diff --git a/pico-keys-sdk b/pico-keys-sdk
index 8aad7bd..39c3339 160000
--- a/pico-keys-sdk
+++ b/pico-keys-sdk
@@ -1 +1 @@
-Subproject commit 8aad7bdef9103f0c2abb4ececffa29928d489403
+Subproject commit 39c3339b38b4adce642ba9a0013e4f3eba0919ee
diff --git a/src/hsm/cmd_read_binary.c b/src/hsm/cmd_read_binary.c
index a5bca1c..0a36fac 100644
--- a/src/hsm/cmd_read_binary.c
+++ b/src/hsm/cmd_read_binary.c
@@ -22,7 +22,7 @@ typedef int (*file_data_handler_t)(const file_t *f, int mode);
 int cmd_read_binary(void) {
     uint16_t offset = 0;
     uint8_t ins = INS(apdu), p1 = P1(apdu), p2 = P2(apdu);
-    const file_t *ef = NULL;
+    file_t *ef = NULL;
 
     if ((ins & 0x1) == 0) {
         if ((p1 & 0x80) != 0) {
@@ -62,6 +62,18 @@ int cmd_read_binary(void) {
         }
     }
 
+    if (ef == NULL) {
+        return SW_FILE_NOT_FOUND();
+    }
+
+    if (offset > 0x7fff) {
+        return SW_WRONG_P1P2();
+    }
+
+    if ((ef->fid >> 8) == PROT_DATA_PREFIX) {
+        ef->acl[ACL_OP_READ_SEARCH] = 0x90; //force PIN for protected data objects
+    }
+
     if ((ef->fid >> 8) == KEY_PREFIX || !authenticate_action(ef, ACL_OP_READ_SEARCH)) {
         return SW_SECURITY_STATUS_NOT_SATISFIED();
     }