FBI Special Agent Wayne A. Barnes (Retired) worked Foreign Counter-Intelligence in the FBI in Washington, D.C. for many of his 29 year career. He was responsible for and handled the defection of many high-ranking Eastern Bloc Intelligence Officers, and debriefing them prior to their resettlement throughout the U.S.
As a result of several critical interviews of employee-applicants to the FBI who were interviewed by Barnes, the Personnel Security Interview format and protocol was developed and is in use by federal agencies since the 1980s.
Wayne Barnes was invited to lecture to the Florida International Bankers Association (FIBA) as a “Ted-X Talks” speaker in March, 2016. He spoke in detail about several cases which could have compromised internal security within the FBI if applicants had not been identified as potential spies.
Wayne Barnes now works as a private investigator for major corporate clients involving thefts, product counterfeiting, intellectual property infringement, insurance fraud, civil and criminal investigations, background investigations, and other major cases.
The SimpliSafe alarm package is a totally wireless system that can detect and transmit an intrusion, fire, or environmental alarm to a 24 hour monitoring center, via cellular connection. For many homeowners and renters, the system is all that is necessary to provide cost-effective detection and competes with the more expensive and traditional alarm reporting companies, such as ADT.
These are DIY systems and can be easily installed by consumers. However, in our view, they are not secure, and dependent upon perceived threats that may be present to homeowners. That means that if burglars are at all knowledgeable as to methods of system attacks, the hardware can be defeated and entry into a residence accomplished without tripping the alarm. Before buying such systems, homeowners should assess the potential for knowledgeable thieves to bypass their systems.
A communications gateway receives signals from all of the wireless trips within the system and then processes that information through the wireless keypad. If an alarm is detected, that will be instantly transmitted to the 24/7 monitoring center via a cellular broadband connection, using Verizon as a carrier. Phone lines can be used as a backup but are not necessary for the system to function.
The gateway also announces alarm status when placed in test mode, so the homeowner can verify that all trips are working properly. The system can be programmed, via the web interface, to send email or text messages for alarms and unusual occurrences, such as radio interference which could be affecting the proper operation of the system.
The gateway is battery backed up and will run for at least 24 hours in the event of a power failure.
The SimpliSafe system can be armed and disarmed with the provided key fob, as well as a panic alarm transmitted.
The SimpliSafe system is supplied with a variety of different alarm sensors. Shown is the entry level kit that was used for testing of the system for this report. It includes a wireless keypad, a motion sensor, a magnetic door trip, and a key fob combination on/off control and panic button. More expensive SimpliSafe systems contain smoke detectors, carbon monoxide detectors and other alarm sensors.
One or more motion sensors are supplied with all systems from SimpliSafe. Shown in the photographs is a standard sensor, and one that has been covered with a white mailing label. The effect of this action is to block any recognition of motion, thereby defeating the sensor completely. This means, for example, that a visitor to the home or business could unobtrusively place a piece of paper over the detector to defeat it later when the alarm is set.
The reason that the action of the sensor can be blocked results from the failure to incorporate anti-masking software or hardware so that the system can determine whether the infrared element within the motion sensor is obstructed. In the more sophisticated alarm systems, blocking of the sensor should not be possible. In our tests, we defeated the sensor with paper, and also by pointing it at a solid object such as a wall, in the case where, for example, the detector was simply placed on a shelf, rather than hard-mounted.
This fact was never detected by the system.
Magnetic trips are based upon simple reed switch technology, are not secure, and can be easily defeated by magnets, as shown in the video.
Kids and burglars have figured out how to circumvent the system by placing a small magnet next to the trip, which blocks the detection of the absence or the removal of the normal magnetic field that occurs when the door is opened.
Parents in Florida have found that after setting the alarm at night, their kids figured out the way to defeat the system and sneak out at night without setting off the alarm. Likewise, burglars can place very small magnets next to the door trip during business hours within a commercial facility, and then enter after hours. If no other detectors are in place for the protected area, then the door trips will not trigger an alarm.
The magnet that we used in the demonstration cost about $.25 at Home Depot. We placed it against the SimpliSafe trip with a piece of Scotch tape.
These photographs show the critical element in all non-high security magnetic trips: a reed switch. This is a sealed glass envelope that contains two metal leaves, spaced closely apart. They are normally biased by a magnetic field which causes them to touch each other and complete an electrical circuit. If the field is interrupted, the two leaves will separate and break the circuit, thereby triggering an alarm. We do not recommend the conventional reed switch magnetic trip for any significant security application because of the ease with which they can be defeated.
SECURITY VULNERABILITIES WITH WIRELESS SYSTEMS
Wireless systems like SimpliSafe and LaserShield can be easily defeated with an inexpensive transmitter, programmed to the operating frequency of the alarm system. If the transmitter is keyed, the receiver in the gateway unit will be blinded and will not detect any signal that is transmitted by the trips within the system.
In our tests of LaserShield and SimpliSafe, we were able to completely defeat these systems by keying a transmitter during our entry into the protected premises. In the case of SimpliSafe, the system detected the transmission after a predetermined period of time, which was easy for us to determined and defeat.
If the transmitter was keyed continually past this timing window that was set by SimpliSafe, a text message would be sent to the homeowner, advising of the detection of RF interference, and when such interference stopped. However, we could totally defeat this timing window and move through the protected premises without tripping any alarm, nor of the system ever knowing we were there. This is a fatal flaw within these types of systems, as shown in the accompanying video.
The security problem results from several factors, including a lack of “supervision” of the wireless trips. Normally, the trips communicate an alarm condition by a one-way transmission to the gateway. Presently, there is no method for the gateway to constantly interrogate all of the trips in the system to determine their operational status. When a radio signal is detected by the gateway, it will not see the transmissions from the individual trips, and thus, no alarm will be detected.
Compounding the problem: the operating frequencies of all of these wireless systems can be easily found on the FCC database on the Internet. It should be noted that even the latest home automation devices, also linked by wireless, can be defeated in similar fashion, or with radio jammers, which are illegal but are sold commercially.
In our view, all security systems should have hard-wired perimeter door trips which cannot be defeated by the transmission of radio frequency (RF) energy. Otherwise, these systems are vulnerable to attack. Unfortunately, even the largest alarm providers are using wireless because of the ease of installation. SimpliSafe has no way to integrate any hardwired trips, nor to connect to already installed alarm systems.
Unless the trips are two way and supervised, this is a prescription for insecurity. We tried contacting ADT repeatedly to discuss this matter, but they refused to return any calls.
When selecting an alarm system, it all comes down to what the consumer needs and expects with regard to an acceptable level of security. The SimpliSafe system is a good value to provide minimal protection for premises where wiring is impossible, and the homeowner wants some protection with minimal cost, without the necessity of contracts with an alarm company, and without the need for connection to a telephone line. SimpliSafe offers a viable solution, with several very clever enhancements, especially using their web interface. But all users must be aware of the potential security vulnerabilities that are inherent with such systems.
“Simply Safe” does not necessarily mean a high level of security. Clearly, the system is very simple and straightforward to install and operate. Each consumer must make a determination as to whether the methods of attack that we have demonstrated would be of concern. If they are not, then for many consumers, the system should provide adequate protection. The problem is that thieves may target premises protected with these kinds of wireless systems, especially when a homeowner advertises the use of an alarm by placing stickers on windows or doors or even in front of the residence, as shown in the photograph.
SimpliSafe alarm system normal setup
DETAILED REPORT ON THE INSECURITY OF GUN SAFES MADE BY LEADING U.S. MANUFACTURERS: STACK-ON, GUNVAULT, AND BULLDOG
See my corresponding article http://blogs.forbes.com/marcwebertobias
in Forbes that was published on Friday, July 27, 2012.
See the applicable disclaimers with regard to the information contained in this report at the end of the Alert.
This security alert provides detailed information about small gun safes that can be easily compromised. We conducted an analysis in our Security Lab of these containers. Some of these containers are utilized by law enforcement agencies. A PowerPoint presentation and video is available through the AFTE website for any agency, and was the subject of my presentation at the Annual Association of Firearms and Tool Marks Examiners conference in Buffalo, New York on June 28, 2012.
We provide information about some of the most popular gun safes that are produced by the leading manufacturers in the United States: Stack-On, GunVault, and Bulldog. We also looked at one of the small safes produced by AMSEC.
We tested safes from these companies to determine their vulnerability to simple, covert attacks. We did not test for forced entry techniques.
Every consumer that owns or is contemplating owning a small gun safe needs to understand that many of these containers are improperly designed, have little real security, and can often be opened in seconds with common implements such as paper clips, drinking straws, wires, and small pieces of brass. Some can also be dropped from a few inches onto a hard surface and opened because of the simple, cheap, and insecure mechanism that is used to block movement of the bolt work until the proper combination is entered.
All of these safes utilize electronic credentials to open them. While these manufacturers would like you to believe that the use of a keypad, push-button sequences, or fingerprint reader will somehow make their containers more secure, it is not accurate and everyone should understand it. It is merely for convenience.
What constitutes security in any container is the way the locking mechanism is designed to keep the container closed or to be opened. The problem is that none of these manufacturers seem to understand even the basics of security engineering and how to defeat their own products. In this report, we will provide detailed videos that demonstrate the problem for many safes that are sold by Walmart, Cabelas, Dicks Sporting Goods, Scheels,
In conjunction with our investigation we contacted and made available these videos to management at all of these companies. Only Walmart would even issue a statement, which essentially says â€œit is not our problemâ€ and we rely upon the manufacturer and the California DOJ standards.
The other companies, Cabelas, Scheels, and Dicks Sporting Goods had absolutely no response.
All of these companies continue to sell what we are claiming are dangerously security-defective products, but it evidently is all about money, not the safety and security of their customers that is of their primary concern. They have all been placed on notice of the defective security designs and all have chosen to ignore the evidence and instead rely upon what the manufacturer, Stack-On or others have represented to them.
Stack-On is headquartered in Illinois and by their own account, generate about $100,000,000 annually. They also indicated that they do not talk to the media, but they did issue a press release after I demonstrated opening four of their safes on KELO-TV in May, 2012.
Their Public Relations firm issued the following statement on behalf of their client:
â€œWhile Stack-On respects Mr. Tobias’s proven ability to pick the most complex of security locks, we strongly stand behind the safety of our products. Stack-On Personal Safes are certified by California Department of Justice (DOJ). This certification involves testing, by an independent laboratory approved by California DOJ, for compliance with adopted standards. We are proud of this designation and the protection we provide. In addition, our Portable Cases comply with TSA airline firearm guidelines.â€
Stack-On believes that their safes are secure. While their containers have been approved by California DOJ under their gun safety regulations, they are fully aware that the methods we demonstrated are not addressed in these standards, and thus the standards are not applicable. It is our opinion that Stack-On has chosen to continue to place every buyer of one of these safes at potential risk. Their safes are manufactured in China. While they may appear to be secure, they are not, as we demonstrate in multiple videos.
I spoke with their VP of Marketing, Steve Martin, in April, 2012. I asked to do an interview at their facility and was refused. When I advised him that we had tested several of their safes, he did not ask one question. I offered to send the links of the videos. He offered no response. The company has never followed-up with any inquiry.
Our opinion is that Stack-On should recall every safe that has security vulnerabilities and issue an alert to the public to warn every purchaser. They should also warn every vendor. To our knowledge, they have done neither. What they have done is to continue to sell what we allege are defective products to the public, knowing that many of these containers can be opened by kids.
I spoke with a spokesperson for Walmart and provided links to all videos. After two months, they finally issued the following statement:
â€œWalmart is committed to providing safe, quality products customers can rely on. After being made aware of your concerns, we reached out to the manufacturer of Stack-On products to discuss their compliance and quality programs. According to Stack-On, the product you mentioned is tested by a third party independent lab and those results are submitted to the California Department of Justice for certification as meeting their safety standards for this category of products.â€
It is also our opinion that Walmart is far more concerned about revenue than in protecting the safety and security of their customers, notwithstanding their claims to the contrary. According to their employees, the company has a security and safety testing team that analyzes products. That would indicated that they have the competence and skill to evaluate the claims that we made.
Walmart did not deny our allegations but rather are avoiding responsibility by hiding behind the representations of Stack-On. In our opinion, nobody should believe anything that Stack-On states with regard to the security of any of their products. It is very clear that Stack-On has no competence to design or test a container for security vulnerabilities.
While they may believe that they can avoid liability by claiming they meet the requirements of the California gun statutes, they may find that those standards offer no protection whatsoever. We believe they are producing dangerously defective containers that they are representing as secure for use by the consumer to store weapons. They are not secure, and nobody should rely upon them for any measure of security.
It is my opinion that any retailer, once on notice of the defects we have demonstrated, can and will be held liable if a customer purchases one of these containers and the result is that someone is hurt or killed.
We conducted undercover interviews at Cabelas and Scheels to document what their sales â€œexpertsâ€ were telling the public about these safes. It is precisely what you would expect: they are secure, kids cannot get into them, and you can safely store weapons in them without fear that they can be covertly compromised.
Unfortunately, each of these statements is false. The problem is that these sales personnel do not have a clue as to what is secure or is not. What they understand is profits and what sells, and it would appear that is all they care about, based upon the total lack of response from any of these companies to us.
While we only looked at about ten safes, we are quite sure there are dozens, if not hundreds of different models that are similarly insecure. Most of this junk is made in China and peddled by U.S companies. These safes are cheaply made, and the security engineering is essentially non-existent, as you will see in the videos and our detailed analysis.
As a result of another gun death involving a member of the Clark County Sheriffâ€™s Department in 2003, the Sheriff mandated that all deputies keep their weapons in designated Department safes at their homes. The Department, without any testing, initially purchased approximately 200 Stack-On Strong Boxes, shown in the video. It is clear that the CCSO relied upon the representations of Stack-On, and had no independent expertise to evaluate the security of these containers. It is incredible to us that the Department would entrust the lives of their officers and families to a container that reportedly cost $36.00 without any tests being conducted by the Department as to suitability, safety, or security.
Detective Ed Owens was a member of the Clark County Sheriffâ€™s Department since 2004. He was issued a Stack-On safe to store his weapons at home. On September 14, 2010 one of his four children was able to open the Stack-On Strong Box container that was located in the Master Bedroom. At about 9:50 P.M. three year old Ryan was shot and died four hours later.
We were asked by the Owens family and attorney to provide expert analysis of the suspect safe. We conducted an extensive analysis of a container from the same batch that was provided to the Clark County Sheriffâ€™s Office.
It is our opinion that these were defective containers, based upon the testing we performed and the videos we shot from inside the safe. The problem, quite simply, revolves around the solenoid mechanism that controls a locking pin. This pin when in its normal state blocks lateral movement of the bolts thereby preventing their retraction. When the correct code is entered, via the keypad, the blocking pin is retracted and the bolt can be turned to the unlocked position. The problem is the design of the solenoid and spring-biased locking pin. It can be bounced to allow the bolts to pass and leave the safe in an unlocked state. As demonstrated by the three year old in our video, this safe can then be opened by simply turning the knob.
As a result of testing this particular safe, we expanded our inquiry and tested virtually every Stack-On model of small safe. What we found was disturbing. Each could be opened in a variety of ways, as we demonstrate. We also tested similar containers from Bulldog and GunVault. We reached out to these companies as well, but they refused to return phone calls.
Any consumer that owns one of these containers should return it and ask for a model that has been fixed to made it secure, or demand a refund. In our view, no weapons or valuables should be stored in one of these containers.
We provide all of the video segments of our analysis as well as televised news reports and some of the undercover video that we obtained.
aired the accompanying story
Stack-On PC-650 Portable Case with Electronic Lock
Electronic lock allows for a 3 to 8 digit combination to be programmed into the case.
Includes a backup trouble key.
Slim line design of the case allows for storage in a briefcase, under the seat
of many cars and trucks. Foam padded bottom protects contents from scratching.
Meets TSA airline firearm guidelines.
Body is designed for safe to be secured with steel cable (1500 lb. test). Cable is included.
11â€ wide (27.9 cm)
8-1/4â€ deep (21 cm)
2-3/8â€ high (6 cm)
(dimensions include key pad)
Stack-On PDS-500 Drawer Safe with Electronic Lock
Tested and listed as a California DOJ Firearm Safety Device.
2 live action locking bolts and concealed hinges.
Fastening hardware is included with each safe.
11-13/16â€ wide (30 cm)
8-5/8â€ deep (22 cm)
4-3/8â€ high (11 cm)
Stack-On PS-5-B Drawer Safe with Biometric Lock,
Stack-On PS-7-B Extra Wide Safe with Biometric Lock and
Stack-On PS-10-B Personal Safe with Biometric Lock
Great security for pistols, ammo and valuables at home, on the road or in the office.
Tested and listed as California Department of Justice firearms safety devices that
conform to the requirements of California Penal Code Section 12088 and the regulations
Solid steel, pry resistant, plate steel doors, steel live action locking bolts and concealed
hinges provide greater security.
Biometric lock can be programmed to accept up to 32 different fingerprintsâ€“provides
greater security and quicker access to the safeâ€™s contents. Also includes an electronic
lock and hidden trouble key.
13-7/8â€ wide (35.2 cm)
11-1/2â€ deep (29.2 cm)
4-1/2â€ high (11.4 cm)
17-3/4â€ wide (45 cm)
14-1/4â€ deep (36.2 cm)
7-1/8â€ high (18 cm)
13-7/8â€ wide (35.2 cm)
9-7/8â€ deep (25 cm)
9-7/8â€ high (25 cm)
QAS-1200-B Quick Access Safe with Biometric Lock
Tested and listed as a California DOJ Firearm Safety Device.
Biometric Lock can accept 28 different fingerprints with back up trouble key.
Biometric reader is easy to use and program.
Biometric locks provide greater security â€“ no combinations to remember.
Holds standard sized pistols and other valuables.
Includes a removable shelf. Foam padded bottom and shelf.
Safe has pre-drilled holes for mounting to the floor, wall or a shelf.
Fastening hardware is included with each safe.
10â€ wide (31.1 cm)
12-1/4â€ deep (30.5 cm)
8-1/4â€ high (21 cm)
(dimensions include key pad)
Stack-On QAS-710 Drawer Safe with Motorized Electronic Lock
Tested and listed as a California DOJ Firearm Safety Device.
All steel construction and low profile design allows for storage in a drawer.
Lid pops up when the correct security code is entered for instant access.
Safe has pre-drilled holes for mounting in a drawer or on a shelf.
Fastening hardware is included with each safe.
10-1/4â€ wide (26 cm)
16-5/8â€ deep (42.2 cm)
3-1/2â€ high (9 cm)
Stack-On QAS-1000 Quick Access Drawer Safe with Electronic Lock
Tested and listed as a California DOJ Firearm Safety Device.
Electronic lock allows for a 3 to 8 digit combination to be programmed into the safe.
Includes a backup trouble key.
Drawer pops out when locking mechanism is released.
Ball bearing drawer slide allows the drawer to slide in and out without binding.
Holds standard sized pistol and valuables.
Foam padded bottom protects contents from scratching.
Body is designed for safe to be secured with steel cable (1500 lb. test) or can be
mounted to a shelf or floor.
Cable is secured when drawer is in place.
Cable is included.
10â€ wide (25.4 cm)
12-1/4â€ deep (31 cm)
4-5/8â€ high (11.6 cm)
(dimensions include key pad)
Stack-On QAS-1200 Quick Access Safe with Electronic Lock
Tested and listed as a California DOJ Firearm Safety Device.
Electronic lock allows for a 3 to 8 digit combination to be programmed into the safe.
Includes a backup trouble key.
Holds standard sized pistols and other valuables.
Includes a removable shelf.
Foam padded bottom and shelf.
Safe has pre-drilled holes for mounting to the floor,wall or a shelf.
Fastening hardware is included with each safe.
10â€ wide (25.4 cm)
12-1/4â€ deep (31 cm)
8-1/4â€ high (21 cm)
(dimensions include key pad)
GunVault MultiVault Standard GV 2000S
â€¢Protective foam-lined interior
â€¢ Extra storage capacity and removable interior shelf
â€¢ Tamper-resistant spring-loaded door
â€¢ 16-gauge steel housing
â€¢ Audio and LED low battery warning
â€¢Battery power provides portability
â€¢ Optional high-strength security cable secures GunVavult in a home, car, RV, office or hotel
â€¢ Mounts almost anywhere in any direction
â€¢Precise fittings are virtually impossible to pry open with hand tools
â€¢ Built-in computer blocks access after repeated invalid keypad entries (Digital models only)
â€¢ Tamper indicator alerts invalid entry attempts (Digital models only)
14″ X 10.1″ X 7.9″
Bulldog BD1500 Deluxe Digital Pistol Vault
Bulldog’s “Easy Guide” top pad features raised ribs that lead your fingers to the numbered buttons for quick and easy code entry. After 4 invalid keypad entries the electronics temporarily disable the control panel. In three minutes, the electronics automatically reset and will accept the valid code.
â€¢”Easy Guide” ribbed top pad for quick entry
â€¢”Smart Safe” technology remembers safe combination during power loss or while changing the
â€¢More than 1000 combinations available
â€¢Secure cylinder key override
â€¢Pre-drilled mounting holes
â€¢Pre-drilled holes for optional security cable
â€¢Deluxe foam interior with egg-crate bottom pad
â€¢Heavy-duty steel construction
â€¢Durable powder coated black matte finish
â€¢Mounting hardware included
â€¢Interior light when door is open
â€¢Spring loaded door for quick access
â€¢External power supply
11.5″ x 8″ x 5.5″ /4″
We tested safes produced by Stack-On, Bulldog, Amsec, and GunVault between February, 2012 and July, 2012. We tested a limited sample of each and produced videos of unaltered containers. A manufacturer may have updated or made changes to a design that would make more difficult or prevent us from opening that container in the method shown. The reader or consumer should replicate the methods shown for any particular container and run their own tests. We have no financial interest in any of the manufacturers that are detailed in this report. See the other http://in.security.org disclaimers contained on this website.
I interviewed Albert Chen at the Three-In_One factory in Taipei to discuss the different video borescopes that they produced. This company has developed technology to place a video chip in the tip of their line of scopes for crisp video. They produce a wide range of optical instruments for government, security, locksmith and automotive applications. I spent three days with the owners of the company and was shown their latest technology including wireless applications.
See my interview with cfh6W_Sh16Q.
A RESTRICTED VERSION OF THIS POST IS AVAILABLE TO LOCKSMITHS, SECURITY PROFESSIONALS, RISK MANAGERS, AND CLEARSTAR MEMBERS. THE LINK TO CLEARSTAR IS PROVIDED. IF YOU ARE A SECURITY PROFESSIONAL YOU MAY ALSO CONTACT THE AUTHOR FOR ACCESS AT email@example.com, or the webmaster at ClearStar for clearance.
This post is primarily for locksmiths and security managers of facilities that may have installed the KABA Simplex push-button locks. We will be releasing a second article shortly with regard to mechanical upgrades that KABA appears to have implemented to resolve the security issues that are documented in our video. Every facility that has installed these locks should be aware of the vulnerability and assess their risk and their potential damages.
I would like to address the recent class action lawsuit that has been filed in multiple jurisdictions against KABA-Ilco for the insecure, and I believe defective design of their Simplex push-button locks. This article will discuss the potential liability issues for locksmiths and for the lock manufacturing industry and the profound impact that this litigation may present in the future.
It is likely that millions of Simplex locks (Series 1000, 2000, 3000, 6000, 7000, 9000) have been sold to commercial, government and even residential venues throughout the world and have been an extremely popular push-button lock for at least thirty-five years. Unfortunately, they are, in my opinion, insecure, and demonstrate a critical problem within the lock industry which I have repeatedly addressed and labeled as insecurity engineering.
Our office has produced a detailed video which has been made available to locksmiths and security professionals. It shows the precise security vulnerability of these mechanisms. If you presently utilize these locks, you should view this material to asses your risk, or speak with your local locksmith who is familiar with the locks and their security vulnerability.
Our analysis conclusively demonstrates the vulnerability of locks that were manufactured prior to at least September 19, 2010, and also graphically illustrates what can go wrong when design engineers are not properly trained in bypass techniques, or they fail to use their imagination as to potential methods of entry. While KABA is not the only lock that can be opened with a magnetic field, they are surely the largest target for legal action.
In Locks, Safes, and Security and LSS+, I describe at least fifty methods of bypass, including the use of magnetic fields. Unfortunately most design engineers are clueless with regard to many of these techniques, which mean they are incapable of designing locks that are secure against this and other forms of attack.
This lack of knowledge has and will lead to liability and potentially significant if not catastrophic damages and will likely force some manufacturers out of business. In my view, the KABA lawsuit and what it portends may have a devastating impact on lock manufacturers and the entire industry.
If they do not pay close attention and take steps to insure that their products provide the security which they directly or impliedly represent and which their purchasers rely upon, they will likely find themselves as defendants in similar actions. Any lock manufacturer, foreign of domestic that sells their products within the United States market can be subject to liability.
Be assured that KABA will not be the first to be the target of such litigation. Our office has been investigating several seriously defective or deficient products and will likely be involved in actions in the future for similar design deficiencies that adversely impact security and place consumers at risk.
Several of our legal and consulting clients asked that our law firm set up a testing laboratory to find â€œreal worldâ€ vulnerabilities that UL, BHMA, VdS and other standards organizations and their laboratories either do not recognize or are not allowed to test for because of the way the standards are written. As a consequence, in 2009 we set up Security Laboratories to determine the vulnerability to covert and forced entry techniques of both mechanical and electronic locks. We established our lab through my law office to shield our clients from potential discovery of our test results in the event of litigation involving defective products that we may uncover.
As many of you know, I have been an outspoken critic of many lock manufacturers for their lack of competent security engineering skills, especially with regard to high security locks. All of our clients are vitally concerned about making secure products. They want to be certain their locks protect their customers and do not expose either the customer or manufacturer to liability claims, based upon defective or deficient engineering. We have secured several patents to remedy design problems and make the locks that are produced by our clients more secure.
Many of our clients have learned a very painful lesson about lock design: it is far less expensive to find and remedy design deficiencies before a product is released rather than doing it after the fact.
There has been much criticism of the stance I have taken as to my belief that not only should these engineering failures be documented, but the public, locksmiths, and security professionals should be made aware of the vulnerabilities. My rationale is simple: the possession of such knowledge allows them to properly assess and assume (or decline) the risks that may be inherent in utilizing a specific lock or piece of hardware.
Unfortunately, many lock manufacturers will not communicate known defects or vulnerability issues to their dealers or customers unless they are forced to do so. This, in my view, is a very unsound policy and will lead to legal liability and ultimately, potentially serious and damaging public relations problems. Security by Obscurity does not work. Failing to disclose vulnerability does not make it go away; it just places everyone that uses the product at risk when they are not aware of the vulnerability.
In those cases where manufacturers are ignorant of bypass techniques that can render their locks insecure, I believe they may still be held liable. Why? Because ignorance is no excuse, especially if commercial tools, YouTube videos, or lock picking web sites are discussing different techniques to open the locks. One of the first things we do in our lab is to determine if anyone else has figured out how to open locks that are produced by our clients. Often, there is a wealth of information.
My opinion is that any lock manufacturer that ignores such publicly available information is culpable. The problem is that many manufacturers release products, then essentially forget about them and fail to make changes based upon current bypass techniques. If a company represents in its current technical manuals and advertising that a lock is secure, I do not think it matters whether it is a new or old design. I believe this is why KABA will not prevail.
Everyone is aware that we wrote the book about how we cracked the Medeco high security cylinders. Medecoâ€™s response was to implement certain changes to counteract security vulnerabilities that we had discovered and exploited. This is precisely what is required of a manufacturer if they are to avoid liability and costly lawsuits. Other manufacturers, such as we disclosed at DefCon 18 last summer, chose to do nothing, or simply hide from their design defects.
I have always believed that full disclosure is the only viable policy, regardless of the possible consequences, and have so counseled my clients. Every lock manufacturer has, in my view, a special responsibility to its locksmith-dealers and to the end-users. Often, the locksmiths are left “twisting in the windâ€ by not being apprised of known or suspected security issues by the manufacturer. The lack of such information can adversely impact their customers and create an untenable legal and ethical position for the locksmith.
Perhaps the best example of a lock manufacturer taking responsibility for a deficient product is Schlage and their Kryptonite bike locks. When we made public the ball point pen attack in 2004, Schlage made the decision almost immediately to replace every lock, whether they were liable or not. That conduct should serve as a model to every other lock manufacturer. It cost them a great deal of money, but it was the right course of action and has ultimately paid dividends for them in terms of credibility with their customers.
The same course of action recently occurred in Europe by Uhlmann Zacher when their electronic cylinders were attacked with the magnetic ring that allowed them to be opened in seconds. They immediately shut down their production line, recalled all of the locks, and fixed them at no cost to their customers.
About six years ago, I wrote a detailed two-part article for ALOA Keynotes with regard to locksmith liability issues, after becoming involved in the exposure of the insecurity of master key systems in the New York Times. Little attention was paid to the issue at the time in regard to potential liability. The KABA lawsuit has brought the matter to the fore, and now every locksmith and manufacturer should be paying attention because of the potential liability issues involved.
As most of you know, in 2006, my associates and I went public with regard to lock bumping in the United States, and were soundly criticized by most locksmiths for doing so. ALOA in particular said we should not have told the public about the technique and that essentially, it was much ado about nothing. It had already been widely reported in Europe by Toool and others, and I felt the U.S. consumer should be aware of the threat because virtually every potential burglar already knew about it. The irony is that most locksmiths did not, even though many of them claimed otherwise. I thought that full disclosure should be the rule.
As a result of the exposure of lock bumping as a serious method of covert entry, the manufacturers have begun to address the problem, as have the standards organizations. I believe that the public benefited from the disclosure and is better off for it.
I sit on the UL Standards Technical Panel for locks and safes, and have the privilege to be part of the group that analyzes standards as they come up for periodic review. Both UL and BHMA are moving in the proper direction and are adopting bumping protocols. If you think that lock bumping was an insignificant issue, I would submit that we were able to bypass the most respected high security lock in the United States as a direct result of the re-emergence of lock bumping. I am sure you are all familiar with the Wired Magazine article (June, 2009).
ALL SECURITY IS ABOUT LIABILITY: THE KABA CLASS ACTION LAWSUIT
I am constantly asked â€œwhy is a lawyer picking locks?â€ The answer has always been simple for me to explain: All security is about liability. For many years, I have been cautioning about the nexus between security and liability and defective or insecure products. It would appear that now everyone is beginning to understand the connection. If a product is improperly designed and insecure and results in injury, loss, or other damages then the lock manufacturer will likely be held liable.
So, now we come to the crux of the matter: the KABA lawsuit.
In November, 2010, a class action lawsuit was filed by a number of plaintiffs against KABA-Ilco. The basis of the suit is the insecure engineering of the combination chamber that is the critical component within most of the Simplex push-button locks. Some locksmiths were apparently aware of this issue, but evidently nobody paid much attention to it until some very competent lawyers in New York were notified of the problem by their clients.
For everyone wondering if I am connected with this lawsuit, the answer is no. However, I have met with counsel in New York for the Plaintiffs. As a result, our office is working an independent investigation with regard to certain issues that have been raised in this litigation.
As a lawyer, it is my opinion that KABA is in serious trouble on two fronts. If the case is not dismissed based upon a motion for summary judgment for failure to state a legally actionable claim, then I would bet the case will be settled and will never see a courtroom. My opinion is that KABA will not risk a fifty million dollar verdict for what I perceive as their inept design and potential misrepresentation and false statements by their employees.
KABA, in my view, has not only manufactured and marketed a defective product, I believe they knew it or should have known it for quite some time.
As of two weeks ago, KABA technical support staff is continuing to state that this product is secure, and are assuring customers that the locks cannot be opened with magnets. Perhaps this is true for locks manufactured after September 19, 2010; perhaps it is not. The verdict is not in as of yet as to their “fix.”
My opinion: this is a lie, or at best a half-truth, and is liable to cost them dearly.
I find this particularly interesting in light of the Motion that KABA filed with regard to where this case should be heard. They stated that the design has been modified as of September 19, 2010, but there is no information to indicate that the problem has in fact been remedied. Further, one would assume that technical support staff would be warning customers to have their locksmith replace the critical parts, which may include the combination chamber and front housing with the upgraded version. Instead, the individuals I spoke with denied any knowledge of any specific vulnerability.
Perhaps even more troublesome: I spoke with five different major Simplex dealers across the United States to inquire as to the security of the Simplex locks. None of them were aware of the problem, and they stated that the locks were secure and could not be bypassed with magnets. None reported they had received any information from KABA, notwithstanding that KABA has stated they first learned of the problem in August of 2010. If you believe KABA, that means that at least five months have passed and they have not warned their dealers, at least not the ones I spoke with, about the insecurity of their locks. Evidently KABA subscribes to the theory of Security by Obscurity as well.
All but one of the dealers I spoke with was comfortable in recommending these locks for use, even in secure environments, boasting that â€œthe militaryâ€ uses them. Each of the dealers and locksmiths I spoke with were wrong, and could potentially be held liable for making such statements if a customer relied upon them and were subsequently injured.
DESIGN ISSUES THAT MAY GIVE RISE TO LIABILITY
There are four critical questions that must be answered in relation to the KABA lawsuit: (1) whether the design of the Simplex is defective, (2) if the company misrepresented the security of its product, (3) whether their design engineers, on a continuing basis, should have known or determined whether the lock was subject to a magnetic attack. Even more importantly, (4) did they have prior knowledge of the security vulnerability and failed to correct it and warn their thousands of customers?
The legal criteria with regard to the question of design defects or deficiencies in the security engineering of locking devices is really not settled and is dependent upon many factors. I think we can identify the two opposite ends of the liability-spectrum with regard to security engineering: clever design and clever exploits, versus stupid designs and simple attacks. My opinion is that the KABA Simplex fiasco falls within the second category.
A manufacturer is clearly not liable for a state-of-the-art attack which could not or should not have been foreseen when the lock was designed and first manufactured. A sophisticated decoding tool, for example, which requires a great deal of skill, expertise, and introduces new methods of bypass technique would not give rise to a cause of action.
An example is the John Falle shim-wire decoder that was introduced about twenty years ago to open high security pin tumbler locks. This was classified as a state-of-the-art attack and used a wire that was a few thousandths of an inch in diameter, delivered through a syringe-type tool to probe and measure the length of each bottom pin within the lock. It was only available to government agencies for many years. No manufacturer would have been deemed to be liable at the time if their locks were attacked in this manner.
A similar and more current and relevant example would be the picking and bumping techniques that we developed to open Medeco cylinders with code-setting keys. These state-of-the-art techniques would not give rise to liability upon the part of Medeco, because the manufacturer clearly could not have foreseen the attacks that we developed, even though the ultimate result constituted a relatively simple method to open many of their locks.
At the other end of the spectrum are attacks that require little to no skill or training, nor the use of sophisticated tools. To be blunt, these types of attacks are based upon stupid engineering by the manufacturer. The KABA attack, (and hundreds of others that we have documented in LSS+ and DAME), are neither sophisticated nor complicated, and certainly not state-of-the-art. In my view, reasonable design competence in security engineering would dictate that a properly educated engineer would understand the vulnerability and design around it. I think the KABA bypass is a classic example and failure in this regard.
Anyone familiar with magnetic attacks would recognize the threat and never use a ferrous material that could be influenced by a magnetic field for a critical component, as was done by KABA in their combination chamber. Reading their Motion, KABA is evidently claiming that a rare-earth magnet was “not commercially feasible” at the time the lock was developed, and thus constitutes a sophisticated or state-of-the-art attack. They further claim that these magnets, (which can be held in the palm of your hand), are not easily transportable, and may cause bodily injury when used. In addition, they represent that opening the Simplex by a magnetic field may be difficult and not a reliable technique, and may not even result in the lock being opened.
Frankly, this is all KABA-legal-mumbo-jumbo because they do not want to admit what everyone knows: the locks can be opened with a magnet because they were not properly designed.
This begs the question, because I believe that a manufacturer has a duty, especially if they are on notice of a technique to bypass the security of their locks (or other locks that may have similar components that control critical functions), to constantly update their current products to prevent or minimize such vulnerability. KABA evidently did neither. I would assume that the concept of magnetism was known to KABA at the time they developed the Simplex lock! Any contention that because rare-earth magnets were not available at the time of the initial design and therefore KABA is not liable is simply nonsense. I would be willing to bet that magnets that could open the locks were available or could have been constructed at the time these locks were first introduced and subsequently.
KABA also believes that all locks are subject to some form of bypass, whether by locksmiths or criminals, and that everyone has access to the same bypass tools so no manufacturer should be held liable for such acts of bypass.
This is a novel theory to be sure, but in my view, it denotes faulty logic. Locks are designed to be attacked and â€œscrewed withâ€ by a variety of techniques, including the use of strong magnets. Any manufacturer that does not understand this premise should not be in the business. The very nature of a lock is to keep bad guys out, and that is the entire theory underlying lock standards, such as UL 437 and ANSI/BHMA 156.5 and 156.30.
Even if you accept KABA’s argument, they fail to address the simplicity of the attack against the Simplex. This, in my view, is their real problem and they confirm the issue in their pleadings by stating that all locks are vulnerable, whether by an expert locksmith, or any thief, “even the most clumsy.”
Locks are security-rated in terms of time, tools, and training and whether specific bypass techniques are reliable and repeatable. We call it the 3T2R rule. They are designed to keep criminals out for a specific period of time and are measured against certain types of attack tools and techniques. Claiming that no liability accrues if a lock is opened with any but the correct key is ludicrous, arrogant, and connotes a total lack of understanding of security. KABA has lumped all locks and their bypass together and has conveniently omitted any mention of standards or the security of their products to resist such attacks.
While I agree that most locks can be opened by one or more techniques, the real questions are â€œhow long does it take, what kind of tools are required, and what is the required expertise?â€ This summarizes my 3T2R rule in a nutshell.
The magnetic attack on the Simplex fails on all three counts. Claiming that the use of a rare-earth magnet is a sophisticated, unknown, or “not commercially feasible” attack does not, in my view, pass muster either, because the magnets are readily available from several venues today, and have been for some time.
If KABA was correct in its assertion, then why bother spending any money for a more secure lock. Here is my suggested solution for KABA: let them place verbiage on every Simplex that states â€œWarning: this lock can be opened in two seconds with a strong magnet by an idiot!â€ How many locks do you think they will sell? The answer is zero!
A FALSE SENSE OF SECURITY
Many lock manufacturers have been getting away with selling seriously deficient or defective products for a long time, and have never been held accountable. Tool makers such as HPC, Lockmasters, Peterson, MBA and Wendt make their living, in large measure, because of incompetent or deficient security engineering by some lock manufacturers. Recent examples that we exposed at DefCon 18 last August underscore the severity of the problem: a consumer level â€œsafeâ€ which is really nothing more than a box with a cheap lock on it (which can be opened with the shim from a hanging file folder), a biometric fingerprint lock (which can be opened in one second with a paper clip), and another KABA product, the InSync, which can be opened with a piece of wire inserted through the USB data port.) Two other cylinders, (Kwikset Smartkey and Iloq) both seriously deficient, completed our presentation.
GENERAL LOCKSMITH LIABILITY
Many have asked if locksmiths that have sold these products can be held liable. The answer is not simple and depends upon whether the locksmith was aware of the defect and failed to warn their customers. However, before talking about the KABA Simplex case, there is a threshold issue that must be addressed, and that involves the locksmith holding himself or herself out as a security expert.
If, as a locksmith, you merely install a KABA Simplex or any other lock that is found to be insecure, deficient, or defective, then my opinion is that you have minimal or no liability whatsoever; it would ultimately fall upon the manufacturer. Most locksmiths do not have the skill, tools, or training to find significant design defects in the locks they sell. They rightfully rely upon the expertise of the manufacturer to produce secure products and their representations as to the security of their locks. Normally a locksmithâ€™s job is sales, installation, and maintenance of security products; not testing.
However, if you hold yourself out as an expert in security, recommend a specific lock as secure (either directly or by implication), and as a result the customer relies upon your representations and subsequently suffer a loss, you may be deemed liable.
Once you represent, either directly or by implication, that you have expertise in physical security and that your customers should rely upon your advice, then I believe you also have a duty to be aware of current methods of bypass for the locks you sell. You have a commensurate duty to warn your customers of such issues before they purchase the lock, or, for a reasonable period of time subsequent to the purchase and installation of such products. It is the ethical thing to do, will foster good customer relations, and should shield you from any liability.
LOCKSMITH LIABILITY AND THE KABA SIMPLEX
There are five specific and primary issues of concern: (1) what should locksmiths do now that they are aware of the defect, (2) are locksmiths on notice of the defect, (3) are locksmiths liable for products they have previously sold, (4) what should Simplex dealers tell their clients, and (5) do locksmiths have a duty to warn their present customers that have installed Simplex locks?
What should locksmiths do now that they are aware of the defect?
The answer is simple: advise every customer of the specific problem, so they and not you make the risk assessment and the determination as whether the locks should be replaced or upgraded. In my view, you should stop selling the locks until they are fixed and the manufacturer repairs or replaces every one of them that is in service. You should also demand that KABA upgrade all locks and compensate you for any expense incurred in connection with servicing your customers. If KABA is unwilling or unable to fix their locks, then you should require them to refund the purchase price of your entire inventory.
Are locksmiths on notice of the defect?
If you are reading this article, you are on notice! Further, if you are holding yourself out as a security consultant or expert, then you are presumed to know the current state of the art, which means you have â€œconstructive knowledgeâ€ as to the bypass technique. This means that either you knew directly or should have known.
Are locksmiths liable for products they have previously sold?
I do not believe so, unless you were specifically aware of the problem and failed to warn your customer.
What should dealers tell their clients?
You should tell them they are at risk, and apprise them of the specifics of the bypass, as shown in our video. You should also demand that KABA hold you harmless and agree to replace or upgrade every lock you have sold and that is subject to the design problem.
Do locksmiths have a duty to warn their present customers that have installed Simplex locks?
I believe you have an affirmative duty to warn. If you fail to do so, you may be held liable if they (your customers) suffer a loss based upon the bypass of these locks.
The obvious question as to the time period for which KABA could be liable is unclear. Locks that were sold several years ago may not be covered in this lawsuit unless it can be proved that KABA was aware of the problem and failed to warn their customers. If KABA does the right thing, they will replace or upgrade every lock that is at risk, just like Schlage did with the Kryptonite.
THE REAL PROBLEM: THE STANDARDS THAT MEASURE SECURITY AND THE TESTING LABS THAT CERTIFY THE LOCKS AS COMPLIANT
The KABA Simplex lock was evidently rated as Grade 1 security level by ANSI/BHMA at one time (156.20). Unfortunately, these standards, in my view, are woefully deficient in what they cover. They do not adequately protect the consumer. I have been meeting with BHMA for the past two years in an effort to get them to revise ANSI/BHMA 156.5 and 156.30 (the commercial and high security standards) so that they actually test for â€œreal worldâ€™ bypass techniques. The KABA case is typical and demonstrates the total failure of standards to determine or measure real security in locks.
In September, 2010, our office filed a very detailed complaint to BHMA, seeking to challenge the certification of the Kwikset Smartkey lock as non-compliant with the standards. This lock, also rated as Grade 1 security, as many of you know can be opened in fifteen seconds with little more than a small screwdriver. I think it is junk security, and I have publicly said so on many occasions. Just about every locksmith in the country knows the Kwikset story. Now, KABA Simplex can be placed in the same class with regard to security, or perhaps it is even worse and more insecure, (at least until secure upgrades are in place to prevent the magnetic attack). At least the Kwikset Smartkey is bump and pick resistant and is not affected by a magnetic field!
In citing these examples, the significant issue is the failure of BHMA, UL and other organizations to protect the public by adopting standards that actually mean something. Presently, many forms of bypass are not in the standards which mean the labs are not testing for them. The result: locks that the public believe to be secure are not. The problem is compounded by what we see as incompetence upon the part of some laboratories to find vulnerabilities.
In my view, the consumer should not rely upon either the standards or the results that are certified by these testing labs with regard to methods of covert and forced entry until the standards are written in such a way as to specify real-world attacks. Testing labs should understand that they may share in liability for defective or deficient products which they certify as compliant and which are not.
On January 24, 2010 I met with BHMA to discuss the current situation with regard to the standards and why they should be upgraded. I suggested that an expedited procedure be adopted by BHMA to address security issues such as KABA, Kwikset and other companies, where locks are certified as compliant with Grade 1 standards but are clearly not secure. I was assured that the issue is now being considered in an effort to further protect the public.
I suspect that the KABA lawsuit will be the first of many to be filed and will set a new standard for security engineering within the industry. Any manufacturer, large or small, that fails to grasp the nexus between liability and security engineering will be subject to potentially lethal lawsuits which ultimately may force them out of business.
If you are a manufacturer, it will be incumbent upon you to understand different methods of bypass that are not covered in the standards, and to guard against them. You must develop the expertise to design secure locks. As I meet with engineers throughout the world at different manufacturing facilities, I am constantly amazed at their lack of knowledge with regard to security engineering, and more importantly their potential exposure to liability for such deficiencies.
While most engineers are competent to make mechanical locks function properly, few understand how to circumvent their security. The premise is simple: you cannot design secure locks unless you understand the methods to break them. Most manufacturers only have a cursory familiarity with the latter.
As a manufacturer you may claim that you rely upon the standards and are compliant with them. Such an argument may not shield you from liability, however. If your lock can be opened in fifteen seconds by a kid, I think you will be deemed to be liable. More importantly, if members of a jury can open your locks in seconds, it is over! End of story.
If you are on notice of a significant vulnerability and fail to act upon it, both in terms of design changes and notification to critical customers, you may suffer the consequences. That means that if there are tools on the market to open your locks, or verifiable accurate YouTube or web videos that illustrate how to break them, then you have a problem. I can assure you that the legal community will take note, and where appropriate, pursue such design issues in expensive lawsuits.
KABA has stated that modifications were completed on or about September 19, 2010 in order to minimize the security vulnerability to the Simplex. However, this does not mean that locks which were purchased after that date are in fact secure. This is because old stock may still be sold by dealers. You should determine whether any locks that were purchased after that date have been modified to thwart the threat from strong magnetic fields.
Our investigation into this matter is continuing and we will have a technical update shortly.
If you have specific questions or relevant information regarding Simplex locks, please feel free to contact me at firstname.lastname@example.org, or at Investigative Law Offices, 1.605.334.1155.
Please note that I am not offering legal advice to any specific locksmith in this article, unless I am specifically asked to do so. You should seek the advice of your own counsel with regard to the issues I address in this article. All opinions are those of the author.
DefCon is the largest hacking/security conference of its kind in the world. For the past six years, our research team has demonstrated vulnerabilities in both high security and conventional locks. This year our team (Marc Tobias, Tobias Bluzmanis, Matt Fiddler) selected five different locking mechanisms that are popular in the consumer sector. We chose a broad cross-section: conventional programmable mechanical lock, electronic “safe”, biometric fingerprint lock, RFID-based deadbolt, and a very sophisticated electro-mechanical lock that requires no batteries in either the lock or key. Three of these locks are imports: two from China, and one from Finland. Notably, the locks from China (BioLock and Amsec), are both sold in the United States, and are prime examples of insecurity engineering at its best. They denote a total lack of competence in design, often typical of the cheap products that are being imported from China. More about this later, but suffice it to say, these are prime examples to support the premise: there are no shortcuts to quality and security.
Three of the five companies refused to comment or return phone calls to Wired. Kwikset and Iloq did make statements, both of which, in my view, were inaccurate or misleading, or demonstrated a basic misunderstanding of their products with regard to security. On previous occasions I had attempted to speak with General Counsel for Kwikset and their VP of Engineering in order to disclose security vulnerabilities. They likewise refused to return phone calls.
None of these locks can be considered as high security, but Kwikset, which sells millions of cylinders a year in the U.S., and has incredible market presence, has a grade 1 security rating for its model 980/985 deadbolt, which we selected to analyze. I have attacked Kwikset for several years because of their poor quality and security. In fact, in 2006, the company flew me out to their corporate facility in California for a pre-release briefing of their Smartkey, after eleven-year old JennaLynn bumped open their locks at DefCon. The irony was that senior engineering and management at Kwikset told me that they were not even aware of bumping, except for what they had seen on the Internet! The Smartkey was not designed to be bump-resistant.
At that meeting, I voiced my opinion that the company was selling junk locks. Their reply was “yes, we know, but we make 20-25 million of them a year.” In my view, nothing much has changed in the past four years, other than their locks are mechanically reprogrammable. Clever, yes. Convenient, yes. Secure and maintenance-free, no.
FALSE SENSE OF SECURITY
Each of the five companies represents their products as secure. This creates a false sense of security in the buying public. In the case of Kwikset, in my view they are perhaps the worst offender because of their market penetration. But the problem and responsibility is shared equally with the standards organization that rates their locks, and specifically with BHMA. I have had many discussions with regard to this issue during the past three years with their executive director in an attempt to modify the standards so they actually mean something. I think we are making progress, but because of the inherent way in which standards are adopted, it is a slow process.
The standards do not adequately address simple methods of bypass. The result is that locks are sold that the consumer relies upon as being secure; and yet they are not. Many of the bypass techniques that we utilize are not even included within the standard. Some companies hide behind the standards, stating that their locks “meet or exceed” them, knowing those same locks can be bypassed by methods not enumerated in the standards they are citing. I would submit that whether a lock is certified under an applicable standard or not has nothing do with the its real security if it can be bypassed in seconds. In such a case, any such statements are illusory and mean nothing with regard to protection of the end-user.
WHAT NEEDS TO BE DONE
There is no substitute for competent security engineering. Unfortunately, some locks are expensive and not secure, but generally, you get what you pay for. I think the critical issue for the consumer to understand is that cheap locks are inherently not secure. In 2006 Kwikset told me their smartkey cylinder would cost them about two dollars to produce. In my view, they are of poor quality, and just about every locksmith in the country knows it. Clever options like being programmable are extremely convenient for the consumer, but unless executed properly, can reduce the overall security of the lock.
Granted, some consumers cannot afford better locks, (or those that carry a high security rating), but at least they should know what they are buying and not be misled by untrue or misleading claims of manufacturers. Kwikset has been aware of the vulnerabilities in their locks, and specifically that they can be opened in seconds with a specially modified key and the application of sufficient torque. They have made changes to prevent this bypass technique, but the locks can still be opened, and they know it. Yet, their employees continue to mislead the public into believing that their deadbolts can only be opened by drilling, breaking the door down, or breaking the door frame. This is simply not true. They continue to focus on their Grade 1 rating. Yes, they are certified, but we do not think they will pass in a re-certification test.
We are filing a challenge with BHMA to ask for a retest, because in my view, the Smartkey deadbolt will not pass, based upon two sections of the BHMA/ANSI 156.5 standard: Sections 12.1 and 12.5.2.
Section 12.1 requires that the cylinder be of the pin tumbler design. The Smartkey is not; it uses tiny sliders, as shown in the photograph below. While they may control a sidebar for locking, which generally is more secure, the sliders themselves are not, and never will be as strong as pin tumblers. The BHMA standard excepts locks that are more secure than pin tumbler designs. In my view, the Smartkey is not, and Kwikset knows it. And they cannot use the fact that they are bump-proof, either, because bumping is not in the standard. Yes, they are pick resistant, but we have picked them as well.
The point is that the locks are not physically secure and can be easily compromised. BHMA should not be certifying a deadbolt Grade 1 cylinder that can be opened in thirty seconds. Further, Kwikset should be forced to place a warning on their packaging denoting this fact to the buyer. If they did, I am quite certain that few persons would choose them for protection.
Section 12.5.2 requires that the plug can withstand a minimum of 300 foot-pounds of torque without turning, or that it cannot be turned by manipulation. We do not believe that the Kwikset Smartkey 980/985 deadbolt can meet this requirement either. To open the lock, we are inserting a portion of a key, cut to specific depths, and applying torque. This procedure, we believe, meets the definition of “manipulation”in the standard.
RE-WRITE THE STANDARDS AND MAKE THEM REFLECT “REAL-WORLD” ATTACKS
Include real-world testing procedures that are not presently incorporated within the standards. This will insure that what the manufacturer represents as secure actually is.
START TELLING THE TRUTH TO CONSUMERS AND WARM THEM OF KNOWN VULNERABILITIES
I am quite certain that if Kwikset and all of the other manufacturers that were shown at DefCon 18 were to place warnings on their packaging that their locks could be compromised in seconds, nobody would buy them. After watching the videos, would YOU buy any of these locks? Not likely. And that is precisely the point. If a manufacturer is going to produce inferior quality locks, then warn the public, so that they have the information to make an informed decision as to security.
HIRE ENGINEERS THAT UNDERSTAND SECURITY ENGINEERING, NOT JUST MECHANICAL ENGINEERING
In my experience, many manufacturers have no idea how to open their own locks. While their engineers are quite competent to make things work properly, they have little understanding of bypass techniques. And this is precisely the problem. It is a simple principle: you cannot properly design a lock if you do not have a thorough understanding of the methods to break it.
STOP PLACING PROFIT AHEAD OF SECURITY
For a manufacturer, security can be very expensive. Materials, high tolerance, production controls, and competent engineering all come at a price. If a company is to represent their products as secure, then the company has a duty to make sure they in fact are. Many place profit well ahead of security, leaving consumers at potential risk.
VENDORS SHOULD SEND A MESSAGE TO LOCK MANUFACTURERS THAT THEY WILL NOT BUY (OR SELL) PRODUCTS WITH SHODDY QUALITY OR POOR ENGINEERING
Brickhouse Security is the leading vendor of surveillance and security-related hardware to law enforcement and corporate facilities in the U.S. When we notified them of the problems with the BioLock, they took action, as noted in their press release. Notwithstanding that the manufacturer, BioLock refused to accept any responsibility whatsoever for their defective product, Brickhouse has set the standard for vendors in the security hardware sector. Hopefully, others will follow. It is only when the manufacturers get a clear message from vendors that they will not sell their junk, that they will be forced to engineer their products properly and take responsibility for what they make.
LOCKS, LIES, AND VIDEOTAPE
Photographs and comments below.
KWIKSET SMARTKEY DEADBOLT OPENED WITH A SCREWDRIVER
Kwikset represents that the Smartkey Model 980 Grade 1 deadbolt is the highest grade of residential security available. This is not, in my view, an accurate statement at all, except perhaps for Kwikset products. it is, in my opinion, misleading, and Kwikset knows it. Such statements are being made by their customer service representatives and in their advertising. If in fact this is the best the consumer can buy, and can be opened in thirty seconds or less, then what does a Grade 2 or Grade 3 rating denote in Kwikset’s world? Ten seconds to open? Perhaps both Kwikset and BHMA would like to answer that question!
In my view, the critical security vulnerability in the Kwikset Smartkey are the sliders that control the sidebar. They will never be as secure as brass or nickel-silver pin tumblers, even though they tout sidebar security. They can be easily warped, which in my view is the fatal defect in this lock. The macro photograph shows a normal slider (left) and one that has been warped by the application of torque from a 3.5″ screwdriver blade inserted into the keyway and turned with a small vice grip.
OPENING THE KWIKSET SMARTKEY
Kwikset has been aware, for quite some time, that Major Manufacturing has been producing a locksmith tool to open their locks by applying torque with a key blade cut to specific depths. Kwikset has made changes in an attempt to fix this problem, but not very successfully. Yet their representatives continue to state that the only way to open the lock is to drill it. In our tests, we chose to utilize a cut blank key, a screwdriver, and a small vice grip to demonstrate the insecurity of this lock. In their statement to Wired, it would appear that the Kwikset spokesman tried to give the impression they were not aware of this problem. Maybe the spokesman was not, but the engineering division of Kwikset has known about the issue for quite some time.
BIOLOCK is a company based in China, with an office in Los Angeles. They produce a line of biometric locks, including the Model 333, which we tested, and which Brickhouse Security carried until last week.
This very professional-looking fingerprint lock has a bypass cylinder which provides its fatal flaw in its security. As shown in the video and photograph, the locking system can be bypassed within seconds with a piece of wire or paperclip. The design of this lock is completely incompetent and denotes a total disregard and understanding of security issues in lock design.
AMSEC CONSUMER-LEVEL ELECTRONIC SAFE, MODEL ES1014
AMSEC is a quality safe manufacturer in California, who would, in my opinion, never knowingly market a product with the design defect we demonstrated. Their customer service representatives told me that this safe was a Chinese import and that AMSEC did not test it. That is unfortunate for the consumer who has purchased these. And, just to be clear, we think that to represent this as a “safe” is misleading to the consumer. It is not a safe; it is a container with a lock.
A flat piece of metal from a hanging file folder is bent and inserted through the top of the door. It is used to make contact with the reset switch to allow the combination to be reset. This is an incredibly inept design.
KABA IN-SYNC LOCK
The Kaba In-Sync is a RFID-based cylinder that is popular for use on military bases, apartment houses, churches and other commercial facilities. Incredibly, the design engineers that are responsible for the security of this device did not understand that a wire could be inserted next to the USB communications port to access the locking pin that provides the security for this lock. We had contacted the lead engineer for Saflok almost a year ago, and then last month to discuss this issue. No response.
ILOQ ELECTROMECHANICAL LOCK
The Iloq is an award-winning electromechanical lock that does not use any batteries, but rather generates the needed current through the use of a motor to perform two functions: power generation, and turning a gear to control the primary locking element. These locks are extremely popular in Finland and other Scandinavian countries.
As we note in the video, there are four operating stages for the Iloq. The critical failure of this lock is the ability to circumvent the mechanical re-locking feature. Once this is accomplished, the electronic credentials are neutralized and the Iloq becomes a one-pin conventional lock, which in my view is less secure than the Egyptian pin tumbler lock of 4000 years ago. A senior representative of the company told me that Iloq had made certain changes to prevent our methods of bypass, and that those locks will be available within a couple of months. This is an extremely responsible company who clearly should have understood the ramifications of their design failure, from the security perspective.
ILOQ KEY TIP MODIFICATION
There are two ways to circumvent the security of this lock: one through an internal attack, and one by externally modifying the actuating lever just inside the keyway. The photographs show the very minimal material removal from the key tip to set this lock so that it can be opened by any other key or even a screwdriver.
MODIFICATION OF THE ACTUATING LEVER AT THE FRONT OF THE KEYWAY
The actuating lever can also be modified by removing an equivalent amount of material, about 1/32″. When this occurs, the lock is set and can be opened by any key, simulated key, or screwdriver. Note the small amount of lever material (circled in red) that has been removed. This can be accomplished rapidly and will result in the lock being permanently set, requiring only a mechanical key to open.
The new Assa Solo was recently introduced in Europe and we believe is the latest Cliq design. We were provided with samples and were able to show a reporter for Wired’s Threat Level how to completely circumvent the electronic credentials in less than thirty seconds, which she easily accomplished. This is the latest and most current example of a failure in security engineering at Assa. The photograph has been edited to prevent visual decoding of the bitting in order to protect the dealer who supplied the lock to us.
We believe there are multiple failures in security engineering by some of the worldâ€™s most respected lock manufacturers in conjunction with the deployment of the technology that involve electro-mechanical locks. Potential security vulnerabilities in these locks should cause every security officer and risk assessment team to re-evaluate individual facilities to determine their risk in the event of compromise and their inability to meet certain statutory requirements, such as Sarbanes Oxley or HIPAA.
In response to demonstrations and our disclosures about the bypass of Assa Cliq locks at Defcon 17, the product development manager of Assa in the U.S. told Wired Magazine that â€œFrom what I know of the CLIQ technology it canâ€™t be done,â€ … â€œAnd until Iâ€™ve seen it done, it canâ€™t be done.â€
We believe this statement typifies precisely the problem at Assa Abloy companies: a failure of imagination. It prompted our research and subsequent discovery of multiple vulnerabilities in Cliq, Logic, and NexGen locks. It is this attitude that will continue to allow us to break locks that are represented as the ultimate in security by these companies, and which often provide a false sense of security to the locksmiths and customers that rely upon these products.
Security is ultimately about liability, and such liability is about competent security engineering of locks by their designers. Lock manufacturers are very proficient at making locks work properly. That is what we refer to as mechanical engineering. Unfortunately, the engineering groups for some of the worldâ€™s most respected companies may not, in our opinion, have the requisite skills when it comes to security engineering (the design of locks and associated hardware to protect against different methods of bypass). In other words, sometimes they cannot figure out how to open their own locks without the correct key. This is a familiar theme that we have addressed previously, especially with regard to Medeco.
If these companies dispute our contention and claim that they in fact do have the experience in security engineering, then let them explain publicly how their locks can be opened with paper clips, wires, magnets, shock, vibration, and relatively simple tools. Did they design the locks with these attacks in mind, or do they simply not understand them? Either way, we think such lapses in security engineering are inexcusable, demonstrate incompetence, and should subject these companies to liability if they will not voluntarily and retroactively remedy such problems.
DefCon 17 was held in Las Vegas the first week in August. It is the largest security and hacking conference of its kind in the world. While some locksmiths still believe it is simply a gathering of criminals and, as ALOA has labeled its attendees as â€œpersons of questionable characterâ€ such descriptions are inaccurate and ill-informed. In fact, the vast majority of participants are professional information technology and security specialists, government agents, law enforcement, and investigative teams. It is the best place to learn about the latest vulnerabilities in cyber systems and security hardware, including locks, and to network with other security professionals.
The world of physical security is rapidly changing and will be dominated by Information Security professionals because of the integration of electro-mechanical and electronic locking systems into an overall security plan, controlled by computer servers and multiple systems. If locksmiths do not become educated in both cyber and physical vulnerabilities, they will soon find themselves relegated to repairing mechanical systems, with an adverse impact on their revenue.
Since 2003, we have presented detailed information each year at DefCon about some aspect of locks and physical security. 2009 was no exception. Tobias Bluzmanis and myself (Matt Fiddler was taken ill just before the conference and could not attend) offered a detailed powerpoint presentation regarding electronic access control systems. More specifically, we examined the Assa Abloy Cliq electro-mechanical locking technology and what we perceive as serious security engineering flaws in many of the locks that are produced by AA companies, including those of Medeco, Mul-T-Lock, Ikon, and Assa.
We also think it is time to set the record straight and speak out against what, in our opinion, we believe constitutes various grades of deficient, negligent, defective, or just plain incompetent security engineering with regard to some of these products, and the legal and security ramifications of such designs. We also want to clear the air about why we have refused to provide any information to any Assa Abloy company regarding our findings.
Background: 2007-2008 Research
During the past year, our team (myself, Tobias Bluzmanis, and Matthew Fiddler) have chosen to concentrate on an intensive research program that begun after our book on Medeco was released in July, 2008. We focused on electro-mechanical locks. That is because Medeco and other AA companies are attempting to move their customers to this newer, more sophisticated, and vastly more expensive technology. So, we thought we would take an in-depth look at this new technology to see just how secure, or insecure it really was.
Mechanical v. Security Engineering
We draw a distinction between mechanical and security engineering. Lock designs must incorporate both mechanical and security engineering. One without the other is dangerous, especially for high security locks and more to the point, electro-mechanical locks.
We have no qualms with the mechanical engineering of any of these locks. They all work, and they work well from an operational standpoint. Mechanical engineers go to school to learn how to make things work. Unfortunately, in my experience, most do not have a clue about security and how to break things, nor about even rudimentary rules of security design. I would urge any design engineer to read Ross Andersonâ€™s book entitled â€œSecurity Engineering.â€ It is the classic text, in its second edition, with regard to systems design, and what can and WILL inevitably go wrong. Its lessons, although primarily focused on the cyber world, are equally applicable to physical hardware design, and especially the integration, which is occurring at an accelerated pace, of hardware and software for security solutions in locking and access control systems.
Our latest research, disclosed at DefCon 17, has yielded surprising results which document and spotlight what we feel are incredible lapses in security engineering. We believe that the design engineers at the Assa Abloy companies who have produced locks that we have evaluated either do not consider the vulnerabilities we identify as significant, or they have no idea what they are or their impact. The legal and ethical question is: to what extent is a company liable to the dealer or consumer for design deficiencies or defects that relate solely to security? This is a complex question, because mechanical and security engineering intersect in the finished product. Is a lock defective if it can be bypassed easily with simple techniques or tools? We believe the answer is yes. Should the manufacturer be liable for such lapses in security engineering? We also believe the answer is yes.
The affected lock manufacturers, which include Medeco, Mul-T-Lock, Assa, Ikon, and possibly some or all of the other Assa Abloy companies, as evidenced by the correspondence from their General Counsel in the United States, seem to believe that virtually all security defects occur because of the continuing â€œsecurity warsâ€ as I call it, between manufacturers, criminals, hackers, locksmiths and others. So, as the logic continues, the manufacturer will, in time, cure the defect, but has no duty to retroactively fix anything they have already sold. At least, that is my understanding of their position, as repeated in several letters from Medeco, Mul-t-Lock, and Assa Abloy during the past year.
If we can follow their rationale, they believe that security engineering defects occur in the normal course of lock design and development, and that state-of-the-art attacks will be dealt with when they occur, and cannot be anticipated in advance. In the main, I cannot disagree with this logic at all, either from an engineering or legal perspective. What we do disagree with is the notion that a foreseeable security design defect or deficiency that should have been anticipated by those responsible for conceiving of and producing these locks should be treated in the same fashion. Such defects are, in my belief, legally actionable and should subject the manufacturer to liability by dealers and end-users if they do not voluntarily and retroactively remedy the problem at no expense to dealers or consumers.
Even more importantly, such design issues place the locksmith dealer in an untenable position, because they are the ones that are consulting, recommending, selling, and installing these products, and will be the likely defendants in any lawsuits that stem from the security compromise of the locks they sell. Many locksmiths do not have the time, and often the expertise to do their own research into potential security vulnerabilities, especially when their locks are rated by Underwriters Labs, Builders Hardware Manufacturers Association, or other rating organizations in Europe and elsewhere.
When a locksmith sells a cylinder like the Assa Cliq or Medeco Logic for more than six hundred dollars, I think it is fair to expect that such a lock has been thoroughly tested against different security threats. Both the locksmith and consumer have a right to rely upon such an implied representation of suitability for its intended purpose, which is security. Medeco has stated publicly that they rely on internal experts as well as UL and BHMA to determine vulnerabilities and whether their locks are compliant with the standards. Their answer sounds good, but its logic is fatally flawed, and they know it.
UL and BHMA are only allowed to test for certain vulnerabilities, which is precisely the problem with standards. They do not contemplate many methods of bypass, some quite elementary, and so to use them as the ultimate benchmark or authority as to security is not responsible and in our view, can be misleading and reckless. Few if any of the methods that we have disclosed to bypass Medeco, Assa, Ikon, or Mul-T-Lock are addressed in the standards, which is precisely why these companies must have competent security engineers involved in every phase of lock design and testing. Medeco, for example, claims that its locks meet or exceed all applicable high security standards. So what, if the locks can easily be opened by methods not contemplated within the standards?
We were able to simulate the mechanical bitting for Mul-T-Lock Cliq keys. In this photograph, the factory original key that opens the Mul-T-Lock Cliq is shown, together with our simulate key that was cut on a standard interactive blank that should never, according to representations by Mul-T-Lock, open this cylinder. It does, and with no electronic credentials whatsoever, nor audit trail. See quotes from their advertising, below.
Mul-T-Lock, in its latest correspondence of July 30, 2009, stated that their warranty and liability would only extend to locks that are found to be defective â€œIn normal use.â€ Well, at least that is what I think it said. You can judge for yourself, because in this case, it is unclear whether they will or will not stand behind their products and protect the locksmith and end-user if their locks are found â€œwantingâ€ with regard to security. Based upon the statements of the General Counsel for Mul-T-Lock in Israel, reprinted below, my question to them and all other companies is quite simple: just what constitutes â€œnormal useâ€ and do you actually believe that you have no liability whatsoever if the lock can be opened with simple techniques, regardless of whether the attack is by insiders or outsiders, and with or without advanced intelligence?
Specifically, do you believe that any bypass techniques that allow your locks to be opened should not be covered by your warranty or that you are not responsible to fix, repair, or replace such deficiencies? Do you not think that the primary purpose of high security locks is to resist attack, as you have stated in prior correspondence to me? Do you not believe, to put it very bluntly, that locks are designed to be screwed with, attacked, tampered with, and that their primary purpose is to resist multiple and different method of attacks?
It would appear that these companies believe that they have no responsibility to retroactively fix anything dealing with security. Yes, they may make changes going forward, and will be glad to sell their customers new locks (and make more money by selling the lock again that should have been designed properly in the first place). But what about all those customers that spent $600 or more for each Cliq or Logic cylinder, and it can be shown to be easily bypassed or set so virtually anyone with the properly bitted (or synthesized) key can open the lock, with or without an audit trail? As Medeco so arrogantly stated in the Slate.com article, â€œwhen you buy a Medeco lock, you are not buying a [magazine] subscription.â€ And what about the locksmiths and dealers that have to answer to their customers? Should they be liable to repair or replace locks with significant security defects, or should they have to tell their customers to throw them away and buy new ones! We donâ€™t think so.
Liability and Security Engineering
The concept of liability, as it applies to locks, is about the requirement that manufacturers disclose to their dealers and end-users any security flaws or potential vulnerabilities that they know, or become aware of. It should follow that a manufacture should immediately notify its dealers and stop selling locks that it knows, or has reason to believe, have significant vulnerabilities that could be exploited by criminals, terrorists, foreign intelligence agencies, or those that would cause harm by exploiting such weaknesses. Similarly, we think that a manufacturer has a duty to understand and find and remedy non state-of-the-art vulnerabilities before they release a product.
We believe that a failure to adhere to this policy constitutes what we call â€œirresponsible non-disclosure.â€ It is precisely what occurred, repeatedly, by Medeco and its security engineering with regard to its deadbolt design that we exposed in 2007. They fixed the problem twice, but did they ever tell their dealers to refrain from selling what we demonstrated as defective locks. Nor did they tell their customers that it was a potential threat, as evidenced by several interviews that we conducted and documented with senior customer service technicians at Medeco in 2007. Nor have they ever admitted the problems with bumping, picking, and the ability to compromise their locks through the use of any key within a system that contained the same sidebar code. It is my opinion that they have intentionally misled their dealers and customers with regard to the security vulnerabilities that exist in their locks.
We also believe that a manufacturer should repair or replace locks that they have sold and which contain serious security deficiencies, and they should do so at their expense. Such design deficiencies should not result in the locksmith or end-user being required to purchase new and upgraded locks. Unfortunately, it appears that Assa Abloy, as one of the worldâ€™s largest lock conglomerates, and at least some of its companies do not share in this philosophy, as they have so eloquently noted in correspondence and public statements, noted at the end of this article.
Rather, it appears that they believe that lock exploits, such as we have disclosed at DefCon during the past five years, are inherent in the natural progression of lock design and engineering, and that a manufacturer is not liable, either legally or ethically, to fix or replace such defects retroactively. While I believe this is a nice legal theory which has been put forth by the General Counsel for Assa Abloy in the United States, we think it is only partially true, and not responsible. While we concur that new, state-of-the-art attacks that were unknown when a lock was designed and manufactured generally do not subject the manufacturer to liability, I would submit that the result is and should be quite different when the security vulnerability could and should have been discovered by competent engineers that are responsible for security engineering of a product. Example: a design defect that allows a paper clip to bypass the entire audit control feature and credentials security for a Mul-T-Lock or Assa Cliq, or a two-dollar screwdriver to bypass a Medeco deadbolt mortise cylinder.
Electro-Mechanical Lock Design and Cliq Technology
Many lock manufacturers have been touting the advantages of electro-mechanical and electronic access control systems. There is no question that, if properly designed, they can offer the end-user an incredible array of options. The advantages of electronic credentials are obvious, but again, only if the security engineering has been done competently. Otherwise, these locks can create, in my opinion, huge security and liability issues for the manufacturer, dealers, and end-users.
Cliq technology was developed and introduced about 2002. It appears that the system was initially introduced by Ikon, and then adopted by many of the Assa Abloy companies. The core technology consists of a key that contains mechanical bitting and a processor and battery, which communicates with the microprocessor and sidebar-control motor within the lock. When the proper mechanical and electronic credentials are simultaneously presented to the lock, an internal motor is activated, a rotor turns, and a sidebar is allowed to be pushed into the plug. If the key is properly bitted, then the lock can open.
Each lock and key maintains an audit trail of each access or access attempt. This data can be retrieved by a special programming tool and uploaded into a computer for review. Any key in the system can be added or deleted for any lock.
A macro photograph showing how the Mul-T-Lock Cliq mechanical bitting can be easily simulated with a specially prepared blank with a plastic insert.
Assa Abloy companies are representing this technology as highly secure, and the â€œultimate security solution.â€ Mul-T-Lock states in its advertising video, which they refused to allow us to show the attendees at DefCon, (claiming it would violate their intellectual property rights, notwithstanding it is on the Internet) â€œWhere security is an issue, compromise is simply not an option.â€
Medeco claims in its advertising that its Logic provides â€œsuperior protection against unauthorized key copying.â€
Mul-T-Lock also says, â€œIn a world increasingly challenged my mounting security threats, the need for comprehensive locking systems has become an essential requirement in virtually every conceivable market sector.â€ â€œEach interactive Cliq key contains a unique electronic ID code. It is designated for one individual only, and cannot be duplicated, altered, or corrupted. â€œ
â€œIf the key is not authorized, the mechanical element in the locking system will simply remain locked.â€
â€œInteractive Cliq: unprecedented benefits. The dual patent-protected technologies employed in interactive Cliq represent a truly successful marriage of electrical and mechanical locking systems offering a double layer of impenetrable security.â€
â€œAudit trail control is an absolute necessity if you hope to keep tabs on the efficacy of your locking networkâ€¦. Interactive Cliqâ€™s control key enables you to easily access precise data from every cylinder in your facilityâ€¦each key is designated for use by one individual only. If the key is lost, it is simply made obsoleteâ€¦This enables total control of every key issued to personnel. â€œ
â€œInteractive Cliq: launching electro-mechanical locking systems to the ultimate level of security.â€
We believe such claims are false and misleading and publicly challenge any Assa Abloy company that is making such claims to dispute our findings. We demonstrated that each claim is only partially true, and we believe leaves a false impression with the consumer.
Cliq Technology and Security Engineering
So now we answer our own question: why havenâ€™t we offered to share our research with Medeco, Mul-T-Lock, Ikon, and Assa, with regard to our ability to bypass their Cliq and Logic cylinders by various techniques? The fact is, we offered to do just that. Not once, but many times, but with the following requirements: (1) that the companies would provide us with current lock samples to confirm our research findings, (2) that we would refrain from publishing any information in order that they might confirm and fix the security engineering defects we identify, and (3) we would require that once they confirm the defects, they repair or replace, at their own expense, every lock they have sold to their dealers and end-users that contains the design defects.
And what was the response from Assa Abloy, Medeco, and Mul-T-Lock?
First, they never addressed the issue of supplying samples. Ever. In fact, when I was at the Mul-T-Lock factory in October, 2008, they said they did not have any Cliq locks. End of discussion!
As to agreeing to retroactively fix or replace locks that had security defects, they said that was not going to happen and was unreasonable to require as a precondition for our cooperation.
Finally, they advised that only their internal experts and UL and BHMA were allowed to test their locks. And they said they were not responsible for security defects, because, you know, this is an ongoing issue in lock manufacturing, and, well, nobody really retroactively fixes locks.
This is not quite true. Several companies, both in the U.S. and Europe have done precisely that, and at great cost to themselves. It is the responsible way to do business as a lock manufacturer.
Cliq Technology: What we did and Why it is a Problem
Cliq locks are employed in commercial, government, and residential applications. They are relied upon to protect critical infrastructure and to comply with statutory requirements involving financial institutions, airports, railway, and power generation facilities. If you are a dealer or end-user, you need to understand that we identified several significant vulnerabilities in Cliq and Logic locks which could adversely impact security.
Potential Security Vulnerabilities
OOur research allows us to bypass the security of some Cliq and Logic cylinders to accomplish the following:
Simulate the mechanical portion of the key for Medeco Logic, Assa and Mul-T-Lock Cliq, and Ikon Verso. Plastic keys can be utilized for the Assa Twin and their latest lock, the Solo, which was just released in Europe. Blanks can be modified to simulate Mul-T-Lock keys and allow any number of special blanks to be cut to any bitting;
Utilize a discarded, stolen, or lost key from an Ikon system to compromise other locks in that system, as well as cylinders within a Medeco Logic system, and in similar fashion, to utilize a key from a Medeco Logic system to compromise an Ikon Cliq system;
Change the bitting on a key for an Ikon Cliq or Medeco Logic system to activate the mechanical bitting portion of other systems;
Allow the use of standard Mul-T-Lock non-interactive blanks to open Mul-T-Lock Cliq, because the interactive element is not operable and the mechanical security of the lock is reduced;
Simulate and bypass the electronic credentials for each of the locks listed above;
Trivially bypass the audit trail for each of the locks so that the use of a key is not logged;
Bump open certain of these locks;
Allow an employee to easily bypass a cylinder so that it will accept a key with any credentials. This can occur in certain Mul-T-Lock and Assa versions of Cliq.
We have posted an edited video showing different versions of the Medeco Logic, Assa Cliq, Ikon Cliq, and Mul-T-Lock Cliq being compromised by different attacks. The video does not show the precise techniques to open the locks for obvious reasons. We are sharing that data with affected government agencies and critical customers who are using these locks.
Each of our attacks requires access, at least briefly, to a properly bitted key. However, we have been able to simulate the mechanical bittings for all of these locks.
Admittedly, these attacks all require access to a key with the correct mechanical bitting. However, in many applications, especially government and commercial, a greater threat level exists and is to be expected. Further, the majority of attacks are likely to occur from within an organization, or with the cooperation of an employee, or a person having access.
Lock manufacturers and consumers appear to believe that just because electronic credentials are utilized to open locks, that somehow these locks are inherently more secure. The problem, in our view, is that everyone has forgotten basic security engineering principles: these are still mechanical locks. Although they may employ the additional security layer with the use of electronic credentials, they are still just mechanical locks that rely on moving components to allow them to open.
In our opinion, it is clear that the engineers at Medeco, Mul-T-Lock, Ikon, and Assa have ignored basic security engineering principles, are ignorant of them, or do not understand the potential for compromise of their locks. They clearly have a failure of imagination when it comes to lock design and testing.
While each of these locks are very clever and sophisticated in design, and clearly integrate mechanical and electronic locking systems to a new level, there are, in our opinion, serious deficiencies in each of these technologies that could potentially result in theft, sabotage, vandalism, compromise of critical information, and even loss of life. For that reason, the industry should re-evaluate the efficacy and design of any electronic cylinder and make certain that the essential and critical components of such systems are secure against different methods of attack. While Cliq and other technologies offer the end-user incredible advantages and options, they also offer a prescription for disaster if they are compromised.
We believe these companies should remedy the design issues that we have identified and which will allow their locks to be compromised, and that they should do so retroactively and at their own expense. As a dealer or end-user, we would encourage you to contact the manufacturer and demand to know the following information:
What version of locks do you have installed at your facility, and have they recently been upgraded? We just learned that Mul-T-Lock will be, for at least the fourth time, revising the design of their Cliq. Ask them if the upgrades have been implemented into any new locks that your company is receiving;
What security vulnerabilities have been identified that would allow these locks to be compromised?
What remedies have been taken by the manufacturer to cure the defects?
What does the manufacturer intend to do to insure the security of presently installed cylinders?
How long has the manufacturer been aware of specific methods of bypass of their Cliq or Logic cylinders?
Have the manufacturers notified any dealer, end-user, or government agency with regard to known or potential security vulnerabilities of Cliq or Logic systems?
Has the manufacturer advised their dealers and end-users that in certain keyed-alike systems, the compromise of one key can render the entire facility vulnerable, which would require a replacement of every cylinder in the system?
If you are a dealer or end-user of Cliq or Logic locks, you may contact our office for further information as to the security deficiencies of these locks, possible statutory ramifications for non-compliance, and your legal rights with regard to locks that you have purchased and which have been found to be easily bypassed.
We have tested a limited number of Assa, Mul-T-Lock, Ikon, and Medeco electro-mechanical locks. One or more of these companies may have remedied certain design issues that we have identified in different versions or generations of locks. Each individual customer should determine specific vulnerabilities for the version and brand of lock that they have in service.
QUOTES FROM CORRESPONDENCE THAT WE RECEIVED IN THE PAST YEAR
MUL-T-LOCK GENERAL COUNSEL
â€œYou have misrepresented that Mul-T-Lock’s policy is not to consider replacing or repairing a product which proves to be defective in normal use. This is a gross misrepresentation and not true.â€
ASSA ABLOY GENERAL COUNSEL
â€œAll of your accusations and unreasonable demands seem to stem from your mistaken or feigned belief that because a product may under certain limited circumstances be susceptible to a new form of attack. it is somehow rendered “defective.â€œ
Â® Cliq, Logic, Keymark, and Nexgen are registered trademarks of Assa Abloy companies.
In case you missed it, there was a new segment on bumping that aired on the Today Show in the U.S. on July 8. Incredibly, the NBC lawyers would not allow the use of the term “bump key” because they were worried that viewers might figure out how to open locks! Then they showed a diagram of the key and how it works. Ironically, the program was supposed to air the week before, but at the last minute, I was notified that the segment had been “bumped” by the Michael Jackson tragedy. Tragedy? Really?
The same NBC correspondent, Janice Lieberman, published a related article in Readers Digest the same day that the story aired.
I don’t know why the renewed interest in lock bumping, but I have received calls from several media representatives about the issue in the past few weeks. I am quite sure that our friends at Medeco were very pleased with the story. As I told the correspondent, they are good locks, but not quite as good as they say. For residences, they are just fine, as are Schlage Primus and other brands. Note that the NBC story never claimed that the Medeco cylinders were bump-proof. Only Medeco and many of its dealers continue to represent that falsehood, while at the same time claiming that “they never said it…others did” and that Medeco cannot control what their employees and dealers say! The question as to when Medeco will level with their dealers and customers about the insecurity of their products will be left for another post, and venue. One would have expected a statement from Medeco after their Wired PR fiasco, but true to form…nothing.
Security is all about liability; this maxim may prove to be a very expensive lesson for Medeco and its parent company to learn.
We went to two upscale houses in New Jersey and opened the locks in seconds.
Any joy at Medeco will likely be short-lived. Toby, myself, and Matt Fiddler will be presenting at DefCon again this year, and will be issuing a security alert with regard to electro-mechanical locks and what we perceive as extremely serious vulnerabilities. During the past year, we have focused our efforts on Assa Abloy Cliq technology that is shared by Mul-T-Lock, Medeco, Ikon, and maybe even Assa itself. It should come as no surprise that we found what we believe to be serious design flaws in these locks, both in terms of mechanics and electronics. Anyone who thought that we were ending our research efforts with Medeco will find that the story has just begun. Key control, covert entry, and forced entry…all the same issues that we found wanting in the Medeco locks… are alive and well in Logic, Cliq, and NexGen and should prove highly relevant for everyone concerned with the security of electronic locks.
And for those of you that are not familiar with NexGen, these are the very neat cam locks that are used in vending machines (for example thousands of machines owned by Coca Cola in Philadelphia); In major municipalities’ parking meters (in San Francisco, Los Angeles, Miami Beach, and New York); and also for the protection of cargo shipments in padlocks. Audit trails and revenue security are the prime rationale and justification to install these expensive locks ($100-$150). We think that the premise for implementing these locks might have to be reviewed and re-thought after DefCon. Not only will the implied guarantee of revenue security have to be re-examined, but the issue of potential false accusations that could affect innocent employees will most surely be a serious topic for some labor unions and legal counsel. Insurers and underwriters may also be involved because their premiums are based upon risk assessment. We believe that high-value targets may be at increased risk from the use of certain locks; hence insurability and premium rates could be affected.
During our presentation we will review some of the representations in the advertising of certain vendors, and why we believe these may not only be overstated, but inaccurate and uninformed at best, and false and misleading at worst. We are producing a very detailed WhitePaper with regard to this issue, followed by a supplement to Open in Thirty Seconds. The title still applies to some of these electronic locks.
We are planning a government-only briefing on this topic, and will release more details shortly. If you are a commercial facility, regulated industry, or government agency that has implemented, or is considering the implementation of the Cliq technology, you may want to follow this closely, both in the United States and in Europe. We believe, and will so state in our WhitePaper, that potentially serious security and legal liability issues may flow directly from the implementation or continued use of this technology until the issues we believe exist are remedied. Obviously, many factors are involved, and in part this depends upon the security and regulatory requirements of the specific location, but in general, it would be our view that some electro-mechanical locks are not quite the panacea that the vendors would like you to believe.
The manufacturers are touting this technology as the answer to the insecurity of even their high security mechanical cylinders. Maybe that is true, but we think they may come at quite a high price, both in terms of actual cost, and also with regard to what can happen when things go wrong and there is a breach of security.
We hope to see all of you at DefCon.
LECTURE ON HIGH SECURITY MECHANICAL LOCKS AND ELECTRONIC ACCESS CONTROL SYSTEMS: University of Cambridge Computer Security Lab, Cambridge, England on April 28, 2009
MEDECO NEXGEN electronic cylinder utilized in vending machines, parking meters,
cargo containers and other applications where an audit trail is required.
MEDECO NEXGEN cylinder is installed in a specially-designed padlock to secure cargo and other valuables. The lock provides a complete audit trail of all accesses with the Medeco-supplied key. The lock is in the open position.
I will be lecturing at The University of Cambridge Computer Security Lab on April 28, 2009 with regard to security vulnerabilities and legal issues involving both high security mechanical locks and electronic access control systems. This will be a follow-up to my lecture in Dubai earlier in the month.
Information on the Medeco NexGen, Logic, Assa Abloy Cliq and other access control technologies will be presented in detail in the supplement to OPEN IN THIRTY SECONDS.
DUBAI HITB SECURITY CONFERENCE: Protection of Critical Infrastructure and the use of Electronic Access Control Systems
I will be speaking again this year at the Hack in the Box security conference in Dubai, UAE, on April 22, 2009. For the past two years I have participated in this gathering of almost 1000 security experts from Europe and the Middle East who meet to give presentations about wide-ranging cyber and physical security threats. The conference is always well-attended by a diverse group of participants and is again being held at the Sheraton-Creek in Dubai.
The presentation will include a detailed review regarding the protection of high security facilities, including airports and aircraft, power transmission facilities, and computer server rooms. The emphasis will be on liability and security issues that may result from an undue reliance on certain high security locking systems and technology. I will discuss a number of misconceptions and why these facilities may be at risk, even with some of the most sophisticated physical access hardware and software.
Specific problems inherent in conventional locking hardware will be the primary focus, together with an analysis of high security mechanical locks and electronic access control systems produced by many of the Assa Abloy companies. These technologies include, among others, the CliqÂ®, LogicÂ®, and NexGenÂ®. The security representations of certain manufacturers will be analyzed, and potential vulnerabilities in these high-tech systems will be explored, together with the liability that may flow to users if these systems are circumvented.
Since the publication of OPEN IN THIRTY SECONDS, which details the compromise of Medeco high security locks (2008), intensive research has been on-going in the U.S. and Europe regarding the security of different electronic access control systems. The results will be included in the new supplement to our book. These potential security issues will be examined in Dubai and will be explored in depth in the upcoming supplement, and later this year in future presentations.
Material that is being included in the new supplement will include:
Critical security vulnerabilities and inherent design flaws of Electronic Access control systems that are produced by High Security lock manufacturers;
Medeco cam locks and their lack of key control for critical infrastructure protection;
Medeco X4, the second generation of the Keymark product, and its virtual absence of any real key security.
We will also consider potential legal liabilities in connection with the failure of electronic access control systems to perform as represented by the manufacturer, especially with regard to the failure of audit functions in the event of bypass and the ramifications to the protection of critical information. The legal consequences to employers and employees that could result from false audit trail data will also be explored. In this connection, we analyze certain White Papers issued by Medeco in 2008 with regard to Logic, and why we believe this technology (and other systems) may not meet minimum physical security requirements for the protection of critical facilities and infrastructure. We examine potential non-compliance issues with regard to state and federal regulatory standards such as contained in Mass.201 CMR-17.00, Sarbanes-Oxley, Transportation Security Act, HIPAA, and the Federal Energy Regulatory Act.
If you are a dealer or end-user and have implemented electronic access control systems and have experienced technical or security issues with your deployed hardware or software, we would encourage you to contact our office to exchange information in order that the supplement is as current and complete as possible, and to provide input for the upgrade or redesign of certain systems.
We have notified Medeco of preliminary research results and have repeatedly requested the most current lock samples to confirm certain findings. Medeco has refused to provide any locks in order to allow us to conduct any tests involving Logic or Nexgen. The company has stated that it only allows testing laboratories or internal and other experts to evaluate their products, and that any information about their locks in conjunction with such tests would be considered confidential, proprietary, and protected intellectual property. We have therefore contacted certain dealers and implementers of Logic, Cliq, and Nexgen to conduct real-world trials at different venues.
Translation: Medeco is afraid to have anyone test their locks unless they are one of â€œtheirâ€ experts and that any such testing must be covered by a non-disclosure agreement. For the record, we never asked for any information; just the locks (and we offered to pay for them).
If we had relied on any data from Medeco with regard to the ability to bump or pick their Biaxial or m3, or to develop the technique of code setting keys to open them, we never would have succeeded in doing so, and would continue to believe their locks were still secure as claimed by the manufacturer and others.
OUR QUESTION: if locks that are sold by a manufacturer and represented by them as secure, why would they be afraid for anyone to analyze them independently and attempt to circumvent their security? Isnâ€™t that the point of locksâ€¦to stay locked until the right key or code, or credential is presented? Arenâ€™t locking systems designed specifically to stop people from attempting to open them if they do not have the correct credentials? And isnâ€™t Medeco the undisputed leader in the high security market in North America. So why would they be so wary as to not allow us to test and report on the security of their electronic lock designs? We offered to share some of our research with the company, once we were satisfied with the reliability and repeatability of our findings and conclusions.
WHAT WE ASKED IN RETURN: That they would recall all locks that displayed design defects or deficiencies which could result in security vulnerabilities for their customers. In return we would agree to withhold any publication for at least three months, so long as the company would replace all products at no charge to the consumer.
The response we received from Medeco to this offer? No substantive response at all. We have been told that we have a duty to advise Medeco of any “alleged vulnerabilities.” They reiterated in two recent letters that “they have always been willing to listen.” Yes, that is true, but never willing to share any information, nor confirm any vulnerabilities. It is a one-way street.
After analyzing their latest communications, we remembered their corporate position on locks they have sold and later found to be susceptible to be bypassed: they stated in 2007 that purchasing Medeco locks is not like buying a subscription. If a vulnerability is discovered after purchase, just buy new locks!
Good for Medeco, but not very good for their customer who may have invested in flawed technology.
We guess that one possible answer to their lack of any real response to our request for locks would be that they read our book, or perhaps they are concerned that young JennaLynn might be recruited once again to open their Logic or Nexgen.
August, 2009. â€¦Las Vegas. â€¦DefCon.
Â®Medeco, Logic, Cliq, NexGen, Keymark, and Biaxial are registered trademarks of Medeco Security Locks and Assa Abloy.