Tor Sornes (1976)
Name: Punch card lock
Inventor: Tor Sornes invented the first electromechanical punch card lock in 1976, which became the basis for all modern hotel locking technology. The idea was radically new: it was no longer a physical key that coded the lock, but a punch card which, when inserted, activated electrical or mechanical contacts and thus released the door. The system was based on:
- a plastic or paper-based punch card with a defined hole pattern
- a reading mechanism that detected the punching electrically or mechanically
- an electromechanical locking unit that released the bolt
- a quickly changeable code principle (simply change the card = lock recoded).
For the hotel industry this was revolutionary: Lost keys were no longer a major risk, codes could be changed immediately, and guests no longer needed to carry metal keys. Sornes thus laid the foundation for today’s magnetic, chip, and RFID card locks.
Current locks of this type
Classic punch card locks according to Sornes are hardly produced today, but their successor technologies dominate worldwide:
- magnetic stripe hotel locks
- chip cards / smartcards
- RFID cards
- electronic access control systems with replaceable credential media
- NFC- and smartphone-based systems
Many manufacturers (e.g. VingCard, later part of ASSA ABLOY) built directly on Sornes’ principle.
Lockpicking
• Exploiting manufacturing tolerances
Early punch card readers had typical production variances:
- uneven sensor triggering
- varying contact spring tension
- small deviations in the position of the reading pins
- slight misalignments caused by mechanical wear
These tolerances could mean that slightly bent or imprecise punch cards were still read as valid, which encouraged misuse.
• Mechanical feedback
Because the card guidance was mechanical, there was some feedback:
- a noticeable “click” when inserting the card
- slight give in individual reading contacts
- audible differences with worn contact pins
Trained individuals could deduce where active reading contacts were located, which theoretically made it easier to copy a working card.
• Wear in operation
Due to constant use, especially in hotels, typical wear effects appeared:
- worn contact pins
- reduced spring force
- corroded electrical contacts
- worn card insertion slots
This wear could lead to misinterpretation of the coding, making the lock more vulnerable to imprecise or manipulated cards.
Risk/Security
Highest risk: Destructive attacks:
forcing the door or lock case
prying attacks on the door frame
mechanical force against the card reader
Medium risk: Targeted partial destruction:
drilling or prying open the reader head
short-circuiting or manipulating the electromechanics
removing the card slot cover
Low risk: Fine manipulation:
analyzing the card via mechanical feedback
copying a valid punch card
tolerance-based decoding using test cards.
Insights
In 1976, Tor Sornes revolutionized the access control market with his punch card lock. For the first time, access was controlled not by metal mechanics, but by variably coded information carriers. The system was groundbreaking, even though from today’s perspective it was vulnerable to wear, tolerances, and electromechanical manipulation. Its greatest strength: immediate recodability – a decisive advantage over classic key systems. Sornes’ invention is the historical root of modern hotel and access systems and remains a milestone in lock technology.
Charles Walton (1983)
Name: Electronic RFID lock
Inventor: Charles Walton is regarded as the inventor of the RFID principle for security-related applications. In 1983 he filed a patent that, for the first time, described the contactless identification of a credential (transponder/card) for access control – the birth of the modern RFID lock. His system was based on: a passive or active RFID transponder, a reader that generates an electromagnetic field, a coded response signal that only the authorized transponder sends, an electronic control unit that releases the bolt after successful identification. Walton’s approach was revolutionary because, for the first time, it brought contactless identification into security applications. This laid a central foundation for modern hotel doors, company locks, access control systems, and smart locks.
Current locks of this type
RFID is now one of the world’s most important access technologies. Direct successors can be found in:
- hotel card locks (MIFARE, LEGIC, HID, etc.)
- corporate and government access points
- parking garages and barriers
- smart-home door locks
- industrial and laboratory access systems
RFID has evolved over several technological generations:
- LF RFID (125 kHz, early systems)
- HF RFID (13.56 MHz, e.g. MIFARE, NFC)
- UHF RFID (industrial access, longer ranges)
- cryptographically secured latest-generation RFID keys
Walton’s principle is now omnipresent and is the basis for almost all modern contactless access systems.
Lockpicking
• Exploiting manufacturing tolerances
Early RFID systems suffered from technical variances: unevenly sensitive antenna coils, varying ranges, slight inaccuracies in evaluating weak transponder signals, tolerance-based misinterpretation of interference signals. These deviations could, in rare cases, cause foreign or roughly copied RFID tags to be accepted, an effect seen in early systems with weak coding.
• Mechanical feedback
Mechanical feedback played only a minor role in RFID locks. There were only:
- audible relay or solenoid clicks
- slight vibration from the bolt motor
- almost no tactile response at the reader itself
For attackers this offered no useful manipulation points, since the security logic was purely electronic.
• Wear in operation
Wear appeared mainly in:
- buttons or covers of the reader module
- oxidized contacts in hybrid readers
- aging coils or weakening transponder elements
- bolt mechanisms (in electromechanical setups)
Electronic aging could favor misinterpretations, but was rarely exploitable in a targeted way.
Risk/Security
Highest risk: Destructive attacks:
forcing the door frame or lock case
prying tools, chisels, angle grinders
attacks on the door leaf or hardware instead of the electronics
Medium risk: Targeted partial destruction:
drilling or ripping off the reader
short-circuiting the electronics
cutting cables (depending on system)
bypassing the electric bolt by directly accessing the mechanics
Low risk: Fine manipulation / electronic attacks:
copying simple RFID tags (early 125 kHz systems especially vulnerable)
reading unencrypted transponders
replay attacks on very old models
jamming signals to trigger misinterpretation.
Insights
In 1983, Charles Walton created the foundation for a completely new security concept: contactless identification instead of mechanical keys. His RFID lock fundamentally changed access control and enabled flexible, rapidly adjustable authorization systems. Weak points of early models were mainly:
- unencrypted RFID transponders
- electromechanical components that were easy to attack
- destructive attacks on the door environment
Today Walton’s RFID lock is one of the most important predecessors of modern, digital, cryptographically secured access systems – a true milestone in security technology.
Paul E. Szabo (1985)
Name: Kaba Nova
Inventor: Paul E. Szabo developed the Kaba Nova system in 1985, one of the most advanced evolutions of the multi-row reversible key. While earlier Kaba systems such as Kaba 8 or Kaba 20 were based on radial pin arrangements, Nova introduced a complex multi-channel and multi-row coding, combined with increased key copy protection and extremely tight manufacturing tolerances. Core features of the Kaba Nova system: multiple rows of radial pins that are coded simultaneously, a highly complex reversible key profile that is asymmetrical and deeply guided, additional profile barriers that severely restrict the insertion of unauthorized tools, a cylinder core with minimal plug tilt and high precision, optionally integrated mechanical security elements against picking and key duplication. Szabo thus combined mechanical security, copy protection, and master-key capability in a way previously unseen. Kaba Nova became one of the most robust locking systems of the late 1980s and early 1990s.
Current locks of this type
The original Kaba Nova series is no longer produced in this form. However, the technology lives on in several successors, including:
- Kaba quattro
- Kaba quattro plus
- Kaba experT / experT plus
- Kaba pextra / pextra+
- modern DormaKaba high-security cylinders
All of these systems are based on Szabo’s design philosophy: radially acting pin rows, reversible key principle, complex profile barriers, high manufacturing precision, certifiable master-key system technology. Nova is therefore a direct predecessor of many modern high-security profiles.
Lockpicking
• Exploiting manufacturing tolerances
Even in the Nova system there are natural tolerances, although significantly reduced:
- minimally different positions of individual pin channels
- slight radial or axial play
- varying spring forces in heavily used cylinders
- differences in the microgeometry of the key
These tiny production variances could, in rare cases, provide minimal feedback, but only to extremely skilled specialists.
• Mechanical feedback
Nova was deliberately designed to transmit as little feedback as possible. Nevertheless, a theoretically usable residual feedback exists:
- barely perceptible set points of the radial pins
- very slight torque differences when approaching the correct height
- slight friction changes in worn cylinders
Compared to classic pin tumbler systems, the feedback is extremely damped.
• Wear in operation
Use leads to typical wear phenomena:
- worn pin tips (minimal, but noticeable)
- increased play in the core after many years
- slightly worn key grooves
- fatigue of springs in the multi-row layout
These factors increase mechanical readability with age, but the level remains clearly above that of many conventional systems.
Risk/Security
Highest risk: Destructive attacks:
breaking out, drilling, or milling the cylinder
angle grinders, striking tools
bypass attacks on door/frame instead of the cylinder
Medium risk: Targeted partial destruction:
drilling individual pin channels (historically possible without carbide inserts)
pulling the cylinder without protective hardware
milling the faceplate
breaking open the keyway
Low risk: Fine manipulation:
setting individual radial pins with minimal torsion pressure
decoding via rare production or wear tolerances
extremely demanding tool-based manipulation.
Insights
Paul E. Szabo’s Kaba Nova was a milestone in modern high-security cylinders. It combined radially acting multi-row systems, an asymmetrical key profile, and extreme precision in a way that massively hindered manipulation. Its weak points, as with all high-quality cylinders, were less in the mechanics themselves and more in:
- destructive attacks
- missing protective hardware
- aging-related wear
Nova became the basis of many later DormaKaba systems and is still regarded as a technically important step in the development of modern reversible key technology.
Klaus Abend, Dieter Wienert, Johannes Filthaut (1987)
Name: Winkhaus electronic lock
Inventor: In 1987, Abend, Wienert, and Filthaut presented a fully fledged electronic locking system for Winkhaus, one of the first solutions to cleanly combine electronic identification, access control, and mechanical locking. The system was based on: an electronically coded key (early transponder or chip technology), an electronic reader in the cylinder, a control electronics unit that checks whether the key is authorized, a mechanical lock that is only released after valid identification. This created one of the first genuine mechatronic cylinders in Europe. Winkhaus was one of the pioneers of the idea of merging mechanical locking technology with electronic access control, long before “smart locks” reached the mass market. The system was particularly relevant for:
- master-key systems with changing authorizations
- companies and public authorities
- large residential complexes
- areas where lost keys needed to be quickly blocked (lost key = immediately disabled)
Current locks of this type
The 1987 Winkhaus system is considered a direct predecessor of modern mechatronic cylinders. Successors are now in use worldwide:
- Winkhaus blueChip
- Winkhaus X-tra systems
- modern transponder and chip cylinders
- hybrid mechanical-electronic master-key systems
- time-controlled access profiles in companies and authorities
The basic principle “mechanically locked, electronically authorized” is now a standard in modern access control. The electronic Winkhaus lock was one of the most important European steps toward intelligent door systems.
Lockpicking
• Exploiting manufacturing tolerances
As with early electronic systems, certain spreads existed: different sensitivity of contact points or reading coils, minimal variations in key insertion depth, slight deviations in the position of electronic components, different reaction times of the control electronics. These tolerances occasionally led to misreads, but were rarely usable as manipulation vectors.
• Mechanical feedback
Because the security-relevant check is electronic, the lock itself provides: hardly any usable mechanical feedback, only audible clicking of the release motor or solenoid, minimal torque changes on release. There were thus few attack points for classic manipulation attempts. Only the downstream, purely mechanical locking element was manipulable at all, and only after successful electronic identification.
• Wear in operation
Wear mainly affected: electrical contacts, plug-in channels in the cylinder, key surfaces (with hybrid key types), motor/solenoid locks in intensive use. Aging could cause malfunctions, but only rarely be exploited as an attack method.
Risk/Security
Highest risk: Destructive attacks:
breaking the hardware or door frame
angle grinders, crowbars, chisels
attacking door material instead of the lock
Medium risk: Targeted partial destruction:
drilling or breaking out the electronics module
manipulating the release motor via direct physical access
milling the cylinder if mechanical protection is insufficient
Low risk: Fine manipulation / electronic attacks:
signal analysis (possible with early unencrypted systems)
replay attacks (relevant only for very early prototypes)
exploiting communication errors or interference signals.
Insights
The electronic Winkhaus lock of 1987 was an important milestone in access technology. With the combination of electronic identification and mechanical locking, Abend, Wienert, and Filthaut created one of the first mechatronic cylinder systems in Europe. Its strengths lay in:
- flexible authorization management
- high protection against lost keys
- very low manipulation feedback
Weaknesses appeared mainly:
- under destructive attacks
- in early unprotected electronics modules
- in age-related electronic disturbances
The system forms the basis of many modern access solutions and is one of the key innovations of the 1980s in lock technology.
Volker Ziegler (1988)
Name: CES alpha electronic locking system
Inventor: In 1988, Volker Ziegler developed CES alpha for CES, one of the first fully fledged electronic locking systems in cylinder format. It was one of the earliest systems to combine electronic identification and mechanical locking in the compact form factor of a profile cylinder – a genuine innovation of the 1980s. The system was based on: an electronically coded key (early chip or transponder technology), an electronic reading module directly in the cylinder, an intelligent control unit that checks authorization, a mechanical bolt core that is only released after valid identification, the ability to block lost keys via software without replacing the cylinder. CES alpha was thus one of the first digitally managed locking systems, long before electronic access control became standard in buildings.
Current locks of this type
CES alpha is no longer produced in its original form, but the principle lives on fully in modern CES systems. Current successors:
- CES OMEGA FLEX
- CES OMEGA ACTIVE
- CES eCLIQ / electronic CLIQ systems (cooperation)
- mechatronic and fully electronic cylinders with online and offline management
The core elements – electronic key, electronic authentication, mechanical locking – come directly from the alpha idea of 1988. CES alpha is now regarded as a forerunner of modern mechatronic and electronic locking technology in Europe.
Lockpicking
• Exploiting manufacturing tolerances
As with early electronic cylinders, certain production spreads existed: varying sensitivity of reading contacts, different identification range, deviating positioning of electronic components, slight mechanical tolerances in the combined electronics/mechanics area. These tolerances sometimes led to misreads or poor recognition, but offered hardly any usable manipulation window.
• Mechanical feedback
Because CES alpha works primarily electronically, mechanical feedback is minimal: audible clicking of the release element, slight torque change when the core is released, no usable sequential feedback like in mechanical cylinders. For manipulators there was hardly anything to “feel”; the security logic was entirely in the electronics.
• Wear in operation
Wear affected both electronics and mechanics: contact wear between key and reading unit (for hybrid keys), aging electronic components, fatigue of the electromechanical release module, wear of the mechanical core. Aging components could cause malfunctions, but were rarely exploitable as an attack vector.
Risk/Security
Highest risk: Destructive attacks:
breaking out or drilling the hardware
angle grinders, chisels, crowbars
attacking door or frame instead of the cylinder
Medium risk: Targeted partial destruction:
physically drilling the electronics/mechanics unit
tearing off the electronic front modules
milling the cylinder without protective hardware
directly manipulating the release mechanics via force
Low risk: Fine manipulation / electronic attacks:
reading unencrypted chips (relevant for early prototypes)
replay attacks with weak authentication protocols
disrupting the electronics with targeted field manipulation.
Insights
The electronic CES alpha system was a visionary step in lock technology in 1988. Volker Ziegler created one of the first electronic profile cylinders in Europe, combining identification, access management, and mechanics in a form factor that is still standard today. Its strengths: immediate blocking of lost keys, flexible authorization management, high resistance to classic picking methods. Its weaknesses: vulnerable electronics modules under destructive attack, limited protection against brute force, early chip technology without modern cryptography. CES alpha is one of the most important milestones on the road to today’s mechatronic high-end cylinders.
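The weak point that recurs in the electronic entries above (unencrypted transponders, replay against weak authentication) and the strength named here (blocking a lost key in software) can be modelled side by side. The following Python model is an added example, not code from any manufacturer named on this page; the class names, the key ID `guest-0412`, the sample frame, and HMAC-SHA256 as the response function are assumptions for illustration.

```python
import hashlib
import hmac
import secrets


class StaticIdReader:
    """Early-style reader: a transponder always answers with the same bytes."""

    def __init__(self, authorized_frames):
        self.authorized = set(authorized_frames)

    def present(self, frame: bytes) -> bool:
        # Nothing ties the frame to this moment, so the reader cannot tell
        # a recording from the original credential.
        return frame in self.authorized


class Transponder:
    """Credential holding a per-key secret that never leaves the device."""

    def __init__(self, key_id: str, secret: bytes):
        self.key_id = key_id
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class ChallengeResponseReader:
    """Control unit: fresh nonce per attempt, software blocklist for lost keys."""

    def __init__(self):
        self._secrets = {}     # key_id -> shared secret
        self._blocked = set()  # key_ids reported lost
        self._pending = {}     # key_id -> nonce awaiting exactly one answer

    def enroll(self, key_id: str, secret: bytes) -> None:
        self._secrets[key_id] = secret

    def block(self, key_id: str) -> None:
        self._blocked.add(key_id)

    def challenge(self, key_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[key_id] = nonce
        return nonce

    def verify(self, key_id: str, response: bytes) -> bool:
        nonce = self._pending.pop(key_id, None)  # each nonce is valid once
        secret = self._secrets.get(key_id)
        if nonce is None or secret is None or key_id in self._blocked:
            return False
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def run_demo() -> dict:
    """Run both reader models on constructed sample data."""
    results = {}

    # Static identifier (constructed sample frame).
    static_frame = bytes.fromhex("0a1b2c3d4e")
    old_reader = StaticIdReader([static_frame])
    recorded_frame = bytes(static_frame)  # identical bytes seen a second time
    results["static_original"] = old_reader.present(static_frame)
    results["static_recording"] = old_reader.present(recorded_frame)

    # Challenge-response with a constructed key ID and a random secret.
    key_id = "guest-0412"
    secret = secrets.token_bytes(32)
    card = Transponder(key_id, secret)
    reader = ChallengeResponseReader()
    reader.enroll(key_id, secret)

    first_answer = card.respond(reader.challenge(key_id))
    results["cr_original"] = reader.verify(key_id, first_answer)

    # Same answer again with no challenge outstanding.
    results["cr_resend"] = reader.verify(key_id, first_answer)

    # Same answer against a fresh challenge.
    reader.challenge(key_id)
    results["cr_recording"] = reader.verify(key_id, first_answer)

    # Key reported lost: blocked in software, cylinder untouched.
    reader.block(key_id)
    results["cr_blocked"] = reader.verify(key_id, card.respond(reader.challenge(key_id)))
    return results


if __name__ == "__main__":
    for name, accepted in run_demo().items():
        print(f"{name:18s} {'released' if accepted else 'refused'}")
```

Only the static-identifier reader releases on a recorded frame; the challenge-response reader refuses both the recorded answer and the blocked key.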
Mijodrag Makivic (1992)
Name: EMZY electronic motor cylinder by EVVA
Inventor: In 1992, Mijodrag Makivic developed the EMZY for EVVA, one of the first fully motorized locking cylinders that not only combined mechanics and electronics, but actively powered the entire locking process. The EMZY was not just an electronic variant of a mechanical system, but a completely new approach: an integrated electric motor that turns the plug independently, an electronic identification unit (e.g. transponder, chip, or higher-level access control system), a sensor package that checks key status, position, and rotation, automatic locking and unlocking controlled by electronics, optional logging and integration into building management systems. The EMZY is considered one of the milestones of mechatronics: it shifted responsibility for the locking process from the user to the system – a decisive step toward today’s automated access solutions.
Current locks of this type
The EMZY itself and its successors are still in use. Modernized variants exist as:
- EVVA EMZY generations
- electronic motor cylinders in master-key systems
- motor-controlled panic and access systems
- integrated solutions in modern building management architectures
Other manufacturers later adopted similar approaches, but EVVA remains one of the reference companies in this category.
Lockpicking
• Exploiting manufacturing tolerances
Even early EMZY models had tolerances in:
- motor mounting
- sensor positioning
- locking paths
- force transmission between motor shaft and plug
In the worst case, these tolerances could lead to misinterpretation (e.g. “door closed” with the door slightly open), but they had hardly any manipulation value, since the motor and electronics strictly controlled the locking process.
• Mechanical feedback
Because the EMZY is not operated in a classic mechanical way, virtually all pick feedback disappears. Only minimal feedback exists:
- a slight motor noise
- a change in torque when the plug is moved automatically
For manipulation attacks these signals are irrelevant; without electronic release the cylinder remains mechanically locked.
• Wear in operation
The EMZY shows typical electromechanical aging:
- motor wear
- wear in the gear stages
- aging sensors or electronic contacts
- wear on the mechanical coupling
With increasing age, malfunctions may occur – for example, the motor stalls or misinterprets key states. This is hardly relevant for manipulation.
Risk/Security
Highest risk: Destructive attacks:
attacking the hardware or door frame
breaking out the cylinder
angle grinders, crowbars, striking tools
drilling the mechanical lock unit
Medium risk: Targeted partial destruction:
drilling motor/electronic components
milling the cylinder front
removing the electronic module by force
accessing the mechanical coupling after destroying the hardware
Low risk: Fine manipulation / electronic attacks:
pick or decoder attacks are practically irrelevant, since the plug cannot be moved without release
electronic attacks (e.g. protocol analysis) were theoretically possible on early EMZY models, but extremely difficult
interference signals could cause malfunctions, but rarely openings.
Insights
In 1992, Mijodrag Makivic created with the EMZY one of the first fully motorized locking cylinders – a system that uses the key purely as an identifier and leaves the actual locking process to the electronics. Its strengths: high resistance to manipulation, flexible integration into access control, automatic locking, integrated mechatronics. Its weaknesses: destructive attacks on door and hardware, material attacks on motor and cylinder body, electronic aging over long-term use. The EMZY remains an important milestone in motorized access technology and influences almost all modern smart-lock architectures.
Günter Uhlmann (1996)
Name: Electronic cylinder with transponder
Inventor: In 1996, Günter Uhlmann developed an electronic locking cylinder with an integrated transponder reader that combined mechanical and electronic locking technology in a compact, mass-market form. While earlier systems often required external readers, motors, or add-on modules, Uhlmann integrated:
- a transponder reader directly in the cylinder head
- electronics that check and authorize the transponder
- an electromechanical release unit that only decouples the core after successful identification
- a classic mechanical core, so doors can be operated with a key in the usual way – but only after electronic release.
This created a true mechatronic cylinder whose form, size, and installation largely correspond to a standard profile cylinder. The transponder-based approach was particularly attractive for:
- residential complexes
- companies
- master-key systems with dynamic authorization management
- users wanting electronic administration without complex infrastructure
Current locks of this type
The basic principle of Uhlmann’s development is widespread today and forms the basis of many modern mechatronic systems. Successors and further developments:
- CES OMEGA ACTIVE / ACTIVE 2
- EVVA AirKey and AirKey hybrid systems
- Winkhaus blueChip
- DormaKaba mechatronic cylinders
- eCLIQ / electronic CLIQ systems
- numerous modern transponder cylinders
The principle “transponder authorizes, mechanics lock” is still one of the dominant concepts in the electronic locking market.
Lockpicking
• Exploiting manufacturing tolerances
As in early mechatronic cylinders, tolerance variations existed: differences in transponder sensor range, minimal deviations in antenna position, slight variations in the coupling between electronics and mechanical core, tolerances within the mechanical pin mechanism (if used). These spreads could occasionally cause misreads, but rarely provided real manipulation leverage.
• Mechanical feedback
Due to the electronic release, without a valid transponder there is: no rotational feedback, no set point, no mechanical attack path. After successful release, the cylinder behaves like a normal mechanical core, but manipulation would then be irrelevant anyway.
• Wear in operation
Dual electronic + mechanical technology means dual wear: aging transponder contacts or antenna components, aging electronics, mechanical wear in the cylinder core, wear of the coupling mechanism. The crucial point: wear increases the risk of malfunctions, not of manipulation.
Risk/Security
Highest risk: Destructive attacks:
breaking hardware or door frame
angle grinder, crowbar, brute force
pulling or tearing off the entire cylinder body
Medium risk: Targeted partial destruction:
drilling the electronic modules
milling the cylinder
attacking the mechanical coupling after removing the cylinder head
short-circuiting or mechanically destroying the release unit
Low risk: Fine manipulation / electronic attacks:
transponder cloning (possible with older, unencrypted models)
replay attacks with simple protocols
signal disruption (e.g. shielding)
mechanical fine manipulation is useless as long as release is missing.
Insights
Günter Uhlmann’s electronic transponder cylinder from 1996 was a crucial step toward modern mechatronic cylinders. For the first time it compactly combined:
- electronic identification
- mechanical locking
- modular master-key capability
Its weaknesses lay less in the mechanics or electronics themselves and more in: destructive attacks on door/hardware, early unencrypted transponder technologies, and aging of electronic components. The basic principle lives on today in almost all modern access systems and forms the basis for many market-leading electronic cylinders.
Ludger Voss and Herbert Meyerle (1997)
Name: SimonsVoss System 3060 electronic cylinder
Inventor: In 1997, Ludger Voss and Herbert Meyerle developed the SimonsVoss System 3060, one of the first fully digital, battery-powered locking systems in the format of a profile cylinder. The innovation was significant because the lock: worked completely wirelessly, integrated the power supply via a battery in the knob, used an RFID or transponder key as the identification medium, released an electromechanical coupling after successful authorization, could be seamlessly integrated into digital access control systems. System 3060 was thus one of the first locking systems that could realistically be managed both offline and online – without cables, without motor cylinder, without external power supply. Its key features: digital authorization management, immediate blocking of lost keys, full logging (depending on model), very compact form factor, modular expandability for large master-key systems. The system quickly became the standard in the commercial and government sectors.
Current locks of this type
The SimonsVoss System 3060 is still one of the most successful digital locking systems worldwide. Current or modernized successors:
- SimonsVoss 3060 (various generations)
- SimonsVoss AX system
- digital SmartHandles
- integrated online and radio gateways
- access software “LDB / WaveNet / SmartIntego”
The functional principle – wireless, battery-powered, electronic cylinder – is now a global standard based on the 3060 architecture.
Lockpicking
• Exploiting manufacturing tolerances
System 3060 also shows typical production spreads: slightly varying range of the RFID antenna, tolerances in the position of the coupling mechanism, differences in spring and magnet mechanics in the knob, varying detection sensitivity in older transponders. These tolerances mainly cause misreads (e.g. key not recognized) – not security-relevant openings.
• Mechanical feedback
Since the cylinder remains mechanically blocked without electronic release, there is virtually no pick feedback: no set points, no plug play, no opening signal through torsion. The mechanics only work after electronic release, which makes classic manipulation practically irrelevant.
• Wear in operation
Wear mainly affects: battery contacts and electronics, the electromagnetic coupling, the mechanics of the knob control, the transponder key system in older variants. With wear, the likelihood of malfunctions increases rather than the chance of manipulation.
Risk/Security
Highest risk: Destructive attacks:
breaking hardware or door frame
mechanical force on the knob
angle grinder/chisel/striking tools
breaking out or fully pulling the cylinder
Medium risk: Targeted partial destruction:
drilling or destroying the knob electronics
milling the cylinder when there is no protective hardware
physical access to the coupling unit after hardware destruction
interrupting power supply by damaging the knob
Low risk: Fine manipulation / electronic attacks:
copying old, unencrypted transponder generations (mainly theoretical, practically rare)
replay attacks on very early models
interference signals to influence the reader (mostly ineffective)
classic picking methods completely irrelevant.
Insights
The SimonsVoss System 3060 was one of the most important developments in modern access control in 1997. Voss and Meyerle created a locking system that was:
- completely wireless
- battery powered
- digitally managed
- extremely resistant to manipulation
- mechanically more reliable than many predecessors
Weaknesses do not lie in the technology itself, but in:
- destructive attacks
- inadequate door or hardware security
- aging electronic components
System 3060 is still considered a milestone and forms the technical basis for both modern digital cylinder systems and smart-building architectures worldwide.
Kwikset (1998)
Name: Remote access lock system
Inventor: Kwikset, a U.S. manufacturer of door locks and security products. In 1998, Kwikset launched one of the first remote access lock systems – an early predecessor of modern smart locks. In contrast to classic mechanical or mechatronic cylinders, Kwikset relied for the first time on remote control and radio signals to lock or unlock doors. The system was based on: a wireless remote that sends an authorized signal by radio, an electric motor in the lock that moves the bolt, a control board that verifies the radio signal and releases the motor, an emergency mechanical function that could still be operated with a key. This design was a milestone because, for the first time, private homes were equipped with technical remote opening – long before smart-home solutions became widespread. Kwikset combined convenience (remote opening) with basic mechanical security.
Current locks of this type
Kwikset’s early remote access systems are considered direct predecessors of modern smart locks. Successors and further developments:
- Kwikset SmartCode series
- Kwikset Kevo (Bluetooth)
- Kwikset Halo (Wi-Fi)
- Z-Wave and ZigBee-compatible models
- modern motor locks with app and cloud integration
The 1998 remote access system was an important step toward today’s networked access solutions.
Lockpicking
• Exploiting manufacturing tolerances
Early radio-controlled locks had typical tolerances:
- varying radio sensitivity
- varying shielding effectiveness
- inaccuracies in motor positioning
- slight production deviations in the bolt mechanism
These deviations more often caused functional issues than opportunities for manipulation – they were rarely critical for security.
• Mechanical feedback
Because the bolt is moved electrically, classical manipulation signals are barely present:
- no useful plug play
- no set feedback like in pin systems
- only an audible motor sound when opening
Attackers could not derive coded information from this. Without an electronic signal, the lock remained mechanically blocked.
• Wear in operation
Typical wear points:
- motor bearings
- gear shafts
- battery and electronic contacts
- radio receiver module
With increasing age, malfunctions occurred more frequently, but the mechanics did not become easier to manipulate.
Risk/Security
Highest risk: Destructive attacks:
- forcing the door or frame
- angle grinders, crowbars, chisels
- breaking open or tearing out the motor block
Medium risk: Targeted partial destruction:
- opening the housing and manipulating the electronics
- short-circuiting the motor control
- milling the bolt area
- battery manipulation to disrupt the system
Low risk: Fine manipulation / radio attacks:
- replay attacks (possible on early, unencrypted radio systems)
- cloning simple radio remotes
- minor interference signal attacks
- classic picking attempts on the mechanical emergency cylinder (depending on model)
Insights
In 1998, Kwikset laid the foundation for modern smart-lock technology with its remote access lock system. For the first time, the locking process was controlled wirelessly, while a mechanical emergency opening remained available.
Strengths:
- high user convenience
- early form of wireless access control
- combination of electronics + mechanics
Weaknesses:
- early radio protocols partly unencrypted
- vulnerable to material attacks on motor/mechanics
- strongly dependent on electronic condition
Despite these limitations, Kwikset’s system was a technological pioneer and paved the way for the networked access solutions that are now widespread worldwide.
Winkhaus (1999)
Name: Winkhaus BlueChip locking system
Inventor: Winkhaus introduced the BlueChip system in 1999 – an electronic locking system based on contactless transponder technology that was compact enough to be integrated into a standard profile cylinder. BlueChip was one of the first mass-market electronic locking systems that could be operated completely offline, wirelessly, and without a motor cylinder. The system was based on:
- a contactless transponder that transmits its identity by radio
- an antenna and evaluation unit integrated in the cylinder
- an electromechanical coupling that is only released by a valid transponder
- a classic mechanical cylinder core that is operated normally after release
The special feature: BlueChip combined the flexibility of electronic authorizations with the reliability of mechanical cylinders and was significantly more robust than many earlier systems.
It was suitable for:
- small and large master-key systems
- residential complexes
- corporate and administrative buildings
- area access with changing authorizations
Current locks of this type
BlueChip was a cornerstone for many modern Winkhaus systems and is still in use in various evolved forms. Successors / modern product lines:
- Winkhaus BlueSmart
- Winkhaus BlueCompact
- further developed transponder cylinders in profile design
- hybrid offline/online locking systems via gateway integration
The “BlueChip principle” – transponder authorizes, coupling releases – remains one of the central access concepts at Winkhaus today.
Lockpicking
• Exploiting manufacturing tolerances
In the BlueChip system, small tolerance-related variations existed:
- transponder range
- antenna coil position
- small clearances in the electromechanical coupling
- different reaction times of the electronics
These variations rarely led to security-relevant effects – more often to recognition issues or delayed releases.
• Mechanical feedback
BlueChip completely blocked the cylinder core until a valid transponder was detected. This meant:
- no set points
- no plug-tilt play
- no classic pick feedback
Mechanical manipulation was therefore practically ineffective.
• Wear in operation
BlueChip showed typical dual-wear effects of electronic/mechanical hybrid cylinders:
- aging of contacts or coils
- worn coupling mechanics
- wear of the mechanical core
- battery wear in related system components (depending on version)
Wear increased susceptibility to faults rather than manipulability.
Risk/Security
Highest risk: Destructive attacks:
- forcing the door
- attacks on hardware or frame
- breaking out or pulling the cylinder
- use of angle grinder, chisel, or heavy tools
Medium risk: Targeted partial destruction:
- drilling the electronics front (possible in early models)
- removing the reader module
- milling the cylinder front without protective hardware
- forced access to the coupling after mechanical destruction
Low risk: Fine manipulation / electronic attacks:
- transponder cloning (theoretically possible on very early, simply coded BlueChip versions)
- replay attacks on early protocols
- interference attacks
- classic mechanical manipulation practically impossible
Insights
In 1999, Winkhaus BlueChip was one of the first truly practical electronic locking systems in profile cylinder format. It combined elegance, simplicity, and reliability and offered high resistance to manipulation alongside flexible management structures.
Its strengths:
- contactless transponder technology
- robust electromechanical coupling
- immediate blocking of lost transponders
- strong resistance to manipulation
Its weaknesses:
- as with all cylinders: attacks on door/hardware
- early electronic systems partly without strong cryptography
- material attacks still possible
BlueChip is one of the defining systems of modern electronic access control and was key for today’s Winkhaus product line.