The KABA Simplex affair

$400 lock opened with a magnet

Now I’m going back a few years here – I mean, this is an oldie – but goody! It’s one of those stories you should know, it says so much about so many different aspects of this peculiar game of locks in which we find ourselves playing that it’s worth repeating. If you’re new to lock picking, or somehow this affair slipped under your radar – it’s my duty – as someone who isn’t new, and who’s radar it didn’t slip under – to give you the story, the story of a $400 lock that can be opened – by your nanna – with a magnet.

Rather than cut and paste various other articles, with total transparency, I reproduce here the article as written by lock picking legend Marc Tobias, enjoy….

The Kaba Simplex 1000. It's attractive. Especially to rare-earth magnets.

The lock you see in the picture can be found in thousands of locations: hotels, banks, casinos, office buildings, airports. And, according to a class action lawsuit, it isn't safe at all. Kaba-Ilco, the maker of the ubiquitous  Simplex series of push-button locks, is being sued for selling a defective product that can be broken into in seconds by an unskilled person wielding only a powerful magnet. Virtually all of these locks, with the exception of Kaba's Series 5000 model, are vulnerable, according to the complaint filed by the plaintiffs in this case. Kaba is one of the largest lock companies in the world and has likely sold millions of these incredibly popular Simplex mechanical push-button locks during the past thirty-five years. They sell for $300 to $400 each. Not cheap at all. If the company loses the case or settles, it could be on the hook for millions of dollars in liability claims.

The problem is that the Simplex has been designed using a critical component called the combination chamber that has been discovered to be sensitive to a strong magnetic field. Kaba reported that it only learned of this security vulnerability in August 2010. The litigation is important because it affects thousands of installations that rely upon these locks for access control and security.

Kaba, in its motion to the court for a change of venue, is claiming that rare-earth magnets were not “commercially feasible” when the locks were designed and would constitute a state-of-the-art attack for which it should not be liable. My problem with this logic is that the locks continued to be manufactured throughout the years with the same design defect, even though many lock manufacturers and security experts have been aware of the availability of strong magnets that are capable of opening some locking mechanisms.

The Simplex is not the only example of a lock that can be compromised by this technique, as we have documented in DAME (Defense Against Methods of Entry), one of the multimedia editions of my book.

You will recognize many of these locks because they can be found in virtually every venue from high security facilities such as airports, critical infrastructure, banks, casinos, hospitals, offices, schools, credit card processing facilities and even private residences. Many of them are vulnerable to an incredibly simple attack with a rare-earth magnet, and can be opened in about two seconds. The attack requires virtually no skill, expertise, or training, once the exploit of the fatal design defect is understood.

This rare-earth magnet can allow many Kaba Simplex locks to be opened without difficulty, leaving no trace.

Our security lab conducted an analysis of the Simplex 1000 series, and documented the critical element within these locks that allow them to be bypassed. We produced a video which is only available to security professionals, locksmiths, risk managers and law enforcement agencies. Any locksmith that has access to ClearStar (a secure on-line forum for locksmiths) can view the video in order to allow them to provide detailed information to their customers on the security threat that this attack creates.

You may also contact me at  mwtobias@security.org for the link if you will provide confirmation of your need-to-know.

The locks, (at least those produced prior to September 19, 2010) in my opinion have a fatal design flaw in the combination chamber. This is the critical element that reacts when each push-button is depressed using the correct combination. The defect allows a strong magnetic field to move one critical component within the chamber that can allow the bolt to be withdrawn as if the correct button sequence had been entered. Kaba believes they have figured out how to make their locks highly resistant or invulnerable to this particular attack.

We obtained the latest version of the combination chamber on Friday January 28 to test, and also looked at the interaction of the lock housing with the chamber. We were unable to open it with the magnet that we employed to compromise their earlier version. We are not ready to state that the Simplex cannot be compromised by a stronger and shaped magnetic field, especially because of the carefully crafted language in the Motion that was filed on December 29.

If the class action lawsuit is allowed to proceed, Kaba could potentially be liable for millions of dollars because of the widespread use of these locks, even if their fix turns out to be relatively minor. Every vulnerable lock should be upgraded to reduce the threat from this kind of attack, especially in high security applications.

This litigation, in my view, may expose other manufacturers to similar liability for deficient or defective security designs. I call this insecurity engineering, and it results from a lack of expertise in methods of entry by engineers when they design locks. We have documented hundreds of cases of “insecurity engineering” by large and small lock manufacturers throughout the world, and are working with many of them to review designs and possible vulnerabilities and to eliminate such threats.

Although the law of liability for such design issues is not settled, I believe that Kaba may set the precedent and establish required minimum industry levels of competence when it comes to discovering and guarding against insecure designs which can place consumers at risk, especially because it appears that Kaba was able to significantly reduce or eliminate the threat to their locks with a relatively simple change. The relevant question is why they did not discover and design around this threat a long time ago, thereby preventing possible security breaches from occurring in thousands of facilities?

I believe the relevant issue in this litigation relates as much to the responsibility of lock manufacturers to keep up with current methods of bypass (and constantly measure current products against such threats), as it does to the liability of Kaba.

Many “security-rated” locks are subject to different forms of bypass from simple attacks to sophisticated ones. Some high security locks can be opened in seconds, notwithstanding their rating by UL or BHMA that essentially guarantees their resistance to covert and forced methods of entry for a specified period of time, which are definitely more than a few seconds!

Part of the problem rests with the standards organizations that determine the testing criteria which provide a guide to government agencies, commercial facilities, and consumers as to what is secure and what is not. Unfortunately, the standards promulgated by Underwriters Laboratories (UL), Builders Hardware Manufacturers Association(BHMA)  and European groups do not protect against many forms of covert and forced entry that are utilized by criminals and government agents in the “real world” that I deal with.

In my book Locks, Safes, and Security,  I have documented at least fifty methods of attack that are not addressed in the standards, often leaving everyone at risk, especially for critical infrastructure and facilities that require a higher level of security.

This failure of the standards to adequately protect the user leaves the consumer with little remedy or information as to the real security of a lock or piece of hardware. A consumer Grade 1, (ANSI/BHMA 156.5),  which is a commercial-level standard, is supposed to denote the highest level of security for commercial and residential locks. It is, in my view, meaningless when it comes to covert and even some forced methods of entry. It can convey a false sense of security to the consumer.  The standard does not take magnetic attacks into account.

It appears that the Simplex 1000 series had a BHMA/ANSI 156.2 rating at one time, according to pleadings filed by the Plaintiff and in advertising brochures. A check of 2011 certification listings by BHMA shows only the 5000 series as being listed under this standard. That lock is not subject to magnetic bypass. I noted in my original post that the lock had a 156.5 rating. That was in fact incorrect.

If the Kaba suit proceeds to a verdict or settlement, the lock manufacturers will surely pay attention, because many of them could be the next target of similar legal action.

When I spoke with two different technical support staff at Kaba earlier this month, they denied the locks could be opened with magnets, and never mentioned that the problem ever existed or that Kaba had released a new design to combat the attack. Even more troubling, I contacted five different dealers across the United States. None of them had heard anything about a magnetic attack.

Even if the problem has been remedied by Kaba, there are still potentially millions of locks in service in critical applications that can be easily opened.

I have written a very detailed blog post on in.security.org discussing the Kaba Simplex security problem as it relates to locksmith and manufacturer liability.

We will release a subsequent report as to the effectiveness of the fixes that Kaba has implemented. How the company plans to deal with the retrofit of currently installed base is unknown at this time.

You might also be interested in: The Marc Tobias interview.

Note: I would like to correct an error that I made with regard to certification of the Kaba push-button locks that are the subject of this article. I noted that the Simplex 1000 series lock carried a BHMA/ANSI 156.5 Grade 1 certification for security. A check with the 2011 BHMA Certification List only shows the Series 5000 as having a Grade 1 certification under the 156.2 standard (not 156.5).  The pleadings that were filed by the Plaintiff refer to the locks that are subject to the lawsuit as having been certified under the 156.2 standard. The 156.2 criteria for security testing relate primarily to attacks on the lock body and lever handle and does not include covert entry. BHMA/ANSI standard 156.5 describes several security tests for lock cylinders. I incorrectly stated that Kaba had such a rating when in fact they did not. I had misread the pleadings and apologize for the confusion and the error.

(The views and opinions expressed in this article do not neccessarily reflect those of UK BUMP KEYS Ltd or LockPickWorld.Com or the employees therein)