The following article is written by By Marc Weber and published by Forbes:

I have received a plethora of e-mail from concerned security officers and locksmiths throughout the world in both commercial and government sectors, wanting to understand the magnetic attack on the Kaba Simplex series of locks that was the subject of my original article on February 1, 2011.

Kaba is one of the world’s biggest lock manufacturers, and my article about the class action against it caused everyone to want to know just how simple or difficult the attack is to accomplish and whether they (or their clients) are at risk in their facilities or homes.

Because of the number of locks that may be affected throughout the world (with many in critical facilities), I view this as an extremely important security concern. So, for the past week I have been investigating three critical issues as a follow-up: just how the vulnerability was discovered by non-experts in relation to the Simplex series of locks, what is the fix that Kaba has devised to ensure the security of thousands of facilities that rely upon these devices, and is their fix effective?

Kosher Locks (without bagels) in Brooklyn

Yesterday, I interviewed one of the plaintiffs in the lawsuit. He is Jewish, Orthodox, lives in Brooklyn, deals in real estate, and until last summer, had confidence that his Simplex push-button lock would protect his property from unauthorized entry. It seems that Kaba has found a niche in the Orthodox community, especially in New York. Everyone uses their Simplex locks. Why? Because during the Sabbath, one cannot carry keys nor do any other work that would violate religious doctrine.

Essentially, Orthodox Jews cannot drive, use the phone, utilize anything electronic, or perform functions that are normally accomplished during the week. The Sabbath is supposed to be a day of rest in all respects. However, security is still important, and locking and unlocking doors becomes a major issue for those who cannot use keys on Friday and Saturday.

The Kaba Simplex solves the problem because it is a mechanical lock that utilizes push-buttons, which, believe it or not, are allowed under Jewish law. So Kaba has, in effect, created what I will refer to as its “Kosher Locks!” According to the plaintiff that I spoke with (who wishes to remain unnamed), virtually the entire Orthodox community relies upon Kaba for their security, both in their homes and many of their businesses.

Enter the dozen or so volunteers, the Jewish Geek Squad as it were, who help the elderly of the community when they need things fixed, technical-gizmo related assistance, or to get into their houses in Brooklyn when they have forgotten the combination to their door locks. It seems that in the summer of 2009, one of these volunteers figured out that many of the Kaba locks could be opened with a relatively inexpensive magnet.

So, for the past eighteen months, they have been performing Magnetic Mitzvahs (a good deed or charitable act under Jewish law) for the residents of Brooklyn, compliments of the deficient or defective design of the Simplex. The home and business owners thought it was a miracle: How can you wave your hand in front of my door lock and it opens? “Magic,” the saviors answered. “The Lords work.” They never told anyone how they were doing it. In fact, it appears they never told anyone about their secret until this fall.

And then the word leaked out and eventually ended up in the hands of lawyers, who decided that everyone was at risk and had been misled as to the security of the locks. They filed a lawsuit in November.

If you read the motion that was filed by Kaba in December in Federal Court (and is referred to in my original post), the company claims that the ability to open these locks is dependent upon many factors, and may be difficult or even impossible to accomplish. According to Kaba, there are many variables, including finding a “sweet spot” (as the defendants characterize it) in each magnet and lock which, they go on to claim, may or may not even exist. They intimate that the locks, as I read their motion, are or can be difficult to open.

The due diligence in the plaintiff’s case started with an unnamed dad who bought a $40 magnet on-line and opened at least twenty-five locks that are “protecting” homes and businesses of his friends, relatives, and associates in Brooklyn. Then he gives his “high tech” magnet to his 13-year-old son Israel and “commands” him to open a lock. According to the father, he provides absolutely no information about the lock, where its open-spot is, or how to open it to his son. “Just do it,” he challenges.

Now what thirteen year old Yeshiva student would not jump at the chance to demonstrate just how clever he really is to his father? None. So our soon-to-be covert entry expert takes only four minutes to figure out the secret and open the lock. No prior knowledge. No training. No expertise. Nothing. All it took was just a cheap magnet and an expensive lock: the Kaba which everyone thought was secure. This was the Kaba Simplex lock that was sold to everyone who believed it would satisfy their security and religious needs at the same time.

In the motion that Kaba filed with the court, they clearly implied if not directly stated, that their locks could not be opened reliably with magnets. And even if some of them could, they claimed, it required a rare-earth magnet and some expertise to find that precise point that would allow it to be compromised.

I challenge this statement as misleading, which brings me to one of the critical reasons for posting this article and the decision I have arrived at for doing so.

In my earlier post, I rather sarcastically questioned whether Kaba engineers, in the 1960s, were aware of the concept of magnetism as it applies to covert entry. For years, my associates and I have known about and exploited the capability to open many locks with the proper application of a magnetic field. Covert entry experts have employed this technique quite successfully in many venues around the world, and the exploit is fairly well known in our community.

Lawyers for the defendant in this case seemed to focus their argument on the fact that rare-earth magnets were not commercially feasible until a few years ago (and evidently not available in the 1960s) when the lock was first developed. So goes their apparent logic that even if their engineers had considered the potential for a magnetic attack they dismissed it because no magnets were available, at least to the private sector, to accomplish such a bypass.

That argument may or may not be true and really begs the relevant question: Did they know about the potential for strong magnetic fields to move ferrous metal components within their locks? If they understood that a critical piece of the lock was subject to a magnetic field, then why did they not design it differently? Or were they just not familiar with or simply ignored the concepts of magnets-metal-and-locks as they all work together to cause them to open?

I received an e-mail from a colleague at one of our National Laboratories after he read the article. He is a senior vulnerability specialist and leads a team that discovers security and design flaws in hardware. He read the article and wrote that “Their argument (Kaba’s) that rare earth magnets are state-of-the-art is bizarre. I thought rare earths were commercially available in the late 1960s, with battery powered electromagnets (which can be stronger) available in the 1900s.”

Exactly! Every kid who watched Mr. Wizard (myself included) learned how to make a strong magnet with some wire, a battery, and an iron rod.

The problem with this attack in relation to Kaba is the ease with which it can be carried out. Initially, we produced a video that detailed the vulnerability and why it can occur. This was distributed only to locksmiths, law enforcement and security professionals on my security website. I thought it would be ill-advised to make the video openly available to all consumers, businesses and government agencies (although many government covert entry teams were actually aware of the issue quite some time ago).

I have since decided that if a thirteen year old kid can figure this out, then everyone needs to understand their risk. Just like I made known what eleven-year old JennaLynn did a few years ago when she easily opened the Kwikset lock by bumping that one, and later, high security locks.

My resolve was reinforced yesterday morning when I again contacted tech support at Kaba to see if they were now warning of the security risk that is apparently inherent in many models of their locks. I was told that the locks could be used for access control and for security applications. There was absolutely no mention of the magnet attack. That is, until I specifically inquired about Simplex and magnets. Then I was told “No comment” and referred to others in the company.

I then contacted a V.P. for Kaba, who was extremely polite but stated that it was corporate policy not to comment on pending litigation. I told him that, as a lawyer, I understood, but in fact I was not asking about the lawsuit, but about the locks and what they were going to do about it. Again I was told “No comment,” which is where things stand today.

Kaba: “All locks can be bypassed, so nobody should be liable”

Kaba argues that “all locks can be bypassed” by locksmiths and thieves because they all have access to the same tools and information. Although this may be true, in my view it completely fails to address the core issue. They claim that the company “never advertised or warranted in any way that any of its access control products are impenetrable.” No, but I would think that anyone who purchased their products had a reasonable expectation that the locks would resist a simple covert attack, at least for a few minutes. It should be noted that a close reading of their pleadings never mentions security, but only “access control.” Yet their advertising, employees and dealers continue to state that their push-button locks are “just like regular locks and are designed to control access to secure areas.”

So just what does “access control” really mean? In my world, all locks are access control devices. This is pretty obvious and basic. The real question, and one which apparently escapes Kaba, is just how difficult that access is to accomplish. And that premise is at the root of their problem. The simplicity of this attack is what is dangerous and what negates, in my view, any disclaimers that these locks are only for “access control.” Access control means restricting access to authorized individuals. Evidently, everyone with the proper magnet is “authorized.”

I don’t think the owners of these locks would agree!

A Possible Fix

We obtained what appears to be the “new” enhanced version of the combination chamber from a Simplex dealer on January 28. Recall that this is the brains of the lock. It contains the ferrous part that created this nightmare for Kaba. We also purchased a complete lock in December, 2010. It contained a combination chamber that was dated November 10, 2010. It had not been modified, and the lock was easy to open.

In our initial inspection of the new chamber, it looks like the only difference between the earlier design and the “enhanced-to-be-more-secure” model is the cover. In our preliminary tests, the cover does seem to prevent our opening the lock with the same strength magnet, but we are only just beginning our analysis. We have not yet obtained a complete new lock and housing with all of the updates, which may incorporate designs to alter the magnetic field and its effects upon the combination chamber. We are waiting for a definitive word from Kaba “that they believe the problem has been remedied” before conducting further tests and drawing any definitive conclusions.

Even more interesting is the programming sheet that is supplied with the lock and is dated December 15, 2010, regarding the installation and code programming of the new part. This came with our January 28 combination chamber.

READ MORE: FORBES