Popular Safe Locks Have Undisclosed Back Doors

Posted by TJ Easter II on Thursday, March 14. 2024 in Security, Tech


Two of the biggest manufacturers of locks used in commercial safes have been accused of essentially putting backdoors in at least some of their products in a new letter by Senator Ron Wyden. Wyden is urging the U.S. government to explicitly warn the public about the vulnerabilities, which Wyden says could be exploited by foreign adversaries to steal what U.S. businesses store in safes, such as trade secrets.

The little known “manufacturer” or “manager” reset codes could let third parties—such as spies or criminals—bypass locks without the owner’s consent and are sometimes not disclosed to customers. Wyden’s office also found that while the U.S. Department of Defense (DoD) bans such locks for sensitive and classified U.S. government use in part due to the security vulnerability reset codes pose, the government has deliberately not warned the public about the existence of these backdoors.

# The meatspace equivalent of the "forgot password" link.

The specific companies named in Wyden’s letter are China-based SECURAM and U.S.-based Sargent and Greenleaf (S&G). Each produces keypad locks which are then implemented into safes by other manufacturers. The full list of locks that contain backdoor codes is unknown, but documentation available online points to multiple SECURAM products which do include them, and S&G confirmed to Wyden’s office that some of its own locks also have similar codes.

[ ... ]

The findings produce clarity on sometimes-hidden features inside widely popular physical locks. They also provide an analogy to the discussion around encryption backdoors. For decades, governments, tech companies, and members of civil society have clashed over multiple lobbying attempts by agencies to have backdoors inserted into technology, and in particular, encryption products. The fact the DoD protected its own interests while not warning the public gives a stark demonstration of what could happen if a backdoor was inserted into a consumer electronics device or similar.

“The government has opted to keep the public in the dark about this vulnerability, after quietly protecting government agencies from it,” Wyden writes in the letter. The letter is addressed to the Honorable Michael C. Casey, director of the National Counterintelligence and Security Center (NCSC). The NCSC is tasked with leading the U.S. government’s counterintelligence efforts, and, of particular relevance to backdoors in locks, “provide [counterintelligence] outreach to U.S. private sector entities at risk of foreign intelligence penetration,” according to the NCSC’s website.

# These companies are using security through obscurity; that is, the locks are secure so 
# long as the reset code remains secret.  Many. not least of which is Bruce Schneier,
# have proven that this means of security is not secure at all.

[ ... ]

SECURAM products include SafeLogic Xtreme, a keypad style lock that sells for around $550. Another is the SafeLogic Direct Drive, a similar lock that is available to wholesale buyers. According to SECURAM’s documentation available online, both of these locks can include a “manager code.” This allows someone who isn’t the end user to unlock the safe lock system, change the manager code, add or delete a user code, or enable or disable a user code, the documentation reads.

# The U.S. government has banned the use of  such locks, those featuring a reset code,
# for securing anything classified while keeping consumers in the dark about the
# security implications thereof.
# The article mentions requiring a serial number from the safe to obtain the reset code.
# This is likely to avoid having a single, universal reset code.  All it takes is one 
# disgruntled former employee to leak the application the manufacturer uses and all
# is lost.

Add Comment

Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.


Search for an entry in Digital Warlock's Blog:

Did not find what you were looking for? Post a comment for an entry or contact us via email!