Good morning everybody. My name is Marc Tobias. My partner is Tobias Bluzmanis. The third member of our research team decided, Matt Fiddler in Connecticut, decided at the last moment that he was going to have emergency appendectomy surgery on Wednesday. We knew he didn't want to come. And so he feigned the surgery, called me and said he'd never been in the hospital before. So he's doing fine, I think, watching today, and wishes he were here. We also wish he were here and I think he'll be back to work this week, but. So my partner and I for the last three years have been engaged in pretty detailed research regarding the bypass of high security locks. It's my background for a long time. Tobias has been a locksmith for 25 years. He's in Miami, originally from Caracas, Venezuela. And he's on the ground side of our research team. I deal with opening a lot of locks for clients and some agencies and writing in the theoretical aspects and teaching. Toby is hands-on, on the ground all the time. And so it's made a very, very good team. We, as we'll go through our PowerPoint, it's a very detailed PowerPoint. We'll go through it fairly rapidly. If we have time, we'd like to throw it open to some discussion at the end of our presentation to get some input. There's a lot of material to cover. This year we're talking about electromechanical locks and how we've been able to compromise them and we'll tell you up front that we're not putting out a great deal of information about precise techniques. There's actually an upcoming event in the Netherlands with Barry Wels, Han Fey, and Toool that are going to go in, as I understand it, into some more detail. But for mainly United States consumption, we felt that we really didn't want to put out certain critical information because of certain critical infrastructure that's being protected. So today, basically we're talking about opening new doors to insecurity.
The agenda this morning, we're going to talk very briefly about standards and requirements from Underwriters Laboratories and the Builders Hardware Manufacturers Association. We're going to talk about electromechanical locks as well as mechanical locks, both conventional and high security. We're going to talk about the protection of critical infrastructure, real world threats, and then a case study on electronic access control technology. In years past at DEF CON, we've talked about standards and why they're promulgated and what the problems are with them. All of the high security locks as well as everything else in the world is governed, as you know, by standards. In the high security lock arena, we'll point out, Underwriters Laboratories and the BHMA are the two main standards organizations in the United States that deal with locks. And the real high security standard in the US is BHMA 156.30, and we'll talk very briefly about that. We've covered this material before. This PowerPoint will be online, so a lot of it we're going to go through fairly rapidly because we want to really focus on what we've done and the vulnerabilities of electromechanical locks. So basically why we need standards and what they measure. Well, they measure the performance of locks in the security arena with regard to covert entry, forced entry and key control. The problem with standards is they don't measure everything, they're very inflexible and they don't really leave room for imagination. And our problem is that we can break quite a few of the high security locks that are rated for a minimum resistance time of 10 or 15 minutes for covert entry, which is really what we're interested in. We've looked at forced entry, we released some information two years ago on Medeco deadbolts and the ability to open them in about 30 seconds. But that's not our prime concern.
The real problem is the standards exclude many real world attacks: bumping, mechanical bypass, and knowledgeable and special attack techniques. So there are conventional locks like the Kwiksets of this world, the cheap pin tumbler locks that everybody has on their doors, and then we have high security locks. The threat levels are different for the different kinds of locks. And as I said, forced entry, covert entry and key security are the prime criteria for measuring locks, high security locks and how they perform. We've reduced all the standards to our 3T2R rule, which is time, tools, and training. And then reliability and repeatability of the ability to open them. And what does this mean? How much time does it take to open a lock? What kind of tools are required? Are they easy? Are they sophisticated? And what kind of training or expertise is required? When all of us went public about bumping very well in the group, the tool started in 2004, 2005 in earnest in the Netherlands. Then we all did it in America in 2006 with little gentle in. Bumping attracted so much attention because of its simplicity. Relatively no expertise, tools, piece of cake, basically anybody can generate a bump key, training, few minutes. So that's really the criteria for the standards. Forced entry under UL 437 and BHMA 156.30, what you really need to understand. These locks are supposed to resist forced entry attacks for five minutes. Some of them do and some of them don't, as we demonstrated last year and the year before. Covert entry protection, again, 10 to 15 minutes is the minimum guaranteed criteria to resist covert and surreptitious entry. Unfortunately, the standards only address picking and decoding. They don't address really other forms of attack and that is precisely what the problem is. Then last year we talked about key security. And the problem is that the standards address key control.
That is the ability not to replicate blanks, patent protection, organizational controls. But they don't address key security. The ability to simulate and replicate and duplicate keys. Last year we gave a very detailed presentation, as did Barry Wels, about keys and the ability to duplicate them and replicate them and simulate them. And all lock security really begins with key security. If you can replicate, simulate or duplicate the keys, there is no security with the lock. Because obviously the key is the easiest way to open the lock. And unfortunately, the standards don't address key security adequately. So categories of locks, we have conventional mechanical locks, we have high security mechanical locks. And then we have electronic credentials. And the electronic credentials can be used for electromechanical locks, which is what we're going to talk about, electronic locks. And then we have wired, wireless, and data on card systems. The industry is obviously moving to electronic or electromechanical locks. The manufacturers would like to move there in part because of everyone's disclosures about the vulnerabilities of mechanical locks. And so we've sort of in a way been a victim of our own success. Driving everybody to the panacea of electronic locks. And they're really neat and they really provide options for the users and the organizations. But they also can have some deadly security design defects. So we have certain critical questions. Toby? Well, the real questions would be what is security when we refer to a lock? What we consider is a secure lock, okay? Is it secure enough? Most of you guys don't know the answer, you don't have to know the answer. You rely on standards, you rely on experts that tell you this lock is secure or not, why it's secure or why it's not. And high security, we have ratings. So I do locksmith work.
So if I see a lock that has a rating of UL or BHMA, I can assume that these locks meet the minimum criteria of those locks regarding forced entry, picking, and covert entry attacks. The problem that we see, really we see, is that we don't, it's a piece of the puzzle that we don't know. I don't know. Bumping is, for example, one of these criteria that is not on any of the standards. So to me, I know that a high security lock, UL 437, that lock, I don't know if that lock can be bumped or not. This is not a standard or a protocol to test this lock for bumping. So the real problem is the standards do not address certain real world attacks. And the problem is, the criminals aren't following the standards as to how they can open a lock and how they can't open a lock. We neither. They just open, yeah, we neither. They just open them, and I'm actually on the standards technical panels for Underwriters Laboratories to help review the standards regarding locks, safes, and alarm systems in an attempt to start cleaning these standards up and make them address real world threats and attacks. That's what we're talking about. So conventional lock functions, these are the Kwiksets of the world. The low quality, often low quality, inexpensive locks you buy at the hardware store, you have in your houses, maybe some of your offices. Conventional locks, the functions are they restrict who can enter. They prevent or delay unauthorized access. They're low to medium security, they're not certified, and covert entry is often very easy. So conventional lock vulnerabilities, picking, bumping, decoding, impressioning, master key extrapolation, mechanical bypass, and failure of key control. Last year we demonstrated how the top high security lock in the country and many others accept plastic. That is, we could take credit cards and make keys for them. This is not supposed to happen, and we don't believe this is not high security. It is not addressed in the standards.
It's not addressed in the standards. So conventional locks, are they adequate for critical applications? Here's the problem. No tracking of access attempts, how often or when. Adding or duplication of keys is not a problem, but you can't delete keys from the system without essentially reprogramming every lock in the system or re-pinning it. There's very little key security in most of these systems. The master key systems are insecure. There's no evidence of entry, and there's no intelligence in the lock or the key. So of course we're going to move in a little while to electromechanical locks, which are supposed to be a lot smarter. So conventional versus high security locks. We've talked about the conventional cylinders, essentially they're easy to open, and there's really no key security. High security cylinders are controlled by standards, UL and BHMA. They're higher quality in tolerances, and they have increased resistance to forced and surreptitious or covert entry. Okay, there's also more standards, we're just covering the standards in the US. So UL and BHMA; in Europe, there are also standards that these locks have to meet. But we're just talking about the standards here in the US. Right, now the bottom line is for high security, we need increased protection because the threat level is higher. That's the idea. So high security locks, critical differences, multiple security layers, so there's not one point of failure. Each security layer is supposed to be independent, the security layers operate in parallel, so you have to meet the requirements of all security layers in order to open the lock. And it should be difficult to derive intelligence about the lock, it should be. So mechanical locks design limitations, as I said, they're good for one person, one key. There's no user tracking on keys, the addition or deletion of keys in the system is a problem.
Lost or stolen or copied keys is a serious problem, because the locks have to be repinned in order to protect the integrity of the system. And keys can be manipulated in a lot of locks. We call it key jiggling. One of the locks that we researched last year was the Mul-T-Lock, the conventional Mul-T-Lock, either the Interactive or their Classic. The problem is that because of tolerances and master key systems, the keys could be jiggled. And one key that was not designed for the lock would open it if you pull it out maybe a tenth of a millimeter and jiggle it. This is really one of the real design limitations of mechanical locks. So are electronic locks the security solution? The manufacturers seem to think they are. Shown in this slide, we have a Mul-T-Lock key, which is a Cliq key on the left, which opens the lock on the right and we have a Medeco Logic lower left and the key for a Medeco Logic on the right. The key, as we'll show, is comprised of electronics and mechanics. So what are electromechanical locks? Essentially, as they say, they're mechanical locks and they're electronic credentials. Here's the problem and here's what the manufacturers seem to have lost in the equation. They're still mechanical locks. We don't care what their credentials are, whether it's RFID or Dallas Semiconductor or a transponder. It doesn't matter to us because they're still mechanical locks. At the end of the day, mechanics have to control whether the plug turns or not. Generally, there's two parallel locking systems in these electromechanical locks. Mechanically, there's a mechanical key just like your car key, or just like your standard office key or house key. There's a bitting portion of that key that controls movable sliders or pin tumblers in the lock. Then, so there's key bitting and then there's electronic credentials. So in the electronic access control system arena, we're talking about mechanical lock designs and we're talking about electronic credentials.
And we're talking about security layers, which means protocols, mechanical locking systems, audit functions, and key security. So now we get to the real issue. We studied for the last year the technology that is employed across several companies in Assa Abloy in Sweden. Assa Abloy is one of the largest lock conglomerates in the world. They own 10% of the world's locks. They make very, very good locks mechanically. We, from the mechanical side, we can't fault them at all. The Cliq technology was developed several years ago and the core platform is used in all their locks. There are mechanical variations, but the core platform is basically the same. And in the United States, it's the Medeco Logic. It's the ASSA Cliq. It's the Mul-T-Lock Cliq. In Europe, it's IKON and there are other brands in Europe that also use the same technology. These Cliqs also, they integrate these Cliqs in their high security locks. They're not using this Cliq on lower quality locks. They're implementing this Cliq in high security locks. So they can also use mechanical keys with electronic credentials to open mechanical locks too. So it's a merge also that they're trying to make life easy for you people. So a Cliq system can be integrated into a mechanical only system. So as Toby said, the Cliq keys can open mechanical locks, but mechanical keys are not supposed to be able to open the Cliq locks. So again, Cliq is a very neat technology. We're not rapping that. We're rapping the security engineering and the design on these locks because of what we found and what we'll show you. So mechanical locks plus electronic controls. So Cliq keys, bitting plus electronics. So you see two different versions here. The top one is an IKON and a Medeco. So we have mechanical bitting and we have the electronics. We talk through two contacts or one contact into the lock and then we have Mul-T-Lock on the bottom which is another example.
Different kind of mechanical lock, but the electronics are essentially the same. This is the new ASSA DP Solo Cliq. These just came out in Europe a few weeks ago. We were lucky enough to obtain samples. We obtained them a couple days ago and we looked at it and they were promptly compromised. These will not be released in America, it's our understanding, for probably another year. This is what the keys look like. And again, we'll show you, we've got one up here that we're going to show you what exactly the problem is. So these locks are used for critical infrastructure, among other applications. In transportation, aviation and airport security, cargo and transport, power facilities, finance and banking, server rooms, defense and public safety. So critical infrastructure vulnerabilities, as we all know, is intrusion, sabotage and vandalism. Theft of critical and high value targets, terrorism, data leakage, identity theft, and interruption of critical or essential services. Airports and aircraft, there was an article that just came out this morning in Wired Magazine. Some of this technology, for example, is used at the Ottawa Airport. We've shown how these locks can be compromised. We think it's a real problem. The US Aviation Transportation Security Act mandates certain requirements where electromechanical or electronic locks have to be used to track people. Positively verify the identity of each employee and law enforcement officer, and be able to test and assure compliance with security requirements. So at airports, we've got layered security and physical security of fixed assets. So, and we need to make sure we can't copy the keys. That's very important. Very important. Conventional locks are not secure for airport protection. Frankly, we don't think they're fit for most high security installations, which is obviously why everybody goes to high security locks. Why?
Duplication of keys, no user auditable information and no scheduling capabilities, and issues with master key systems. Cargo protection and cargo containers. Electronic access control systems, as well as other applications. There's a really slick lock, but the locks have to provide identity, identify tampering, and an audit trail. So you know when things were open, when things were sealed. So there's a very slick lock that's made by Medeco. There are some other brands also, but this really looks like the best one. It's called Medeco NexGen. What's shown here is a padlock with a drop-in cam lock insert that's totally electronic. The problem is that we figured out how to open that in about 10 seconds. And no audit trail. And we'll revisit audit trail in a few minutes. Next we have the protection of power generation facilities. Gas, oil, and power grid. There are two main agencies, the Federal Energy Regulatory Commission and the North American Electric Reliability Corporation. Each of these have physical security requirements for the reliability of power. Prevent attacks both physical and electronic. Access to data and equipment, we've got to protect hard and soft assets. Critical infrastructure protection, there's specific requirements to contain procedures for identifying, controlling, and monitoring all access points and authorization requests and logging of physical access. This is why everybody's going to these locks, electromechanical or electronic, because of the audit control. Sarbanes-Oxley Act, we have financial responsibility in reporting in the United States now. As of 2002, so that we have integrity of financial reporting for public corporations. Again, electronic locks play a vital role in this so you can control and audit access. Financial data, integrity, and security. We have to control and safeguard data. What affects a lot of you folks is data center security. Must control physical access to servers to protect information.
If you can access the server physically, you can own it as you all know. Real world threats, high security locks, and electronic access control systems. Total compromise, false sense of security, and liability. In 2007, 2008, we did research breaking conventional high security locks. This was, in summary, the result. We broke key control, we broke deadbolts, and we did covert entry. So, as we noted, there's too many limitations in mechanical locks. Good for one person, one key, and there's no tracking. That's really the problem. For electronic access control, the answer to mechanical locks. So, here we go. Stand alone, electronic access control, ASSA Abloy Cliq. We have Mul-T-Lock, ASSA, IKON, Medeco Logic, all the same core technology. This is the Mul-T-Lock, this is the best image that we lifted out of their advertisement that's online, their great video. Unfortunately, when we asked Mul-T-Lock if they had any problem with us running this video that's on the web, they said absolutely not. If you use it, we will sue you. It's intellectual property. Now, we could have linked to it. I'm sure all you can do that, but this is the best image in the presentation. It's about a six minute presentation, the ultimate in high security. Choosing a sophisticated locking system where security is an issue, compromise is simply not an option. It's not an option. Stand by. And again, Mul-T-Lock's a great company. I was actually just there, they're Israeli. I was just there in October. I like their locks, respected them for 20 years. But again, there's security engineering issues that we have serious disagreements about. Logic and Cliq design attributes. You can program permissions, authorized keys, audit trail events, mechanical and electronic security. And there's no wiring or additional hardware. The key powers the lock, mechanical bitting plus credentials and easy retrofit to current systems. So security and reality, key control.
We can simulate the keys for some of these locks, lost, stolen or deleted keys. Their advertisement is that it's not a problem because if you lose a key or an employee leaves or you have a rogue employee, just program it out of the system, no problem. That is absolutely true and it's also not true. We can compromise some of these systems if we have one key on a keyed-alike system. We can compromise the entire system. We can bypass the electronic credentials, which means the entire system is at risk. And you may not know we were there because if we use one of our keys there's no audit trail. We can simulate the credentials, we can bypass all of the locks. So we think there are serious security issues regarding audit trail. There's a false sense of security. There's an ability to bypass a lot of these audit trails. There's a potential for false blame. How would you like to be the last employee that actually accessed an area that shows up in the audit trail? But you weren't the one that stole the goods or compromised the information because somebody had a simulated key. We can open these locks with no evidence of entry and total lack of chain of custody if it's involved. Bypass of mechanical or electronic system and audit trail depends on reading the key. What happens if one layer is bypassed? This all started last year in Europe when there was a magnetic attack with a magnetic ring, the devil's ring that was initially developed by Wendt in Germany. And there were locks that were found that could be bypassed by spinning a series of magnets around the outside of the lock. This was then translated to certain Cliq technologies. So what happened was that we were at a meeting in the Netherlands last October and we were briefed, Barry Wels and Toool did quite a bit of research on this. We then brought the research to America and have worked for nine months to deal with this. Without pay. Yeah, without pay, right.
So all of these systems, the mechanical locking part is really good. They're fairly secure. Well, Mul-T-Lock we can open fairly easily, it depends. There'll be a video on our website later today, in.security.org, that goes through it; it's a composite that we're going to show here. So Cliq and Logic simulated credentials, possess a key and simulate and bypass the credentials. As I said, one lost key in a keyed-alike system means we can totally compromise the system. Last year in Europe, the Mul-T-Lock Cliq was bypassed initially with magnets. That has subsequently been fixed, but it started the research. Audit trail bypass, audit trail again is dependent on reading the lock and the key. If there's no audit trail, there's a false sense of security and false blame. Cliq and Logic security from Medeco. Their advertising states, unauthorized key copying is removed from the equation. Not quite. Superior protection against unauthorized key copying and the same thing NexGen. We've been able to compromise those and by the way, NexGen, which is a very clever lock, is also used on thousands of Coke machines, vending machines, and parking meters. This is a real potential problem, and that's one of the reasons we're not putting out specific details. Because all of these vending machines and parking meters could potentially turn into cash machines. This is a lie. No, no, no, listen, the cities are in enough trouble with revenue security. They don't need that problem. Remember also that we work with time, tools, training. The timing that we can compromise these locks is very, very low. Okay, so this is the design of two of these locks. They're very, very, very similar technology. Medeco on top, IKON on the bottom, and again this PowerPoint will be available, but these are very clever locks. But again, we found the problems. Logic insecurity, the Medeco Logic is the Cliq version for Medeco. This lock shows a simulated key opening the lock. We created that key.
We created the key with no electronic credentials. We're still opening the lock. We're still opening the lock. Cliq compromise, this was one of the early attacks that involved vibration of the Mul-T-Lock. So they've since fixed that, but not exactly. So we have serious issues with electronic access control. Mechanical bypass, simulation of credentials, bypass of electronics, cloned credentials, defective security design, failure to meet statutory requirements. When everybody figures out that the audit trails may be compromised, then there's legal liability and statutory issues that are going to have to be addressed. So security engineering issues, and we break mechanical engineering and security engineering, we think they're different. All of these companies do a great job with mechanical engineering. We have no qualms with that at all. It's the security engineering that frankly, our opinion is with a lot of these locks are just flat incompetent. And you can open a lock that costs $6, $7, $800. With essentially a special key and a paper clip, or a piece of wire. We think that is defective security engineering. And frankly, as a lawyer, I think the manufacturers ought to be liable for that. I've been pushing for them to agree to retroactively fix and remedy these issues for the consumer at no charge. And I'll read you a couple of quotes. They have no interest according to them in doing that. They think this is an ongoing war, security war as I call it, that's been going on for hundreds of years, and the state of the art attacks. There's an attack, they fix the lock. There's another attack, they fix the lock. I agree if it's state of the art that there's no issue. The problem is a paper clip or a piece of wire or vibration or shock. This isn't the state of the art attack. It's a simple attack, it's security engineering 101. And these companies are missing that, and we think they ought to be liable. So 2009 research, electromechanical locks.
And we went through this, so we won't do it again, but it was begun by Toool in Europe. We continued in America, we examined and analyzed the design of Cliq technology, key control, mechanical bypass, and the simulation of electronics. We have had repeated contact with Assa Abloy and Medeco and Mul-T-Lock over the last nine months, not friendly. They have told us if we speak about their products, if we disparage their products, if we talk about the security, we're liable to be sued, whatever. My attitude is, let's fix the locks. Let's make them work right to begin with, and let's not be selling them until we do the proper job of security engineering. And if they don't fix them and retroactively fix identifiable security vulnerabilities, they ought to be made to pay for it or replace them. They have stated, at least to us, they're not interested in doing it. Their response, no locks. We offered Assa Abloy, Medeco, Mul-T-Lock. Give us current samples, let us test them. Send padlocks, locks, so you know that we didn't screw around with them. And we will give you all of our research data, everything, and we won't publish. If you agree to fix them, retroactively fix them and replace them, not interested. These locks are $600, $700, $800. Yeah, I'm sure you'd be happy. They're like $85,000. So here's Medeco's response. This was in a Slate.com article two years ago. But that doesn't tell you what to do if you've got a potentially vulnerable Medeco lock. This is a reporter. Don't count on Medeco to replace it. Quote, this is from Medeco. When you buy a lock, you don't buy a subscription. Roberson told me instead he counseled people should visit experts and determine their security needs. That doesn't help the consumer. This is a statement from General Counsel at Mul-T-Lock. Who have misrepresented that Mul-T-Lock's policy is not to consider replacing or repairing a product which proves to be defective in normal use. This is a gross misrepresentation and not true.
I don't know what that means. Does that mean that they will replace their locks if we show that they're defective in a security design? Or does it not? And Assa Abloy, all of your accusations and unreasonable demands seem to stem from your mistaken or vain belief that because a product may, under certain limited circumstances, be susceptible to a new form of attack, it is somehow rendered defective. That would be their general counsel for Assa Abloy in the United States. So the question is, mechanical defects versus security defects, is there a difference? Should a manufacturer be liable for defective security engineering if it's not a state of the art attack? And should have been foreseen. Remember, choosing a sophisticated locking system where security is an issue, compromise is simply not an option. This is Mul-T-Lock's advertising that they didn't want us to run. In a world increasingly challenged by mounting security threats, the need for comprehensive locking systems has become an essential requirement in virtually every conceivable market sector. Each Interactive Cliq key contains a unique electronic ID code. It is designed for one individual only and cannot be duplicated, altered, or corrupted. If the key is not authorized, the mechanical element in the locking system will simply remain locked. And finally, Interactive Cliq, unprecedented benefits. Dual patent protected technologies employed in Interactive Cliq represent a truly successful marriage of electrical and mechanical locking systems, offering a double layer of impenetrable security. Right, okay. And finally, the last quote, and then we're going to run a video. Audit trail control is an absolute necessity if you hope to keep track tabs on the efficacy of your locking network. Interactive Cliq's control key enables you to easily access precise data from every cylinder in your facility. Each key is designated for use by one individual only. If the key is lost, it is simply made obsolete.
This enables total control of every key issued to personnel. Yeah, okay, the ultimate insecurity. So, let's, because we're going to run out of time otherwise, this is the video. This is about a six minute video and we'll narrate it as we go through it. And this will be on, as I said, this will be on in.security.org this afternoon. If you guys want to watch it, again, this video has been edited so that we're not disclosing exactly how we're opening these locks. But if you're using electronic access control and some of this Cliq technology you need to call ASSA or Abloy or Mul-T-Lock or Medeco and ask them, what's the vulnerabilities that was shown and do we have it in our locks and are you going to fix it? So, here we go. ASSA Cliq. One beep you're in, three beeps you're out, like baseball. Mechanical key, mechanical key, no electronics can't open the lock. Now we do our magic. Okay, here's the correct key, open the lock. Here's the incorrect key, open the lock. Here's the mechanical only key, open the lock. Audit trail bypass, that's a very high tech piece of paper. Open the lock. The wrong key, no audit trail, open the lock. And of course, there's no audit trail issue with the mechanical key because there's nothing to talk to the lock. Open the lock. Okay, that's an ASSA. Simulated plastic, we can now advertise ASSA takes plastic. So we bypass the electronics. IKON Verso in Europe, little smiley face on the key that tells you everything's okay. Is everything okay Toby? Yeah. Okay, there's our simulated key. We create that key for that specific lock. Hello. Yeah, lock is open, no audit trail, $600 lock, priceless. And still you have the lock is still work like a regular lock. Next, IKON Verso Cliq. This is the same lock that you saw, but we're using a key that is not programmed, you can see the sad face. It's his sad face, it's not our sad face. Well, but it still opens the lock. So again, open. Okay, we just edit the part. And a simple part. Next.
No, no, no, not yet, not yet, this is the Medeco Logic, okay, same technology as Ikon. Yes, it's basically an Ikon key, a cylinder. Same technology, okay, no electronics, okay. Now put in the battery, Toby. Well, it's more difficult to put the battery in the lock. Okay, so you see the mechanical bitting, we see the little smiley face. You know the fan. Now you see the fan. And the lock opens, this is the way it's supposed to work, okay. Now we take a specially prepared mechanical key, no electronics, the lock is open. No audit trail. No audit trail inside attack. That's basically one of the biggest problem. This is again the Medeco Logic. Little Mr. Smiley face, okay. That's the correct key, that's an Ikon. Now this is an Ikon key opening a Medeco lock. That would be, and if you'll notice the way the cuts look, I think we run that again. We also cut this key. So we took an Ikon key, we opened a Medeco cylinder, we modified the key. We made the cuts in a different way that the manufacturer did it. We managed to use a key from a different system and put it to work on a Medeco. Yeah, now our friends at Mul-T-Lock. Here we go. This is an older generation, but unfortunately, and this is a profile cylinder from Europe. The little green light comes on, Toby, go ahead and describe this. If you notice, we put the key and tried to turn it really fast. The timing between the lock, the response from the lock on the key is like one-third of the second. So if you go too fast, it doesn't open. And it won't open until we do our magic. There's no battery in this key. That key doesn't have any batteries. So no electronics, the lock is open. Now we're going to put the regular working key and now the previous key won't work anymore. Do our magic and okay, it's open again. So now this is the older version of Mul-T-Lock. So then we went out. They have that problem. Once we bypass the electronic, the electronic is bypassed until you put the right credential and then can relock back. 
They fixed this. They fixed it, so we went out and bought their new latest locks. But the idea, every time that we use that blue key, no audit trail in the lock. This is the new Mul-T-Lock. This came out of the factory about six weeks ago. It took four months for them to deliver it to a dealer that I ordered it through. This is a US mortise cylinder. You can see how this works. The little green light flashes, it shows the key is working. We simulate some keys. Okay, that's a non-electronic key. Okay, these keys normally should not work. Okay, so we bypass the electronics. That's the key that should work. This is the key without an interactive pin. And this is an interactive lock system. Open, no electronics, no interactive pin. This is a simulated key that we made with a plastic insert. We've got the cut. Which means that we can take any restricted keyway if we get one blank, we can keep recutting it over and over and over again for different keys. This, Toby is picking the lock about two minutes. I don't know if we're going to run out of time here. But about two minutes and this lock is open. Okay. And this is an electronic lock. We are not supposed to be able to do this. So, but the lock still clicks. Yeah, it still clicks as you click each tumbler. And so basically to sum up, we think there are serious issues with the way some of these locks have been designed. They can be sabotaged for insider attacks so that you can set the lock in a matter of seconds like the reporter did that wrote the Wired article that's online this morning. We showed her how to bypass one of these cylinders. She did it in about 30 seconds. Stuck a key into the lock that's not programmed for the lock and opened it. And opened it repeatedly. We're not going to have time today to show you the latest ASSA, but we'll be glad to do it offline. If anybody's interested, if there's any agencies here that need further briefing, it's not a problem. And basically that's it. 
My email address is mwtobias at security.org. If you need any further information or you can contact me at my office, all the information is on our website, security.org. And as you can see, this lock is just about ready to be opened. This is a high security lock. And that's one of the reasons that you move to electronic, electromechanical lock is especially to prevent this. And that lock is open. We don't want to run out of time here. We thank you very much. If you have any questions, we'll be glad to answer them offline. It's been a pleasure seeing you guys at DEF CON again this year. That's it. Thank you. Thank you very much everybody.