Knog Milkman bike combination lock security flaw


[Note: This issue has been fixed by Knog – see final paragraph.]

I have a Knog Milkman combination lock for my bike. It’s not supposed to be high security – it could be cut through very easily compared to a robust D lock. It’s for when you leave your bike outside a cafe and you’re inside, just a few seconds away, keeping an eye on it. The idea is to prevent opportunistic bike theft.

I like the design and manufacture of the lock, but have realized there’s a security flaw.

The numbers on the lock are just painted on and, unfortunately, the paint comes off very easily. I’ve taken it on rides maybe 10 times. I carry the lock in a rear jersey pocket, perhaps with a gel or a powerbar, but never with anything you’d consider abrasive. You can see the state of my lock in the photos above.

At first I thought the paint coming off was just an inconvenience, but then I realized it will also (typically) greatly reduce the lock’s security.

The problem is that after unlocking your bike you’re most likely to put the lock away as is. Because the position on the lock where you line up the correct numbers to unlock is at the lock’s widest point, it’s that row of numbers that gets its paint rubbed off fastest.

If you look at the above front and back photos of my lock, you can see what I mean. The numbers 8578 on one side have been completely obliterated and (adding 5 to each number) 3023 are greatly degraded on the other.

Because I always just put my lock straight back into my jersey pocket, that means that my combination is being rubbed off! It means that anyone wanting to open my lock would only have to look at 16 different combinations (3 or 8 at the first position, 0 or 5 at the second, 2 or 7 at the third, and 3 or 8 at the last). Sixteen combinations to try is a lot less than 10,000.

You can mitigate this situation by giving your lock a random twist before putting it in your jersey pocket. But then over time all the numbers will have their paint rubbed off. Or you could always set your lock to 0000 after unlocking, so just 0000 and 5555 would get rubbed off.
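To put numbers on the reasoning above, here is an added example (not part of the original post) that computes how many codes remain plausible once the worn rows are visible, for the "store it as unlocked" habit and for the "reset to 0000" habit. It assumes a simple wear model in which only the resting row and the row on the opposite face (each digit plus 5) lose paint; the function names and the code `4196` are constructed for illustration.

```python
from itertools import product
from math import log2

WHEELS, DIGITS = 4, 10
OPPOSITE = 5  # from the post: the reverse face shows each front digit plus 5 (mod 10)

def worn_digits(resting):
    """Per wheel, the two digits that lose paint when the lock is stored showing `resting`."""
    return [{int(d), (int(d) + OPPOSITE) % DIGITS} for d in resting]

def candidates(worn):
    """Every code that can be built from the worn digits, one digit per wheel."""
    return ["".join(map(str, c)) for c in product(*(sorted(w) for w in worn))]

def residual_keyspace(secret, resting):
    """Codes left to consider once the wear pattern is visible.

    If the worn rows contain the secret, only those candidates remain;
    otherwise the wear says nothing and the full keyspace is intact.
    """
    guesses = candidates(worn_digits(resting))
    return len(guesses) if secret in guesses else DIGITS ** WHEELS

def bits(keyspace):
    """Keyspace size expressed as bits of entropy."""
    return log2(keyspace)

if __name__ == "__main__":
    secret = "4196"  # constructed code for illustration
    habits = {"stored as unlocked": secret, "reset to 0000": "0000"}
    for name, resting in habits.items():
        n = residual_keyspace(secret, resting)
        print(f"{name:20s} {n:6d} codes  {bits(n):5.2f} bits")
    # Edge case: the reset habit does not help a code made only of 0s and 5s.
    print(residual_keyspace("0550", "0000"))
```

The last line shows the one caveat to the reset habit: a code built only from 0s and 5s still sits inside the worn rows, so it is worth avoiding such a code if you rely on resetting to 0000.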

Of course the best solution would be for Knog to improve the numbering so it doesn’t come off in the first place. I sent them a mail last week (via the form on their web site) to tell them of this issue, but they’ve not responded.

Update (June 22, 2016): Knog responded a day or two after I wrote the above. They asked for photos of the lock, and I pointed them to this page. I was a bit worried there might be a knee-jerk upset reaction because I’d posted images of the problem here, but there was nothing of the sort. Instead, I’m told the numbering issue has been fixed and they asked for my address to send me a new lock :-) Given how often companies react badly to things like this (even though this is a very minor issue, seeing as the lock isn’t supposed to be high security in the first place), it’s very nice to see a mature non-hysterical (or even legal) response. Thanks, Knog!

