Good afternoon, everybody. My name is Marc Tobias. I'm an attorney and a physical security specialist. My associate is Matt Fiddler. He works for a Fortune 100 company in security and forensics. We're here, again, at DEF CON, to talk about locks and specifically high-security locks and some problems and some issues that, especially the IT and security people ought to be aware of regarding standards, locks, how they work, and certain bypasses that demonstrate certain engineering problems that are really widespread in the industry. I'm going to let Matt begin this with an overview of the regulations, as far as Underwriters Laboratories and ANSI, the standards for high-security locks. Matt?
Good afternoon. So today, we're going to go through the standards, as Marc said. We'll also demonstrate via video demos a host of bypass methods. And then we'll go into the representations, some of the lies made by manufacturers and the legal issues that arise. So there are standards out there, Underwriters Laboratories and ANSI/BHMA. They have facility specifications that protect against or test against forced covert entry and apply key control mechanisms. So the UL 437 standard for picking determines that the tested locks cannot be bypassed within 10 minutes. The same is true for impressioning. And then for all forced entry attacks, drilling, sawing, prying, and others, it's five minutes.
Now, and I might add, the relevance of UL 437, first of all, it's represented as a high-security standard. It's really a higher-security standard. The real standard is the ANSI/BHMA, which is Builders Hardware Manufacturers Association. That standard, which Matt will talk about, is 156.30. But the relevance of all this is that risk management, purchasing, procurement, and security rely on these standards and rely on the tests that these standards represent that you're obtaining locks that are secure for your facility.
And as Matt said, and we're specifically interested in covert entry, that is, you don't know they were there, there's no outward signs. These standards present a minimum of 10 minutes of resistance. Basically, you can figure that for 10 minutes of attempting to get into a lock, they're not going to succeed. The ANSI standard is even higher, it's 15 minutes.
So ANSI began with auxiliary locks for 156.5. They're graded one through three. So if you go to Home Depot or Lowe's and pick up a lock, you'll see the grades on the locks. They enhance that with 156.30, it's their high security rating, and they're graded A through C, and it's applied on the lock. So again, if you buy a Kwikset or Schlage at Home Depot or Lowe's, you'll see those ratings on the locks. Much like UL 437, they apply security tests, resisting forced entry. And as Marc indicated, ANSI applies an additional five minutes on top of UL 437 for picking attempts. The other thing ANSI does above and beyond UL 437 is applies key control. And that contains three levels of key control. So the manufacturer has to restrict the blanks, the blanks are protected by law, so you can't go into your hardware store and have a blank made, and you need to provide authorization. So when you purchase a high security lock, typically you'll receive a credit card or something identifying you as the owner and purchaser of those locks.
There's several levels of key control that can be implemented by a manufacturer. Sometimes the locksmiths have basically public keyways, but they're not at the hardware store, or there are specific keyways or keys for a specific user, or the highest level, you can't get any blanks, nobody can cut the keys except the factory by code with an authorized individual. So a lot of facilities want key control, patented protection against the replication of keys, because if you can't replicate the key, it's a lot tougher to break the system.
So the pick resistance, as we said in 156.30, there's a minimum of two security pins, and if you attended any of the other lock picking seminars or up in the lock picking village, security pins have a special configuration to try and resist picking, so there's spool, there's serrations, there's a whole host of specialized picks. They require paracentric keyways, so the keyway where you insert the lock actually, or insert the key, actually is overlapped to reduce the possibility of someone inserting tools to bypass the lock. Overlifting is another method of bypass, whereby you overlift all the pins in the lock and push them up to bypass the lock, so one of the board depths in 156.30 has to be designed to prevent overlifting, and as we said, it meets all levels of UL 437, and the interesting thing is for the 15 minutes of picking, it's tested by five ALOA, the Associated Locksmiths of America, for testing those locks.
So what is high security? As we said, the standard UL 437 covers cabinet locks, door locks, cylinder security containers, and two key locks. UL 437 is considered a high security standard. We believe it's higher security, not high security.
Yeah, there's nothing in UL 437, even though the manufacturers really tout it as the high security standard. It really is, and it's higher security. There's actually no definition in the standard of high security, but everybody specifies it in their bid specs and their internal security.
So the tests are wide and varied, and they test things like finish, endurance, strength, but what we're gonna focus on today is attack resistance. And I'll just read this quote, a product shall not be opened or compromised as a result of application of the tools and methods described, and this is explicitly out of UL 437. Common hand tools, hand or portable electronics, saw blades, portable mechanisms or picking tools.
And then the further detail, the forced entry and covert entry mechanisms of bypass, pry bars, chisels, commercially available tools, and then in covert entry, picking and impressioning. And what we'll demonstrate here via some of these videos is methods of bypass for both standard and high security UL and ANSI-graded locks through drilling, pulling, prying, sawing, picking and impressioning. This will give you an idea of how these locks are attacked and what they're tested against before we start talking about some of the more sophisticated methods of entering these locks.
So with forced entry drilling, your attempt is to bypass the locks either by drilling a new shear line through the lock, drilling out screws to remove the cylinder. There's a whole host of tools, varieties, drill bits to bypass locks. If any of you participated in the mystery box challenge, a lot of the teams were drilling the locks just the way they were positioned within the boxes. So we have some videos here of drilling a standard cylinder along with drilling a high security cylinder. And the high security cylinders actually incorporate hardened steel rods, ball bearings, and a host of defense mechanisms to prevent against drilling.
So basically the forced entry attack on cylinders that you're gonna see here, these videos were actually shot last year in Amsterdam. There's two real methods, forced entry methods to normally bypass pin tumbler cylinders, and that is either to drill out the plug, basically ream out all the guts, or drill a hole to create another shear line so that you can just stick a screwdriver and turn the plug. This is what the bad guys use to attack cylinders. Now the normal cylinder, it takes very little time as you'll see to attack the cylinder. The high security cylinders, as we're gonna show, we're demonstrating one that's made by an Austrian lock manufacturer called EVVA, very good locks. And as you'll see, this one's impervious to this type of attack.
Okay, so bear with me here. Hopefully this audio won't go crazy. This is a plug, this is a shear line attack. So the drill is just actually creating another shear line. You can see how easy that's going through this profile cylinder from Europe. Okay. So, and the lock is open. And it's open. It's open. Okay, a second. Now this is a high security lock. Doesn't quite work the same way. This is a very special reaming tool, and it just doesn't hardly touch the surface of the lock. They're special anti-drill pins, and as you can see, it's not getting anywhere. Again, this is an EVVA 3KS, very popular in Europe. And we really work to go through this to the point that we burned up the little reaming tool here. Look, you can see the smoke coming out of it. It just flat isn't going anywhere. That's what you get when you pay for a high security lock and so certified. Very frustrating for the burglar.
So pulling is another method of attack, whereby you drill through the cylinder, attach a special pulling tool. Some of these tools are based on auto mechanics' dent pullers and forcibly remove the cylinder. So we're going to demonstrate two videos.
And these we should note, these are profile locks. We can do the same thing in America, but I happen to have shot a lot of video in Europe for my book, so we grabbed these segments because they're so demonstrative.
And the first is actually interesting. The first is a Mul-T-Lock. It's a UL certified, UL 437 certified lock. So we'll first demonstrate pulling that as well as pulling the EVVA 3KS.
Well actually to correct, in Europe it's not certified as UL 437, here in America it is. And this technique, you drive a screw into the lock and then you pull it out. It's so easy to put into place. And the Mul-T-Lock happens to have a very wide keyway. It's a dimple lock into a horizontal keyway. So there's a lot of room to insert this special steel screw. Taking one or two back. Yes, in case.
And this is a, this is a special breaker tool that's available and widely available. This isn't anything difficult. So then it's just tightening the screw and it's gonna pull the lock right out of the door. And so much for the Mul-T-Lock. That was the Mul-T-Lock. This is a typical relatively low-level security cylinder that's sold all over the world. This is what the bad guys are doing so that this is why you get a certified lock. Although as we're gonna talk about later there are some issues with that. This is a, again an EVVA 3KS, it's a little different. What's happening is when they're pulling this they're snapping a screw that retains this within the housing hardware. Same attempt. And this guy is a master locksmith. It's Paul Crowell in Amsterdam and he really worked at this. He does this for a living. Watch how the door bends. I don't think it wants to break. No, the door is starting to break. The lock is not breaking. If I didn't know better it was making love with the lock.
So another method is prying. This is often used by individuals to try and bypass a lock. We don't have video demonstrations of it but you can see evidence of it in the photos on the right. As well as sawing. The left hand is just using a hacksaw to drill through the, or saw through the bolt and on the right side just using a shim to force and break the bolt. And then picking, we'll demonstrate some picking techniques later. But some of the tools displayed here are a standard pick set from SouthOrd in the upper left hand corner. Below that is John Falle's standard pick set. The upper right is an H&M tool for Mul-T-Lock standard and interactive cylinders. And the lower right hand corner picture is another Mul-T-Lock. Are you gonna talk about that tool? Oh, we have that video. Okay, that one, yeah.
So impressioning, I'll let Marc describe impressioning, but we have a host of pictures here and this is actually leveraging a key, a blank key inserted into a lock to try and decode the pin depths and create your own key to open the lock.
Impressioning is a technique that you actually put a blank key in, mark it, and at the end of the day, you produce a working key for the lock if you know what you're doing. It's a technique that's widely known. This particular key on the top that's shown was patented about 30 years ago. It's actually a combination of a brass and a lead blank. The top material is lead. It's so soft that when you stick it in the lock, it's very easy to impression, make marks from the pins and read them. It actually was not a particularly successful venture for the inventor, but it really works well. Anybody can learn impressioning with this technique. The bottom three keys are dimple keys, the type of keys with little holes in them, and you can use electrical tape, wax, that's what's shown here. Aluminum foil. Aluminum foil is very popular to actually obtain impressioning marks. It's another method of covert bypass that we use in the industry. You just need to be aware, especially with dimple locks, if you guys have Kaba, KESO, Mul-T-Lock, some of these locks are pretty simple to impression and you do have to pay attention to it if you're looking at facility security.
So the specification also references common hand tools. We just demonstrate some here, but screwdrivers, hammers, picks, knives, you name it.
And we should note that UL is pretty specific in their standard as to what types of tools you can use. And so it's pretty commonly available tools, but it doesn't include everything. In Europe, testing has done more on it. If you open the lock within a timeframe, that's it. In America, we more define the types of tools and techniques that we're gonna use for testing and we feel as we're gonna talk about, this is part of the problem.
Yeah, and that is important. The specifications actually detail the size, the amount of force per square inch that a tool can be applied, the fact that it has to be commercially available. So they pigeonhole themselves into common hand tools. And so that's where we lead into, so we demonstrated the locks, going to the lies of representations made by the manufacturers, design failures, issues, incompetence, failure of imagination, and the fact that the security engineers don't contemplate these bypass methods as they're engineering these locks.
So basically, when you look at packaging on a lot of locks, and let's talk about my favorite company, which is Kwikset, as noted by Jenna Lynn, last year's 11-year-old, who many of you remember bumped open a standard five pin tumbler lock in about five seconds, having virtually no prior experience. She's here again today 'cause we're gonna talk about her again today, but this really is a problem. A lot of the manufacturers, by no means all of them, but a lot of them are pretty loose in their use of verbiage on the packaging relating to security. And for example, Kwikset, ultra security, maximum security, the highest level of security you can get for your residence. This all needs to be taken with a grain of salt. A lot of it's just frankly not true. We've done some very detailed testing and analysis of locks that are supposedly really good locks and some high security locks. And our problem is that we're finding a lot of them that can be bypassed very rapidly, very simple, with relatively no skill. For example, the latest Kwikset, which we'll talk about in a little while, their deadbolt design, as well as their key-in-knob design, we can go through them in literally 15 seconds with no visible means of entry. This is a real problem. The consumer, if you spend $35, $30 on a cylinder, they think that they're buying some security. I don't think 30 seconds is security. 15 seconds isn't security. Maybe a minute isn't security.
And so we've really been pushing the industry to tighten this up and put warnings on the packaging. And we'll talk about this in a little while, but basically you really need to read with skepticism a lot of what you see in packaging. Some of the manufacturers are doing a great job. They've been around for 100 years. They know what they're doing and they're not overselling their products or telling you exactly what they get. But part of the problem is the design engineers and I deal with some of these folks around the world in different factories and they all know how to make locks work. They learn in engineering school, how to deal with tolerances and metals and whatever, but they didn't grow up learning how to break locks. And if you don't know how to break locks, you can't make them work properly and securely and that's really our problem. And so we're gonna talk about some fail, what I call failure of imagination, failure of these design engineers even at some of the best companies in the world to conceive of simple methods of bypass that literally a 15 year old kid might think of and implement. And this is precisely the problem. It's really why we're talking today and it's why we're talking to Underwriters Laboratories and Builders Hardware Manufacturers Association to get the standards to more properly reflect real world challenges by bad guys.
So as Marc said, failure of imagination and the key here quite literally is the key never unlocks the lock. The key typically actuates some mechanism which unlocks the lock. And as you'll see in some of the bypass techniques we're publishing here and in the future, the key does not unlock the lock.
Yeah and let me comment a little bit more about that because everybody looks at me like I'm nuts when I say that when I teach. The key never unlocks the lock. And everybody says, what are you talking about? You stick the key in and unlocks the lock. Not exactly. The key actually actuates the mechanism that unlocks the lock.
The key doesn't actually do that. And so if you can figure out the shortcut or a shortcut either through normal covert entry means or mechanical bypass means to get to what the key actually actuates then you get to open the lock. And we're gonna talk about a prime example later in one of the best locks in the country. And so this is a real problem. And frankly there's no difference in the cyber world. If you figure out the code that'll get you to where you wanna go without going through a lot of other code, you get to break the system.
Okay, and we also, we wanna talk about what we've dubbed for this talk, the Moshe Dayan problem. How many, the problem is a lot of you are very young. How many of you guys know who General Moshe Dayan was from the Israeli military? Moshe Dayan was an extremely famous general, one of the most famous in the history of Israel about 25, 30 years ago when Israel had their six day war and the Syrians were threatening to send their tanks from Damascus, Syria down to annihilate Israel. Moshe Dayan came on the radio and television and said the Syrians shouldn't forget that the road from Damascus to Tel Aviv also goes from Tel Aviv to Damascus. And so where you can send your tanks to us we can send tanks back to you guys.
That same theory applies to certain bypass techniques and locks that we'll get into. So mechanical bypass is defeating locks in less than a minute. It's typically not included in the standards. So some of the methods we'll demonstrate here are not included. Bumping is not currently included in the standards and other methods of bypassing the key or cylinder or actuating mechanism to get to open the lock.
Yeah, and this is the problem. They're not included in the standards. Everybody got caught by surprise by bumping which the industry said had been around for 75 years and everybody knew it. Everybody knew it but nobody did anything about it. Well the fact is not everybody knew about it.
Barry Wels and Han Fey and Julian Hart and Klaus Noch in Europe really pioneered the new bumping in 2003, 2004. Barry went public with it in Europe. Then he and I lectured in America last year and then Matt and I lectured and really brought bumping to the forefront in this country. It's a very serious problem and none of the standards organizations in America are yet addressing it. They're talking about it now.
So we'll demonstrate many certified locks that can be bypassed and we believe that all of us are being misled. So mechanical bypass has another method. We'll demonstrate an electronic lock that can be bypassed with wires in a few minutes. There's other methods including vibration, bumping, air pressure, magnetics, there's been a lot of attacks or a lot of attempts on EVVA's famous MCS. To my knowledge, nobody has succeeded. No, it's the magnetic code system that has never been broken, made in Austria again. Leveraging breaking techniques to disable internal components using RF attacks or hot, very hot or extreme temperatures.
So as we said, we believe it's a failure of imagination. And at the end of the day, the manufacturers can't find the vulnerabilities. For the past several years, as Marc and I and other researchers in the industry have brought forward these vulnerabilities to the manufacturers, they respond they can't duplicate it. Or they don't believe it or it's a lie.
I will talk about that in a little while. The problem is that a lot of these very, very simple attacks as we noted, they're just escaping them. And often a kid can figure it out and kids do figure it out and the manufacturers don't understand what happened. And one of the problems we think and as we're gonna address is there's not different teams within a manufacturing research and design facility to check each other's work and to work against each other to break what they've done to make locks more secure.
So design defects, again, they don't understand the methods of entry and we believe they fail to imagine. Typically what we've seen are very trivial, very simple bypass methods. They do affect their security ratings while these testing methods aren't referenced in the standards, we believe they affect the ratings. That's why Marc is going to be going in front of the UL board and we believe at the end of the day it misleads the consumer.
Yeah, I mean at the end of the day as we'll talk about a very, very popular high security deadbolt lock for 20 years that's been a design issue with a disaster waiting to happen. Well we just, we happen to look at it by accident and realize what the problem was and released a public statement. It's just, it's classic insecurity engineering and something needs to get everybody's attention so the industry progresses and checks their work and understands how to break things so they can make them better.
So we're gonna go through quite a few case examples. Elsafe, if any of you go back to your room and look at that little closet, you'll find an Elsafe. How many of you have broken into your room safes? No, nobody would do that. Couple hands.
I believe a few years ago I concentrated on in-room safes in the hotel industry because there's huge liability issues in this industry and there's losses every day both from other guests and from employee theft and one of the safes that's actually in one of the major hotels here, there's about 2,000 of them, you use your Visa card or your AmEx card to set the combination. It's a patented design out of Israel, it's manufactured in Israel, very clever and basically it reads the mag stripe on your card, it sets the combination, locks the safe, you go up, use your card again, you unlock it. There's also a bypass card that hotel security has that'll open all the safes.
One would think this is a great idea and so I had evaluated the safe, I knew what the problem was, I went over to Israel, met with the inventor and casually I asked him, so what's the security in this safe? So they're using thousands and thousands of hotel rooms and he looked at me like I was nuts, he says, what do you mean what's the security? I said, well, there's a computer that controls this with a keypad or a mag swipe card, what's the security of the computer? And he says, the door is locked. And I said, oh, that's it? The door is locked. He says, yeah, you can't get to the computer. Okay, well, what he didn't know and the hotel here in Las Vegas and the hotel down at Disney World didn't know is that we had figured out where they stored the non-encrypted 24-byte code for the bypass card. So we checked into the hotel here in Las Vegas, this was many years ago, statute of limitations has run. That, I wasn't worried about that actually, I was worried about being sued for trespass opening the safe improperly. I had license to be in the room but we took the EPROM out of the safes, this was 10 years ago, stuck it into our programmer, read it, figured out we matched the card from the factory and then we generated a card that will still open their 2000 safes. Then we went down to Disney World, actually with one of my friends in the bureau and we checked in and in 10 minutes we had a card that would open every one of their safes and they haven't changed this if you can believe this and so this is a classic design issue, it's a failure.
So actually Elsafe which is another ASSA ABLOY company, I'm really not picking on ASSA ABLOY, they're a great company and they own lots and lots of lock companies and they own, they happened to own Medeco, ASSA and Mul-T-Lock which are terrific high-security lock manufacturers but there are some issues. And so they also own Elsafe which we actually changed their logo on our website to the unsafe. And I never had any comment from them.
So they sued a locksmith in Hawaii because he found the same problem I did with their safe and they thought they were going to intimidate them so they sued them for about $10 million to scare them into keeping quiet about their problem. So I got a call so I actually, the closest hotel that had these safes was up in Canada near where I live and so I went up and it took me about two minutes to figure out what the problem was and so I documented the problem. Then I had the 15-year-old kid that worked for me during the summers who's now a graduate engineer. I had him with no lock knowledge open the Elsafe with a paper clip and a Torx screwdriver. And that problem still, a lot of those safes, there were up to a million of those safes out there. As you'll see, and the video isn't real good because this was shot like 10 years ago but you really get the idea.
Some of these other examples, gun locks. Our website is in.security.org, it's our blog and security.org is our main domain. About a month ago, two months ago, I issued a gun lock report. I had done this a few years ago, ABC News did it, the CPSC did it. There's 35 million gun locks that are designed to protect kids from access to weapons. They're certified, it's a certified program, welcome to Mac. It's a certified program by the Department of Justice, there's a grant. 35 million of the locks you'll see have been handed out. I think they're essentially worthless. These are designed to keep kids up to 17 years old from getting access to handguns, they don't. If you're a parent that has weapons and you're using one of these locks, get a real gun lock. The Department of Justice in California passed standards, but I think they're deficient, they don't cover everything. Some of the other things we're gonna talk about, and again, these are classic examples of engineering deficiencies or defects. They just, in many cases, they don't get it. And that's not to say there aren't really good locks out there.
There are, and I work for some of the manufacturers, I do consulting work with them, and there are some really good locks. And as we'll point out, most of these high-security-rated locks are just fine for 90% of the applications. And we'll talk about that in a little while. Anyway, these examples that we're gonna show you with some video, these demonstrate some classic design failures that will allow these locks to be bypassed really, really simply. Okay, go.
So as we talked about the Elsafe, this picture was actually taken in Amsterdam last year during the Dutch Open. When Marc and I were out there, we checked into the hotel, walked by the maintenance room, and saw a cart with dozens of these Elsafes on them. They were all opened up, and the maintenance engineer slash janitor was attaching electronics and keypads to ultimately make it easier for him to reprogram these locks when individuals had left the rooms with them locked.
This was really great. And Matt knew that we had broken Elsafe years ago, and so we started chatting with their maintenance guy. And of course, because we were from America, he thought we were great guys, and just couldn't wait to tell us everything he had done. And in the course of telling us, we said, well, what are the wires hanging out that you soldered to the circuit board? And he says, well, because we have a problem if we're locked out. And so we put a couple diodes in so we can feed a nine-volt battery to actuate the solenoid through a couple of the blank pins at the bottom of the keypad.
So that's what this guy was doing. He had a stack of readers, he had a stack of wires, a box of nine-volt batteries, and he was just soldering them all up.
Yeah, so because you wouldn't wanna be locked out of the safe as maintenance. Of course, if you're a guest and you figure this out, that would be a real problem.
But what he didn't realize was he was actually leveraging the bypass hole whereby we'll demonstrate in the video that you can actuate the solenoid in these keys for his keypad.
So let me tell you about this bypass that you're gonna see. What the locksmith first figured out in Hawaii years ago is that the geniuses at Elsafe built their entire system around a set of nylon gears that controlled a motor-driven set of gears that the computer would control the motor and would turn the motor that would turn the gears that would retract the bolt. So in order to make all this high-tech work, they put the electronics, as you could see, behind the door. There's a slot that's cut in the heavy metal door because there's a ribbon cable that feeds from the keypad and the electronics and the computer is all in the door and the batteries are in the door. So you take a Torx screwdriver you're gonna see you remove the keypad and then you stick a long paper clip hardwired down and you push on the gears. And when you push on the gears, you don't need the motor. Again, the key never unlocks the lock. You don't need the computer, you don't need the motor. The kid that worked for me just pushed on the gears. One, two, three, four. Just revolve it and the bolt retracts.
So again, we apologize for the quality. Yeah, this is a 10-year-old video, yeah. The quality wasn't quite the same then. Okay.
And the first thing that I need to use to open up it is a Torx screwdriver. Just to remove the one bolt that is holding the keypad and the electronics, that is held by what? By one Torx screw and then it is secured by a ribbon cable going into the same. And why don't you show that? You can remove the ribbon cable from the keypad. I'm sure some of you have seen this picture in your room. It's the same size. Now, what's the next procedure that you have to do? Next, I will use a modified Allen wrench, which has just been shaved off. So it's a sharp point.
Yeah, a sharp point and it's just used as a little tool just to poke out a little hole here in the plastic and there's one inch hole where the ribbon came out. So they're just a little plastic back. He just made a little hole. Yeah, we'll put the keypad back on so we can open the safe door. Now, I'll just go through it as I said using the Torx, your gear bag. This was a high school kid that did this. I can speak up for the mic, yes sir. Still locked. So now he takes his little paper clip. You can hear the gears moving. Handle. Y'all still want to put stuff in your in-room safe? Elsafe never commented on this. And shortly thereafter, and he's locking it up again. And it is locked now.
Shortly thereafter, we figured out how to break the VingCard lock, which as some of you may know, it's that lock, it's a programmable hotel lock, a white card with a bunch of holes punched in it that you stick in the door. And I figured out how to do that using a piece of carbon paper and a piece of wire. And in less than a minute, another 15 year old kid, my partner's kid who was an art student, made a picture of what the key looked like and then we took a bunch of Scotch tape over a matrix, punched it out with a ballpoint pen, opened the lock. And so, it was a great lock design. It was quite revolutionary, patented, but nobody ever figured it out.
So as Marc said two years ago, we put out a security alert on the gun locks. We went through over two dozen gun locks from major manufacturers, Master, Remington. The one you see in the middle on the 38, or is that 357? No, it's a gun. That's a 38. Yeah, it's a gun. What do I know? Very perceptive. Summer Marine, what do I know? That's a clamshell design that it seems everybody has copied. There's a serious flaw with that, as we'll demonstrate. And then on either side are the Project ChildSafe. We released a security alert on this as well. Some of these gun locks were able to bypass with a drinking straw. They were just a screw, ultimately.
Yeah, actually, Matt figured this one out. It's just, it's an idiotic design. Yeah, when my kid took a plastic straw from McDonald's and just unscrewed it. It just happened that the diameter was correct, sort of like the ballpoint pen on the tubular locks. And the design in the middle is a ratchet mechanism that is fatally defective, and all the manufacturers have copied each other. These are the non-quote certified gun locks. And basically they work like the Club on your car or a handcuff. They just, the two pieces locked together. So as you'll see, I shot a video, no, go back to the, I shot a video of an 11-year-old kid in Toronto a couple years ago when we first did this report. He was sitting in his kitchen with an air, actually an air rifle, but it replicates a rifle with three of the most popular gun locks in the United States. All these ratchet mechanisms, the center one you see on the revolver. And as you'll see, he was able to remove them in seconds with an ice pick. Now, I would say that a lot of households have ice picks, and it's not the only way you could remove them. When I talked to one of the manufacturers of these locks, very, very popular, he said, look, we don't make enough money to really re-engineer these, so we're not gonna worry about it. I said, yeah, but we're talking about kids and guns. Yeah, but we don't make enough money to re-engineer them. So we've already got the dies and we're just gonna keep selling what we sell. The other two locks, the lock that you see on the right, the Project ChildSafe, is the Justice Department Lock. This particular model, it's a cable lock, and every local law enforcement agency in the country is handing these out for free, as well as the National Sports Shooting Foundation. They're the ones that actually spearheaded this, and don't get me wrong, I think it's a great idea to have gun locks, but at the bottom of the day, at the end of the day, the guns ought to be in a gun safe. 
So not protected with cable locks or any other kind of gun locks. We did a report last year on Engadget about the Targus Defcon cable lock for computers, the Armored Defcon, that was supposed to be the top lock. Well, we showed how to bypass it in seconds on our report on Engadget. The Project ChildSafe lock uses the same type of armored technology, and some of these can be broken with a pair of pliers. You don't even need a pair of wire cutters, and the real problem is virtually all of them can be bumped open. So go ahead and roll the video. So again, this is two years old, same principle. Time is at 11 years old, we're gonna put these three gun locks on this weapon, and take them off of my stick. This lock is a Remington. Notice that the cameraman's in the line of fire. Yeah, the kid gets bored after the first one, watches expression. This is a pretty bright kid, but this took him about three minutes to finish the job. Once it's attached, you can't pull it off. Then we'll get to get off of the ice pick. Looks like a surgeon. First, you move the rubber so you can see the insides a little bit. Yeah, right. So now we're gonna attach this club lock and remove it. Now he's taking another brand. This is a Winner International. These are the same people that make the Club for your car. Attached, you can't pull it off. And essentially, they've all adopted each other's design. This one's really easy. I think you can actually, yeah, there you go. That's really particular for a weapon. So now we're gonna attach the Master Lock. Then this is the Master Lock. And frankly, these guys know better because this is an awfully good company. They really know better. And so he's squeezing it tight. It won't come off, okay? Attach so you can't pull it off. He actually really got good at this. And it's over. And so I'm 11 years old and it took me about three minutes to learn how to take these trigger locks off this weapon. It's easy and I can't do it. Okay, now this one, oh yeah. 
Let me give you a little background before you run that. This is the Department of Justice in California. They enacted standards. Great idea, very laudable effort to try to enumerate the protections for these locks so manufacturers would have to comply for all firearm safety devices to protect kids up to the age of 17. This lock is a redesign of what you just saw the kid in Toronto do. This actually mechanically is a terrific lock for a trigger guard. There's just one problem. They used a 50 cent pin tumbler cylinder like they use on all their padlocks that can be bumped open in two seconds by bump keys the kids can buy on the internet or make themselves. Roll it. Watch Mark it as you can see. Once again, this Master trigger lock, the Department of Justice approved trigger lock. He is affixed to this weapon. It's not coming off. The weapon can't be fired. Unfortunately, with a simple little bump key, this lock can be removed from the weapon. The head of that P is so small it's really. It's a brand new lock out of the box. That's a problem. And again, Master Lock redesigned the lock. I have no problem with the mechanical design. It's not coming off the weapon once it's affixed. And then they use a 50 cent cylinder. What kind of insanity is this? So this is a tool made by Peterson Manufacturing for bypassing file cabinet locks. So when you're sitting in your veal stall you pull out one of these knives and you insert it into the lock and there's a little locking dog in the back of the cylinder. All you need to do is actuate that locking dog with the tip of the knife and the lock will turn. Yeah, there are millions. This is the push button lock on the top of your file cabinet. Everybody thinks they're so secure. Of course they're secure because it's a lock. And nobody tells you that it isn't. 
And my problem here and Matt's problem is the manufacturers ought to be putting warnings on packaging to the consumers to tell you if you're using this lock as opposed to a better lock, there's bypass methods that can open this lock in five seconds. All of these file cabinet locks of this generic class can be instantly opened and it doesn't take any skill to do it. And these are some screenshots of the Defcon CL. On the left we have the beer can bypass whereby you take a small aluminum shim, insert it into the lock and decode the lock. I actually used Miller beer for this. I don't drink Miller. Typically a Guinness drinker. So that's very relevant. It is relevant because to this day I still have cans of Miller sitting in my fridge. When I called Matt when we figured out this problem when we wrote the article, I said, Matt we need a shim, a really fine piece of metal to stick through the end of the lock because it's just a classic design failure and it isn't like they didn't know better because I went after them three years ago for the same kind of thing and they thought they fixed it but they didn't fix anything. They made it simpler. And so I said, Matt go get a Miller beer can because of all the commercials that have been on television and I said then when you do the video just say it's Targus time. So that video is available out on YouTube but on the right we see the Targus Defcon CL armored cable being burned with a lighter, revealing the links and then with the six-inch pair of pliers severing the links and ultimately breaking the internal cable. Yeah, you don't even need a wire cutter. I got called by the Minneapolis paper that their tech editor was doing stories on new computer locks for kids going back to school and he said, they just sent me one of these and got it, really looks good. And I hadn't seen one yet. I said, well why don't you send it over to me so I got some of them and I called them back. I said, not quite. 
I said, these steel links if you don't bend them work great. You can't cut them with a wire cutter. You can use a bolt cutter, a 14-inch bolt cutter but that's a different issue. I said, but they never conceived of the fact that these links are relatively sharp and if you compress the links, as shown in the bottom right photograph with a pair of pliers, you can not only expose the cable but if you really compress the pliers, you can use the links to shear the cable so you don't need a wire cutter. So again, the laboratory engineers that developed this only tested this in a limited environment. It wasn't real world testing and that's exactly the problem. It's like the iPod lock that I wrote an article on also on Engadget. I was standing in an Apple store on video, the iPod lock. What a brilliant idea by Targus. You stick it into the electronics port on the bottom of the iPod with two little pieces of wire that hold it and you go, and it's open for $30. And everybody's wondering, what is it? First of all, I don't understand the concept but Targus shouldn't be making something like this. Go ahead. So the next one is the padlocks. Again, if you're up in the lock picking village, there's demonstrations by Deviant and the folks from TOOOL US. They have padlock shims. The one in the middle is a Sesamee decoder for the popular Sesamee lock. That decoder's inserted into one of the positions on the wheels to decode the gates and open the lock. Very, very trivial attack. It's been around for a long, long time. So this is the Codelocks CL1000. It's a spring-loaded blocking tab inherent within the lock and we're gonna demonstrate a video bypassing this. Go ahead. Let me talk about this lock for a minute. This is really not designed primarily for security. I've talked to the owner of this company. This company's been around for quite a while. They have offices, their engineering offices in the UK. They're in California. They also have an ISO manufacturing facility in China. 
They actually really do nice work. I just have a problem with their security engineering. So we knew there was a problem. I called the owner and the president of the company and I said, tell me about your locks. And he said, well, we make the cabinet lock 1000, the CL1000 that's mainly for health clubs and medical carts and hospitals and really low security applications. These locks I think retail for about 70 bucks. And they've got actually a pretty slick feature that you can enter the combination once like for the health club and then enter it again and it unlocks it and it doesn't remember the combination. So I asked them, well, who does your security engineering? He said, oh, we've been in business a long time and we've got really good engineers and they're really clever and, you know, but it's not a high security lock. It's okay, I understand that, but at least there has to be as Targus would say a modicum of security. And so what we found and actually the fella that found this first is Ben Heath from a company called Benjim. They're making some bypass tools, very clever guys. And what we found is they're using a little piezo motor to control how this lock opens and there's a little spring-loaded bolt and they actually forgot about a guy called Isaac Newton. My favorite guy from 350 years ago who invented bumping before there were pin tumbler locks. He just didn't know it. And so this is the same problem. The lock is open. Now, you know, you can say, well, the lock's not designed for security. Okay, well, but everybody believes if it's locked, there's some level of security. And so this is a design problem. Next. That was a design problem. This is a more serious design problem. Okay, so here's my friend, General Moshe Dayan. And the way, the reason we dubbed this the Moshe Dayan problem is because of this lock. But there's a lot of other locks that suffer from the same design problem. And actually there's two design problems with this lock. 
The first design problem is they've got a drain hole. This is a $400 lock that can be used outside. It's really a nice piece of work as far as metal. The electronics are okay. Obviously it's computer controlled with a bypass cylinder which can be bumped but that's not particularly relevant. But if you're gonna spend $400, I think there's an expectation that there is some security. Now, the owner of the company, when I talked to him about this lock, he said, well, this is a lock for convenience. I said, I don't think so for $400. And he says, well, it's not really designed for security. And I said, well, you know, that really sounds good, but why don't you put warnings and disclosure on the package that tell people that this isn't designed for security. It's designed to keep the door shut. Well, we wouldn't wanna do that because then we couldn't sell any of the locks. And that's really, that's my problem. So the Moshe Dayan problem with this lock is there's a drain hole as the arrow, the red and blue arrow show at the bottom so that if this is outside and condensation builds up, water can go outside out the hole. The problem is the same place where the water can come out, the wire can go in, just like the tanks from the Tel Aviv to Damascus. So it's a perfect application, roll the video. What we're gonna attempt to do today is bypass a Codelocks CL5000 electronic door lock, battery powered, free-floating handle when the door is locked. Latch does not retract when you move the handle. Once you enter the right code, you'll obviously unlock the lock retracting latch. What we're gonna do today, there's a little drain hole in the bottom of this lock right underneath the handle, right at the back of the door. We're gonna take and insert a wire. We're gonna bring that wire up. There's a little rubber boot that you gotta get past. 
Once you get that past the rubber boot and the set screw that's in there that holds the front and the back, I'm gonna bring the handle up just a bit and you'll be able to push the wire up just a little bit more. When you get it to correct positions, you might go to handle. It's gonna be at a little angle. It's not gonna be dead with the lock. It'll be up just about 10 degrees. What we're gonna do here basically, we're ready to open the lock now. If you watch the back handle, we're gonna be turning this handle here, but what we're doing in reality is we're engaging that carrier to the spindle through the entire lock, which is gonna actually activate by the interior lever. As we pull down, you'll see, get my hand out of the way, you'll see the interior lever is actually the one that's really turning the lock and you'll let the spring or the wire go up in and it'll just literally carry it inside the lock. Notice the latch is retracted and I don't know if we're gonna see it on this video or not, but the wire, as I let the handle go up, you'll see it move back down. Yep, it moves in and out with the handle. It's actually engaged. It's locked the whole system into place. When you're done unlocking it, raise up the handle, bring the wire back down. The lock is back to working normally. There is some forensic that would probably be left inside the lock if something were to look. It's not surreptitious, definitely, but it is a quick, easy means of bypassing the lock. You can also pick the lock. It's a Schlage, it looks like an SC-4 keyway. On this particular one, if you pick it one way, it will unlock the door. If you pick it the other way, it will put it into a passage mode, which will allow the lock to just remain freely unlocked. Anyway, that's about it. Very inexpensive. Wire is modified just a little bit. I don't know if you can actually see that or not. We'll get a better video going once we get this moving a little bit. Thanks. 
So the manufacturer never contemplated that the little piece of wire, about 20 thousandths of an inch in diameter, would act as a gear that would wedge in and open the lock. And I might make one other comment. When I went after Elsafe with the paperclip, they made a statement to the media that this was a high-tech attack. And my comment was, well, yes, probably in Norway a paperclip would be a high-tech attack. The problem is, I think the paperclip was invented in Norway in 1922. And so, but this is all kidding aside, a classic design issue. And again, they should have figured this out. If there's a hole in a lock, you better be looking at where you can stick a wire to do what with. Go ahead. So the next video demonstration is bypassing or picking a Mul-T-Lock 036 cylinder with a specialized tool from China. Briefly, I just wanted to describe how a Mul-T-Lock works so you can understand how this tool is working when you watch the video. A Mul-T-Lock is a pin-in-pin design. So in this specific lock, there's five pins and there's a pin inside that pin. So you actually have 10 pins that all need to raise to the shear line to open up the lock. It's a telescoping pin. So you have to pick one pin and then another pin within that pin. So picking these with manual tools is very difficult. We had, we brought a few of them to put in the village for the points competition. Nobody picked the locks. I'll narrate this video as we go through and explain what I'm doing. So it's an 036 cylinder H&M's pick. Third generation. This is a really slick little pick. So I insert the tool in and the interesting thing is the tool actually gives you feedback. And I'm gonna turn this up a little bit so you can hear the clicks. Did you hear that? So what I'm doing is I'm setting all the outer pins first. So this tool really reduces this 10 pin lock to two five pin locks. Once I get those, you'll see the cam just moved in the back of the lock. It moves about two, three degrees. 
That means I've set all the outer pins. I'm now going back to pick the inner pins. And when I've done that, the lock will open. And it's open. So this is a UL437 rated high security lock. Now the problem is that UL says you can't do this in under 10 minutes. And everybody that's specifying this or other type of high security locks where we can get through them in less than 10 minutes, you're actually being misled as to the security that you're purchasing and relying upon. And that's our real problem. There must be a shift kind from China. Yeah, that must be what it is. I never thought about that. Well, these locks aren't made in China. These are made in Israel. The pick is made in China. So the Kwikset maximum security, as Mark said, grossly mislabeled. We have Kwikset maximum. We have Kwikset UltraMax. Clearly the consumer's being misled when they read the packaging. They see the picture of the burglar attempting to pick the lock on the packaging. These designs are defective. There is no real security. We've developed a bypass method to get through these in under 30 seconds with no apparent evidence of entry. Yeah, and let me make the distinction. Strength wise, this is a great lock. Even Kwikset, this is their latest lock. Okay, this is the maximum. This is the, oh yeah, this is the maximum security lock. Right, I keep forgetting. This is the one gentle and open. It's confusing because they say maximum security. So we actually always go back and forth. No, that's the UltraMax. No, that's the maximum. So I'm really not, I'm never sure just what maximum security means with Kwikset and some of these other manufacturers. This is a die cast plug. Basically, it's okay for a deadbolt, but as I said, we figured out a bypass for this in about 30 seconds and so it's not very secure and of course these locks can be easily bumped open, but it really gets better. 
In the nature of full disclosure, though, we've not negotiated with the manufacturer and provided all the details. No, they're not talking. This is another manufacturer that's not talking. I was advised that they're smart enough to figure out their own problems, which is fine. And I notified them they had a problem. They didn't ask exactly what it was and we weren't about to tell them either. So this is the UltraMax. It's an ANSI 156.30 certified grade one. It's grade one, 156.30. I think it's 156.50, not 156.30. It's not a high security lock. This they just came out with, it's got a brass plug. At least it's not a cast ZAMAC plug, but it's not a high security cylinder. But it's a grade one rated cylinder. And so that means that it's a strong cylinder and it is, there's no question about that. The problem is we developed the bypass technique for this cylinder, their latest and greatest. 15 seconds, no problem, no visible sign of entry. Really simple to open. And they have no clue that this is out there. We're just waiting. And so they think they understand all this and that's great and they're selling a lot of these and it's really a nice looking cylinder. And as I said, it's very strong but all of their security means nothing. So common miss, key control. Again, the core concepts of UL437 and 156.30. Bumping, picking and mechanical bypass. So enter Medeco, the high security cylinder. For 35 years it has been the lock to attack. It is UL437 and ANSI rated. And you need to consider in context their advertising statements. Bump proof or virtually bump proof, highly pick resistant or pick proof. Their key control and ultimately security is always aligned with Medeco. And I want to make some comments and be very clear. I think Medeco is one of the best high security lock manufacturers on the planet. They're another ASSA Abloy group. They really started high security in the United States. They got a patent in about 1968 that was revolutionary. 
They invented the sidebar, the modern sidebar design. Originally it had been developed in the automotive industry about 1935 for the General Motors products but they really invented high security in the United States with sidebar which everybody is using now. We figure that they own about 70% of the high security market in the United States. Everybody knows who Medeco is. They're around the world. They have been a target for 30, 35 years. Since they started the market everybody's been trying to break their locks. There's been many, many attempts. How many of you guys have tried to break Medecos? Many? No? Not very many, okay. Well, in the industry they are the lock to attack. There's been many decoders developed, some very, very sophisticated. These are very, very secure locks. For 90 to 95% of the applications they're more than acceptable. And everybody uses them. They use them at the White House. They use them at the Pentagon. They're great locks. But we found some problems. And the entire security, essentially the real security of Medeco rests in their sidebar design. And what this means is the Medeco key incorporates they both lift the pin tumblers and they rotate the pin tumblers. And it's the rotation of the pins to different angles that create the really high security aspect of this lock. They also have very high tolerances, very high quality control. I've written about them for 30 years and I think they are one of the best companies in the world. However, last summer after, just to give you a little bit of background, Jenna Lynn bypassed by bumping the Kwikset cylinder. And that sort of started a revolution in America with the lock manufacturers. They're actually starting to pay attention now. And there's several manufacturers that have come out with anti-bump pin systems, including Master Lock. These are still being tested, but the industry is really moving in the right direction. 
So when we came out with the material last summer in Barry Wels in Europe, Medeco boldly announced the day after Jenna Lynn did her demonstration, they issued a press release first on MSNBC, I think, that Medeco locks are bump proof. And not bump resistant, not virtually bump resistant, that they were bump proof. And I called the contact that I dealt with at Medeco and said, maybe ought to tell your marketing people not to be making those kind of statements. We were just beginning to become confident that we could bump open Medeco cylinders, but we really weren't there yet. But I thought it was very foolish for them to be making those kind of statements. So that, and frankly, the individual I was talking to agreed with me, but he wasn't in marketing. Marketing thought this was a bonanza. And so for the last nine months at least, they've been doing spot after spot on television, on their website, on DVD, implying or stating that their locks are bump proof. Well, we don't think they are. And now they've changed their language to virtually bump proof. Virtually bump proof to me is like virtual reality. It means nothing. And it is what my brother lawyers have developed as a term to cover your butt, to so you can say anything you want. But we embarked on a research project about 18 months ago, but really kicked into gear last summer. And we analyzed Medeco's codes. There's a very detailed article that's being released this afternoon on the Wired Magazine's website. Detailing a lot of this. We examined Medeco's code book. We evaluated it. We think, and I need to tell you, there's a number of assumptions that we've made that we believe are correct. We have sent for the last nine months all of our supporting data to Medeco, all of it. We've sent them videos. We've sent them locks. We've sent them special bump keys that we've developed. Full disclosure. 
Because I've known Medeco for a long time and we really wanted confirmation that we were either going in the right direction or the wrong direction. Although we've had a nice dialogue, we've had no comment, no confirmation, no denial. And in fact, the first article I wrote, I submitted a draft to a month ago and said, please tell me where we're wrong, where we're right, if we're in error, if there's something that is not correct, we'll fix it. If there's material that's classified that we don't have access to that we don't know because they have a lot of government contracts, tell us. We don't want to waste our time. The problem is that we're opening the locks. And so, and by no means can we open all their locks. We've never claimed that. We believe, based on the assumptions that we've developed over the last year that we can determine with some accuracy certain sidebar codes or the pattern of angles in order to allow us to both bump and pick these locks and to bypass their patented key control legally. And so, we've released some of this material and Medeco has sort of gone on the attack and said, well, this is all a lie. These cylinders are manipulated. There's no way that our locks can be bumped. And, but this has also been several other manufacturers that have been saying this. And so, we, and I offered to Medeco to sponsor a research project to have other security experts validate our findings. We'd provide them all the data and let them try to make the keys and either replicate what we did or say it must have been a fluke. And, you know, and I said, if we're wrong we'll be glad to apologize and say, look, you know, we open the locks but obviously it's not universal. And so we're making that offer again. And if anybody in the audience or anybody that is, you know, privy to this is interested in participating in a research project and have, you know, some credentials, send me an email or send Matt an email and we'll send you an application. 
We wanna do this under a non-disclosure agreement until we're done and ready to publish the findings. But we have no problem putting out our research and having everybody else validated. So, Medeco came out a couple years ago with their new lock which is called the M3 which has a slider in it which extends their patent for 20 years. It's actually a biaxial which was the older design but it's with one more layer of security. And so the article that I released on our website a few weeks ago showed how to totally circumvent their key control with simulated keys and a paper clip to bypass this level of security in the Medeco lock. We think this is a fairly serious vulnerability if you're concerned about key control. There's another problem that we released an alert on last week and that involves their deadbolts. Medeco makes the best deadbolt locks on the planet. They're terrific hardware design other than there's a little problem. A little problem would be, and you have to understand these are used in facilities all over the world. They sold millions of them. The design has been around for about 20 years but the M3 has only been out for about two, three years. The problem with the M3 is they widen the keyway. They widen the keyway to accommodate a little step on the side of the key. We are able to bypass this deadbolt cylinder that they make in about 30 seconds. Has nothing to do with their keys. It has nothing to do with all their high security. So yesterday, Jenna Lynn, our 11-year-old from last year of Kwikset fame, we asked Jenna Lynn who's here and sitting in the front row and I'm gonna ask her to stand in just a moment to take a round of applause. We handed Jenna Lynn a six pin Medeco biaxial lock. On Friday, we pointed a camera at her and we said, why don't you open it? Bump it open with one of our special bump keys. I think she was a little bit flustered. 
She had never done this before obviously and these are Medeco high security UL437 rated locks which they say is bump proof and virtually in bump proof and impossible. So she couldn't open it on Friday but she also couldn't pick open several other locks that she's been repeatedly picking over the last year because her dad's got her a set of picks. And so it's what every father ought to do for an 11 or 12 year old. And actually she, and I asked her, I said, well have you been bumping? She said, well I really haven't been bumping locks very much this year but I've been concentrating on picking. And you know, I said, well either I or Matt asked her on camera, why do you like to do picks? She says, well it's a mind sport which is all about sports lock picking. And what I try to explain to locksmiths in the industry and they're so dead set against all the lock sports groups. And she says, well it's just, you know, it's like an intellectual challenge. And so yesterday while I was being interviewed by the media Matt and another one of my researchers who was instrumental in what we think we've done to compromise some of the Medeco security, they were upstairs shooting video of her bumping open a Medeco biaxial twice. And then she came down to be interviewed by the media or to see what was going on. And the media shot a video at seven minutes in length. We've posted about a minute and a half on our blog in.security.org. And little Jenna Lynn has graduated to the high security locks at age 12. So Jenna Lynn, why don't you stand up. And in all candor I did bribe her because I said if you can open this lock I'm gonna give you a set of the multimedia edition of my book. And so I think that was the impetus for her to open the lock. And so in the interest of full disclosure she was bribed to do this. This is actually a real accomplishment. And she actually got into bumping and she figured out the feel. 
Medeco has bumped actually all these high security locks, ASSA, Mul-T-Lock and Medeco, and they all claim that they can't be bumped open. And this is smoke and mirrors. And I really wanted a pot of water with some dry ice in it to put in front of her so that the smoke would come up when she was bumping open the lock. But I couldn't get any in time. And honestly I didn't think she was gonna bump open the lock yesterday before the media. Cause you know there's a lot of pressure. She's 12 years old. She bumped it open as you'll see. And she really deserves a lot of credit. She really got into it. And she's gonna go far in life. And I asked her well what do you think you wanna do in life unless you wanna become a bank robber? And she said no, I wanna become a veterinarian I think which would be great. And she's a very clever little girl and she's had a great time here. So that's where we're at with Medeco. There's several problems and I just wanna make clear again. We've never claimed or we're not claiming that we can open all of them. We don't know how many our set of keys can open. What we do know is the locks and we've probably tested 30 cylinders and we bumped them open hundreds of times and picked them open probably a hundred times which we're not supposed to be able to do. The procedure that we've developed seems to work. We're waiting for Medeco to tell us substantively through documentation it doesn't work for the following reasons. They haven't chosen to do that yet. That's just a caveat. If you have Medeco locks in your facility and it's a critical target. If you're a jewelry store, business owner, residential, Medeco locks are great, Mul-T-Locks, awesome, they're all great. There's no problem. It's the last five or 10%. It's just like copper wire with the telephone company. It's the last mile you gotta worry about. 
Three years ago I looked at a burglary that occurred in Antwerp, Belgium at a diamond exchange where there was $100 million worth of diamonds stolen by seven expert thieves that planned two years to do this job and had an office in the facility; they had access to the vault. This is the real world, and they bypassed the locks, they bypassed the alarm systems, they bypassed the cameras, they bypassed everything. So these locks do matter and high security matters and our concern, and we are going to UL to talk about potentially decertifying, petitioning to decertify some of these locks. Mul-T-Lock, my associates can pick Mul-T-Locks like Matt showed you in a minute, two minutes, three minutes. This does not meet the standard, and either the standard has to be adjusted or something has to occur so that when you buy these locks you know that the standard means something. Okay, keep going. So we're a little bit off script here. The important thing was to get some of these notes out about the research exercise, the standards, and so we're going to probably fly through some of this. We've gone through most of this. The M3 in 2005 replaced the biaxial with that slider that Mark spoke about. Medeco in their M3 patent actually details three levels of security: the shear line, the pin tumblers that need to be elevated to shear line like a common pin tumbler lock. The fact that they need to be rotated, and then the third security component, which is clearly called a security component in their patent, is the slider movement. So these are some pictures of, in the upper or lower left-hand corner you can see the M3 lock, or key rather, and down at the bottom the grooves that mate with the sidebar. In the upper right-hand corner you can see the key inserted into an M3 cylinder pushing the slider back. Yeah, you can see it's a very distinctive key. The lower left, it has little protrusions on the key, which is what's patented, and that's what we bypass with a paperclip.
So key control, UL437 has no key control criteria. We explained previously that 156.30 from ANSI and BHMA, patent protected blanks, you can't replicate them and there's factory control of the keys that are issued by code to individuals. And what's relevant, if you look on our website there's an article about how we simulated keys, as I said, to get around the key control in the Medeco, and I'm not picking on Medeco, it's just that they happen to be the top company in America and we found a problem with the M3 and so we've exploited the problem and I wrote about it. And this is detailed right here in this slide. So the patent expired in 2005, the M3 came to further extend that patent, and we can bypass that without infringing upon the patent, and that's done with the paperclip. So the paperclip is inserted and it happens to be the exact thickness to actuate a common distance for the slider to mate with the sidebar. Yeah, it moves the slider back about 40 thousandths of an inch, which is the diameter of the paperclip, and it just so happens that when you move it back that amount, the slider works as if a key was inserted with the right step to push it to that right position. And so Eric Michaud had also discovered this after we had. He approached Medeco with this, he coined it the Michaud M3 degrade attack, and the degrade is really taking an M3 and degrading it back to a biaxial. Right, the problem is it didn't get you anywhere. Alone, it was clever but it didn't open the lock. So bumping, some high security locks can be bumped. We are bumping multiple high security locks, not all but many; it depends on a lot of factors. Sidebar codes must be known. And do you want to discuss that final? Yeah, very quickly, this is called advanced bumping. This is not like walking up to a Kwikset.
We have created special keys in Medeco's, in the Medeco locks. You either have to know the sidebar code or the angle configuration or you have to be able to simulate that code, and we think we're able to do that. So we've done it with the locks we've tested; obviously we haven't done it with all the locks and, again, Medeco hasn't commented. But the bottom line is the Medeco locks in certain instances can be bumped open, ASSAs can be bumped open, Mul-T-Locks can be bumped open, quite a few of the high security cylinders can be compromised. Is it easy? No, it is not easy. Even though Jenna Lynn did a cylinder three times yesterday, which is more than an accident, she's got really good feeling to do this and it's a very different kind of bumping, but the bottom line is, again, if you have a facility that's a critical target, high value target, and you're really worried about the last five to 10%, then you need to be aware of this potential vulnerability. So originally, as Mark said, I believe it was August 6th of last year, a day after Jenna Lynn had picked that Kwikset, they came out and claimed their locks were bump proof. They've since changed that a little bit and they now claim virtually bump proof. So this is our interpretation of virtually bump proof. I don't believe these gentlemen actually worked for Medeco. No, they'd never wear glasses like that. So we wanna show you a quick demo. This was during an interview, this was after she had already bumped. Jenna Lynn had already bumped the Medeco biaxial two or three times. Yeah, this was the third time that she bumped the lock open and, as I said, and I actually qualified, I didn't think she'd do it. So what did you do? So what I did was I bumped this lock by putting the key inside, and you then put just a little tension and then you hit it with the hammer, and then it took me a few times before the key actually turned and it opened. And how many times did you do it? I wasn't counting.
Are you willing to give it another try on camera? She probably won't be able to do it because she's nervous; she can try it. You can try it, go ahead and try it. Oh, you're bumping it, that's it. Okay. Excellent, she got it. There, it's all right. Have more video proof of it, and that's, that is now, there's a number two, there's a number two on this that we've identified the cylinder. This is going to be sent for analysis tomorrow to another expert, but you saw it right on video, right on video. So that's frankly pretty impressive. Now, I'm sure Medeco's going to come out tomorrow when they see what happened and they're going to have an answer for this, that this was a manipulated cylinder, there was no sidebar in the cylinder, there was no pins in the cylinder. It was a normal six pin biaxial Medeco cylinder. I've sent it by FedEx to another expert to evaluate. We sealed it right after we did this, took it right down to FedEx so we didn't have custody of it, and they can make their determination. But this was for real and, as I said, it's not every lock, but it's a little scary when a 12 year old can bump open a lock. And granted, she was holding it in her hand; we don't think there's any difference between it being in a door and holding it in her hand. Go ahead. So the other myth is picking, that Medeco and other high security UL rated locks can't be picked. Special pick and decoder tools have been developed. They can be extremely difficult to pick but they have been a target, and there are a host of caveats associated with picking. Much like bumping, we haven't been able to pick all of them but we have been very relatable. We have a method that we've developed. Again, we think the way we've developed it is based on sound assumptions and physics principles. We have provided all this to Medeco. They have not seen fit to deny, to confirm, they haven't seen fit to comment, and that's their right, and they may have certain legal constraints as to what they can say because they have
government contracts, and I respect that. But at the end of the day, we've had a very high success rate with traditional picks opening these locks. So the video we're going to show you is a standard pick opening a Medeco UL 437 rated cylinder in a minute or so. And this, again, this is not a special lock. We do some things that we're not showing on camera as far as pre-preparation that takes about 30 seconds. The lock's not taken apart, obviously. The lock is mounted, and one of our research guys that's been integrally involved in this project sticks a pick in the lock and he picks it. This is a standard Medeco M3 lock, that means it's got three levels of secur... Is it an M3 or bi...? It is an M3. Yeah. Okay, and it's got three levels of security. Okay. Okay, so we can see we have a normal, open, normal M3 now, and it shouldn't really matter once you release the torque, once that code is set and we haven't disturbed it. So what we're doing is we're locking the pins in position by applying torque. And this time has not been edited. Now, we edited the beginning and the end, but this is the actual time it took to pick this lock. Now, that doesn't mean you can do this with every one, by no means, but this one we repeatedly picked just as you'll see. And this has got two security pins in it; it's a UL requirement. This is not an easy lock to pick. Now, and one of our guys happens to be really good at picking these locks, but again, this is a standard pick. And you're sure you've set the speed? Okay, that's not too bad as far as opening the 437. Now put the key right in front of it again. Okay. Now, and again, that lock, there was nothing manipulated about that lock. We took that lock and we picked it. So we mentioned before about the hardware bypass techniques. We developed methods for Kwikset, their standard, their UltraMax, along with Medeco hardware security. Again, the key never unlocks the lock. So this is one of the best deadbolts in the world. This is the Medeco deadbolt that's used everywhere. They're terrific
locks. The problem is that we released a security report to locksmiths and the security industry that demonstrated opening this lock in about 30 seconds, very simply, very trivially, trivial, with a couple dollars' worth of tools. If you are using single-sided Medeco deadbolts, you need to talk to your locksmith, your security consultant or Medeco, because in my view they're going to have to fix this and they need to fix it sooner than later. This is really, once we discovered this, and that's why we're not publishing the technique other than to say that it involves a two-dollar screwdriver. This is a real security threat, and it doesn't apply to double-sided deadbolts at all. It's single-sided deadbolts, mainly on a standard one and three-quarter inch door. If you have that combination you need to talk to your locksmith, because I'm sure that Medeco is going to generate a fix for it sooner than later. It is a classic case of failure of imagination and insecurity engineering. It is, when we figured it out, it's mind-boggling that nobody else has figured it out. So what we're talking about here is potentially deficient or defective products, and their liability can attach to this for negligent designs if you have a loss or somebody's hurt, raped, robbed or killed. And we think there's misrepresentations and puffing, as it's called, in packaging. We think the manufacturers ought to be held to account and they ought to tell the truth. If there's methods of bypass, they don't need to disclose what those methods are; they need to tell you there's methods of bypass. And you know, there needs to be federal statutes regarding bump keys, and there's a fiduciary duty that locksmiths and these lock companies have to their customers. There's a case from about 25 years ago, if you're interested you should read, it's called DCR versus Peak. It's in the alarm industry and it's a Utah Supreme Court case. It's dead on that locksmiths and security people that advise about locks, that know about vulnerabilities, they
have to advise you. Go ahead. So our proposal is to establish security laboratories, a combination of security professionals, manufacturers, research scientists, experts in the industry, as well as hackers, to get together to disclose tests based on vulnerabilities that they've discovered, share the information, leverage NDAs, but work with the manufacturers to bring forward these weaknesses in design. Yeah, and we just think it's about time that the helpful hackers be brought into the mix with manufacturers. They're not finding the problems and they need creative people to help them find them and design around them. So obviously there's a whole host of considerations, our disclosure policy. One of the biggest ones, down at the bottom, the national security issues. You know, should a vulnerability or bypass method be an exposure to national security, obviously there's huge caveats associated with that. You know, we'll have a disclosure policy and we'll outline it on our website, but if you'd like to participate, send us an email. We're accepting research now. Yeah, and so we're looking at doing product testing and we'd like to involve this community as well as manufacturing and law enforcement into the process. And so if you give us, we want to build a vulnerability database, mainly in video, on our site. We have the capability to do that. And so if you'd send us emails, we'd like to talk to you about physical security vulnerabilities and develop documented video so we can publish it to the community. You can contact us, that's our email address. Do any of you have any questions? Start over here. Go. Yes sir. There may be a lot of things. Look, we don't know everything, and we don't claim that, and we're a little, we're a little surprised that we have figured this out. These have been around for a long time. There's a combination of issues that may prevent us from picking or bumping their cylinders, and we also may have issues with some of their codes. We don't know that and they're not disclosing that, but we do
know what we've done. Other questions? Right, go ahead. Well, I don't know. Well, yeah. Well, no, it's, no, it's not. They don't remember them at all. They're not, they weren't that smart when they developed the safe, and to be honest a lot of those aren't around now. And else they've got a lot of different models, and that, by the way, wasn't an else if it was another model, it was made by the omen safe company that anymore. It's graphite powder used? No, not really, just to make the lock work better. Other questions? Go ahead. Actually, I have an EVVA Magnetic Code System and a Schlage Primus. So actually that question was asked last year of me, and I have Medeco M3s on my house, and primarily because it was a negotiation with my wife to get more products to test with. Right. Any other questions? Yeah. Well, they also have insurance. Actually, the problem is mysterious disappearance, and actually some of these hotels have safes that have, for example, Medeco locks that are master keyed. So if I check into a room and compromise their master key system, that I can get in any safe in the hotel with a key. And so I don't know what to tell you. You know, I guess safes are better than nothing, but you know, a lot of these door locks I don't trust either, and so now what are you going to do? Right. Right. Well, usually they have insurance coverage; of course that doesn't really help you. Yep. Right. Yeah. Well, unless you can show employees. The problem is, if it's all mysterious disappearance, you got a big problem. I just, I wouldn't leave anything really valuable in the room. I mean, that's really my policy. Next. Yeah, way back. No, I do it offline because it'd be technical, and so why don't you come see me afterwards, we'll just talk about it. Yeah. Right. Next. That's awful dangerous to issue that challenge. Any other questions? Yep. Well, there's two issues. There's the M3 that we've been able to compromise with key control and picking and bumping, but there's also a huge problem with the M3 deadbolt and some of the biaxial dead
bolts. No, no, look, we just, look, we've honestly found this by accident. We were looking at another company and we figured it out and we were a little bit dumbfounded about it, and so we put out an alert to locksmiths in the security community and then sort of a public alert, not disclosing exactly the problem. We just looked at the single-sided deadbolt. Yep. Yeah, because, thank you for the advertisement, I appreciate it, because I have some agreements with some folks that have agreements with intelligence agencies that some of the very high-tech bypass tools and techniques are not to be shared with the public or the locksmith community. They can't buy the tools, they do not have a need to bypass some of these locks, and they can't get the tools, nor could they afford them. And the agencies do not want the manufacturers to be aware of the problem so they get fixed, because they're in competing values. They need to get, some of them need to get into these locks. No, they don't. Honestly, they don't, and the fellas I deal with that are making these tools don't sell them to the criminals. They sell them to only known agencies. A little, what I really, I know who's selling the tools and they're not buying them. Now, can the KGB buy the tools and then sell them to somebody else? Sure, but you know, at some point we can't protect against that. The same tool, you mean? They could, but let me tell you, some of the folks I deal with are the brightest in the world and these are really incredible tools, and they're also very expensive. And so the locksmith version of my, the multimedia edition of my book, it contains almost all the material. It's just there's about 30 hours of video that's missing that details how to open some of these high-security cylinders and systems and safes. And you know, I, look, I'd love to put it out because, you know, I'd sell a lot of them, but I can't do it and I haven't done it. No, there's quite a bit, but most everybody's buying the locksmith version. It's, a lot of this stuff's been
out long enough now that everybody's buying the locksmith version, and that's fine. Any other questions? Yep. Next question. I'm not talking to you. Yeah. Well, first of all, let me make a disclaimer, because I do some consulting work for Schlage, and Primus, I think they're a really good lock. And at the end of the day, based on what we've developed so far on Medeco, they may win the war. They're all great locks. There's some design issues with Primus that I favor over Medeco. There's some design issues with Medeco that I did favor over Primus, and I'm rethinking it, essentially the integrated rotation and lift of the pin. I'm thinking about that. The problem is any Medeco key machine can cut any Medeco key. They can't with the Primus, so key control is really built in with Primus. And there's some other issues I'd be glad to talk to you offline. They're both good locks, but there are some design issues, now that we're really looking at the two, that Primus may have a slight advantage. Next question. No more? Thanks, guys. It's been a pleasure. Hopefully we'll see you next year.