is touching the shear line. Push it up with a pick and it stays set. Repeat down the row. The vulnerability isn’t a defect someone forgot to fix — it’s the exact property that makes the lock cheap to manufacture and easy to rekey. Pickability and affordability are the same coin. You were sold the cheap side of it.

The spare-key problem: the copies you don’t control

Walk through where your spare keys actually are. Under the mat. With a neighbour. In a drawer at the office. Photographed on your phone “just in case.” Every one of those is a vulnerability you no longer control.

It gets worse, because a key is just data. Anyone with a clear photo of yours can order a blank and file it to match — no picking skill required — and most duplication shops will cut a key without ever checking ID. A photo and $5 buys someone your lock.

The fix is mechanical, not behavioural. Restricted keyways — Schlage Primus, Medeco, Mul-T-Lock — use blanks that are legally controlled, so only an authorised locksmith can cut them. You can’t grab a copy at the hardware store, which means neither can anyone else. That single property turns a lock from a discouragement into a genuine access-control device.

Beyond picking: bumping, shimming, and RFID cloning

Picking gets the headlines, but it’s rarely the fastest way in. The real perimeter audit covers the methods that need no skill at all.

  • Bumping. A “bump key” is a blank filed so every groove sits at maximum depth. Insert it, tap it sharply, and the impact can jolt every pin to the shear line at once. Seconds. Works on most standard pin-tumbler locks.
  • Shimming. On a basic strike plate, a thin strip of metal slipped between door and frame can push the latch back — bypassing the lock entirely rather than defeating it. A reinforced strike plate with a guard stops this completely.
  • Impressioning. Coat a blank in soot, turn it gently in the lock, file where the marks show, repeat until the blank becomes a working key. No original needed. High-security internal geometry makes it nearly impossible.
  • RFID cloning. Your access card broadcasts a static UID at 125kHz or 13.56MHz. A Proxmark3 or a Flipper Zero reads and copies it — about 5cm with a basic antenna, up to 1m with stronger gear. Someone brushes past you on a crowded platform and walks away with your building access in their pocket.

The physical hardening checklist

You can’t eliminate every physical risk. You can clear the low-hanging fruit and force an intruder to spend real time and real tools — which is usually enough to send them next door.

  • Upgrade the primary lock. Swap pin-tumbler deadbolts for Medeco, Abloy, or Mul-T-Lock high-security cylinders, which use telescoping pins, rotors, or sidebars that defeat standard picking. Roughly $200–$400 per lock with professional installation.
  • Reinforce the strike plate. A reinforced plate with a guard reaches deep into the frame, stopping shimming and resisting a shoulder-bump forced entry. Fit it on every exterior door.
  • Shield RFID credentials. Faraday sleeves — aluminium-lined pouches — block both 125kHz and 13.56MHz entirely. A good one costs $10–$30 and is the cheapest, fastest hardening step you can take.
  • Audit your spare keys. Inventory every copy. If you don’t know where one is or who holds it, the lock is already compromised — rekey, or move to a managed key system.
  • Add door sweeps and seals. Gaps under doors let bypass tools through; sweeps make shimming harder too.
  • Skip cloud smart locks for your main door. A network-connected lock adds Bluetooth, Wi-Fi, and biometric-spoofing risk surface. If you want one, pick a local-only model (no cloud, no app, PIN pad only) — and keep a high-security mechanical lock as your real perimeter.

How to run a physical access audit on your own perimeter

The reframe that makes this safe and useful: before an intruder tests your perimeter, you do it. On your own property, that’s not breaking in — it’s penetration testing, and it’s legal, educational, and genuinely revealing.

Identify your lock. Standard Schlage, Kwikset, or Weiser? Assume picking in under a minute. Marked “high security” or branded Medeco/Abloy? Much harder, but still worth checking.

Walk the bypass routes. Circle the building. Windows near locks? A strike plate that could be shimmed? A weak frame? Missing door sweeps? Could someone simply push through the frame itself?

Test your cards. If your building uses RFID, assume the cards clone. Treat one like a public credential — something you’d lose no sleep over if it vanished — and don’t keep it in an easy outside pocket.

Document and prioritise. Write down every weakness and rank it by speed of misuse: shimming (fastest), picking, cloning, then structural bypass (slowest). That ranked list is your remediation roadmap — fix the thirty-second holes before the thirty-minute ones.
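The four audit steps above can be turned into a repeatable checklist. The following is an added example, not the article’s own tool: it models each entry point by the attributes the article tells you to inspect (cylinder grade, strike plate, frame, RFID card, sleeve), derives which of the article’s bypass methods still apply, and sorts the findings by the article’s speed-of-misuse ranking so the thirty-second holes come first. The door names and their attributes are constructed sample data.

```python
from dataclasses import dataclass

# Speed-of-misuse ranking from the audit step: lower number = fixed first.
SPEED_RANK = {"shimming": 1, "picking": 2, "rfid cloning": 3, "structural bypass": 4}

# Remediation per weakness, taken from the hardening checklist.
REMEDIATION = {
    "shimming": "fit a reinforced strike plate with a guard",
    "picking": "swap in a high-security / restricted-keyway cylinder",
    "rfid cloning": "carry the card in a Faraday sleeve; treat it as public",
    "structural bypass": "reinforce the frame and add door sweeps",
}

@dataclass
class EntryPoint:
    """One door as observed during the walk-around (hypothetical model)."""
    name: str
    cylinder: str = "standard"       # "standard" or "high-security"
    reinforced_strike: bool = False  # strike plate with a guard fitted?
    weak_frame: bool = False         # could the frame itself be pushed through?
    rfid_card: bool = False          # entry also relies on an RFID credential
    card_shielded: bool = False      # credential kept in a Faraday sleeve

def find_weaknesses(ep: EntryPoint) -> list[str]:
    """Apply the article's rules: each unmitigated attribute yields a weakness."""
    found = []
    if not ep.reinforced_strike:
        found.append("shimming")
    if ep.cylinder == "standard":
        found.append("picking")
    if ep.rfid_card and not ep.card_shielded:
        found.append("rfid cloning")
    if ep.weak_frame:
        found.append("structural bypass")
    return found

def audit(entry_points: list[EntryPoint]) -> list[tuple[int, str, str, str]]:
    """Return (rank, door, weakness, fix) tuples, fastest bypass first."""
    findings = [(SPEED_RANK[w], ep.name, w, REMEDIATION[w])
                for ep in entry_points for w in find_weaknesses(ep)]
    return sorted(findings)

# Constructed sample perimeter; not a real property.
SAMPLE = [
    EntryPoint("front door"),
    EntryPoint("office door", cylinder="high-security", reinforced_strike=True, rfid_card=True),
    EntryPoint("back door", reinforced_strike=True, weak_frame=True),
]

if __name__ == "__main__":
    for rank, door, weakness, fix in audit(SAMPLE):
        print(f"[{rank}] {door}: {weakness} -> {fix}")
```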

Why physical access undoes your digital security entirely

Here’s the connection that makes a lockpicking article belong in a digital-sovereignty toolkit at all: nearly every digital defence assumes the intruder is remote. Encryption, VPNs, password managers — they’re built to stop someone reaching you over a wire. Physical access throws that assumption out.

Once someone is inside — at your desk, with your machine — your threat model changes completely. They can attach a hardware keylogger between your keyboard and the port that no software will ever see. They can clone a drive while you’re at lunch. They can plant a tampering device in firmware that survives every OS reinstall you’ll ever run. The “evil maid” who slips into a hotel room and modifies a powered-off laptop is exactly this attack: physical access converting your encrypted, hardened machine into a leaking one, silently. A thirty-second lock is the single cheapest way to undo a thousand dollars of digital hardening — and it’s the layer most sovereign setups forget.

This is why the perimeter audit isn’t a separate hobby from your digital security. It’s the floor the rest of it stands on. A reinforced door and a high-security cylinder aren’t about keeping out burglars who want your television. They’re about denying the one thing that makes the rest of your stack moot: a few unobserved minutes with your hardware.

The same audit-your-own-baseline instinct runs through the rest of the sovereignty work — the Levels Health review and the Aura Ring review apply it to your body’s data, and the wider health-sovereignty library carries the pattern further. If you want the hardware named here in one place, the hardening toolkit collects the locks, sleeves, and audit tools worth owning.

Frequently asked questions

Is it legal to own lockpicks and learn to pick locks?
In most places, owning picks is legal when your intent is auditing your own locks or pursuing locksmithing. Picking someone else’s lock without consent is illegal everywhere — the legal line is intent, not the tools. If you practise on your own property, keep simple records (photos, dates, what you found).

Can I really pick a standard lock in 30 seconds?
A skilled operator can, on an ordinary pin-tumbler lock. Hardened cylinders like Medeco or Abloy take ten-plus minutes with specialised tools, and some are genuinely pick-resistant. That gap is the entire argument for upgrading: you’re buying time the cheap lock never gave you.

What’s the best alternative to a traditional lock?
A high-security mechanical cylinder (Medeco, Abloy, Mul-T-Lock) paired with a reinforced strike plate — still the gold standard for real security. Smart locks add convenience and wireless risk surface; use mechanical for your primary door and reserve smart locks for low-stakes secondary entry, if at all.

Do I really need Faraday sleeves for my access cards?
If your building still runs 125kHz cards, treat them as clonable at short range. 13.56MHz is marginally better and still vulnerable. A $15 sleeve neutralises the risk completely — it’s the highest-value, lowest-effort step on this list.

You don’t need to turn your home into a vault, and you were never going to stop a state actor with unlimited time and budget — that’s not the game. The game is the math an opportunist runs at your door: thirty seconds and nothing here, or thirty minutes and $500 in tools? Harden the lock, reinforce the frame, shield the cards, audit the spares, and you flip that calculation against them. This isn’t paranoia. It’s removing the blind spots — doing once what most people only assume, then maintaining it twice a year. You stop trusting a 2,000-year-old puzzle to guard a digital life it was never built for, and you become the person who actually checked the door.

Ranveersingh Ramnauth · Founder & Editor, The Unhacked

Ranveersingh Ramnauth is the founder and editor of The Unhacked, an independent publication on digital sovereignty — privacy, self-custody, health, and money. The Unhacked publishes disclosure-first, independently-tested guidance and never lets a commercial link change a verdict. More about our methodology →
