We Digitally Cracked A High Security Safe

Safes are everywhere in America, securing everything from cash and guns to narcotics and sensitive personal documents—in both homes and workplaces. But with no drills or cutting tools, security researchers James Rowley and Mark Omo have developed two separate techniques for cracking the Securam ProLogic L02, a digital lock used on 8 popular brands of high security electronic safes sold in the U.S. The kicker? The company that makes the lock has no plans to update its code, leaving safes across the country vulnerable.

Read more: https://www.wired.com/story/securam-prologic-safe-lock-backdoor-exploits/

Director: Lisandro Perez-Rey
Director of Photography: Charlie Jordan
Editor: A.J. Schultz
Talent: James Rowley; Mark Omo
Host: Andy Greenberg
Written by: Andy Greenberg; Lisandro Perez-Rey
Line Producer: Jamie Rasmussen
Associate Producer: Brandon White
Production Manager: Peter Brunette
Production Coordinator: Rhyan Lark
Camera Operator: Jake Kinney
Gaffer: Nicholas Villafuerte
Sound Mixer: Rado Stefanov
Production Assistant: Abigayle Devine
Assistant Editor: Britt Bernstein

Released on 09/11/2025

Transcript

This high security safe

is meant to protect everything from guns to cash in stores,

to narcotics in a pharmacy.

Without the combination, it's supposed to be impenetrable,

but these two security researchers can open it in seconds.

No drills, no cutting tools, no stethoscope,

just two different digital flaws

that can entirely defeat this safe's security.

And the company that makes the lock on this safe,

it told me that it has no plans to update its code,

leaving safes across the US in homes, retail outlets

and pharmacies vulnerable.

I'm Andy Greenberg, I investigate the strange, dark

and subversive sides of technology for WIRED.

This is Hack Lab. We digitally cracked a high security safe.

I'm here in Las Vegas for DEF CON,

America's biggest hacker conference.

Two of the security researchers I've been talking to here

are James Rowley and Mark Omo,

who revealed for the first time on stage of the conference

that they've discovered not one

but two techniques for cracking a popular line

of electronic locks sold by the China-based firm SECURAM,

and used on eight brands of high-end electronic safes.

So what was it that got you all started

on this research project that eventually led you

to find these two safe cracking techniques?

We read the New York Times article in 2023

about how the FBI was able to call Liberty Safe

and get a code from them.

Two years ago, Liberty Safe, which markets itself

as America's number one heavy duty home

and gun safe manufacturer, responded to an FBI warrant

by giving agents the combination to open the safe

of a criminal suspect in the midst

of the Bureau's investigation of the January 6th, 2021

invasion of the US Capitol Building.

So it really blew me away

that for this physical security product

that's not internet connected, that the FBI is able

to call a manufacturer and get a code from them

and they have the keys to the kingdom

to open a safe that you own.

Mark and James wanted to understand

how this apparent backdoor worked.

So they took a closer look at Liberty Safe

and discovered that the company does keep a reset code

for every safe and makes it available to US law enforcement

if they have a warrant or a court order.

But that was just the beginning of the story.

The locks that Liberty Safe used were actually made

separately by SECURAM, a third-party vendor.

[Mark] And we focused in on the SECURAM ProLogic locks,

their higher end digital series of locks.

And one of the most interesting features

that caught our eye is they have this reset functionality

where you can through a locksmith, reset your lock

even if you've forgotten all the combinations on it.

So it turns out that these SECURAM ProLogic locks used

on Liberty Safe safes,

but also many other brands have this reset method

and you all cracked it.

Yeah, we were able to dump all the firmware

out of the microcontroller

and inside every single safe lock is the secret algorithm

that they use to calculate the code

that you need to reset the lock.

And we were able to reverse engineer

and replicate it so we can open almost any ProLogic lock.

We call that attack reset heist.

So can you show us?

Yeah, let's do it.

For our safe cracking experiment,

we headed to the headquarters of the Red Team Alliance,

a Las Vegas-based company focused on physical security

research and covert entry instruction.

So for this first technique,

you all don't even need any tools?

Nope, just my phone.

Well, how does it work?

So let's imagine you own a safe and you forgot your code.

You could call a locksmith

and they could then communicate with SECURAM

to provide that challenge to them,

and then they would give back the appropriate response

to reset all the codes on your safe.

So this is like a kind of approved interaction

between an authorized locksmith and SECURAM,

but somehow you all cracked it.

Yeah, the firmware on this lock has everything

that we needed to know to recreate that secret algorithm

on my phone right here.

So we can try the default code from the factory, all ones,

and of course, that doesn't work.

[lock clanking]

So what we need to do,

we're gonna go ahead into this recovery mode here,

and we need to type in all nines for the recovery code,

and it's gonna show us this challenge on the screen.

This is like a series of numbers,

and you are gonna copy those into your

program here on your phone.

Exactly, it's gonna show us the response that we need

to provide to the lock here.

[Andy] So it's like a challenge number

and then a response number that you type back

into the keypad.

That's exactly right.

Then it's gonna warn us that we're gonna reset

the whole lock to factory defaults.

Of course, we're gonna continue.

There we go. All users deleted.

So now, it is back in this factory default setting

and that 111111 code will actually open it.

Yep. Give it a try. Okay.

[lock beeping]

There we go. Here you go, nice.

So is there some easy way for safe owners

to disable that reset mechanism?

I mean, that seemed way too easy.

Yeah, so safe owners can actually change

what's known as the encryption code on these locks,

and that'll prevent someone from doing this

without knowing that code.

But SECURAM doesn't recommend changing the codes

in its reset method in any online user documentation

the researchers could find.

Only in a manual for some locksmiths and manufacturers.

In another SECURAM webinar,

the researchers found SECURAM suggests changing the codes

isn't necessary, and that the codes

are usually never changed.

We purchased a bunch of these locks from eBay

and on every ProLogic lock we bought,

these codes were left at the default.

This process worked on every single one that we tested.

So everybody who has a safe with a SECURAM ProLogic lock

could change the encryption code,

which would protect themselves from this technique,

which obviously they should do,

given how easy that just seemed to be.

But you have a second technique, right?

Yep, one that's not as easy to protect yourself against.

This second, even simpler hacking technique uses a device

that if it were to become available more widely

or sold online, could leave safes across the US vulnerable.

After all, beyond Liberty Safe, SECURAM ProLogic locks

are used by a long list of manufacturers,

Fort Knox, High Noble, FireKing, ProSteel, Rhino Metals,

Sun Welding, Corporate Safe Specialists,

and pharmacy safe companies, Cennox and NarcSafe.

The locks can also be found on safes used by CVS

for storing narcotics.

In a moment, I'm going to try pulling off

this second technique myself to see just how easy

it really is.

But first, I reached out to SECURAM to find out

what they've done to fix these vulnerabilities.

When I asked SECURAM about this,

they told me that they have no plan to fix this at all.

In fact, they have a new version of the lock

that they're gonna come out with before the end of the year,

but they've essentially said,

If you want that more secure version,

you just gotta buy a new lock for your safe.

It's an interesting approach.

As SECURAM's director of sales, Jeremy Brooks told me,

we are not going to be offering a firmware package

that upgrades it.

We're going to offer them a new product.

In other words, if you want a security update,

buy a new lock.

SECURAM's CEO, Chunlei Zhou

also wrote in a longer statement to WIRED

that Mark and James's techniques are already known

to security industry professionals.

He also said their methods required

specialized knowledge, skills and equipment.

To get a response to SECURAM's claims,

I spoke to Babak Javadi, a co-founder

of the Red Team Alliance,

and a professional hacker specializing in physical security.

The CEO of SECURAM also told me in a statement

that the techniques that Mark and James have shown here

are already known.

Known by who?

Locksmiths have always had some sort

of insider secret knowledge of some kind.

Are they known to the people

that it impacts the most, the customers?

Because I suspect a lot of people would make

different purchasing decisions.

The CEO of SECURAM also told me in a statement

that they have never seen a single safe lock defeated

through a use of this attack.

You don't know what you don't know

'cause people don't talk about it.

So like maybe he doesn't know, but it's definitely happened.

The most sensitive, most important situations

where this attack would be used, you wouldn't know

because it doesn't leave any obvious traces.

When you heard about how this works, were you surprised

at how easy it was?

I'm not surprised by how easy it was.

I think the thing that always strikes me as stupid

is any kind of backdoor by design.

You can call it a factory recovery method

or customer support tool.

Everything with enough focus

and resources can be reverse engineered successfully.

There's no good reason to put a backdoor in a product,

and that's what I have a bigger problem with.

So can SECURAM fix this in their code?

Can they push out some sort of update or patch?

SECURAM on these locks,

they're not connected to the internet,

so they don't have a way to push firmware updates to them.

If new firmware was developed that mitigated these issues,

you could go lock to lock with a tool,

but it'd be a very manual process.

So could just anybody figure out

what you all have done here?

Are you releasing enough information

that other people could replicate your technique

and use it for crime?

So we're not releasing the techniques that we have.

We think the potential for abuse is way too high.

But how easy would it be for somebody

to just figure out your techniques and do them themselves?

I think it would take about a week

for someone skilled in the art to execute all the work

that we did and produce a similar tool or similar research.

That's a pretty practical risk.

Absolutely.

[Andy] Now, the researchers are going to demonstrate

their other hack, one that's even harder to defend against.

So what are we calling this second trick?

We call that one code snatch.

Code snatch rather than a phone app type thing.

We got a custom tool that we made that is gonna go in

through the battery door of the lock.

So we're gonna start by taking that out

and then just inserting this little guy in there,

kinda start feeling around for the pins there.

Basically, looking for a little debug port in there

that we're able to get the unlock codes out for.

There we go. Just like that, we have got the code.

So I'm just gonna put the battery back in there.

Turn the lock back on. Let it think for a second.

Then all we gotta do is type it in.

[lock beeping]

There we go.

So what is this little device that you all built

and how is it possible that it can extract

the super code so easily?

It's all off the shelf hardware.

That is basically just a Raspberry Pi Pico

with a little screen on it and some pins up here.

We're trying to set those pins on a programming port,

which is also a debugging port,

and that lets us read out everything

from the lock's microcontroller,

including all the codes that are in the lock.

Those codes are stored in an encrypted manner,

but we can also read out the keys to decrypt them

and we decode that right there on the little

Raspberry Pi Pico and show it on the screen.

It's kind of shocking

that the lock's keypad itself contains the super code,

and all you have to do is find a way to extract it.

The firmware in the keypad and the firmware in the latch

both need to be reworked.

SECURAM stores the codes in the keypad part of the safe,

and really, what needs to happen is those codes

need to be stored inside the safe, behind all the concrete

and steel that protects them.

So you can't get at them with a tool

or something like we did here.

If you've created this lock box that is meant

to be secure, maybe you should put the sensitive things

like the combination to open it inside instead.

Absolutely. You'd sure think so.

So can I give this a try myself?

It looked like it took a little bit of finesse.

Give it a try yourself

and you can see just how easy it is.

Battery out.

If any idiot like me can do it, that means that somebody

could start selling this thing on the dark web

and then anybody can open one of these safes

anywhere in the world.

I'm gonna turn it on now. Yeah, go for it.

[Andy] I'm pushing the top of it towards me, right?

[James] Yeah.

Oh, there it is. Hey.

Took a minute, but I got it. You know.

You got the code. Type it in.

[lock beeping]

[lock clicks] There we go.

[James] And that's basically our tool

that opens the high security electronic safe lock.

If you want a few hundred thousand dollars of fake money.

Why did you decide to go public with your techniques?

You know, SECURAM's Director of Sales, Jeremy Brooks,

says that you are singling out SECURAM

and trying to discredit the company.

So that's not it at all.

We want SECURAM to fix this issue, but more importantly,

we want people to be aware

of the flaws that they have today.

Mark and James are not the first to raise concerns

about SECURAM's locks.

Last year, US Senator Ron Wyden wrote an open letter

to Michael Casey, then director

of the National Counterintelligence and Security Center,

urging Casey to warn American businesses

that safe locks made by SECURAM,

which is owned by a Chinese parent company,

have a manufacturer reset capability that could be used

as a back door, a risk that had already led to SECURAM locks

being prohibited for government use

along with every other safe

that has a manufacturer reset capability.

Even as SECURAM locks are widely used in safes

in US private companies.

When I wrote to the senator

about the researchers' safe cracking techniques,

Wyden sent me a statement.

Experts have warned for years

that back doors will be exploited by our adversaries.

Yet instead of acting on my warnings

and those of security experts,

the government has left the American public

vulnerable, Wyden writes.

This is exactly why Congress must reject calls

for new back doors in encryption technology

and fight all efforts to force US companies

to weaken their encryption

and facilitate government surveillance.

When I asked representatives at High Noble

and Liberty Safe, they told me they weren't previously aware

of any vulnerabilities in SECURAM locks,

but are now reviewing the issue

and investigating options including using alternative locks.

CVS declined to comment,

but said that safety is a top priority.

This story is in some ways a familiar one

in the security industry.

A company builds an insecure product,

refuses to update it,

and it takes a couple of white hat hackers to create

a proof of concept hacking technique

that shows us definitively how vulnerable we really are.

But there's another lesson here too.

If you build a backdoor into someone's secrets

for law enforcement or even for the product's creator,

it's often just a matter of time until that backdoor

becomes an entryway for uninvited guests too.

This is Hack Lab. I'm Andy Greenberg.

[logo warbling]