In.Security Home

THE SIDEBAR: MARC WEBER TOBIAS

Archive for the 'Security Alerts' Category

DETAILED REPORT ON THE INSECURITY OF GUN SAFES MADE BY LEADING U.S. MANUFACTURERS: STACK-ON, GUNVAULT, AND BULLDOG

All of these gun safes can be easily opened with a variety of simple tools.

See my corresponding article http://blogs.forbes.com/marcwebertobias
in Forbes that was published on Friday, July 27, 2012.

See the applicable disclaimers with regard to the information contained in this report at the end of the Alert.

This security alert provides detailed information about small gun safes that can be easily compromised. We conducted an analysis in our Security Lab of these containers. Some of these containers are utilized by law enforcement agencies. A PowerPoint presentation and video is available through the AFTE website for any agency, and was the subject of my presentation at the Annual Association of Firearms and Tool Marks Examiners conference in Buffalo, New York on June 28, 2012.

We provide information about some of the most popular gun safes that are produced by the leading manufacturers in the United States: Stack-On, GunVault, and Bulldog. We also looked at one of the small safes produced by AMSEC.

We tested safes from these companies to determine their vulnerability to simple, covert attacks. We did not test for forced entry techniques.
Every consumer that owns or is contemplating owning a small gun safe needs to understand that many of these containers are improperly designed, have little real security, and can often be opened in seconds with common implements such as paper clips, drinking straws, wires, and small pieces of brass. Some can also be dropped from a few inches onto a hard surface and opened because of the simple, cheap, and insecure mechanism that is used to block movement of the bolt work until the proper combination is entered.

All of these safes utilize electronic credentials to open them. While these manufacturers would like you to believe that the use of a keypad, push-button sequences, or fingerprint reader will somehow make their containers more secure, it is not accurate and everyone should understand it. It is merely for convenience.

What constitutes security in any container is the way the locking mechanism is designed to keep the container closed or to be opened. The problem is that none of these manufacturers seem to understand even the basics of security engineering and how to defeat their own products. In this report, we will provide detailed videos that demonstrate the problem for many safes that are sold by Walmart, Cabelas, Dicks Sporting Goods, Scheels,
and Amazon.com.

In conjunction with our investigation we contacted and made available these videos to management at all of these companies. Only Walmart would even issue a statement, which essentially says “it is not our problem” and we rely upon the manufacturer and the California DOJ standards.

The other companies, Cabelas, Scheels, and Dicks Sporting Goods had absolutely no response.

All of these companies continue to sell what we are claiming are dangerously security-defective products, but it evidently is all about money, not the safety and security of their customers that is of their primary concern. They have all been placed on notice of the defective security designs and all have chosen to ignore the evidence and instead rely upon what the manufacturer, Stack-On or others have represented to them.
Stack-On is headquartered in Illinois and by their own account, generate about $100,000,000 annually. They also indicated that they do not talk to the media, but they did issue a press release after I demonstrated opening four of their safes on KELO-TV in May, 2012.
Their Public Relations firm issued the following statement on behalf of their client:

“While Stack-On respects Mr. Tobias’s proven ability to pick the most complex of security locks, we strongly stand behind the safety of our products. Stack-On Personal Safes are certified by California Department of Justice (DOJ). This certification involves testing, by an independent laboratory approved by California DOJ, for compliance with adopted standards. We are proud of this designation and the protection we provide. In addition, our Portable Cases comply with TSA airline firearm guidelines.”

Stack-On believes that their safes are secure. While their containers have been approved by California DOJ under their gun safety regulations, they are fully aware that the methods we demonstrated are not addressed in these standards, and thus the standards are not applicable. It is our opinion that Stack-On has chosen to continue to place every buyer of one of these safes at potential risk. Their safes are manufactured in China. While they may appear to be secure, they are not, as we demonstrate in multiple videos.

I spoke with their VP of Marketing, Steve Martin, in April, 2012. I asked to do an interview at their facility and was refused. When I advised him that we had tested several of their safes, he did not ask one question. I offered to send the links of the videos. He offered no response. The company has never followed-up with any inquiry.

Our opinion is that Stack-On should recall every safe that has security vulnerabilities and issue an alert to the public to warn every purchaser. They should also warn every vendor. To our knowledge, they have done neither. What they have done is to continue to sell what we allege are defective products to the public, knowing that many of these containers can be opened by kids.

I spoke with a spokesperson for Walmart and provided links to all videos. After two months, they finally issued the following statement:

“Walmart is committed to providing safe, quality products customers can rely on. After being made aware of your concerns, we reached out to the manufacturer of Stack-On products to discuss their compliance and quality programs. According to Stack-On, the product you mentioned is tested by a third party independent lab and those results are submitted to the California Department of Justice for certification as meeting their safety standards for this category of products.”

It is also our opinion that Walmart is far more concerned about revenue than in protecting the safety and security of their customers, notwithstanding their claims to the contrary. According to their employees, the company has a security and safety testing team that analyzes products. That would indicated that they have the competence and skill to evaluate the claims that we made.

Walmart did not deny our allegations but rather are avoiding responsibility by hiding behind the representations of Stack-On. In our opinion, nobody should believe anything that Stack-On states with regard to the security of any of their products. It is very clear that Stack-On has no competence to design or test a container for security vulnerabilities.

While they may believe that they can avoid liability by claiming they meet the requirements of the California gun statutes, they may find that those standards offer no protection whatsoever. We believe they are producing dangerously defective containers that they are representing as secure for use by the consumer to store weapons. They are not secure, and nobody should rely upon them for any measure of security.

It is my opinion that any retailer, once on notice of the defects we have demonstrated, can and will be held liable if a customer purchases one of these containers and the result is that someone is hurt or killed.

We conducted undercover interviews at Cabelas and Scheels to document what their sales “experts” were telling the public about these safes. It is precisely what you would expect: they are secure, kids cannot get into them, and you can safely store weapons in them without fear that they can be covertly compromised.

Unfortunately, each of these statements is false. The problem is that these sales personnel do not have a clue as to what is secure or is not. What they understand is profits and what sells, and it would appear that is all they care about, based upon the total lack of response from any of these companies to us.

While we only looked at about ten safes, we are quite sure there are dozens, if not hundreds of different models that are similarly insecure. Most of this junk is made in China and peddled by U.S companies. These safes are cheaply made, and the security engineering is essentially non-existent, as you will see in the videos and our detailed analysis.

BACKGROUND

This is a common solenoid design that blocvks the movement of the bolt in many safes. The magnetic pin must retract in order for the bolts to pass. This can be vibrated to an unlocked state.


As a result of another gun death involving a member of the Clark County Sheriff’s Department in 2003, the Sheriff mandated that all deputies keep their weapons in designated Department safes at their homes. The Department, without any testing, initially purchased approximately 200 Stack-On Strong Boxes, shown in the video. It is clear that the CCSO relied upon the representations of Stack-On, and had no independent expertise to evaluate the security of these containers. It is incredible to us that the Department would entrust the lives of their officers and families to a container that reportedly cost $36.00 without any tests being conducted by the Department as to suitability, safety, or security.

Detective Ed Owens was a member of the Clark County Sheriff’s Department since 2004. He was issued a Stack-On safe to store his weapons at home. On September 14, 2010 one of his four children was able to open the Stack-On Strong Box container that was located in the Master Bedroom. At about 9:50 P.M. three year old Ryan was shot and died four hours later.

We were asked by the Owens family and attorney to provide expert analysis of the suspect safe. We conducted an extensive analysis of a container from the same batch that was provided to the Clark County Sheriff’s Office.

It is our opinion that these were defective containers, based upon the testing we performed and the videos we shot from inside the safe. The problem, quite simply, revolves around the solenoid mechanism that controls a locking pin. This pin when in its normal state blocks lateral movement of the bolts thereby preventing their retraction. When the correct code is entered, via the keypad, the blocking pin is retracted and the bolt can be turned to the unlocked position. The problem is the design of the solenoid and spring-biased locking pin. It can be bounced to allow the bolts to pass and leave the safe in an unlocked state. As demonstrated by the three year old in our video, this safe can then be opened by simply turning the knob.

As a result of testing this particular safe, we expanded our inquiry and tested virtually every Stack-On model of small safe. What we found was disturbing. Each could be opened in a variety of ways, as we demonstrate. We also tested similar containers from Bulldog and GunVault. We reached out to these companies as well, but they refused to return phone calls.

Any consumer that owns one of these containers should return it and ask for a model that has been fixed to made it secure, or demand a refund. In our view, no weapons or valuables should be stored in one of these containers.

We provide all of the video segments of our analysis as well as televised news reports and some of the undercover video that we obtained.

Gun safe detailed report by Security Labs

Video of three year old opening four different safes

KELO-TV Sioux Falls, South Dakota

aired the accompanying story

Undercover video from Cabelas store

Security Labs Stack-On safes introduction (for each of the separate video elements)

Stack-On PC 650 gun safe

Stack-On PC-650 Portable Case with Electronic Lock
Electronic lock allows for a 3 to 8 digit combination to be programmed into the case.
Includes a backup trouble key.
Slim line design of the case allows for storage in a briefcase, under the seat
of many cars and trucks. Foam padded bottom protects contents from scratching.
Meets TSA airline firearm guidelines.
Body is designed for safe to be secured with steel cable (1500 lb. test). Cable is included.
SPECS
11” wide (27.9 cm)
8-1/4” deep (21 cm)
2-3/8” high (6 cm)
(dimensions include key pad)

VIDEO OF ANALYSIS OF PC-650

Stack-On PDS 500 gun safe

Stack-On PDS-500 Drawer Safe with Electronic Lock
Tested and listed as a California DOJ Firearm Safety Device.
2 live action locking bolts and concealed hinges.
Fastening hardware is included with each safe.
SPECS
11-13/16” wide (30 cm)
8-5/8” deep (22 cm)
4-3/8” high (11 cm)

VIDEO OF PDS-500

Stack-On biometric safes with fingerprint readers can be easily compromised.

Stack-On PS-5-B Drawer Safe with Biometric Lock,
Stack-On PS-7-B Extra Wide Safe with Biometric Lock and
Stack-On PS-10-B Personal Safe with Biometric Lock
Great security for pistols, ammo and valuables at home, on the road or in the office.
Tested and listed as California Department of Justice firearms safety devices that
conform to the requirements of California Penal Code Section 12088 and the regulations
issued thereunder.
Solid steel, pry resistant, plate steel doors, steel live action locking bolts and concealed
hinges provide greater security.
Biometric lock can be programmed to accept up to 32 different fingerprints–provides
greater security and quicker access to the safe’s contents. Also includes an electronic
lock and hidden trouble key.

PS-5-B SPECS
13-7/8” wide (35.2 cm)
11-1/2” deep (29.2 cm)
4-1/2” high (11.4 cm)

PS-7-B SPECS
17-3/4” wide (45 cm)
14-1/4” deep (36.2 cm)
7-1/8” high (18 cm)

PS-10-B SPECS
13-7/8” wide (35.2 cm)
9-7/8” deep (25 cm)
9-7/8” high (25 cm)

VIDEO OF PS-5B

Stack-On QAS 1200B biometric safe can be easily opened with paperclips.

QAS-1200-B Quick Access Safe with Biometric Lock
Tested and listed as a California DOJ Firearm Safety Device.
Biometric Lock can accept 28 different fingerprints with back up trouble key.
Biometric reader is easy to use and program.
Biometric locks provide greater security – no combinations to remember.
Holds standard sized pistols and other valuables.
Includes a removable shelf. Foam padded bottom and shelf.
Safe has pre-drilled holes for mounting to the floor, wall or a shelf.
Fastening hardware is included with each safe.
SPECS
10” wide (31.1 cm)
12-1/4” deep (30.5 cm)
8-1/4” high (21 cm)
(dimensions include key pad)

VIDEO OF QAS 1200B

QAS 710 Stack-On safe

Stack-On QAS-710 Drawer Safe with Motorized Electronic Lock
Tested and listed as a California DOJ Firearm Safety Device.
All steel construction and low profile design allows for storage in a drawer.
Lid pops up when the correct security code is entered for instant access.
Safe has pre-drilled holes for mounting in a drawer or on a shelf.
Fastening hardware is included with each safe.
SPECS
10-1/4” wide (26 cm)
16-5/8” deep (42.2 cm)
3-1/2” high (9 cm)

VIDEO OF QAS 710

Stack-On QAS 1000 can be easily opened

Stack-On QAS-1000 Quick Access Drawer Safe with Electronic Lock

Tested and listed as a California DOJ Firearm Safety Device.
Electronic lock allows for a 3 to 8 digit combination to be programmed into the safe.
Includes a backup trouble key.
Drawer pops out when locking mechanism is released.
Ball bearing drawer slide allows the drawer to slide in and out without binding.
Holds standard sized pistol and valuables.
Foam padded bottom protects contents from scratching.
Body is designed for safe to be secured with steel cable (1500 lb. test) or can be
mounted to a shelf or floor.
Cable is secured when drawer is in place.
Cable is included.
SPECS
10” wide (25.4 cm)
12-1/4” deep (31 cm)
4-5/8” high (11.6 cm)
(dimensions include key pad)

VIDEO OF QAS 1000

Stack-On QAS 1200

Stack-On QAS-1200 Quick Access Safe with Electronic Lock
Tested and listed as a California DOJ Firearm Safety Device.
Electronic lock allows for a 3 to 8 digit combination to be programmed into the safe.
Includes a backup trouble key.
Holds standard sized pistols and other valuables.
Includes a removable shelf.
Foam padded bottom and shelf.
Safe has pre-drilled holes for mounting to the floor,wall or a shelf.
Fastening hardware is included with each safe.
SPECS
10” wide (25.4 cm)
12-1/4” deep (31 cm)
8-1/4” high (21 cm)
(dimensions include key pad)

VIDEO OF QAS 1200

GunVault GV2000S gun safe

GunVault MultiVault Standard GV 2000S
Features
•Protective foam-lined interior
• Extra storage capacity and removable interior shelf
• Tamper-resistant spring-loaded door
• 16-gauge steel housing
• Audio and LED low battery warning

Customizable Convenience
•Battery power provides portability
• Optional high-strength security cable secures GunVavult in a home, car, RV, office or hotel
• Mounts almost anywhere in any direction

Foolproof Security
•Precise fittings are virtually impossible to pry open with hand tools
• Built-in computer blocks access after repeated invalid keypad entries (Digital models only)
• Tamper indicator alerts invalid entry attempts (Digital models only)

SPECS
14″ X 10.1″ X 7.9″

VIDEO OF GUNVAULT STANDARD GV2000S

BullDog BD1500 gun safe

Bulldog BD1500 Deluxe Digital Pistol Vault

Bulldog’s “Easy Guide” top pad features raised ribs that lead your fingers to the numbered buttons for quick and easy code entry. After 4 invalid keypad entries the electronics temporarily disable the control panel. In three minutes, the electronics automatically reset and will accept the valid code.

•”Easy Guide” ribbed top pad for quick entry
•”Smart Safe” technology remembers safe combination during power loss or while changing the
batteries.
•More than 1000 combinations available
•Secure cylinder key override
•Pre-drilled mounting holes
•Pre-drilled holes for optional security cable
•Deluxe foam interior with egg-crate bottom pad
•Heavy-duty steel construction
•Durable powder coated black matte finish
•Mounting hardware included
•Interior light when door is open
•Spring loaded door for quick access
•External power supply
SPECS
11.5″ x 8″ x 5.5″ /4″

BULLDOG BD1500 VIDEO

DISCLAIMERS

We tested safes produced by Stack-On, Bulldog, Amsec, and GunVault between February, 2012 and July, 2012. We tested a limited sample of each and produced videos of unaltered containers. A manufacturer may have updated or made changes to a design that would make more difficult or prevent us from opening that container in the method shown. The reader or consumer should replicate the methods shown for any particular container and run their own tests. We have no financial interest in any of the manufacturers that are detailed in this report. See the other http://in.security.org disclaimers contained on this website.

Comments are off for this post

The Medeco® m3 Deadbolt Design: How Secure is it?

deadbolt_350_3.jpg

A SIMPLE ATTACK CAN BYPASS THE SECURITY OF THIS LOCK IN LESS THAN ONE MINUTE, RENDERING ALL OF THE ADVANCED MEDECO TECHNOLOGIES VIRTUALLY IRRELEVANT.

If you are a locksmith or security professional, see the detailed analysis that follows. The password is available on ClearStar. or from the author.

There are millions of Medeco deadbolt systems in place worldwide. They are rated as one of the most secure systems available. That is based upon the Medeco reputation for quality and engineering excellence and their high security ratings by UL, BHMA/ANSI and other standards organizations. The current mechanical design of their deadbolt has been utilized on the Biaxial® product line and now the m3. Bypass of these systems by means of forced entry has been difficult although there are expensive tools that are available to compromise them.

We have conducted very limited testing but it appears there may be a serious security flaw in certain of their deadbolt designs. Part of the problem results from widening of the keyway in the m3 as discussed in Part I of this series of articles. We would urge any user to contact their locksmith, security consultant, or Medeco representative for further information. Medeco has been notified and is aware of the issue. We believe the problem is mainly with the m3 deadbolt cylinders but there may also be some Biaxial® models that could be affected.

A detailed analysis is available together with a video demonstration that clearly shows the method of bypass. This publication has been restricted to locksmiths and the professional security community because of the simplicity of the technique and the potential security ramifications that could result from a public disclosure of the exact method. If you have security responsibility, you may contact the author for access to the restricted document. The password has been posted on ClearStar for security professionals.

Marc Tobias and Matt Fiddler will be addressing this issue at Defcon 15 on August 5 in Las Vegas as part of a two hour presentation regarding design issues with conventional and high security locks. Marc Tobias will also be presenting with regard to high security locks at the HITB conference in Kuala Lumpur, Malaysia the first week in September.

® Medeco and Biaxial are registered trademarks of Medeco Security Locks, Inc.

No comments

Protected: BYPASS OF THE MEDECO® m3 DEADBOLT LOCK: A Detailed Analysis

This post is password protected. To view it please enter your password below:


Enter your password to view comments

MEDECO® m3 DETAILED ANALYSIS: Obtaining a Password

Part I of a four-part series of articles detailing potential security vulnerabilities in the Medeco Biaxial and m3 is available to locksmiths, security professionals, law enforcement and government agencies. This information is also contained in the new edition of LSS+ and is restricted.

A public summary of the first article will be published on Engadget later this week but will not contain critical information that would be required to bypass Medeco cylinders.

The password for this article will be posted on ClearStar later in the week or you can register on www.security.org for site clearance. When registering, please specifically request the password for this article.

You may also contact the author at mwtobias@security.org for access or further information.

Medeco® is a registered trademark of Medeco Security Locks, Inc.

No comments

Protected: DETAILED ANALYSIS: POTENTIAL SECURITY VULNERABILITIES OF THE MEDECO m3 AND ITS KEY CONTROL

This post is password protected. To view it please enter your password below:


Enter your password to view comments

A Personal Comment about the Gun Lock Story

Two years ago, we posted an alert about the poor quality and insecurity of gun locks. The media reported the story in an in-depth television news story. The result: absolutely nothing changed. The manufacturers continued to produce cheap locks that afforded no protection. Standards were not changed by the State of California which certifies cable and trigger locks as secure to protect kids. Retail outlets continued to sell junk locks. And more alarming, law enforcement agencies throughout the U.S. still offer poor quality gun locks to the public for free, believing that they are designed properly.

There have been many adverse comments to my posting of videos with the article on in.security.org and on engadget.com. Many think that a simple warning would have been sufficient without the videos. History has shown that this is not the case.

The reality is that if you simply warn parents that gun locks are dangerous because they create a false sense of security, the warnings will be largely ignored as they were two years ago. In fact in 2001 a security alert was published by the Consumer Product Safety Commission on this subject. Shortly thereafter, ABC did a television report on the dangers of these locks and how easily they could be compromised. Again, nothing happened. It was business as usual.

A few months ago our local sheriff showed me the gun locks that they distribute as part of the Operation ChildSafe program (funded by the Department of Justice). I decided it was time to revisit this issue. If a police department hands a gun owner a lock then, it impliedly represents that the lock is secure and will keep kids safe from guns. Our Sheriff had no idea that these locks could be so easily compromised. When he learned otherwise he took immediate action to warn every consumer that received these devices through his department.

So, for everyone that feels that our report should not have been published, I respectfully disagree. Simple warnings would accomplish nothing, as borne out by past events. This was reinforced by my conversations with the National Shooting Sports Foundation. They have distributed 35,000,000 of these cable locks and tell people they will protect kids from access to weapons. Worse, they actually believe that the standards that California passed seven years ago are sufficient to keep kids safe up to the age of seventeen. They cite the American Society of Testing and Materials as the ultimate authority on standards and the fact that these locks passed ASTM tests.

Their concern could be paraphrased thusly: “We have never had a problem with these locks so there is no problem.” I don’t question their motives, just their understanding of how these locks work.

Before I released the report I spoke with the California DOJ Firearms Division about their standards. They said that they believed that they were quite sufficient to keep kids from accessing weapons, repeating that the locks had been analyzed by designated testing laboratories and found compliant with the standards. It was the same story line.

In my view, the real issue is the standards and the manufacturers that produce cheap locks that do not even meet the minimal requirements promulgated by the DOJ. So, if this is an important issue (as I believe it is), then how do you get everyone’s attention so that something positive will occur?

Some say it is irresponsible to show how to compromise these locks. I considered very carefully whether to demonstrate the problems with these products or just write about them. I came to the conclusion that perhaps the only way to get the regulators to act was to show them what they apparently did not understand, and at the same time to graphically warn parents about the hazards of using these devices. Perhaps they might put pressure on the agencies to make needed changes.

And yes, there is a risk that kids will see this report. But I thought that would be far outweighed by the potential positive results that might occur. And frankly, it is clear that if a kid wants to access a weapon he will, regardless of whether there is a report showing him how to do it or not. The difficulty in compromising these locks is minimal and that is the entire point of the article.

The fact is that any adult that uses one of these locks as the sole protection of a handgun is grossly negligent. If they compound the problem by either locking a loaded weapon or keeping ammunition close by, then I would submit they could be held criminally liable if a kid uses the weapon.

So the conclusion I reached with regard to airing the videos was based upon the following premise: if the locks are as secure as represented by the DOJ, NSSF, and manufacturers, then why would they be concerned about showing how these locks can be compromised?

After all, they are all saying that the locks WILL protect a weapon against access by a kid, (no matter how ludicrous that argument might be) and that the standards are sufficient.

My contention: Either these locks are secure or they are not. You can’t have it both ways. And if they are not then laws should be changed so that the locks actually do what they are supposed to do.
Finally, the information that was presented has been on the Internet for quite some time as almost everyone knows. An incredible amount of material has been published about bumping, including padlocks. So kids already are aware of that method of bypass. The fact that bump keys are available on the Internet for the Master cable lock should alarm everyone. I and others have been raising this issue for the past year. In fact, I submitted draft legislation to the Postal Inspection Service six months ago to close the loopholes in the postal regulations to stop the trafficking in bump keys on the Internet.

And what about the ability to cut these cables? I would dare say that every reader would look at one of these locks and laugh at the absurdity of the ostensible protection that they afford. A pair of pliers or fourteen inch bolt cutters from Ace Hardware will sever any of these cables and everyone, including kids, knows it. Even Targus figured it out when I wrote the article last year about their much publicized armored computer lock that uses an almost identical approach as the gun cable lock.

So should we just keep quiet and continue to promote the failed concept of “security by obscurity”? I don’t think so, for the same reason that I am challenging the standards set forth by Underwriters Laboratories, BHMA, and ANSI with regard to high security locks and the ability to compromise some of them in well under the minimum time standards set forth for forced and covert entry in UL 437 and ANSI 156.30. I would submit that the risk could be far greater for reliance on some of these standards and for the defective or deficient design of some of these locks than for the compromise of gun locks.

I have never believed it was prudent to publicly demonstrate methods of covert bypass unless there was a valid reason to do so. That material is left to the multimedia edition of my book. I have never once shown such techniques in the media; only to law enforcement and security professionals. But when bypass techniques are so simple that anyone can accomplish them in a few seconds, I believe it is vastly different. In my view it enhances everyone’s security if they have a full understanding of the simplicity of the methods.

The issue raised in the gun lock story is about responsible disclosure with regard to matters of security. There has always been a legitimate debate as to whether disclosure promotes or places security at risk by publishing “secret” or more to the point, “unknown” information. The reality is that there are no more secrets. The Internet took care of all of that. And if I had simply posted a warning about the insecurity of these devices or there had been a news story written about a child that was hurt or killed as the result of his ability to bypass one of these locks, you can be sure that someone would have posted detailed information about the method of compromise. Welcome to the global information world.

There are two sides to every story and if this one has sparked thoughtful debate about the disclosure of security defects, then I would submit that the article has accomplished its purpose. Many parents have written to me after reading this article, not to complain but to voice concern about the locks they have relied upon and to ask what they should replace them with.

If you believe that material on gun locks should not have been released, then you will surely have an opinion regarding the next alert about the insecurity of small Fixed Base Operations at our airports, and the security issues it raises.

MWT

No comments

Gun Locks: Unsafe at any Caliber

A detailed report and videos that demonstrate design deficiencies in gun locks may be found at: http://download.security.org/gunlock_2007.pdf

gunlock-zev.png loganlock2-3_214.jpg

The eleven year old demonstrated the removal of three of the most popular trigger locks from a rifle in just a few seconds. The eighteenth month old examines the Project ChildSafe® cable lock for guns. We do not believe that either of these types of locks are secure as the primary method to protect weapons.

Gunlocks are designed to protect kids and keep them from gaining access to weapons. An extremely successful program was launched several years ago by the National Shooting Sports Foundation to promote gun safety and keep children away from guns. The U.S. Justice Department provided funding so that NSSF could administer a program to provide free gun locks to the public through law enforcement agencies around the country. A total of thirty-five million Project ChildSafe® locks have been produced.

We do not think these locks are secure enough and should not be used to provide the primary protection to immobilize a weapon. Poor quality locks rarely offer any protection, and this is a classic example. These devices are produced in China with cheap pin tumbler mechanisms that can be bumped open in seconds. The cables on some models are easily compromised.

The quality control in the case of at least one model, the GL710N (listed on the California DOJ website as having been produced by PCS) appears to be so poor that two out of three locks that we obtained from the Denver Police Department could be circumvented merely by twisting the cable. That’s right; simply hand twisting the cable caused it to pull loose from the lock housing! Could a kid have done that? Without question the answer is yes.

The real problem is the standards for these devices. NSSF rightfully responded to our concerns about security by stating that the locks meet California and ASTM requirements. In our view, the standards need to be updated so that they take into account real world attempts to open them, which just might involve the use of more than a paper clip or screwdriver! Kids can be clever, especially when it comes to guns.

The NSSF statement in their literature that the locks will not stop a “determined attack” does not really address the issue. Is their position really that anyone that wants to remove a lock from the gun will succeed, as opposed to the kid that half-heartedly pulls on the cable and if it does not come apart, then he gives up. Of course, in the case of the GL710N models that we tested that may be good enough!

We take an in-depth look at gun locks and the standards that are supposed to make them safe.

No comments

OPENING LOCKS BY BUMPING IN FIVE SECONDS OR LESS: Is it really a threat to security?

How a lock is bumped: the physics

See the WPIX NEW YORK news story on bumping at http://video.security.org/wpix_200.wmv

See the detailed White Paper at http://download.security.org/bumping_040206.pdf

See Bumping of locks: Legal issues in the United States
http://download.security.org/bumping_legal_mwt_040206.pdf

See the security alert at http://security.org/dial-90/alerts.htm

See the resposne to the ALOA editorial at OpEd on this site.

See Spectrum On Line at http://www.spectrum.ieee.org/jul06/comments/1459

See the feature article at www.engadget.com by the author and at
http://www.engadget.com/2006/08/24/the-lockdown-locked-but-not-secure-part-i/

A report was released on March 22, 2006 in the Netherlands regarding the vulnerability from bumping of more than 80 different pin tumbler locks that are manufactured or utilized in that country. The findings were researched and produced by Dutch Consumentenbond, the most prestigious Dutch consumer protection organization . This study was largely the result of significant research that was conducted by Toool, “The Open Organization of Lock pickers” in the Netherlands with regard to the vulnerability of certain cylinders. Their tests and that of Consumentenbond demonstrated that many locks could be opened within seconds by an unskilled individual with less than one hour of instruction.

The author previously addressed this issue in LSS+, the multimedia edition of Locks, Safes and Security, and in an article published in the ALOA magazine KEYNOTES in January, 2005. A White Paper had also been issued by members of Toool. Although the Netherlands tests showed that many locks could easily be opened with little skill, there are many variables that can affect the ability to compromise a lock in this manner. As a result, a detailed analysis of the threat level to physical security posed by bumping is now available.

1 comment

Targus Defcon CL Armored Cable Locks: Not Secure

targus_beercan.gif
The Targus Defcon CL Armored computer cable lock is touted as the most secure in the industry, but is it? Read the feature article by the author at
http://www.engadget.com/2006/09/08/the-lockdown-your-new-targus-defcon-cl-lock-hacked-by-beer/

No comments

TSA Luggage Locks Are Not Secure

tsa_052a_200.giftsa_032_200.giftsa_031a_200.giftsa_048a_200.gif

The Transportation Security Agency has approved certain locks to be used by passengers to secure their luggage against theft of contents. An investigation by the author has determined that these locks are not designed to provide any measure of security and should not be relied upon to do so. Each of the mechanisms that are examined in this report can be easily bypassed without any special tools or expertise, often in a few seconds. Detailed photographs within the report allow a thorough understanding of the TSA 002, TSA 003, TSA 004 and TSA 005 locks.

See the detailed report at http://download.security.org/tsa_luggage_locks_report.pdf

No comments

Next Page »