Zhou added in his statement that Securam will be fixing the vulnerabilities Omo and Rowley found in future models of the ProLogic lock. “Customer security is our priority and we have begun the process of creating next-generation products to thwart these potential attacks,” he writes. “We expect to have new locks on the market by the end of the year.”
Photograph: Ronda Churchill
In a followup call, Securam director of sales Jeremy Brookes confirmed that Securam has no plan to fix the vulnerability in locks already in use on customers’ safes, but suggests safe owners who are concerned buy a new lock and replace the one on their safe. “We’re not going to be offering a firmware package that upgrades it,” Brookes says. “We’re going to offer them a new product.”
Brookes adds that he believes Omo and Rowley are “singling out” Securam with the intention of “discrediting” the company.
Omo responds that’s not at all their intent. “We’re trying to make the public aware of the vulnerabilities in one of the most popular safe locks on the market,” he says.
A Senator’s Warning
Beyond Liberty Safe, Securam ProLogic locks are used by a wide variety of safe manufacturers including Fort Knox, High Noble, FireKing, Tracker, ProSteel, Rhino Metals, Sun Welding, Corporate Safe Specialists, and pharmacy safe companies Cennox and NarcSafe, according to Omo and Rowley’s research. The locks can also be found on safes used by CVS for storing narcotics and by multiple US restaurant chains for storing cash.
Rowley and Omo aren’t the first to raise concerns about the security of Securam locks. In March of last year, US senator Ron Wyden wrote an open letter to Michael Casey, then-director of the National Counterintelligence and Security Center, urging Casey to make clear to American businesses that safe locks made by Securam, which is owned by a Chinese parent company, have a manufacturer reset capability. That capability, Wyden wrote, could be used as a backdoor—a risk that had already led to Securam locks being prohibited for US government use like all other locks with a manufacturer reset, even as they’re widely used by private US companies.
In response to learning about Rowley and Omo’s research, Wyden wrote in a statement to WIRED that the researchers’ findings represent exactly the risk of a backdoor—whether in safes or in encryption software—that he’s tried to call attention to.
“Experts have warned for years that backdoors will be exploited by our adversaries, yet instead of acting on my warnings and those of security experts, the government has left the American public vulnerable,” Wyden writes. “This is exactly why Congress must reject calls for new backdoors in encryption technology and fight all efforts by other governments, such as the UK, to force US companies to weaken their encryption to facilitate government surveillance.”
ResetHeist
Rowley and Omo’s research began with that same concern, that a largely undisclosed unlocking method in safes might represent a broader security risk. They initially went searching for the mechanism behind the Liberty Safe backdoor that had caused a backlash against the company in 2023, and found a relatively straightforward answer: Liberty Safe keeps a reset code for every safe and, in some cases, makes it available to US law enforcement.
Liberty Safe has since written on its website that it now requires a subpoena, a court order, or other compulsory legal process to hand over that master code, and will also delete its copy of the code at a safe owner’s request.
Rowley and Omo planned to reveal the existence of Securam’s vulnerabilities more than a year ago, but held off until now due to the company’s legal threats.Photograph: Ronda Churchill
Rowley and Omo didn’t find any security flaw that would allow them to abuse that particular law enforcement-friendly backdoor. When they started examining the Securam ProLogic lock, however, their research on the higher-end version of the two kinds of Securam lock used on Liberty Safe products revealed something more intriguing. The locks have a reset method documented in their manual, intended in theory for use by locksmiths helping safe owners who have forgotten their unlock code.
Enter a “recovery code” into the lock—set to “999999” by default—and it uses that value, another number stored in the lock called an encryption code, and a third, random variable to compute a code that’s displayed on the screen. An authorized locksmith can then read that code to a Securam representative over the phone, who then uses that value and a secret algorithm to compute a reset code the locksmith can enter into the keypad to set a new unlock combination.