THIS POST IS RESTRICTED TO LOCKSMITHS, SECURITY PROFESSIONALS, RISK MANAGERS, AND READERS OF THE NATIONAL LOCKSMITH and CLEARSTAR MEMBERS.
I would like to address the recent class action lawsuit that has been filed in multiple jurisdictions against KABA-Ilco for the insecure, and I believe defective design of their Simplex push-button locks. This article will discuss the potential liability issues for locksmiths and for the lock manufacturing industry and the profound impact that this litigation may present in the future.
Millions of Simplex locks (Series 1000, 2000, 3000, 6000, 7000, 9000) have been sold to commercial, government and even residential venues throughout the world and have been an extremely popular push-button lock for at least thirty-five years. Unfortunately, they are, in my opinion, insecure, and demonstrate a critical problem within the lock industry which I have repeatedly addressed and labeled as insecurity engineering, and which is the subject of my latest book. The attached video has been made available to locksmiths and security professionals and details the security vulnerability of these mechanisms. Many versions of the KABA Simplex lock can be opened in under five seconds with a rare-earth magnet. The problem is based upon the design of the combination chamber, which is common to many models.
Our analysis conclusively demonstrates the vulnerability of these locks and also graphically illustrates what can go wrong when design engineers are not properly trained in bypass techniques, or they fail to use their imagination as to potential methods of entry. While KABA is not the only lock that can be opened with a magnetic field, they are the largest target for legal action. In Locks, Safes, and Security and LSS+, I describe at least fifty methods of bypass, including the use of magnetic fields. Unfortunately, most design engineers are clueless with regard to many of these techniques, which means they are incapable of designing locks that are secure against this and other forms of attack.
This lack of knowledge has led and will lead to liability and potentially significant if not catastrophic damages and will likely force some manufacturers out of business. In my view, the KABA lawsuit and what it portends may have a devastating impact on lock manufacturers and the entire industry if they do not pay close attention and take steps to ensure that their products provide the security which they directly or impliedly represent and which their purchasers rely upon. If not, they will likely find themselves as defendants in future class action lawsuits. Any lock manufacturer, foreign or domestic, that sells their products within the United States market can be subject to liability.
Be assured that KABA will not be the first to be the target of such litigation. Our office has been investigating several seriously defective or deficient products and will likely be involved in actions in the future for similar design deficiencies that adversely impact security.
Several of our legal and consulting clients asked that our law firm set up a testing laboratory to find “real world” vulnerabilities that UL, BHMA, VdS and other standards organizations and their laboratories either do not recognize or are not allowed to test for because of the way the standards are written. As a consequence, in 2009 we set up Security Laboratories to determine the vulnerability to covert and forced entry techniques in both mechanical and electronic locks. We established our lab through my law office to shield our clients from potential discovery of our test results in the event of litigation involving defective products that we may uncover.
As many of you know, I have been an outspoken critic of many lock manufacturers for their lack of competent security engineering skills, especially with regard to high security locks. All of our clients are vitally concerned about making secure products. They want to be certain their locks protect their customers and do not expose either the customer or manufacturer to liability claims, based upon defective or deficient engineering in their design. We have secured several patents to remedy design problems and make the locks that are produced by our clients more secure.
While some on Clearstar have suggested that we “sold out” to some of the major lock companies that we are employed by, the reality is that we are helping them to make better and more secure products. Many of our clients have learned a very painful lesson about lock design: it is far less expensive to find and remedy design deficiencies before a product is released rather than doing it after the fact.
There has been much criticism of the stance I have taken as to my belief that not only should these engineering failures be documented, but the public, locksmiths, and security professionals should be made aware of the vulnerabilities. My rationale is simple: that knowledge allows them to properly assess and assume (or decline) the risks that may be inherent in utilizing a specific lock or piece of hardware.
Unfortunately, many lock manufacturers will not communicate known defects or vulnerability issues to their dealers or customers unless they are forced to do so. This, in my view, is a very unsound policy and will lead to legal liability and ultimately, potentially serious and damaging public relations problems. Security by Obscurity does not work. Failing to disclose vulnerability does not make it go away; it just places everyone that uses the product at risk when they are not aware of the vulnerability.
In those cases where manufacturers are ignorant of bypass techniques that can render their locks insecure, I believe they may still be held liable. Why? Because ignorance is no excuse, especially if commercial tools, YouTube videos, or lock picking web sites are discussing different techniques to open the locks. One of the first things we do in our lab is to determine if anyone else has figured out how to open locks that are produced by our clients. Often, there is a wealth of information. My opinion is that any lock manufacturer that ignores such publicly available information is culpable. The problem is that many manufacturers release products, then essentially forget about them and fail to make changes, based upon current bypass techniques. If a company represents in its current technical manuals and advertising that a lock is secure, I do not think it matters whether it is a new or old design. I believe this is why KABA will lose their lawsuit.
Everyone is aware that we wrote the book about how we cracked the Medeco high security cylinders. Medeco’s response was to implement certain changes to counteract security vulnerabilities that we had exploited. This is precisely what is required of a manufacturer if they are to avoid liability and costly lawsuits. Other manufacturers, such as we disclosed at DefCon 18 last summer, chose to do nothing, or simply hide from their design defects.
I have always believed that full disclosure is the only viable policy, regardless of the possible consequences, and have so counseled my clients. Every lock manufacturer has, in my view, a special responsibility to its locksmith-dealers and to the end-users. Often, the locksmiths are “left twisting in the wind” by not being apprised of known or suspected security issues by the manufacturer. The lack of such information can adversely impact their customers and create an untenable legal and ethical position for the locksmith.
Perhaps the best example of a lock manufacturer taking responsibility for a deficient product is Schlage and their Kryptonite bike locks. When we made public the ball point pen attack in 2004, Schlage made the decision almost immediately to replace every lock, whether they were liable or not. That conduct should serve as a model to every other lock manufacturer. It cost them a great deal of money, but it was the right course of action and has ultimately paid dividends for them in terms of credibility with their customers. The same course of action recently occurred in Europe by Uhlmann Zacher when their electronic cylinders were attacked with the magnetic ring. They immediately shut down their production line, recalled all of the locks, and fixed them at no cost to their customers.
About six years ago, I wrote a detailed two-part article for ALOA Keynotes with regard to locksmith liability issues, after becoming involved in the exposure of the insecurity of master key systems in the New York Times. Little attention was paid to the issue at the time in regard to potential liability. The KABA lawsuit has brought the matter to the fore, and now every locksmith and manufacturer should be paying very close attention because of the potential liability issues involved.
As most of you know, in 2006, my associates and I went public with regard to lock bumping in the United States, and were soundly criticized by most locksmiths for doing so. ALOA in particular said we should not have told the public about the technique and that essentially, it was much ado about nothing. It had already been widely reported in Europe by Toool and others, and I felt the U.S. consumer should be aware of the threat because virtually every potential burglar already knew about it. The irony is that most locksmiths did not, even though many of them claimed otherwise. I thought that full disclosure should be the rule.
As events have unfolded, I think just about every locksmith now knows they were wrong in their belief that the public should not have been warned about the dangers from lock bumping. In fact, many locksmiths and executives at ALOA went public and demonstrated the technique on their local television stations. As a result of the exposure of lock bumping as a serious method of covert entry, the manufacturers have begun to address the problem, as have the standards organizations. I believe that the public benefited from the disclosure and is better off for it.
I sit on the UL Standards Technical Panel for locks and safes, and have the privilege to be part of the group that analyzes standards as they come up for periodic review. Both UL and BHMA are moving in the proper direction and are adopting bumping protocols. If you think that lock bumping was an insignificant issue, I would submit that we were able to bypass the most respected high security lock in the United States as a direct result of the re-emergence of lock bumping. I am sure you are all familiar with the Wired Magazine article (June, 2009).
ALL SECURITY IS ABOUT LIABILITY: THE KABA CLASS ACTION LAWSUIT
I am constantly asked “why is a lawyer picking locks?” The answer has always been simple for me to explain: All security is about liability. For many years, I have been cautioning about the nexus between security and liability and defective or insecure products. It would appear that now everyone is paying attention to this warning, as well they should.
So, now we come to the crux of the matter: the KABA lawsuit.
In November, 2010, a class action lawsuit was filed by a number of plaintiffs against KABA-Ilco. The basis of the suit is the insecure engineering of the combination chamber that is the critical component within most of the Simplex push-button locks. Some locksmiths were apparently aware of this issue, but evidently nobody paid much attention to it until some very competent lawyers in New York were notified of the problem by their clients.
For everyone wondering if I am connected with this lawsuit, the answer is no. However, I have met with lead counsel in New York for the Plaintiffs. As a result, our office is working an independent investigation with regard to certain issues in this case.
As a lawyer, it is my opinion that KABA is in serious trouble on two fronts. If the case is not dismissed based upon a motion for summary judgment for failure to state a legally viable claim, then I can assure you the case will be settled and will never see a courtroom. My opinion is that KABA will not risk a fifty million dollar verdict for their inept design and what I perceive as their potential misrepresentation and false statements by their employees.
KABA, in my view, has not only manufactured and marketed a defective product, I believe they knew it or should have known it for quite some time, and are still representing that the product is secure when they know it is not. As of two weeks ago, KABA technical support staff is continuing to state that this product is secure, and are assuring customers that the locks cannot be opened with magnets. Quite simply, this is a lie, and is liable to cost them dearly.
I find this particularly interesting in light of the Motion that KABA filed with regard to where this case should be heard. They stated that the design has been modified as of September 19, 2010, but there is no information to indicate that the problem has in fact been remedied. Further, one would assume that technical support staff would be warning customers to have their locksmith replace the combination chamber with the upgraded version. Instead, the individuals I spoke with denied any knowledge of any specific vulnerability.
Perhaps even more troublesome: I spoke with five different major Simplex dealers across the United States to inquire as to the security of the Simplex locks. None of them were aware of the problem, and they stated that the locks were secure and could not be bypassed with magnets. None reported they had received any information from KABA, notwithstanding that KABA has stated they first learned of the problem in August of 2010. If you believe KABA, that means that at least five months have passed and they have not warned their dealers, at least not the ones I spoke with, about the insecurity of their locks. Evidently KABA subscribes to the theory of Security by Obscurity as well.
All but one of the dealers I spoke with were comfortable with recommending these locks for use, even in secure environments, boasting that “the military” uses them. Each of the dealers and locksmiths I spoke with was wrong, and could potentially be held liable for making such statements.
DESIGN ISSUES THAT MAY GIVE RISE TO LIABILITY
There are four critical questions that must be answered in relation to the KABA lawsuit: (1) whether the design of the Simplex is defective, (2) if the company misrepresented the security of its product, (3) whether the design engineers, on a continuing basis, should have known or determined whether the lock was subject to a magnetic attack. Even more importantly, (4) did they have prior knowledge of the security vulnerability and failed to correct it and warn their thousands of customers?
The legal criteria with regard to the question of design defects or deficiencies in the security engineering of locking devices is really not settled and is dependent upon many factors. I think we can identify the two opposite ends of the liability-spectrum with regard to security engineering: clever design and clever exploits, versus stupid designs and simple attacks. My opinion is that the KABA Simplex fiasco falls within the second category.
A manufacturer is clearly not liable for a state-of-the-art attack which could not or should not have been foreseen when the lock was designed and first manufactured. A sophisticated decoding tool, for example, which requires a great deal of skill, expertise, and introduces new methods of bypass techniques, would not give rise to a cause of action. An example: the John Falle shim-wire decoder that was introduced about twenty years ago. This was classified as a state-of-the-art attack and used a wire that was a few thousandths of an inch in diameter, delivered through a syringe-type tool to probe and measure the length of each bottom pin. It was only available to government agencies for many years. No manufacturer would be deemed liable if their locks were attacked in this manner.
A similar and more current and relevant example would be the picking and bumping techniques that we developed to open Medeco cylinders with code setting keys. These state-of-the-art techniques would not give rise to liability upon the part of Medeco, because the manufacturer clearly could not have foreseen the attacks that we developed, even though the ultimate result constituted a relatively simple method to open many of their locks.
At the other end of the spectrum are attacks that require little to no skill or training, and no sophisticated tools. To be blunt, these types of attacks are based upon stupid engineering by the manufacturer. The KABA attack, (and hundreds of others that we have documented in LSS+ and DAME), are neither sophisticated nor complicated, and certainly not state-of-the-art. In my view, reasonable design competence in security engineering would dictate that a properly educated engineer would understand the vulnerability and design around it. The KABA bypass is a classic failure in this regard.
Anyone familiar with magnetic attacks would recognize the threat and never use a ferrous material that could be influenced by a magnetic field for a critical component, as was done by KABA in their combination chamber. Reading their Motion, KABA is evidently claiming that a rare-earth magnet was “not commercially feasible” at the time the lock was developed, and thus constitutes a sophisticated or state-of-the-art attack. They further claim that these magnets (which can be held in the palm of your hand) are not easily transportable, and may cause bodily injury when used. In addition, they represent that opening the Simplex by a magnetic field may be difficult, not a reliable technique, and may not even result in the lock being opened.
Frankly, this is all KABA-legal-mumbo-jumbo because they do not want to admit what everyone knows: the locks can be opened with a magnet because they were not properly designed.
This begs the question, because I believe that a manufacturer has a duty, especially if they are on notice of a technique to bypass the security of their locks (or other locks that may have similar components that control critical functions), to constantly update their current products to prevent or minimize such vulnerability. KABA evidently did neither. I would assume that the concept of magnetism was even known to KABA at the time they developed the Simplex lock! Any contention that because rare-earth magnets were not available at the time of the initial design, KABA is not liable is simply nonsense.
KABA also believes that all locks are subject to some form of bypass, whether by locksmiths or criminals, and that everyone has access to the same bypass tools so no manufacturer should be held liable for such acts of bypass.
This is a novel theory to be sure, but in my view, it denotes faulty logic. Locks are designed to be attacked and “screwed with” by a variety of techniques, including the use of strong magnets. Any manufacturer that does not understand this premise should not be in the business. The very nature of a lock is to keep bad guys out, and that is the entire theory underlying lock standards, such as UL 437 and ANSI/BHMA 156.5 and 156.30.
Even if you accept KABA’s argument, they fail to address the simplicity of the attack against the Simplex. This, in my view, is their real problem and they confirm the issue in their pleadings by stating that all locks are vulnerable, whether by an expert locksmith, or any thief, “even the most clumsy.”
Locks are rated in terms of time, tools, and training and whether specific bypass techniques are reliable and repeatable. We call it the 3T2R rule. They are designed to keep criminals out for a specific period of time and are measured against certain types of tools and techniques. Claiming that no liability accrues if a lock is opened with any but the correct key is ludicrous, arrogant, and connotes a total lack of understanding of security. KABA has lumped all locks and their bypass together and has conveniently omitted any mention of standards or the security of their products to resist such attacks.
While I agree that most locks can be opened by one or more techniques, the real questions are “how long does it take, what kind of tools are required, and what is the required expertise?” This summarizes my 3T2R rule in a nutshell.
The magnetic attack on the Simplex fails on all three counts. Claiming that the use of a rare-earth magnet is a sophisticated, unknown, or “not commercially feasible” attack does not, in my view, pass muster either, because the magnets are readily available from several venues.
If KABA was correct in its assertion, then why bother spending any money for a more secure lock? Here is my suggested solution: let them place verbiage on every Simplex that states “Warning: this lock can be opened in two seconds with a strong magnet by an idiot!” How many locks do you think they will sell? The answer is zero!
A FALSE SENSE OF SECURITY
Many lock manufacturers have been getting away with selling seriously deficient or defective products for a long time, and have never been held accountable. Tool makers such as HPC, Lockmasters, Peterson, MBA and Wendt make their living, in large measure, because of incompetent or deficient security engineering by some lock manufacturers. Recent examples that we exposed at DefCon 18 last August underscore the severity of the problem: a consumer level “safe” which is really nothing more than a box with a cheap lock on it (which can be opened with the shim from a hanging file folder), a biometric fingerprint lock (which can be opened in one second with a paper clip), and another KABA product, the InSync (which can be opened with a piece of wire inserted through the USB data port). Two other cylinders (Kwikset Smartkey and Iloq), both seriously deficient, completed our presentation.
GENERAL LOCKSMITH LIABILITY
Many on Clearstar have asked if locksmiths that have sold these products can be held liable. The answer is not simple and depends upon whether the locksmith was aware of the defect and failed to warn their customers. However, before talking about the KABA Simplex case, there is a threshold issue that must be addressed, and that involves the locksmith holding himself or herself out as a security expert.
If, as a locksmith, you merely install a KABA Simplex or any other lock that is found to be insecure, deficient, or defective, then my opinion is that you have minimal or no liability whatsoever; it would ultimately fall upon the manufacturer. Most locksmiths do not have the skill, tools, or training to find significant design defects in the locks they sell. They rightfully rely upon the expertise of the manufacturer to produce secure products and their representations as to the security of their locks. Normally a locksmith’s job is sales, installation, and maintenance of security products; not testing.
However, if you hold yourself out as an expert in security, recommend a specific lock as secure (either directly or by implication), as a result the customer relies upon your representations, and they subsequently suffer a loss, you may be deemed liable.
Once you represent, either directly or by implication, that you have expertise in physical security and that your customers should rely upon your advice, then you also have a duty to be aware of current methods of bypass for the locks you sell. You have a commensurate duty to warn your customers of such issues before they purchase the lock, or, for a reasonable period of time subsequent to the purchase and installation of such products. It is the ethical thing to do, will foster good customer relations, and should shield you from any liability.
LOCKSMITH LIABILITY AND THE KABA SIMPLEX
There are five specific and primary issues of concern: (1) what should locksmiths do now that they are aware of the defect, (2) are locksmiths on notice of the defect, (3) are locksmiths liable for products they have previously sold, (4) what should Simplex dealers tell their clients, and (5) do locksmiths have a duty to warn their present customers that have installed Simplex locks?
What should locksmiths do now that they are aware of the defect?
The answer is simple: advise every customer of the specific problem, so they and not you make the risk assessment and the determination as to whether the locks should be replaced or not. In my view, you should stop selling the locks until they are fixed and the manufacturer repairs or replaces every one of them that is in service. You should also demand that KABA upgrade the combination chamber in all locks and compensate you for any expense incurred in connection with servicing your customers. If KABA is unwilling or unable to fix their locks, then you should require them to refund the purchase price of your entire inventory.
Are locksmiths on notice of the defect?
If you are reading this article, you are on notice! Further, if you are holding yourself out as a security consultant or expert, then you are presumed to know the current state of the art, which means you have “constructive knowledge” as to the bypass technique. This means that either you knew directly or should have known.
Are locksmiths liable for products they have previously sold?
I do not believe so, unless you were specifically aware of the problem and failed to warn your customer.
What should dealers tell their clients?
You should tell them they are at risk, and apprise them of the specifics of the bypass, as shown in our video. You should also demand that KABA hold you harmless and agree to replace or upgrade every lock you have sold and that is subject to the design problem.
Do locksmiths have a duty to warn their present customers that have installed Simplex locks?
I believe you have an affirmative duty to warn. If you fail to do so, you may be held liable if they (your customers) suffer a loss based upon the bypass of these locks.
The obvious question as to the time period for which KABA is liable is unclear. Locks that were sold several years ago may not be covered in this lawsuit unless it can be proved that KABA was aware of the problem and failed to warn their customers. If KABA does the right thing, they will replace or upgrade every lock that is at risk, just like Schlage did with the Kryptonite.
THE REAL PROBLEM: THE STANDARDS THAT MEASURE SECURITY AND THE TESTING LABS THAT CERTIFY THE LOCKS AS COMPLIANT
The KABA Simplex lock was evidently rated at one time as Grade 1 security level by ANSI/BHMA (156.20). Unfortunately, these standards, in my view, are woefully deficient in what they cover. They do not adequately protect the consumer. I have been meeting with BHMA for the past two years in an effort to get them to revise ANSI/BHMA 156.5 and 156.30 (the commercial and high security standards) so that they actually test for “real world” bypass techniques.
The KABA case is typical and demonstrates the total failure of standards to determine or measure real security in locks. In September, 2010, our office filed a very detailed complaint to BHMA, seeking to challenge the certification of the Kwikset Smartkey lock as non-compliant with the standards. This lock, also rated as Grade 1 security, as many of you know can be opened in fifteen seconds with little more than a small screwdriver. I think it is junk security, and I have publicly said so on many occasions. Just about every locksmith in the country knows the Kwikset story. Now, KABA Simplex can be placed in the same class with regard to security, or perhaps it is even worse and more insecure. At least the Kwikset Smartkey is bump and pick resistant and is not affected by a magnetic field!
In citing these examples, the significant issue is the failure of BHMA, UL and other organizations to protect the public by adopting standards that actually mean something. Presently, many forms of bypass are not in the standards, which means the labs are not testing for them. The result: locks that the public believes to be secure are not. The problem is compounded by what we see as incompetence upon the part of some laboratories to find vulnerabilities.
This, I believe, is the case in regard to Intertek and the testing of the Kwikset Smartkey. After more than four months, BHMA finally notified us that Intertek (the lab they contract with for certification compliance) determined that the Kwikset Smartkey was as secure as a pin tumbler lock and passed the tests for certification. The net result: Intertek is now attesting to the fact that a lock that can be bypassed in fifteen seconds is secure enough to receive a Grade 1 certification. I would imagine that they would likewise find the KABA Simplex, which can be opened in two seconds, to meet the criteria for Grade 1 certification as well.
In my view, the consumer should not rely upon either the standards or the results that are certified by these testing labs with regard to methods of covert and forced entry.
Testing labs should understand that they may share in liability for defective or deficient products which they certify as compliant and which are not.
Earlier this week, I met with BHMA to discuss the current situation with regard to the standards and why they should be upgraded. I suggested that an expedited procedure be adopted by BHMA to address security issues such as KABA, Kwikset and other companies, where locks are certified as compliant with Grade 1 standards but are clearly not secure. The issue is now being considered in an effort to further protect the public.
The KABA lawsuit will be the first of many to be filed and will set a new standard for security engineering within the industry. Any manufacturer, large or small, that fails to grasp the nexus between liability and security engineering will be subject to potentially lethal lawsuits which ultimately may force them out of business.
If you are a manufacturer, it will be incumbent upon you to understand different methods of bypass that are not covered in the standards, and to guard against them. You must develop the expertise to design secure locks. As I meet with engineers throughout the world at different manufacturing facilities, I am constantly amazed at their lack of knowledge with regard to security engineering, and more importantly their potential exposure to liability for such deficiencies.
While most engineers are competent to make mechanical locks function properly, few understand how to circumvent their security. The premise is simple: you cannot design a secure lock unless you understand the methods to break them. Most manufacturers only have a cursory familiarity with the latter.
As a manufacturer you may claim that you rely upon the standards and are compliant with them. Such an argument may not shield you from liability, however. If your lock can be opened in fifteen seconds by a kid, I think you will be deemed to be liable. More importantly, if members of a jury can open your locks in seconds, it is over. End of story.
If as a manufacturer you are on notice of a significant vulnerability and fail to act upon it, both in terms of design changes and notification to critical customers, you may suffer the consequences. That means that if there are tools on the market to open your locks, or verifiable accurate YouTube or web videos that illustrate how to break them, then you have a problem. I can assure you that the legal community will take note, and where appropriate, pursue such design issues in expensive lawsuits.
Our investigation into this matter is continuing and we will have a technical update shortly.
If you have specific questions or relevant information regarding Simplex locks, please feel free to contact me at [email protected], or at Investigative Law Offices, 1.605.334.1155.
Please note that I am not offering legal advice to any specific locksmith in this article, unless I am specifically asked to do so. You should seek the advice of your own counsel with regard to the issues I address in this article. All opinions are those of the author.