Lock manufacturers can be liable for designs that have serious security vulnerabilities. Several class action lawsuits have been filed against lock makers for such design issues. Especially in the United States, liability can attach, especially is someone is hurt or killed, or significant property damage occurs. Essentially the rule is that if the lock has a state-of-the-art design and the attack is also complex or sophisticated, then the manufacturer will not be liable. However, if the design defect is simple and should have been anticipated, and the attack is also simple, then the lock make will be held responsible.
We have reduced this premise to our 3T2R rule, which states that the criteria is Time, Tools, and Training. If training to learn the attack is minimal, required tools are simple, and the time to bypass the mechanism is minimal, then liability will generally attach. However, if the reverse is true, then the lock maker should not be held liable. The other component to the test is Repeatability and Reliability of the attack. Just because there is an exploit does not mean the lock is not secure. However, if the exploit is both reliable and repeatable, then obviously there is a problem. Remember, all security is about time delay, and all Standards are also based upon the time it takes to defeat the lock.
Many lock makers have argued that they are not liable or anything because the locks were not used in their normal anticipated state. This is not correct, because locks are designed to be attacked. That is also why we have standards to assess their resistance to forced and covert entry.
There are several cases in this area that are instructive.
Kryptonite bike locks were attacked in 2004 by Marc Tobias, Matt Fiddler, and others, through the use of a ballpoint pen. The design engineers failed to “connect the dots” between the design of a tubular pin tumbler lock, impressioning technique, the diameter of the keyway and its correlation to the diameter of common plastic ballpoint pens. The defect was disclosed by Marc Tobias in 2004 and led to the recall of 350,000 locks, at a cost to the company of $10,000,000. The design issue also affected Kensington and its computer cable locks, and Harley Davidson motorcycles, as well as elevator control companies and others that utilized tubular lock designs in vending machines and alarm panels.
KABA SIMPLEX PUSH BUTTON LOCK
The Kaba Simplex 1000 push button lock was the subject of a class action lawsuit in 2010 because the locks had a fatal design defect that allowed them to be opened with a strong rare-earth magnet in seconds. These locks can be found in millions of installations including airports, banks, universities, hospitals and other areas that require some level of access control. The problem with the design was a critical component that was subject to magnetic fields. While the lock was designed in 1965 when the first patent was issued, it was still being sold in 2010, so 1965 standards did not apply with regard to security.
Kaba response to class action lawsuit Kaba_response
One of the best deadbolt locks made by Medeco was knocked-off and produced in Canada. The company copied a design defect that was corrected by Medeco in 2007. The engineers that developed this lock failed to understand that the entire security of the system was based upon two tiny screws that retained the plug within the cylinder.
HP is a trusted company, and consumers believed they knew what they were doing when they designed their laptop lock to compete with Kensington, which is the leader and innovator in the industry. HP introduced a lock that was subject to attack within a couple of seconds and offered essentially no protection against theft.
HP produced an easily defeated laptop lock, which is an excellent example of insecurity engineering. Watch the video.
Stack-On is one of the largest gun safe and vault manufacturers in the United States. They produced a series of safes that were deemed defective in design and one of their safes caused the death of a three year old, which was examined by KENS-TV in Austin, Texas. That video report can be found on this site.
A class action lawsuit was filed by Marc Tobias and Larry Drury in 2012 and ultimately settled by the company without admitting liability. It cost them several million dollars.