We Digitally Cracked A High Security Safe
Read more: https://slim-weight.info/story/securam-prologic-safe-lock-backdoor-exploits/
Director: Lisandro Perez-Rey
Director of Photography: Charlie Jordan
Editor: A.J. Schultz
Talent: James Rowley; Mark Omo
Host: Andy Greenberg
Written by: Andy Greenberg; Lisandro Perez-Rey
Line Producer: Jamie Rasmussen
Associate Producer: Brandon White
Production Manager: Peter Brunette
Production Coordinator: Rhyan Lark
Camera Operator: Jake Kinney
Gaffer: Nicholas Villafuerte
Sound Mixer: Rado Stefanov
Production Assistant: Abigayle Devine
Assistant Editor: Britt Bernstein
is meant to protect everything from guns to cash in stores,
Without the combination, it's supposed to be impenetrable,
but these two security researchers can open it in seconds.
No drills, no cutting tools, no stethoscope,
just two different digital flaws
that can entirely defeat this safe's security.
And the company that makes the lock on this safe,
it told me that it has no plans to update its code,
leaving safes across the US and homes, retail outlets
I'm Andy Greenberg, I investigate the strange, dark
and subversive sides of technology for WIRED.
This is Hack Lab. We digitally cracked a high security safe.
I'm here in Las Vegas for DEF CON,
America's biggest hacker conference.
Two of the security researchers I've been talking to here
are James Rowley and Mark Omo,
who revealed for the first time on stage of the conference
that they've discovered not one
but two techniques for cracking a popular line
of electronic locks sold by the China-based firm SECURAM,
and used on eight brands of high-end electronic safes.
So what was it that got you all started
on this research project that eventually led you
to find these two safe cracking techniques?
We read the New York Times article in 2023
about how the FBI was able to call Liberty Safe
Two years ago, Liberty Safe, which markets itself
as America's number one heavy duty home
and gun safe manufacturer, responded to an FBI warrant
by giving agents the combination to open the safe
of a criminal suspect in the midst
of the Bureau's investigation of the January 6th, 2021
invasion of the US Capitol Building.
that for this physical security product
that's not internet connected, that the FBI is able
to call a manufacturer and get a code from them
and they have the keys to the kingdom
Mark and James wanted to understand
how this apparent backdoor worked.
So they took a closer look at Liberty Safe
and discovered that the company does keep a reset code
for every safe and makes it available to US law enforcement
if they have a warrant or a court order.
But that was just the beginning of the story.
The locks that Liberty Safe used were actually made
separately by SECURAM, a third party vendor,
[Mark] And we focused in on the SECURAM ProLogic locks,
their higher end digital series of locks.
And one of the most interesting features
that caught our eye is they have this reset functionality
where you can through a locksmith, reset your lock
even if you've forgotten all the combinations on it.
So it turns out that these SECURAM ProLogic locks used
but also many other brands have this reset method
Yeah, we were able to dump all the firmware
and inside every single safe lock is the secret algorithm
that they use to calculate the code
that you need to reset the lock.
And we were able to reverse engineer
and replicate it so we can open almost any ProLogic lock.
We call that attack reset heist.
For our safe cracking experiment,
we headed to the headquarters of the Red Team Alliance,
a Las Vegas-based company focused on physical security
research and covert entry instruction.
you all don't even need any tools?
So let's imagine you own a safe and you forgot your code.
and they could then communicate with SECURAM
to provide that challenge to them,
and then they would give back the appropriate response
to reset all the codes on your safe.
So this is like a kind of approved interaction
between an authorized locksmith and SECURAM,
but somehow you all cracked it.
Yeah, the firmware on this lock has everything
that we needed to know to recreate that secret algorithm
So we can try the default code from the factory, all ones,
and of course, that doesn't work.
we're gonna go ahead into this recovery mode here,
and we need to type in all nines for the recovery code,
and it's gonna show us this challenge on the screen.
This is like a series of numbers,
and you are gonna copy those into your
Exactly, it's gonna show us the response that we need
[Andy] So it's like a challenge number
and then a response number that you type back
Then it's gonna warn us that we're gonna reset
the whole lock to factory defaults.
Of course, we're gonna continue.
There we go. All users deleted.
So now, it is back in this factory default setting
and that 111111 code will actually open it.
There we go. Here you go, nice.
So is there some easy way for safe owners
to disable that reset mechanism?
I mean, that seemed way too easy.
Yeah, so safe owners can actually change
what's known as the encryption code on these locks,
and that'll prevent someone from doing this
But SECURAM doesn't recommend changing the codes
in its reset method in any online user documentation
Only in a manual for some locksmiths and manufacturers.
the researchers found SECURAM suggests changing the codes
isn't necessary, and that the codes
We purchased a bunch of these locks from eBay
and on every ProLogic lock we bought,
these codes were left at the default.
This process worked on every single one that we tested.
So everybody who has a safe with a SECURAM ProLogic lock
could change the encryption code,
which would protect themselves from this technique,
which obviously they should do,
given how easy that just seemed to be.
But you have a second technique, right?
Yep, one that's not as easy to protect yourself against.
This second, even simpler hacking technique uses a device
that if it were to become available more widely
or sold online, could leave safes across the US vulnerable.
After all, beyond Liberty Safe, SECURAM ProLogic locks
are used by a long list of manufacturers,
Fort Knox, High Noble, FireKing, ProSteel, Rhino Metals,
Sun Welding, Corporate Safe Specialists,
and pharmacy safe companies, Cennox and NarcSafe.
The locks can also be found on safes used by CVS
In a moment, I'm going to try pulling off
this second technique myself to see just how easy
But first, I reached out to SECURAM to find out
what they've done to fix these vulnerabilities.
When I asked SECURAM about this,
they told me that they have no plan to fix this at all.
In fact, they have a new version of the lock
that they're gonna come out with before the end of the year,
If you want that more secure version,
you just gotta buy a new lock for your safe.
As SECURAM's director of sales, Jeremy Brooks told me,
we are not going to be offering a firmware package
We're going to offer them a new product.
In other words, if you want a security update,
also wrote in a longer statement to WIRED
that Mark and James's techniques are already known
to security industry professionals.
He also said their methods required
specialized knowledge, skills, and equipment.
To get a response to SECURAM's claims,
I spoke to Babak Javadi, a co-founder
and a professional hacker specializing in physical security.
The CEO of SECURAM also told me in a statement
that the techniques that Mark and James have shown here
Locksmiths have always had some sort
of insider secret knowledge of some kind.
that it impacts the most, the customers?
Because I suspect a lot of people would make
different purchasing decisions.
The CEO of SECURAM also told me in a statement
that they have never seen a single safe lock defeated
You don't know what you don't know
'cause people don't talk about it.
So like maybe he doesn't know, but it's definitely happened.
The most sensitive, most important situations
where this attack would be used, you wouldn't know
because it doesn't leave any obvious traces.
When you heard about how this works, were you surprised
I'm not surprised by how easy it was.
I think the thing that always strikes me as stupid
is any kind of backdoor by design.
You can call it a factory recovery method
and resources can be reverse engineered successfully.
There's no good reason to put a backdoor in a product,
and that's what I have a bigger problem with.
So can SECURAM fix this in their code?
Can they push out some sort of update or patch?
they're not connected to the internet,
so they don't have a way to push firmware updates to them.
If new firmware was developed that mitigated these issues,
you could go lock to lock with a tool,
but it'd be a very manual process.
So could just anybody figure out
Are you releasing enough information
that other people could replicate your technique
So we're not releasing the techniques that we have.
We think the potential for abuse is way too high.
But how easy would it be for somebody
to just figure out your techniques and do them themselves?
I think it would take about a week
for someone skilled in the art to execute all the work
that we did and produce a similar tool or similar research.
That's a pretty practical risk.
[Andy] Now, the researchers are going to demonstrate
their other hack, one that's even harder to defend against.
So what are we calling this second trick?
Code snatch rather than a phone app type thing.
We got a custom tool that we made that is gonna go in
through the battery door of the lock.
So we're gonna start by taking that out
and then just inserting this little guy in there,
kinda start feeling around for the pins there.
Basically, looking for a little debug port in there
that we're able to get the unlock codes out for.
There we go. Just like that, we have got the code.
So I'm just gonna put the battery back in there.
Turn the lock back on. Let it think for a second.
Then all we gotta do is type it in.
So what is this little device that you all built
and how is it possible that it can extract
It's all off-the-shelf hardware.
That is basically just a Raspberry Pi Pico
with a little screen on it and some pins up here.
We're trying to set those pins on a programming port,
which is also a debugging port,
and that lets us read out everything
from the lock's microcontroller,
including all the codes that are in the lock.
Those codes are stored in an encrypted manner,
but we can also read out the keys to decrypt them
and we decode that right there on the little
Raspberry Pi Pico and show it on the screen.
that the lock's keypad itself contains the super code,
and all you have to do is find a way to extract it.
The firmware in the keypad and the firmware in the latch
SECURAM stores the codes in the keypad part of the safe,
and really, what needs to happen is those codes
need to be stored inside the safe, behind all the concrete
So you can't get at them with a tool
or something like we did here.
If you've created this lock box that is meant
to be secure, maybe you should put the sensitive things
like the combination to open it inside instead.
Absolutely. You'd sure think so.
So can I give this a try myself?
It looked like it took a little bit of finesse.
and you can see just how easy it is.
If any idiot like me can do it, that means that somebody
could start selling this thing on the dark web
and then anybody can open one of these safes
I'm gonna turn it on now. Yeah, go for it.
[Andy] I'm pushing the top of it towards me, right?
Took a minute, but I got it. You know.
[James] And that's basically our tool
that opens the high security electronic safe lock.
If you want a few hundred thousand dollars of fake money.
Why did you decide to go public with your techniques?
You know, SECURAM's Director of Sales, Jeremy Brooks,
says that you are singling out SECURAM
and trying to discredit the company.
We want SECURAM to fix this issue, but more importantly,
of the flaws that they have today.
Mark and James are not the first to raise concerns
Last year, US Senator Ron Wyden wrote an open letter
to Michael Casey, then director
of the National Counterintelligence and Security Center,
urging Casey to warn American businesses
that safe locks made by SECURAM,
which is owned by a Chinese parent company,
have a manufacturer reset capability that could be used
as a back door, a risk that had already led to SECURAM locks
being prohibited for government use
that has a manufacturer reset capability.
Even as SECURAM locks are widely used in safes
about the researchers' safe cracking techniques,
that back doors will be exploited by our adversaries.
Yet instead of acting on my warnings
and those of security experts,
the government has left the American public
This is exactly why Congress must reject calls
for new back doors in encryption technology
and fight all efforts to force US companies
and facilitate government surveillance.
When I asked representatives at High Noble
and Liberty Safe, they told me they weren't previously aware
of any vulnerabilities in SECURAM locks,
but are now reviewing the issue
and investigating options including using alternative locks.
but said that safety is a top priority.
This story is in some ways a familiar one
A company builds an insecure product,
and it takes a couple of white hat hackers to create
a proof of concept hacking technique
that shows us definitively how vulnerable we really are.
But there's another lesson here too.
If you build a backdoor into someone's secrets
for law enforcement or even for the product's creator,
it's often just a matter of time until that backdoor
becomes an entryway for uninvited guests too.