Security researchers James Rowley and Mark Omo have discovered critical flaws in high-security safe locks made by Securam, a company used by major brands such as Liberty Safe, Fort Knox, and CVS. The vulnerabilities allow hackers to open safes using simple techniques, rendering the devices “not very secure” at all.
Rowley and Omo’s research began with a 2021 investigation into Liberty Safe, which was found to have provided an FBI code that allowed agents to access a suspect’s safe. This led them to examine the Securam ProLogic lock, which they discovered had a backdoor intended for locksmiths. However, the researchers found a way to reverse-engineer the lock’s firmware and compute the reset code themselves.
This technique, dubbed “ResetHeist,” can be performed with little more than punching numbers into a Python script. Rowley and Omo warn that safe owners can prevent this vulnerability by changing their lock’s recovery code or encryption code. However, Securam does not recommend this safeguard in its user documentation.
The researchers also developed another technique called “CodeSnatch,” which involves removing the battery from the lock and inserting a small tool into an exposed debug port to extract the super code combination from the lock.
In one newer Securam ProLogic lock manufactured in March of this year, Securam changed the password, but Rowley and Omo were able to learn it again using a “voltage glitching” technique. This allows hackers to bypass the password check and dump the chip’s contents, including the new password.
The researchers stress that patching Securam locks’ security flaws is possible, but implementing any fixes would require manual updates lock by lock, a slow and expensive process. They warn that others with less benevolent intentions could still figure out how to replicate their safecracking tricks if they have the hardware and skills.
Rowley and Omo’s findings highlight the need for improved cybersecurity standards in consumer products. Securam locks are certified by Underwriters Laboratory, yet suffered from critical security flaws. The researchers urge safe owners to be aware of these vulnerabilities and not rely on a false sense of security.
Source: https://www.wired.com/story/securam-prologic-safe-lock-backdoor-exploits