Securam Locks Face Security Scrutiny Amid Vulnerabilities
Zhou, a spokesperson for Securam, recently announced plans to address security vulnerabilities uncovered by researchers Omo and Rowley in the ProLogic lock series. In a statement, he emphasized that customer security remains the company’s top priority and outlined initiatives to develop next-generation locking products aimed at preventing potential attacks. He anticipates that these updated locks could be available by year’s end.
However, in a follow-up conversation, Jeremy Brookes, Securam’s director of sales, confirmed that the company will not be retrofitting existing locks in customers’ safes with security patches. Instead, he encouraged owners worried about vulnerabilities to purchase new models. Brookes further asserted that Omo and Rowley are unfairly targeting Securam in a campaign he interprets as an attempt to discredit the brand.
Omo, on the other hand, rejects Brookes’s claims, insisting that their objective is simply to alert the public to vulnerabilities in widely used safe locks that could put consumers at risk. Their findings highlight that Securam ProLogic locks are used not only by Liberty Safe but also by various other manufacturers, including Fort Knox, and by companies storing sensitive items such as narcotics in pharmacies.
Concerns regarding the security of Securam locks are not new. In March, U.S. Senator Ron Wyden issued an open letter to the then-director of the National Counterintelligence and Security Center. He warned businesses that Securam locks, which are manufactured by a company with a Chinese parent firm, featured a reset capability that could potentially serve as a backdoor for unauthorized access. This has already led to their prohibition for U.S. government use, despite widespread adoption in the private sector.
The risks presented by these vulnerabilities align precisely with the threat of backdoor access, a concern Wyden has consistently raised regarding both physical locks and digital encryption. He remarked that the government’s failure to safeguard the public has exacerbated vulnerabilities, and he called for Congress to resist backdoor approaches in technology.
Researchers Rowley and Omo initiated their investigation to uncover potential security risks linked to a largely undisclosed unlocking method used in safes, particularly following a controversy related to Liberty Safe. Their inquiry revealed that Liberty maintains a reset code for each safe, which may be disclosed to law enforcement under specific legal contexts. Liberty has since mandated stricter requirements for releasing these codes.
When Rowley and Omo turned to Securam’s ProLogic locks, they discovered a reset method described in the user manual and intended to help locksmiths when access codes have been forgotten. The process involves entering a default recovery code and generating a specific screen code through built-in parameters; an authorized locksmith can then verify that screen code with Securam to obtain a reset code.
This incident raises serious questions about the overall security posture of devices that house sensitive data or valuables. The vulnerabilities can be described in terms of the MITRE ATT&CK framework, particularly the tactics of initial access, persistence, and potential privilege escalation, which are critical to understanding the methods adversaries might exploit.
In light of these developments, business owners must remain vigilant regarding the security measures in place for their physical assets and ensure that they are not inadvertently exposed to unnecessary risks.