The Lock-Picker, the Lockmaker, and the Odyssey to Expose a Major Security Flaw
Dominic Villeneuve figured out a simple way to bypass a widely used door lock, and he told the manufacturer how he did it. A year and a half later, he’s telling the world.
Early one morning in June 2020, Dominic Villeneuve woke up and went to his basement workshop to play with a new toy. A friend had given Villeneuve, the director of cybersecurity and infrastructure for a midsize insurance company in Drummondville, Quebec, a lock from a door in a building he was renovating. It was a good one: a Schlage CO-100 commercial-grade, keypad-operated deadbolt, which retails for about $400 and carries a Grade 1 security rating, the highest bestowed jointly by the American National Standards Institute and the Builders Hardware Manufacturers Association.
The locks on most homes are Grade 3, maybe 2. Grade 1 locks are tested to withstand, among other things, 1 million open-close cycles, eight blows starting at 80 joules (comparable to a jackhammer), and five minutes of grinding with a bolt saw. All of the CO-100’s electrical and mechanical parts are also certified by the Underwriters Laboratories for resistance to wear and tear, weather, and abuse. But Villeneuve knew he could unlock it without the keypad code. He knew he could beat it.