

Archive for the 'Security Alerts' Category

PRESCRIPTION DRUG CONTAINERS: They are not secure against simple attacks

Four major brands of prescription drug containers: none are secure

Introduction from Security Labs: Prescription drug containers

Prescription drug containers are supposed to prevent or deter unauthorized access to medication, especially by children. Our lab analyzed four of the leading manufacturers of these containers and found that all of them could be opened, often in seconds, with little skill and no special tools. See the accompanying article on Forbes.

The four brands we tested are made by LOCKMED, SAFER LOCK, VAULTZ, and PILL POD. We produced videos for each brand, showing the ease with which they could be compromised.


LockMed containers, as presently configured, can be opened in seconds with essentially no skill

One of the manufacturers is LOCKMED. These containers were developed by a pain management physician in Pittsburgh out of concern for the non-secure ways that drugs that he prescribed were being handled and stored by his patients. I interviewed Dr. Bud Lateef at length about the problem of prescription drug abuse and why it is such a complex problem. Watch the video of my interview with Dr. Lateef: Dr. Bud Lateef interview with Marc Weber Tobias

We tested several containers produced by LOCKMED. All of them could be easily opened in seconds and are not secure. When we provided the video to Dr. Lateef, he stated that his company would stop selling the products until they were made secure.
LockMed containers can be easily opened in seconds


Safer Locks can be easily compromised in four different ways

This company produces a series of pill bottles and related containers that employ a specially-designed cap with a four-digit combination lock. While it is a good idea, it is not secure. We determined four different ways to compromise this lock, including with the introduction of sugar through the spaces between the combination wheels. I interviewed the CEO of the company about the design failures. They indicated certain fixes were being implemented, including moisture sensing tags to determine if water was utilized to clear the sugar from the lock. Unfortunately that does not solve the problem with their fundamental designs.

They should not be relied upon for any real measure of security.

Watch the detailed video. Safer Lock containers can be easily opened in four different ways

Watch the video that shows how to open the Safer Lock by introducing sugar into the combination lock. Opening Safer Lock with sugar


Vaultz containers look secure, but they are not and can be easily compromised.

Vaultz produces several different containers, all with essentially the same design. Because they rely on a cheap combination lock for their primary security, they are not secure and can be compromised easily.

Watch the video. Opening Vaultz drug security containers


Pill Pod containers are well made but can be easily opened by manipulation

This container was developed by an engineer who has significant experience in lock design in the U.S. and Europe. The container is well-constructed, but can be compromised if you know “the secret” of how it works. It is provided with a fixed combination, but the numbers can be relatively easily decoded once the mechanical design is understood. In our opinion, this container is the “best of the worst.” For small kids and many adults, it is probably secure enough. However, in our view it is probably not secure enough to keep teenagers from accessing the contents.


None of the containers we examined are secure. So the question is: what is enough security, and are these better than nothing? If you are a parent and concerned with knowing whether your meds have been improperly accessed, then none of these containers will provide the answer. If you just want a deterrent to very young kids or adults who may not have the capability to figure things out, then they are ok.

The bottom line: they are not drug safes. They are cheap boxes with even cheaper and inferior locking mechanisms.


SimpliSafe WIRELESS ALARM SYSTEM: An Analysis of Security Vulnerabilities



The SimpliSafe alarm package is a totally wireless system that can detect and transmit an intrusion, fire, or environmental alarm to a 24 hour monitoring center, via cellular connection. For many homeowners and renters, the system is all that is necessary to provide cost-effective detection and competes with the more expensive and traditional alarm reporting companies, such as ADT.

SimpliSafe is similar to, but more sophisticated than, the LaserShield system, which we also demonstrated could be easily defeated, initially in 2008, in an article on Engadget and then again in 2015.

These are DIY systems and can be easily installed by consumers. However, in our view, they are not secure, and their suitability depends upon the threats that a homeowner perceives to be present. That means that if burglars are at all knowledgeable as to methods of system attacks, the hardware can be defeated and entry into a residence accomplished without tripping the alarm. Before buying such systems, homeowners should assess the potential for knowledgeable thieves to bypass their systems.

This report is written in conjunction with an article by the author in,
and also an article on this site about LaserShield, with video showing how to defeat their system.






A communications gateway receives signals from all of the wireless trips within the system and then processes that information through the wireless keypad. If an alarm is detected, that will be instantly transmitted to the 24/7 monitoring center via a cellular broadband connection, using Verizon as a carrier. Phone lines can be used as a backup but are not necessary for the system to function.

The gateway also announces alarm status when placed in test mode, so the homeowner can verify that all trips are working properly. The system can be programmed, via the web interface, to send email or text messages for alarms and unusual occurrences, such as radio interference which could be affecting the proper operation of the system.

The gateway is battery backed up and will run for at least 24 hours in the event of a power failure.

The SimpliSafe system can be armed and disarmed with the provided key fob, which can also transmit a panic alarm.


The SimpliSafe system is supplied with a variety of different alarm sensors. Shown is the entry level kit that was used for testing of the system for this report. It includes a wireless keypad, a motion sensor, a magnetic door trip, and a key fob combination on/off control and panic button. More expensive SimpliSafe systems contain smoke detectors, carbon monoxide detectors and other alarm sensors.


One or more motion sensors are supplied with all systems from SimpliSafe. Shown in the photographs is a standard sensor, and one that has been covered with a white mailing label. The effect of this action is to block any recognition of motion, thereby defeating the sensor completely. This means, for example, that a visitor to the home or business could unobtrusively place a piece of paper over the detector to defeat it later when the alarm is set.

The reason that the action of the sensor can be blocked results from the failure to incorporate anti-masking software or hardware so that the system can determine whether the infrared element within the motion sensor is obstructed. In the more sophisticated alarm systems, blocking of the sensor should not be possible. In our tests, we defeated the sensor with paper, and also by pointing it at a solid object such as a wall, in the case where, for example, the detector was simply placed on a shelf, rather than hard-mounted.

This fact was never detected by the system.


Magnetic trips are based upon simple reed switch technology, are not secure, and can be easily defeated by magnets, as shown in the video.

Kids and burglars have figured out how to circumvent the system by placing a small magnet next to the trip, which blocks the detection of the absence or the removal of the normal magnetic field that occurs when the door is opened.

Parents in Florida have found that after setting the alarm at night, their kids figured out the way to defeat the system and sneak out at night without setting off the alarm. Likewise, burglars can place very small magnets next to the door trip during business hours within a commercial facility, and then enter after hours. If no other detectors are in place for the protected area, then the door trips will not trigger an alarm.

The magnet that we used in the demonstration cost about $.25 at Home Depot. We placed it against the SimpliSafe trip with a piece of Scotch tape.


These photographs show the critical element in all non-high security magnetic trips: a reed switch. This is a sealed glass envelope that contains two metal leaves, spaced closely apart. They are normally biased by a magnetic field which causes them to touch each other and complete an electrical circuit. If the field is interrupted, the two leaves will separate and break the circuit, thereby triggering an alarm. We do not recommend the conventional reed switch magnetic trip for any significant security application because of the ease with which they can be defeated.


Wireless systems like SimpliSafe and LaserShield can be easily defeated with an inexpensive transmitter, programmed to the operating frequency of the alarm system. If the transmitter is keyed, the receiver in the gateway unit will be blinded and will not detect any signal that is transmitted by the trips within the system.

In our tests of LaserShield and SimpliSafe, we were able to completely defeat these systems by keying a transmitter during our entry into the protected premises. In the case of SimpliSafe, the system detected the transmission after a predetermined period of time, which was easy for us to determine and defeat.

If the transmitter was keyed continually past this timing window that was set by SimpliSafe, a text message would be sent to the homeowner, advising of the detection of RF interference, and when such interference stopped. However, we could totally defeat this timing window and move through the protected premises without tripping any alarm, and without the system ever knowing we were there. This is a fatal flaw within these types of systems, as shown in the accompanying video.

The security problem results from several factors, including a lack of “supervision” of the wireless trips. Normally, the trips communicate an alarm condition by a one-way transmission to the gateway. Presently, there is no method for the gateway to constantly interrogate all of the trips in the system to determine their operational status. When a radio signal is detected by the gateway, it will not see the transmissions from the individual trips, and thus, no alarm will be detected.

Compounding the problem: the operating frequencies of all of these wireless systems can be easily found on the FCC database on the Internet. It should be noted that even the latest home automation devices, also linked by wireless, can be defeated in similar fashion, or with radio jammers, which are illegal but are sold commercially.


In our view, all security systems should have hard-wired perimeter door trips which cannot be defeated by the transmission of radio frequency (RF) energy. Otherwise, these systems are vulnerable to attack. Unfortunately, even the largest alarm providers are using wireless because of the ease of installation. SimpliSafe has no way to integrate any hardwired trips, nor to connect to already installed alarm systems.

Unless the trips are two way and supervised, this is a prescription for insecurity. We tried contacting ADT repeatedly to discuss this matter, but they refused to return any calls.
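
The supervision discussed above can be illustrated with a small model. This is an added example, not code from this report or from any alarm vendor; the 60-second check-in interval, the three-missed-check-ins threshold, the trip names, and the timeline are constructed assumptions.

```python
"""Supervised check-ins for wireless alarm trips (illustrative model)."""
from dataclasses import dataclass


@dataclass
class Event:
    time: float
    kind: str   # "ALARM", "SUPERVISION_LOSS" or "ALL_TRIPS_SILENT"
    trip: str   # trip name, or "*" for a system-wide condition


class SupervisedGateway:
    """Gateway that expects every trip to check in on a schedule.

    Assumed parameters (hypothetical, not a vendor's): each trip sends
    a check-in every `interval` seconds and is declared lost once more
    than `missed_allowed` intervals pass without one being received.
    """

    def __init__(self, trips, interval=60.0, missed_allowed=3, start=0.0):
        self.deadline = interval * missed_allowed
        self.last_seen = {name: start for name in trips}
        self.lost = set()
        self.armed = False

    def receive(self, trip, now, alarm=False):
        """Handle a frame that actually reached the receiver."""
        self.last_seen[trip] = now
        self.lost.discard(trip)
        if alarm and self.armed:
            return [Event(now, "ALARM", trip)]
        return []

    def poll(self, now):
        """Run periodically; report trips that have gone silent."""
        newly_lost = [t for t, seen in self.last_seen.items()
                      if now - seen > self.deadline and t not in self.lost]
        self.lost.update(newly_lost)
        events = [Event(now, "SUPERVISION_LOSS", t) for t in sorted(newly_lost)]
        # Every trip silent at once points at the receiver or the channel,
        # not at one flat battery; while armed it is treated as an alarm.
        if newly_lost and self.lost == set(self.last_seen):
            events.append(Event(now, "ALL_TRIPS_SILENT", "*"))
            if self.armed:
                events.append(Event(now, "ALARM", "*"))
        return events


def simulate(supervised):
    """Constructed timeline: the receiver hears nothing between t=300
    and t=600, and the door trip opens at t=400 inside that gap."""
    trips = ["door", "motion", "keypad"]
    gw = SupervisedGateway(trips)
    gw.armed = True
    events = []
    for now in range(0, 901, 20):
        blinded = 300 < now <= 600
        if not blinded and now % 60 == 0:
            for t in trips:                      # scheduled check-ins
                events += gw.receive(t, now)
        if now == 400 and not blinded:           # never true: frame is lost
            events += gw.receive("door", now, alarm=True)
        if supervised:
            events += gw.poll(now)
    return events


if __name__ == "__main__":
    print("one-way, unsupervised:", simulate(supervised=False))
    for e in simulate(supervised=True):
        print("supervised:", e)
```

Without polling, the lost door frame leaves the gateway with nothing to report; with polling, the silence itself becomes the alarm condition, and a single silent trip is reported separately from a silent channel.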

When selecting an alarm system, it all comes down to what the consumer needs and expects with regard to an acceptable level of security. The SimpliSafe system is a good value to provide minimal protection for premises where wiring is impossible, and the homeowner wants some protection with minimal cost, without the necessity of contracts with an alarm company, and without the need for connection to a telephone line. SimpliSafe offers a viable solution, with several very clever enhancements, especially using their web interface. But all users must be aware of the potential security vulnerabilities that are inherent with such systems.

“Simply Safe” does not necessarily mean a high level of security. Clearly, the system is very simple and straightforward to install and operate. Each consumer must make a determination as to whether the methods of attack that we have demonstrated would be of concern. If they are not, then for many consumers, the system should provide adequate protection. The problem is that thieves may target premises protected with these kinds of wireless systems, especially when a homeowner advertises the use of an alarm by placing stickers on windows or doors or even in front of the residence, as shown in the photograph.


SimpliSafe alarm system normal setup

Bypass of the SimpliSafe system with electronic countermeasures

Bypass of the wireless magnetic trip used by SimpliSafe



All of these gun safes can be easily opened with a variety of simple tools.

See my corresponding article in Forbes that was published on Friday, July 27, 2012.

See the applicable disclaimers with regard to the information contained in this report at the end of the Alert.

This security alert provides detailed information about small gun safes that can be easily compromised. We conducted an analysis in our Security Lab of these containers. Some of these containers are utilized by law enforcement agencies. A PowerPoint presentation and video is available through the AFTE website for any agency, and was the subject of my presentation at the Annual Association of Firearms and Tool Marks Examiners conference in Buffalo, New York on June 28, 2012.

We provide information about some of the most popular gun safes that are produced by the leading manufacturers in the United States: Stack-On, GunVault, and Bulldog. We also looked at one of the small safes produced by AMSEC.

We tested safes from these companies to determine their vulnerability to simple, covert attacks. We did not test for forced entry techniques.
Every consumer that owns or is contemplating owning a small gun safe needs to understand that many of these containers are improperly designed, have little real security, and can often be opened in seconds with common implements such as paper clips, drinking straws, wires, and small pieces of brass. Some can also be dropped from a few inches onto a hard surface and opened because of the simple, cheap, and insecure mechanism that is used to block movement of the bolt work until the proper combination is entered.

All of these safes utilize electronic credentials to open them. While these manufacturers would like you to believe that the use of a keypad, push-button sequences, or fingerprint reader will somehow make their containers more secure, it is not accurate and everyone should understand it. It is merely for convenience.

What constitutes security in any container is the way the locking mechanism is designed to keep the container closed or to be opened. The problem is that none of these manufacturers seem to understand even the basics of security engineering and how to defeat their own products. In this report, we will provide detailed videos that demonstrate the problem for many safes that are sold by Walmart, Cabelas, Dicks Sporting Goods, Scheels,

In conjunction with our investigation we contacted and made available these videos to management at all of these companies. Only Walmart would even issue a statement, which essentially says “it is not our problem” and we rely upon the manufacturer and the California DOJ standards.

The other companies, Cabelas, Scheels, and Dicks Sporting Goods had absolutely no response.

All of these companies continue to sell what we are claiming are dangerously security-defective products, but it evidently is all about money, not the safety and security of their customers that is of their primary concern. They have all been placed on notice of the defective security designs and all have chosen to ignore the evidence and instead rely upon what the manufacturer, Stack-On or others have represented to them.
Stack-On is headquartered in Illinois and by their own account, generate about $100,000,000 annually. They also indicated that they do not talk to the media, but they did issue a press release after I demonstrated opening four of their safes on KELO-TV in May, 2012.
Their Public Relations firm issued the following statement on behalf of their client:

“While Stack-On respects Mr. Tobias’s proven ability to pick the most complex of security locks, we strongly stand behind the safety of our products. Stack-On Personal Safes are certified by California Department of Justice (DOJ). This certification involves testing, by an independent laboratory approved by California DOJ, for compliance with adopted standards. We are proud of this designation and the protection we provide. In addition, our Portable Cases comply with TSA airline firearm guidelines.”

Stack-On believes that their safes are secure. While their containers have been approved by California DOJ under their gun safety regulations, they are fully aware that the methods we demonstrated are not addressed in these standards, and thus the standards are not applicable. It is our opinion that Stack-On has chosen to continue to place every buyer of one of these safes at potential risk. Their safes are manufactured in China. While they may appear to be secure, they are not, as we demonstrate in multiple videos.

I spoke with their VP of Marketing, Steve Martin, in April, 2012. I asked to do an interview at their facility and was refused. When I advised him that we had tested several of their safes, he did not ask one question. I offered to send the links of the videos. He offered no response. The company has never followed-up with any inquiry.

Our opinion is that Stack-On should recall every safe that has security vulnerabilities and issue an alert to the public to warn every purchaser. They should also warn every vendor. To our knowledge, they have done neither. What they have done is to continue to sell what we allege are defective products to the public, knowing that many of these containers can be opened by kids.

I spoke with a spokesperson for Walmart and provided links to all videos. After two months, they finally issued the following statement:

“Walmart is committed to providing safe, quality products customers can rely on. After being made aware of your concerns, we reached out to the manufacturer of Stack-On products to discuss their compliance and quality programs. According to Stack-On, the product you mentioned is tested by a third party independent lab and those results are submitted to the California Department of Justice for certification as meeting their safety standards for this category of products.”

It is also our opinion that Walmart is far more concerned about revenue than in protecting the safety and security of their customers, notwithstanding their claims to the contrary. According to their employees, the company has a security and safety testing team that analyzes products. That would indicate that they have the competence and skill to evaluate the claims that we made.

Walmart did not deny our allegations but rather are avoiding responsibility by hiding behind the representations of Stack-On. In our opinion, nobody should believe anything that Stack-On states with regard to the security of any of their products. It is very clear that Stack-On has no competence to design or test a container for security vulnerabilities.

While they may believe that they can avoid liability by claiming they meet the requirements of the California gun statutes, they may find that those standards offer no protection whatsoever. We believe they are producing dangerously defective containers that they are representing as secure for use by the consumer to store weapons. They are not secure, and nobody should rely upon them for any measure of security.

It is my opinion that any retailer, once on notice of the defects we have demonstrated, can and will be held liable if a customer purchases one of these containers and the result is that someone is hurt or killed.

We conducted undercover interviews at Cabelas and Scheels to document what their sales “experts” were telling the public about these safes. It is precisely what you would expect: they are secure, kids cannot get into them, and you can safely store weapons in them without fear that they can be covertly compromised.

Unfortunately, each of these statements is false. The problem is that these sales personnel do not have a clue as to what is secure or is not. What they understand is profits and what sells, and it would appear that is all they care about, based upon the total lack of response from any of these companies to us.

While we only looked at about ten safes, we are quite sure there are dozens, if not hundreds of different models that are similarly insecure. Most of this junk is made in China and peddled by U.S companies. These safes are cheaply made, and the security engineering is essentially non-existent, as you will see in the videos and our detailed analysis.


This is a common solenoid design that blocks the movement of the bolt in many safes. The magnetic pin must retract in order for the bolts to pass. This can be vibrated to an unlocked state.

As a result of another gun death involving a member of the Clark County Sheriff’s Department in 2003, the Sheriff mandated that all deputies keep their weapons in designated Department safes at their homes. The Department, without any testing, initially purchased approximately 200 Stack-On Strong Boxes, shown in the video. It is clear that the CCSO relied upon the representations of Stack-On, and had no independent expertise to evaluate the security of these containers. It is incredible to us that the Department would entrust the lives of their officers and families to a container that reportedly cost $36.00 without any tests being conducted by the Department as to suitability, safety, or security.

Detective Ed Owens was a member of the Clark County Sheriff’s Department since 2004. He was issued a Stack-On safe to store his weapons at home. On September 14, 2010 one of his four children was able to open the Stack-On Strong Box container that was located in the Master Bedroom. At about 9:50 P.M. three year old Ryan was shot and died four hours later.

We were asked by the Owens family and attorney to provide expert analysis of the suspect safe. We conducted an extensive analysis of a container from the same batch that was provided to the Clark County Sheriff’s Office.

It is our opinion that these were defective containers, based upon the testing we performed and the videos we shot from inside the safe. The problem, quite simply, revolves around the solenoid mechanism that controls a locking pin. This pin when in its normal state blocks lateral movement of the bolts thereby preventing their retraction. When the correct code is entered, via the keypad, the blocking pin is retracted and the bolt can be turned to the unlocked position. The problem is the design of the solenoid and spring-biased locking pin. It can be bounced to allow the bolts to pass and leave the safe in an unlocked state. As demonstrated by the three year old in our video, this safe can then be opened by simply turning the knob.

As a result of testing this particular safe, we expanded our inquiry and tested virtually every Stack-On model of small safe. What we found was disturbing. Each could be opened in a variety of ways, as we demonstrate. We also tested similar containers from Bulldog and GunVault. We reached out to these companies as well, but they refused to return phone calls.

Any consumer that owns one of these containers should return it and ask for a model that has been fixed to make it secure, or demand a refund. In our view, no weapons or valuables should be stored in one of these containers.

We provide all of the video segments of our analysis as well as televised news reports and some of the undercover video that we obtained.

Gun safe detailed report by Security Labs

Video of three year old opening four different safes

KELO-TV Sioux Falls, South Dakota aired the accompanying story

Undercover video from Cabelas store

Security Labs Stack-On safes introduction (for each of the separate video elements)

Stack-On PC 650 gun safe

Stack-On PC-650 Portable Case with Electronic Lock
Electronic lock allows for a 3 to 8 digit combination to be programmed into the case.
Includes a backup trouble key.
Slim line design of the case allows for storage in a briefcase, under the seat
of many cars and trucks. Foam padded bottom protects contents from scratching.
Meets TSA airline firearm guidelines.
Body is designed for safe to be secured with steel cable (1500 lb. test). Cable is included.
11” wide (27.9 cm)
8-1/4” deep (21 cm)
2-3/8” high (6 cm)
(dimensions include key pad)


Stack-On PDS 500 gun safe

Stack-On PDS-500 Drawer Safe with Electronic Lock
Tested and listed as a California DOJ Firearm Safety Device.
2 live action locking bolts and concealed hinges.
Fastening hardware is included with each safe.
11-13/16” wide (30 cm)
8-5/8” deep (22 cm)
4-3/8” high (11 cm)


Stack-On biometric safes with fingerprint readers can be easily compromised.

Stack-On PS-5-B Drawer Safe with Biometric Lock,
Stack-On PS-7-B Extra Wide Safe with Biometric Lock and
Stack-On PS-10-B Personal Safe with Biometric Lock
Great security for pistols, ammo and valuables at home, on the road or in the office.
Tested and listed as California Department of Justice firearms safety devices that
conform to the requirements of California Penal Code Section 12088 and the regulations
issued thereunder.
Solid steel, pry resistant, plate steel doors, steel live action locking bolts and concealed
hinges provide greater security.
Biometric lock can be programmed to accept up to 32 different fingerprints–provides
greater security and quicker access to the safe’s contents. Also includes an electronic
lock and hidden trouble key.

13-7/8” wide (35.2 cm)
11-1/2” deep (29.2 cm)
4-1/2” high (11.4 cm)

17-3/4” wide (45 cm)
14-1/4” deep (36.2 cm)
7-1/8” high (18 cm)

13-7/8” wide (35.2 cm)
9-7/8” deep (25 cm)
9-7/8” high (25 cm)


Stack-On QAS 1200B biometric safe can be easily opened with paperclips.

QAS-1200-B Quick Access Safe with Biometric Lock
Tested and listed as a California DOJ Firearm Safety Device.
Biometric Lock can accept 28 different fingerprints with back up trouble key.
Biometric reader is easy to use and program.
Biometric locks provide greater security – no combinations to remember.
Holds standard sized pistols and other valuables.
Includes a removable shelf. Foam padded bottom and shelf.
Safe has pre-drilled holes for mounting to the floor, wall or a shelf.
Fastening hardware is included with each safe.
10” wide (31.1 cm)
12-1/4” deep (30.5 cm)
8-1/4” high (21 cm)
(dimensions include key pad)


QAS 710 Stack-On safe

Stack-On QAS-710 Drawer Safe with Motorized Electronic Lock
Tested and listed as a California DOJ Firearm Safety Device.
All steel construction and low profile design allows for storage in a drawer.
Lid pops up when the correct security code is entered for instant access.
Safe has pre-drilled holes for mounting in a drawer or on a shelf.
Fastening hardware is included with each safe.
10-1/4” wide (26 cm)
16-5/8” deep (42.2 cm)
3-1/2” high (9 cm)


Stack-On QAS 1000 can be easily opened

Stack-On QAS-1000 Quick Access Drawer Safe with Electronic Lock

Tested and listed as a California DOJ Firearm Safety Device.
Electronic lock allows for a 3 to 8 digit combination to be programmed into the safe.
Includes a backup trouble key.
Drawer pops out when locking mechanism is released.
Ball bearing drawer slide allows the drawer to slide in and out without binding.
Holds standard sized pistol and valuables.
Foam padded bottom protects contents from scratching.
Body is designed for safe to be secured with steel cable (1500 lb. test) or can be
mounted to a shelf or floor.
Cable is secured when drawer is in place.
Cable is included.
10” wide (25.4 cm)
12-1/4” deep (31 cm)
4-5/8” high (11.6 cm)
(dimensions include key pad)


Stack-On QAS 1200

Stack-On QAS-1200 Quick Access Safe with Electronic Lock
Tested and listed as a California DOJ Firearm Safety Device.
Electronic lock allows for a 3 to 8 digit combination to be programmed into the safe.
Includes a backup trouble key.
Holds standard sized pistols and other valuables.
Includes a removable shelf.
Foam padded bottom and shelf.
Safe has pre-drilled holes for mounting to the floor, wall or a shelf.
Fastening hardware is included with each safe.
10” wide (25.4 cm)
12-1/4” deep (31 cm)
8-1/4” high (21 cm)
(dimensions include key pad)


GunVault GV2000S gun safe

GunVault MultiVault Standard GV 2000S
* Protective foam-lined interior
* Extra storage capacity and removable interior shelf
* Tamper-resistant spring-loaded door
* 16-gauge steel housing
* Audio and LED low battery warning

Customizable Convenience
* Battery power provides portability
* Optional high-strength security cable secures GunVault in a home, car, RV, office or hotel
* Mounts almost anywhere in any direction

Foolproof Security
* Precise fittings are virtually impossible to pry open with hand tools
* Built-in computer blocks access after repeated invalid keypad entries (Digital models only)
* Tamper indicator alerts invalid entry attempts (Digital models only)

14″ X 10.1″ X 7.9″


BullDog BD1500 gun safe

Bulldog BD1500 Deluxe Digital Pistol Vault

Bulldog’s “Easy Guide” top pad features raised ribs that lead your fingers to the numbered buttons for quick and easy code entry. After 4 invalid keypad entries the electronics temporarily disable the control panel. In three minutes, the electronics automatically reset and will accept the valid code.

* “Easy Guide” ribbed top pad for quick entry
* “Smart Safe” technology remembers safe combination during power loss or while changing the
* More than 1000 combinations available
* Secure cylinder key override
* Pre-drilled mounting holes
* Pre-drilled holes for optional security cable
* Deluxe foam interior with egg-crate bottom pad
* Heavy-duty steel construction
* Durable powder coated black matte finish
* Mounting hardware included
* Interior light when door is open
* Spring loaded door for quick access
* External power supply
11.5″ x 8″ x 5.5″ /4″



We tested safes produced by Stack-On, Bulldog, Amsec, and GunVault between February, 2012 and July, 2012. We tested a limited sample of each and produced videos of unaltered containers. A manufacturer may have updated or made changes to a design that would make it more difficult for us to open that container by the method shown, or prevent us from doing so. The reader or consumer should replicate the methods shown for any particular container and run their own tests. We have no financial interest in any of the manufacturers that are detailed in this report. See the other disclaimers contained on this website.


The Medeco® m3 Deadbolt Design: How Secure is it?



If you are a locksmith or security professional, see the detailed analysis that follows. The password is available on ClearStar or from the author.

There are millions of Medeco deadbolt systems in place worldwide. They are rated as one of the most secure systems available. That is based upon the Medeco reputation for quality and engineering excellence and their high security ratings by UL, BHMA/ANSI and other standards organizations. The current mechanical design of their deadbolt has been utilized on the Biaxial® product line and now the m3. Bypass of these systems by means of forced entry has been difficult although there are expensive tools that are available to compromise them.

We have conducted very limited testing but it appears there may be a serious security flaw in certain of their deadbolt designs. Part of the problem results from widening of the keyway in the m3 as discussed in Part I of this series of articles. We would urge any user to contact their locksmith, security consultant, or Medeco representative for further information. Medeco has been notified and is aware of the issue. We believe the problem is mainly with the m3 deadbolt cylinders but there may also be some Biaxial® models that could be affected.

A detailed analysis is available together with a video demonstration that clearly shows the method of bypass. This publication has been restricted to locksmiths and the professional security community because of the simplicity of the technique and the potential security ramifications that could result from a public disclosure of the exact method. If you have security responsibility, you may contact the author for access to the restricted document. The password has been posted on ClearStar for security professionals.

Marc Tobias and Matt Fiddler will be addressing this issue at Defcon 15 on August 5 in Las Vegas as part of a two hour presentation regarding design issues with conventional and high security locks. Marc Tobias will also be presenting with regard to high security locks at the HITB conference in Kuala Lumpur, Malaysia the first week in September.

® Medeco and Biaxial are registered trademarks of Medeco Security Locks, Inc.


Protected: BYPASS OF THE MEDECO® m3 DEADBOLT LOCK: A Detailed Analysis


MEDECO® m3 DETAILED ANALYSIS: Obtaining a Password

Part I of a four-part series of articles detailing potential security vulnerabilities in the Medeco Biaxial and m3 is available to locksmiths, security professionals, law enforcement and government agencies. This information is also contained in the new edition of LSS+ and is restricted.

A public summary of the first article will be published on Engadget later this week but will not contain critical information that would be required to bypass Medeco cylinders.

The password for this article will be posted on ClearStar later in the week or you can register on for site clearance. When registering, please specifically request the password for this article.

You may also contact the author at for access or further information.

Medeco® is a registered trademark of Medeco Security Locks, Inc.


A Personal Comment about the Gun Lock Story

Two years ago, we posted an alert about the poor quality and insecurity of gun locks. The media reported the story in an in-depth television news story. The result: absolutely nothing changed. The manufacturers continued to produce cheap locks that afforded no protection. Standards were not changed by the State of California which certifies cable and trigger locks as secure to protect kids. Retail outlets continued to sell junk locks. And more alarming, law enforcement agencies throughout the U.S. still offer poor quality gun locks to the public for free, believing that they are designed properly.

There have been many adverse comments to my posting of videos with the article on and on Many think that a simple warning would have been sufficient without the videos. History has shown that this is not the case.

The reality is that if you simply warn parents that gun locks are dangerous because they create a false sense of security, the warnings will be largely ignored as they were two years ago. In fact in 2001 a security alert was published by the Consumer Product Safety Commission on this subject. Shortly thereafter, ABC did a television report on the dangers of these locks and how easily they could be compromised. Again, nothing happened. It was business as usual.

A few months ago our local sheriff showed me the gun locks that they distribute as part of the Operation ChildSafe program (funded by the Department of Justice). I decided it was time to revisit this issue. If a police department hands a gun owner a lock, then it impliedly represents that the lock is secure and will keep kids safe from guns. Our Sheriff had no idea that these locks could be so easily compromised. When he learned otherwise he took immediate action to warn every consumer that received these devices through his department.

So, for everyone that feels that our report should not have been published, I respectfully disagree. Simple warnings would accomplish nothing, as borne out by past events. This was reinforced by my conversations with the National Shooting Sports Foundation. They have distributed 35,000,000 of these cable locks and tell people they will protect kids from access to weapons. Worse, they actually believe that the standards that California passed seven years ago are sufficient to keep kids safe up to the age of seventeen. They cite the American Society of Testing and Materials as the ultimate authority on standards and the fact that these locks passed ASTM tests.

Their concern could be paraphrased thusly: “We have never had a problem with these locks so there is no problem.” I don’t question their motives, just their understanding of how these locks work.

Before I released the report I spoke with the California DOJ Firearms Division about their standards. They said that they believed that they were quite sufficient to keep kids from accessing weapons, repeating that the locks had been analyzed by designated testing laboratories and found compliant with the standards. It was the same story line.

In my view, the real issue is the standards and the manufacturers that produce cheap locks that do not even meet the minimal requirements promulgated by the DOJ. So, if this is an important issue (as I believe it is), then how do you get everyone’s attention so that something positive will occur?

Some say it is irresponsible to show how to compromise these locks. I considered very carefully whether to demonstrate the problems with these products or just write about them. I came to the conclusion that perhaps the only way to get the regulators to act was to show them what they apparently did not understand, and at the same time to graphically warn parents about the hazards of using these devices. Perhaps they might put pressure on the agencies to make needed changes.

And yes, there is a risk that kids will see this report. But I thought that would be far outweighed by the potential positive results that might occur. And frankly, it is clear that if a kid wants to access a weapon he will, regardless of whether there is a report showing him how to do it or not. The difficulty in compromising these locks is minimal and that is the entire point of the article.

The fact is that any adult that uses one of these locks as the sole protection of a handgun is grossly negligent. If they compound the problem by either locking a loaded weapon or keeping ammunition close by, then I would submit they could be held criminally liable if a kid uses the weapon.

So the conclusion I reached with regard to airing the videos was based upon the following premise: if the locks are as secure as represented by the DOJ, NSSF, and manufacturers, then why would they be concerned about showing how these locks can be compromised?

After all, they are all saying that the locks WILL protect a weapon against access by a kid (no matter how ludicrous that argument might be) and that the standards are sufficient.

My contention: Either these locks are secure or they are not. You can’t have it both ways. And if they are not then laws should be changed so that the locks actually do what they are supposed to do.

Finally, the information that was presented has been on the Internet for quite some time as almost everyone knows. An incredible amount of material has been published about bumping, including padlocks. So kids already are aware of that method of bypass. The fact that bump keys are available on the Internet for the Master cable lock should alarm everyone. I and others have been raising this issue for the past year. In fact, I submitted draft legislation to the Postal Inspection Service six months ago to close the loopholes in the postal regulations to stop the trafficking in bump keys on the Internet.

And what about the ability to cut these cables? I would dare say that every reader would look at one of these locks and laugh at the absurdity of the ostensible protection that they afford. A pair of pliers or fourteen-inch bolt cutters from Ace Hardware will sever any of these cables and everyone, including kids, knows it. Even Targus figured it out when I wrote the article last year about their much publicized armored computer lock that uses an almost identical approach to the gun cable lock.

So should we just keep quiet and continue to promote the failed concept of “security by obscurity”? I don’t think so, for the same reason that I am challenging the standards set forth by Underwriters Laboratories, BHMA, and ANSI with regard to high security locks and the ability to compromise some of them in well under the minimum time standards set forth for forced and covert entry in UL 437 and ANSI 156.30. I would submit that the risk could be far greater for reliance on some of these standards and for the defective or deficient design of some of these locks than for the compromise of gun locks.

I have never believed it was prudent to publicly demonstrate methods of covert bypass unless there was a valid reason to do so. That material is left to the multimedia edition of my book. I have never once shown such techniques in the media; only to law enforcement and security professionals. But when bypass techniques are so simple that anyone can accomplish them in a few seconds, I believe it is vastly different. In my view it enhances everyone’s security if they have a full understanding of the simplicity of the methods.

The issue raised in the gun lock story is about responsible disclosure with regard to matters of security. There has always been a legitimate debate as to whether disclosure promotes or places security at risk by publishing “secret” or more to the point, “unknown” information. The reality is that there are no more secrets. The Internet took care of all of that. And if I had simply posted a warning about the insecurity of these devices or there had been a news story written about a child that was hurt or killed as the result of his ability to bypass one of these locks, you can be sure that someone would have posted detailed information about the method of compromise. Welcome to the global information world.

There are two sides to every story and if this one has sparked thoughtful debate about the disclosure of security defects, then I would submit that the article has accomplished its purpose. Many parents have written to me after reading this article, not to complain but to voice concern about the locks they have relied upon and to ask what they should replace them with.

If you believe that material on gun locks should not have been released, then you will surely have an opinion regarding the next alert about the insecurity of small Fixed Base Operations at our airports, and the security issues it raises.



Gun Locks: Unsafe at any Caliber

A detailed report and videos that demonstrate design deficiencies in gun locks may be found at:


The eleven-year-old demonstrated the removal of three of the most popular trigger locks from a rifle in just a few seconds. The eighteen-month-old examines the Project ChildSafe® cable lock for guns. We do not believe that either of these types of locks is secure as the primary method to protect weapons.

Gunlocks are designed to protect kids and keep them from gaining access to weapons. An extremely successful program was launched several years ago by the National Shooting Sports Foundation to promote gun safety and keep children away from guns. The U.S. Justice Department provided funding so that NSSF could administer a program to provide free gun locks to the public through law enforcement agencies around the country. A total of thirty-five million Project ChildSafe® locks have been produced.

We do not think these locks are secure enough and should not be used to provide the primary protection to immobilize a weapon. Poor quality locks rarely offer any protection, and this is a classic example. These devices are produced in China with cheap pin tumbler mechanisms that can be bumped open in seconds. The cables on some models are easily compromised.

The quality control in the case of at least one model, the GL710N (listed on the California DOJ website as having been produced by PCS) appears to be so poor that two out of three locks that we obtained from the Denver Police Department could be circumvented merely by twisting the cable. That’s right; simply hand twisting the cable caused it to pull loose from the lock housing! Could a kid have done that? Without question the answer is yes.

The real problem is the standards for these devices. NSSF rightfully responded to our concerns about security by stating that the locks meet California and ASTM requirements. In our view, the standards need to be updated so that they take into account real world attempts to open them, which just might involve the use of more than a paper clip or screwdriver! Kids can be clever, especially when it comes to guns.

The NSSF statement in their literature that the locks will not stop a “determined attack” does not really address the issue. Is their position really that anyone that wants to remove a lock from the gun will succeed, as opposed to the kid that half-heartedly pulls on the cable and, if it does not come apart, gives up? Of course, in the case of the GL710N models that we tested that may be good enough!

We take an in-depth look at gun locks and the standards that are supposed to make them safe.


OPENING LOCKS BY BUMPING IN FIVE SECONDS OR LESS: Is it really a threat to security?

How a lock is bumped: the physics

See the WPIX NEW YORK news story on bumping at

See the detailed White Paper at

See Bumping of locks: Legal issues in the United States

See the security alert at

See the response to the ALOA editorial at OpEd on this site.

See Spectrum On Line at

See the feature article at by the author and at

A report was released on March 22, 2006 in the Netherlands regarding the vulnerability from bumping of more than 80 different pin tumbler locks that are manufactured or utilized in that country. The findings were researched and produced by Dutch Consumentenbond, the most prestigious Dutch consumer protection organization. This study was largely the result of significant research that was conducted by Toool, “The Open Organization of Lock pickers” in the Netherlands with regard to the vulnerability of certain cylinders. Their tests and that of Consumentenbond demonstrated that many locks could be opened within seconds by an unskilled individual with less than one hour of instruction.

The author previously addressed this issue in LSS+, the multimedia edition of Locks, Safes and Security, and in an article published in the ALOA magazine KEYNOTES in January, 2005. A White Paper had also been issued by members of Toool. Although the Netherlands tests showed that many locks could easily be opened with little skill, there are many variables that can affect the ability to compromise a lock in this manner. As a result, a detailed analysis of the threat level to physical security posed by bumping is now available.


Targus Defcon CL Armored Cable Locks: Not Secure

The Targus Defcon CL Armored computer cable lock is touted as the most secure in the industry, but is it? Read the feature article by the author at
