 My name is Mark Tobias. This is our team, Tobias Bluesmanus, Matt Fiddler. We engage in the testing of mainly high security locks. We have a lab and we do testing for the major lock companies of the world to figure out how to open them when they can't be opened, figure out vulnerabilities and then figure out how to fix them. That's our primary mission. My background is both as a lawyer and as a criminal investigator for the Office of Attorney General in my state. Tobias is a locksmith for many, many years in Miami. We wrote the medical book together a couple years ago when we broke that lock. Matt Fiddler is with our group for a long time also. He works for a very large corporation on the East Coast doing security testing and we're going to talk today about some engineering problems regarding one company as an example. We're not intending to pick on this company. We don't have any issues with them. They've been around for a very long time but they're a prime example of what we call insecurity engineering. And so we're going to go through a lot of slides and some video today to talk about design problems that can cause real problems both from a liability standpoint and from a security vulnerability standpoint. And we've targeted four locks. The company that we're going to talk about today is CABA. They're a Swiss company. As I said, they've been around for a very long time. Very respected company. Very competent at making things work. We don't think they're quite so competent in making them secure and we're going to look at four of their locks to talk about that. So the four locks that we're looking at today, one of them we did last DEFCON which is in the upper left hand corner which is called the CABA in sync. It's an RFID based lock. And then we're going to talk about the push button lock that many of you may recognize upper right which is called the CABA Simplex. Then we're going to talk about the two electronic versions of that lock which was really our target this year. So the markets, they design for access, the access control market, commercial buildings, business complex, government facilities and the real question is access control and exactly what does it mean. And in our view, especially because of the locks we're going to talk about today, it means access control in government facilities and high level commercial facilities that are secure environments. So CABA who are they the third largest lock manufacturer in the world and they have a very large presence in the United States as well as in Europe. As I said, they're based out of Zurich, Switzerland. They do have engineering expertise. Why is this important? As we'll talk about, there was a very major class action lawsuit that was filed November of 2010 against this company by a group of lawyers around the United States in regard to their Simplex 1000 mechanical push button lock which we'll talk about in a little while. So the CABA case study, it's engineering failures and the ramifications that flow from that. Engineering failures, why are they important in lock design? Because they can lead to serious liability and breach of security in facilities. And this PowerPoint obviously will be on DEF CON site and it'll be on our site. So we have four different designs. We're going to do an analysis of each of the designs and what the problem is. So we look at this as escalating insecurity, defects in critical design. So again we've got the CABA, the mechanical push button lock, the RFID lock and then two versions of their electronic lock which is essentially what's called the Eplex 5000 which is the electronic version of the mechanical. So our real problem and going through this today is a failure of imagination and it's not just CABA. It's a lot of lock companies that we deal with around the world. And the real problem is and we've talked about this on a number of DEF CON presentations in the past, it's the engineers go to engineering school to learn how to make things work properly but they don't know how to break them so that they can really make them secure. So deficient or defective products. It's an intersection of mechanical and security engineering. Both of them have to be there and the problem is that you can have a false sense of security especially if the standards organizations whether government or civilian say the lock is secure and fit for the purpose intended. So what appears unfortunately secure is often not in our world and the real question for especially those of you that are security or risk managers, how do you know the difference? There is an undue reliance on the standards and that is part of the problem. There's also a problem of misrepresentation by a lot of manufacturers. Matt? So we've talked about this before but typically physical security or locks are the first line of defense. Often times they're the only security layer. We talked in detail about US standards, underwriter laboratories and BHMA in the past and specific lock manufacturers adherence to those standards and reliance and ultimately you as the consumer how do you know if those locks are secure? Yeah, the real problem they're going to switch the power so we're going to break for like one second here. The real problem is that and I'm on one of the underwriters laboratories testing boards for locks and safes. The real problem is all of you in an organization that buy locks based on standards they don't test for the kinds or most of the kinds of bypass attacks that we use to open these locks mainly covertly. So the standards can be essentially meaningless. We've petitioned the Builders Hardware Manufacturers Association to change the high security standard to reflect current attack technologies. Okay go ahead, you guys go ahead and cut your power or switch it over. Yeah, we're switched. Okay we just crashed Hoover Dam, the lights are dimming in Las Vegas. Okay this is perfect. No, this is the blue screen of death on the projector. Okay, so the real question is what does secure mean? And I suppose the projector will catch up with us to find the image. So manufacturers of locks have really unique responsibilities. One they obviously have to understand mechanical engineering and electronic engineering but more importantly they have to understand security engineering because if the lock isn't secure we don't care how well it works it doesn't do what it's supposed to do. There are implied representations by every lock manufacturer and that is that we are experts. When you buy a lock from a company like Kaba, Asa Abloy, Ingersoll Rand, which are the major lock companies of the world, you expect that they know what they're talking about and they know how to design locks. Often this isn't the case and the problem is that a lot of, well all of the lock companies always claim we meet or exceed the standards. The problem as we noted, the standards may not protect you against some fairly non-sophisticated methods of bypass. So expertise is required, mechanical engineering, security engineering, understanding minimal engineering standards when you design a lock. And security engineering requirements means one, that you test the products against current methods of bypass and that you understand and know what those current methods of bypass are. We employ a variety of techniques in our work to test locks for our clients. And it's everything from shock, vibration, wires, air, magnets, hairdryer, which we open one lock with, believe it or not. No, it's for real because the engineers never, ever, ever could believe that we could do this. Well, in a very specific lock overseas, because of the kind of elements they used as a locking device, we were able to heat it up, change its physical properties and open the lock. So, yeah, they weren't really pleased with it when we found it. Opening a lock with a hairdryer is not really cool from their standpoint. It was from ours. So, the bottom line is they need to understand bypass techniques and that's why we get hired by a lot of different groups to figure out if there is a vulnerability. Because as a lawyer, I can tell you and I tell my clients and have for a long, long time, if a lock is defectively designed from the security standpoint and somebody gets hurt, robbed, injured, killed or information is compromised or damage is done to property, somebody is going to pay for it. And what you all need to really keep in mind is all security is about liability. Other than in the government sector, which doesn't have any liability generally because of sovereign immunity, all security really comes down to liability. If there's a breach in security, somebody is going to pay for it. So, there's insecure products. They're often, as we're going to show you today, often easily bypassed. They use the standards as a measure but they're no measure. Products look great but they're not secure. And the bottom line is they're placing your facilities at risk. So we're going to talk about these locks briefly. We prepared a number of videos. There was an article that was published this morning by Forbes, by Andy Greenberg, their security correspondent that you all might want to read and there's a number of videos that they uploaded to YouTube. So we're going to go through how these locks are supposed to work and how they don't. The first rule that we teach design engineers is the key never unlocks the lock. Now everybody says what does that mean? Of course the key unlocks the lock. No, it really doesn't. The key actuates the mechanism that allows the lock to be unlocked. Either the bolt retracted, the latch, whatever the locking, fastening mechanism is, the key allows you to rotate or move that. But generally the key doesn't do that. The mechanism that the key actuates does that. So what we do in our work is we figure out in layers of attacks, which we develop when we attack the medical lock, the top high security lock in the United States a few years ago, we develop what we call a layer attack. So we isolated each security layer in the lock, whether it's electronic or mechanical. We attacked and neutralized each layer and once all the layers are neutralized, the lock opens. So Toby, why don't you talk about this lock briefly, the Kava NSYNC? Well, the Kava NSYNC, the one that you're seeing there is a RFID key. It's like a plastic key. This is a deadbolt type. You can see the bolt a little bit extended. It's not too complicated. You have an RFID tag in the key. The locks read that tag. If it's programming to the lock, the lock will open. Now we're going to, there's also on the bottom, there is a USB port where you can program that lock. Oh no. But see, all you guys think we're going to defeat it electronically. No, no, no, no. That would be, he's a ones and zeros guy. We're physical security guys, okay? So why would we always bypass the electronics? We neutralize and we bypass. So keep going, Toby. There's a USB port. Okay. So the USB port, we're going to use cables but not wires. Why bother? Yeah. Okay. So this is a commercial lock. This used, we were told, even in military installations, very easy to bypass. We were really stunned how we bypassed. So this is a Kaba company. This is the first one we actually looked at. So these are used all over the world. They were very proud in telling me how secure this was and that you're just not going to open it without the right key. So it's got very wide applications. So here's how this lock is supposed to work. Toby? The image for space we have to put it sideways. But actually the bar that you see next to that big round plug, that bar is what protects that plug to rotate. And what it does is move away with a small motor and then you can turn and activate the bolt and open it or lock the system. So we're going through the, no, they have to see the video, right? Yeah. Okay. So how does everybody think that we open the lock? You guys all figured we did it with a computer? No, no, no, no. No, no, no, no magnets. Magnets are coming soon. It's an electronic lock. Okay. Self-contained, very operated. It uses a small RFID tag that is insert like a regular key to unlock a lock of the dead room. Basically it's inside the reset locking bar that blocks the plug. I'm going to be using a small wire to push that locking bar away so we can open the lock. I'm going to do that by inserting a very small wire through the location. The difficult part is to remove the cover that the rubber cover on the USB port. Then you just have to leave that here. Well, by the way, because of what we did this year with Cava, they told us that they fixed it. Yeah, they fixed it. We haven't seen what they did, but they told us not what we fixed it. Yeah. Now, and the problem with all of this, and it can be locked back up again too. The problem with all of this, and it's not, as I said, just Cava. They just happen to be in our target range this year. Other companies, as you guys know, if you've seen us before here, we've gone after a lot of the companies because of the same problem. So it's not unique to Cava at all. So we looked at this lock. The problem is not that they fixed it. The problem is that they had to fix it in the first place. And that's really the issue. So now, it's November 2010. Well, let's back step to 2009 because we'll go across some of these slides. This is the Cava Simplex 1000. This lock was developed in about 1965. It is the most popular mechanical programmable push button lock ever. Just quick show of hands. Who's seen this lock before? Yeah. Okay. So you all know. Okay. Have any of you read my articles in Forbes about this lock? No one. No. Good. Great. Perfect. Yeah. They'll be very happy at Forbes to hear that. Okay. Perfect. Okay. So did anybody read the New York Times about this lock? No. Okay. So here's the deal. In 2009 in Brooklyn where there's a high orthodox Jewish population, these locks have found a niche market for the orthodox because on the Sabbath they can't use keys. Okay. That's just part of the rules in the orthodox religion. But they can use push button locks. Okay. As crazy as that sounds, that's the way it works. You can't use anything on the Sabbath that you normally use during the week. You can't drive a car. You can't push buttons on an elevator. So these locks have become incredibly popular in the orthodox community around the country. Okay. Good for Cava. Okay. Bad for Cava. So there's a group of technicians in Brooklyn that I referred to in one of the articles I wrote as the Jewish Geek Squad. They go around and help the elderly open their houses and they figured out they could do it with a rare earth magnet. Okay. Because there's a design defect in this lock. And it's been sitting there since 1965 because there weren't any rare earth magnets in 1965. They came around late 70s, early 80s. There were electromagnets but there weren't rare earth magnets. Okay. However, the manufacturer never retested this lock because they say, yeah, we're selling millions of them. What the hell do we care? It's not broken. It's not broken. We'll fix it. Yeah. So the problem is that there was a Ferris metal component as we'll show you in this lock. And let's go to this. Okay. This is the combination chamber that actually controls the programming when you push the buttons and you can push one button, two buttons at a time, and up to what? Seven, I think. Five? You can use, it's five buttons. Yes. Five numbers. You can use combinations between one through five. You cannot repeat numbers but you can use combination of two numbers, like two and four and then one. You cannot repeat numbers. There's... Okay. So who's seen them at airports? They're everywhere. DoD, DOE, I got tons of mail from nuclear power plants. They want to know what the DL is. Okay. Because we put out the video that it could be open with a magnet. And they use that same chamber in some more, not that commercial, more residential style. That same piece is also present. Okay. So this is inside, this a macro of inside the combination chamber and this plate that you see that goes across all five rotors. If you move that with a magnet, you're going to open the lock. Now they've fixed this. We don't like the fix but they have fixed it. Okay. After not telling anybody about it for about five months, they figured it out last year. So what happens? The Jewish Geek Squad is opening doors and one of them happens to talk to his lawyer in 2010. The lawyer says this is a class action lawsuit. So Kaba gets sued in a huge complaint that is going to set the standard in the lock manufacturing industry in the United States for defective or deficient product. So this is the magnet that opens the lock. And actually I interviewed one of the plaintiffs and he told me that his 13-year-old kid, he gave him a magnet that he bought off the internet for $50 and commanded him to open the lock. Didn't tell him how to do it, commanded him, you know, like in the Bible or the Torah. I command you to open this lock. Four minutes later, the 13-year-old kid had the lock open. That's when I went public with this because it's such a threat. So class action lawsuit was filed. Here's the deal. Normal use lock is a clutch lock. We have to put the right combination factories soon for the same time, three, we can open the lock. Once if we make a mistake every time that we depress the lever, it resets so we can enter the right combination again. Okay. So this lock, as we said, is easily bypassed using the magnet. I have a magnet just wrapped in a bag. I'm just going to depress the lever. The lock is open. That's it. That's a big problem. And that was that. And that was that. So our office initiated an investigation separately. We're not hooked up with the lawyers in this case. We weren't involved in the litigation. I've met with the lawyer several times to get a briefing because all of our clients were concerned about the liability issue that this raises because this is leveled across millions and millions of dollars. Okay. And it's not the cost of the part to fix the lock. It's who's going to pay to put it in. And this is always the problem with locks. Locks aren't like software where you can send out a patch. You have to physically take them apart to fix them. Okay. So our office launched an investigation to protect all of our clients. And because the pleadings were amended a couple weeks later from the mechanical lock to also add the CABA electronic lock. So now we have their new generation called the E-Plex. And this is the 5,000 series, which is a very heavy duty, very, very nice piece of work. It's a push button lock. It's got a lever handle with a bypass cylinder in it. It's programable. Toby, talk about it for two minutes. It's programmable. Depending on the model that you're getting, you can either get like, I think you can program 300 codes or it gives you Audi trail also for like 3,000 in this basic model. Okay. They use the same platform for scale models that we're going to talk also about. Yeah. So they develop the 5,000. This is typical in a lot of lock companies because it's very efficient and saves money. You design a lock once and then you add enhancement and sell it as an enhanced version of the lock. So they... The enhancing is more in the electronics. They just change electronics and the lock has a totally different function. But the hardware platform is the same. And that's what's important in this case. So along comes a Homeland Security Presidential Directive in 2004 that's enacted in 2005. And Kaba jumps into the game to use their 5,000 platform to supply the government with locks. Okay. And this is... And it's called the E-Plex 5800. And Matt will talk about this. Matt? Yeah. So HSPD 12, as Mark said, was signed in 2005. And it really mandated the government and Department of Defense to move towards a central access card. It was very high level. It just defined... You want to go to the next slide. Just defined the requirements to protect privacy, drive efficiency, and increased security of facilities. So after HSPD 12 was signed, FIPS 201 comes along. And so NIST, working on FIPS 201, defined ultimately what we have and many of you have in your pocket out there, I'm sure, is the common access card and even the twit card for that matter. And it's a smart card that provides unique access control, physical, logical security. And Kaba was the first manufacturer to create a standalone locking device that is FIPS 201 compliant. So the bottom line is the government in 2012 has to replace all their mechanical locks for electronic locks, FIPS 201, so that there's an audit of who opened the door exactly. This is the game. They want to know personal identification, verification, and the card has to be secure and reliable so they know it was actually a validly issued card by a federal agency. So we're basically saying the same thing here. So personal identity verification was the mandate from HSPD 12. Identify verification and security. The other thing you'll read in HSPD 12 that I mentioned is really the efficiency play here to drive a standard access card across all government and contractors. Right now, here's the deal. FIPS 201 has nothing to do with security. It's personal identity verification in a secure card system. However, when you marry that to a lock, just like Kaba and other companies are doing, it does have a security component because if you can bypass the audit trail and open the lock or they don't know who opened it, then there's a problem. It's a security breach. And back to the beginning part of the lecture, if we stamp a compliance statement from Kaba that says this is FIPS 201 compliant, there's an implied assumption that we're secure. And it's just not the case. So when you walk up to one of these these new FIPS 201 compliant locks, you can use a pin and use your card, but you can't just use a pin. Okay. So if it's the purpose, they need the car and they take another step that you can use pin and car, but never a pin only. Only for the master, I don't know what they did it one when you get the lock and you're going to stop the lock, it comes from the factory program 12345678. Okay, then you have your force to change that master code in order to do any other program. Okay. And we're going to talk about that. Okay, so because we don't want to run out of time. We looked at this lock in detail in depth for several months. We identified nine really what we consider pretty serious security issues. Some of them you have to look at in terms of where these locks are going to be used. If it's at the Pentagon, maybe it's not such a problem for some of them. It's a lot of problem for others. So Kaba says you can only the open these locks with a card, keypad, keypad and or key. Okay, unfortunately, we figured out this lock can be wrapped open. We can D link the bypass cylinder from the latching system. We can reset the master code to open. There's an internal lever handle attack that we're going to show you. There's a remote open feature. So the girl and the receptionist of the desk can have a push button to open the lock. We defeated that. So Toby, number one, wrapping. Well, this is the critical component of the lock. There's a plunger type and inside the lock. And that plunger really engages the outside lever with the internal components. That's done by the electronics. It's a little motor that dropped that pin. And then we can open the lock. We have to tell us on this lock that we don't rely on only in the credentials. They have a bypass key. One of the reason if the lock fails, you cannot, you know, take time to attack the lock and open it. You have a key as a backup to open the lock. And also, we can reset the lock if the master code or the master code to program the lock is lost. They tie those two together in the function of the lock. Okay, so here's what we fed all of our videos to Kaba's Accuracy. We wanted the comments. Okay, so frankly, they made the mistake in analyzing our videos and sending us written comments. That was a mistake. Okay, so Kaba basically said as far as wrapping, hey, we fixed it. And we need to tell you, it depends on what kind of door these locks are mounted on, and what kind of timing and forces applied to wrap it open. Sometimes you can do it. Sometimes you can't. It's not 100% threat. But here's what Kaba said. This issue was detected by Kaba shortly after the product launch in 2004. And was attributed to a steel blocking device. The blocking device was changed to aluminum and implemented in production over five years ago. With the aluminum part, this attack is not successful. This is a macro video demonstrating the design problem with the clutch mechanism. This is what Toby is talking about when it's engaged versus not engaged, and how we're able to bounce that out of position. Toby, what we're seeing is the back of the lock. We have here the hub that where we attach the latch, we're going to remove the back cover. And what we've seen there is the plunger that we are bouncing in order to open the lock. Now let me remotely open that. And you can see that piece moving that plunger up and down. That action engages the outside lever. Okay, let me put everything together again. So right now there's no connection between the lever and that hub. When we open the locks, then we get that connection. Simple design. Very simple. And stays in the idle lock position. So now let's just show on reversing the back. So there's the part that we're bouncing. And this is the handle. So what the lock does is pressing that plunger. And then you can engage the handle with that plunger assembly. That moves and retracts the latch. Then it releases the connection. And then the handle can go free. What we're doing is we're bouncing that pin. But the timing is very important. We have to bounce that pin and at the same time grab it in order to open it. If we bounce that pin and we're late turning the handle, the pin is going to go up, down. It's like lock bumping. Or if we go too fast on the handle, the handle will turn. We cannot drop that pin. And the lock will remain in the lock state. Okay. So they obviously didn't consult with Sir Isaac Newton when they designed this lock. This will demonstrate the first very serious problem with this lock. Toby? We have to do it in slow motion was too fast. We had to do it in slow motion. Well, but as I said before, it's timing. It's timing. It's just like lock bumping. Now, the problem is that the hardware platform for the ePlex 5800, which is the government version of this lock, it's the same problem. Now we put this on a stand. This is the ePlex 5800 demonstrating the same vulnerability with regard to applying shock to lift the or bounce the locking plunger assembly in order to open the mechanism. Toby? That's one. Again, it's timing. That day that we were doing that video, I couldn't open it. So at the end, I said, well, let's shoot the last video and continuously we were open the lock. Okay. So that's our first problem. Now we go to the button. It's not our first problem. That's our first problem. Okay. Okay. So this is the next attack where we use a cheap screwdriver to physically break the link inside the bypass cylinder to the tailpiece. Okay. So this is like a $3 ace hardware screwdriver. And why we want to do that? Because we got extra screwdrivers. So we have two functions for this key. One is factory reset. And the other is to open the lock. In order to reset the lock with the key, we just have to turn counterclockwise retracting the ball. We're going to press down. We're going to release on the key. Let me do it again. Release on the key. And you see the two LEDs flashing back and forth. In this moment, we have to put one, two, three, four, five, six, seven, eight pound. And that comment resets the lock to factory. Our new master code of factory master code is one, two, three, four. Okay. Okay. So Toby, how are we going to defeat the system? Well, we're just going to put up on a screwdriver through the keyway. We're just going to break the tailpiece on the back. Okay. So we utilized an inexpensive screwdriver about $2, $3 to break the linkage between the tailpiece on the bypass cylinder to the plug. Now what happens here is once you break that linkage, then you have the capability of going through the keyway with a screwdriver. And we can directly control the bolt. Right there. Just like that. Okay, let's do it again. Now what I'm going to do, I would like to reset the lock. Right here. Button, the key. And now we put in a new master code. So you can see the vulnerability. We just reset the lock. Now I can open this lock one, two, three, four, five, six, seven, eight. And the lock is open. And the lock is open. By resetting the lock, what we're doing is all the codes that we're programming in that lock, we just delete it. Yeah, nobody can enter. Okay. Okay. This is the next one. This is an internal attack, which we're really most concerned about, rather than somebody walking up to the door. This is somebody, this is the bad guy that's in your banking system, that once he has authorized access into the building, nobody's watching them. And he goes down to a room that's not particularly protected, that stores all the blank credit cards, okay, or a remote military base. And we sabotage the handle to open the lock the way it's not supposed to. So this involves removing the lever handle on the back with a set screw, inserting a wire through the back of the lock, putting the handle back on, retightening the set screw. Very detailed. It's a very difficult process to do this. Very, very difficult. Okay. So actually, this was the video that we show cover. Yeah, this was the video we showed cover. So this next attack with the 5800 is a right hand opening door attack involves removing the lever handle on the inside of the door, inserting a piece of wire, closing it up again. And that will allow the lock to be opened in a way that is not normal that is lifting the lever handle upwards, rather than downwards. Most employees would not even think to try to access the locking system with the lever up versus down. Okay, Toby, let's do it. Our code again with semester one, one, one, one. Okay, deliver clutch. Yeah, the clutch is not engaged. So in this mode. So now if it was programmed for passage mode, then it would be entirely different. There is a small and screw range on the bottom. We remove that. Just have to unscrew that remove the inside handle. We're gonna push down the outside ever. I'm gonna sort of very sophisticated piece of wire. You can see if I pull on the lever, we can just hover that wire, putting the handle back with the set screw. Yeah, there's no there's there's nothing different in the operation of the lock. But it's now been set so anybody can open it by lifting the lever upwards, which is not standard operation. So it works the same one is not opening open with the master code or once. So the lock works normally. If I decided that I don't want to use the code, I can just leave the handle. So these are the four components that you have to deal with. We know this is really, really difficult. Okay, this is Cobb's statement. It takes five to 10 minutes to do this. In the video, the removal and reinstallation of the inside lever was shown to occur in seconds. This is not the case. A small set screw must be removed first. To reinstall the set screw, the lever must be carefully positioned. And then the screw installed to the correct depth or lever binding will occur. This may take five to 10 minutes to accomplish while on your knees behind the lock. Okay, well, we test their their pre we tested their premise. I called Toby I said, Oh, okay, here's what we're going to do. Well, we never show how how long it takes to and this is liberal time. So here we go. On top we have the total time to accomplish the attack. Now, the first screw, 10 seconds, 12 seconds, 12 seconds to remove. Yep. We didn't tell how long it takes to remove the handle. So I don't because actually they said it has to be very carefully, very carefully, very carefully. So we put the wire, we check that the wire is working, is working. Now the difficult part against putting back them. So again, we're and I'm using one hand, because the thing is, the the camera angle was okay, if I'm covering, it's not going to show that I'm putting the wire. Okay. And we stopped 5951. Now, you can do it in 10 minutes also. Yeah. So we save the best for last. So all of these we think are really serious design deficiencies that could be exploited by bad guys. Okay, this is the best one. So Kaba offers a programming option to allow remote open. So you like I said, you push the push button just like an electric strike, the receptionist pushes the button opens the lock. Okay. So there's two LEDs at the top of the lock to show status. Okay. So this is what happens. The next demonstration is another design defect that we perceive in this lock. In the ePlex series. This is the remote open option. You gotta love this engineering and shorting out the pin, which the engineers at Kaba decided to place directly in back of the LED port. So you guys are doing it wrong. Yeah. So here's Kaba's answer. We fixed it. Okay. A part of the factory configuration. What a part of the factory configuration for remote unlock, a metal blocking devices installed in the way of the LED parts to prevent this type of attack. The version tested in the video was not factory configured for remote unlock. Like maybe somebody got the master code and entered the 012 code for remote unlock and they didn't even know it. Okay. So they said you can't do this. So this will be the last video. If we ordered the lock to Kaba and asked to ship the cable and because we want to use the request to exit feature of the lock, they will provide you with the cable to be hooked at the terminal on the back of the lock. But also it will provide a protector. A protector. It will cover the contact point that we're looking for to trigger the request to exit, which is right here. Now the way that we are triggering that is through the LED and we just grounded the first post. Now if I put the protector on top, we have to notice two things. First of all, there is a gap between the protector and the circuit board. So we can steal. So it's the same thing. So that's the problem. They think they fixed it. They didn't fix it. So let us just tell you we have found three or four other covert entry attacks on this lock that were not disclosing except to the government in Kaba. We can open this lock literally in five seconds. No audit trail, no damage, no trace. Well, with our clock, with their clock will be like 15. Yeah. So the bottom line is security engineering failures have consequences. They have consequences in the protection of your facilities. And they can also cause legal liability. So you really need to understand what you're buying, what's secure, and what's not secure. We'd like to thank you guys for coming again. If you have any questions, we're offline.