Hackers Discover Seconds-Long Backdoor in High-Security Safes

About two years ago, security researchers James Rowley and Mark Omo delved into a scandal in the world of electronic safes. Liberty Safe, renowned as "America’s #1 heavy-duty home and gun safe manufacturer," allegedly provided the FBI with a code to access a suspect's safe during investigations related to the January 6, 2021, US Capitol building invasion.

Rowley and Omo were baffled by how easily law enforcement could open a safe that was supposedly impenetrable to anyone other than its owner. "How is it possible that there's this physical security product, and somebody else has the keys to the kingdom?" Omo wondered.

Their investigation revealed not only Liberty's method but also another backdoor, intended for locksmiths, that opens the high-security Securam ProLogic locks used across numerous safe brands. Alarmingly, they found that an attacker could abuse this locksmith backdoor to open a safe in seconds. They also identified a second vulnerability in newer Securam locks that lets a digital safecracker insert a tool into a hidden port and instantly retrieve the safe's unlock code.

The findings were presented at the Defcon hacker conference in Las Vegas, showcasing two distinct methods for opening electronic safes secured with Securam ProLogic locks, used for everything from personal firearms to pharmaceutical narcotics.

Of the two flaws, Omo emphasized the severity of the one meant for locksmiths, stressing how widespread and dangerous it is. "This attack is something where, if you had a safe with this lock, I could literally pull up the code right now with no specialized hardware," he explained. "Our testing suggests people can access almost any Securam Prologic lock worldwide."

The security vulnerabilities were shared with Securam in the previous year. However, legal threats from the company delayed public disclosure until Rowley and Omo found protection through the Electronic Frontier Foundation’s Coders’ Rights Project.

Upon being contacted by WIRED, Securam's CEO Chunlei Zhou responded to the vulnerabilities, noting they were known to industry professionals and affected other locks using similar chips. Zhou highlighted the need for skills and equipment to exploit these flaws, with no customer reportedly affected by such an attack.

Zhou acknowledged that other unlock methods already exist, such as drilling, cutting, and a locksmith device that exploits vulnerabilities in some electronic safe locks. Rowley and Omo countered that their findings were previously unknown issues, one of which requires minimal equipment, and that they pose a more significant risk than those prior methods.

Zhou said the company is working to close these gaps and aims to release updated versions by year-end. Existing locks, however, will remain vulnerable: rather than offering a firmware upgrade, Securam has decided to introduce a new product and advises customers to purchase new locks.

The vulnerabilities span multiple brands using Securam ProLogic locks, including Fort Knox, High Noble, FireKing, and even safes used in retail and pharmacy chains like CVS. US Senator Ron Wyden had previously raised alarms about the security of Securam locks, emphasizing the risks of backdoor access.

Rowley and Omo developed "ResetHeist," a method that computes a reset code using unpublished firmware secrets. A simple Python script can derive the reset code without needing much technical know-how.

Another method called "CodeSnatch" involved some hardware manipulation. The researchers used a Raspberry Pi to access a debug port and extract a "super code" for opening the lock.

Securam is working on addressing these vulnerabilities, but customers are advised to stay aware of the risks associated with their safes. Omo and Rowley caution that current US cybersecurity standards for consumer products need substantial improvement to prevent such security breaches in the future.