Threat modelling case study: bicycles

August 2020

How to avoid buying your bike again every 6-12 months and tips for how to apply the same reasoning to other things, like computers

Some very commonly repeated advice on preventing someone from nicking your bike:

Buy a good [~10% of bicycle value] lock, ideally one with a high "SoldSecure" rating and lock your bicycle somewhere inside the rear triangle and the rear wheel.

I've seen this advice repeated in cycling magazines, in quality newspapers, sometimes even by the police and of course on internet forums.

The above would imply that if you own a £400 bicycle (a typical price in the UK) you'd buy a £40 lock and put it in the right place.

However, it is a cold fact that a cordless angle grinder can defeat any bicycle lock, no matter how expensive (see this video for a demonstration). You can buy a used cordless angle grinder on eBay for less than £100. Even U-locks - traditionally thought to be the strongest type of lock - are opened in seconds with a sub-£100 angle grinder.

There is other advice floating around of doubtful value, for example:

Add your bicycle to a national register

But cases where BikeRadar manage to reunite bicycles with their owners seem to be the exception rather than the rule. Probably this is because, as with cars, the first thing you do with a stolen bicycle is take it across a border to somewhere different.

Lock your bicycle inside a secure building or place, away from sight

This prevents opportunistic theft but if this space is shared with others (apartment blocks and offices) it in fact serves to increase the economies of scale for prepared thieves who break into your storage area late at night with a van. It's not uncommon for office bicycle stores (with many fancy, expensive bikes inside) to be emptied out completely overnight by professional thieves.

A threat model, by user persona

I think the advice above is poor because it doesn't come from a systematic consideration of the problem from the point of view of thieves.

To come up with better advice requires a threat model, which is a piece of jargon for taking a holistic view of the danger posed by attackers. I think one of the simplest and most straightforward ways to do threat modelling is by user persona, whereby you consider each kind of attacker in turn, making some reasonable assumptions about their level of motivation and methods.

As far as bicycle theft is concerned there are three basic types of thief.

"No-tools Nigel", the rank opportunist

Nigel has just his two hands and is simply looking for a ride home or maybe something he can sell to a friend for some quick cash.

Nigel will steal any unlocked bicycle.

Nigel is also able to take any bicycle parts that can be removed without tools. That means any quick-release wheels or thumbscrew saddles. In an urban area your parked bicycle may be passed by a Nigel as often as a few times an hour so anything that is not bolted down won't last very long.

"Rucksack Rupert", the thief with a few hand tools

Rupert has a small pair of shears; 4, 5 and 6mm Allen keys and a 15mm spanner for wheel nuts.

Rupert will make his way through cable locks with his shears. If there is a valuable part that can be removed with hand tools he will take it. He is particularly keen on premium saddles and name brand wheels.

"Powertool Percy", the professional with a complete set of tools

Percy has a small collection of electric and air tools including an angle grinder as well as bolt-cutters and an air-jack. He has access to criminal fences which he can use to sell stolen bicycles quickly. Percy often arrives in his van and this allows him to steal multiple bikes at once.

No bicycle is safe from Percy. No lock can hold against his angle grinder. Often he finds if he's wearing a hi-vis jacket he can even get away with using his power tools in broad daylight. He's willing to chance that if the bicycle seems valuable enough.

Coming up with better advice based on Nigel, Rupert and Percy

In order to keep your bicycle safe you need to take steps against all three levels of imaginary thieves.

"No-tools Nigel" will be warded off simply by:

• Locking your bicycle whenever you leave it - even if just for a minute
• Ensuring you leave nothing on your bicycle that can be removed without tools
  • replace quick-release wheel skewers with bolts
  • take your lights with you when you park in public
  • make sure your saddle is not on a thumbscrew

"Rucksack Rupert" will be deterred by:

• Not using a cable lock!
• Making sure that nothing good can be removed from your bicycle with hand tools
  • Lock both wheels and the frame to the bike stand - don't rely on bolts

"Powertool Percy" will be kept at bay by:

• Nothing, save ensuring that your bicycle doesn't look valuable enough to be worth his time
  • this probably means keeping its value down below a few hundred pounds

The virtue of the "bicycle shaped object"

Valuable bicycles (>£1000) have an extremely short half-life in urban areas. The sad truth is that the Percys of the world are common enough and resourceful enough that a bicycle worth over a thousand pounds isn't really safe anywhere in a large town. This includes most e-bikes. You might notice that cycle couriers who have e-bikes tend to eat lunch while looking directly at their locked e-bike, so that it never goes out of their sight. Few people in other lines of work can do the same.

If the tyres are inflated, my own commuter bicycle is probably worth £30 to the right buyer. My bicycle is so low-end that cycling snobs refer to it as a mere "bicycle shaped object". Rather selfishly I am glad that such snobs exist as having a lot of more valuable bicycles around provides me with good ambient security. No thief is going to bother cutting my locks when there is a Campagnolo on the next rack.

One father I know had his primary-school-age daughter "decorate" his commuting bicycle with girly stickers and pink glitter. If anyone examines his bicycle closely he looks like a complete loon but I think his motivation is right: it's going to be much less appealing to steal when it's covered in Miffy stickers.

Insurance - not usually worth it

What about bicycle insurance? It's fairly expensive here in the UK, usually 10-15% of the bicycle's value annually and insurers typically only pay out when the whole bicycle is taken (so if if your front wheel is nicked, you're on your own) and when you can demonstrate that it was locked to their standards. Often these standards require that it is locked up indoors which means you're chancing it whenever you park away from your home or office.

Lists of "best practices" vs having your own threat model

The same thing goes for securing your bicycle as for securing other things: pat, concrete pieces of security advice are something to treat with a bit of doubt.

In bicycles the common mantra is "spend 10% on a lock" but in computing the mantras are slogans such as "use a strong password", "back up your important data" or "use encryption" but these can all be just as vapid.

"Strong passwords!" as a slogan fails to address the fact that the average internet user has hundreds of logins for various sites (my own password manager has over 700 sites recorded). The majority of internet users decide on a single "strong password" and then use it everywhere. They are only a single bad sysadmin or javascript injection away from losing access to every account on every website they have.

Backing up your important data is only an aid to your security if the backup is stored as securely as the original. Much user data is stolen or exposed through poorly secured backups on shared fileservers. A huge number of people have passport and utility bill scans in their Dropbox - again, behind the same email and password they use everywhere. Companies can be surprisingly sloppy with backups too: often dumped into cloud storage somewhere once before the Big Migration and never removed.

Encryption is troublesome as it can give undue confidence that can backfire spectacularly: a quarter of a million American diplomatic cables were inadvertantly published in unredacted form when a Guardian journalist included the password for an widely-distributed encrypted file in his book. Apparently he thought the file's password was somehow temporary. It wasn't.

Instead of following such "best practices" it's much more intellectually robust to come up with your own threat model - then you can decide your own concrete steps instead of just following the security steps of others which might be inapplicable or even wrong.

Some hints on coming up with your own threat model

Most useful examples are simple for the purposes of illustration and that's true of bicycle anti-theft too. The main object as far keeping your bicycle on the rack is just to deter and prevent thieves. In other contexts you might also want to detect them, delay them, alert the relevant people and perhaps even respond somehow.

One distinct advantage of having an explicit threat model is that it keeps the security nihilism at bay. When discussing specific defenses there is a tendency to get lost in absurd what-ifs - things that would require levels of ability and determination out of all proportion when considered coldly in the context of your situation. Conversely you will rightly feel like a complete space cadet if you put "foreign intelligence services" on the threat model for a curtain retailer, and that keeps things a bit more rooted in the plausible (as opposed to the technically possible).

One big difference between bicycle security and most other things is that in bicycle security there is no fraud element. No one is going to try to persuade you to ride an imposter bicycle for their own profit. However, fraud should be a big part of most security thinking and a honest set of user personas for a real world computer system is likely going to include several different kinds of fraudsters - everything from customers who try to start the free trial anew each month to people who try to use your internal account credits to launder money. In computing, hackers are much discussed but fraudsters probably cause far and away more grief.

One thing I would love to try is treating the attacker user personas with the same primacy as those of the customer user personas - putting them on a wall in the office and having everyone conversant in their "needs". Sadly in many places, if there is a threat model, the circulation of it is kept very restricted. When I was working on an (otherwise well run) government system it took ages to get permission to see the threat model. Once I saw it, it made a bit of sense but it clearly had been created in isolation from people who understood the system. Depressingly, I think a secret and outdated threat model is only a bit less common in practice than having nothing at all.

Contact/etc

See also

• Sheldon Brown's lock strategy page is on the same subject and very influential. Despite that I think some of the advice is wrong:

  If you use both the U-lock and the cable lock, you are more than twice as safe as you would be with either of them alone. Either type of lock can be defeated, but each requires a different large, bulky tool which is useless against the other."

  In fact both can by cut by an angle grinder, which can be carried in a rucksack. At any rate the cable lock can be cut with a simple pair of shears which our "Rucksack Rupert" is carrying. You have an excellent chance of losing whatever a cable lock is securing - see the header image for an example of that.

• Ross Anderson's book Security Engineering. The user personas here are based on his coverage of threat modelling for physical protection (section 11.2.1 in my 2nd edition, 13.2.1 in the forthcoming 3rd edition. I really recommend this book. Although it is a absolute doorstop it is very readable and I learned a lot from it.

• The first of HMG's Government Design Principles broadly says to start with user needs and work from there. When threat modelling, a good starting point might be take your attackers "needs" and then instead of striving to 'surprise and delight' you instead strive to "bore and frustrate".