Safes are everywhere in America, securing everything from cash and guns to narcotics and sensitive personal documents—in both homes and workplaces. But with no drills or cutting tools, security researchers James Rowley and Mark Omo have developed two separate techniques for cracking the Securam ProLogic L02, a digital lock used on 8 popular brands of high security electronic safes sold in the U.S. The kicker? The company that makes the lock has no plans to update its code, leaving safes across the country vulnerable.

Read more: https://www.wired.com/story/securam-prologic-safe-lock-backdoor-exploits/

Director: Lisandro Perez-Rey
Director of Photography: Charlie Jordan
Editor: A.J. Schultz
Talent: James Rowley; Mark Omo
Host: Andy Greenberg
Written by: Andy Greenberg; Lisandro Perez-Rey
Line Producer: Jamie Rasmussen
Associate Producer: Brandon White
Production Manager: Peter Brunette
Production Coordinator: Rhyan Lark
Camera Operator: Jake Kinney
Gaffer: Nicholas Villafuerte
Sound Mixer: Rado Stefanov
Production Assistant: Abigayle Devine
Assistant Editor: Britt Bernstein
Transcript
00:00 This high-security safe is meant to protect everything from guns to cash in stores to
00:05 narcotics in a pharmacy. Without the combination, it's supposed to be impenetrable. But these two
00:09 security researchers can open it in seconds. No drills, no cutting tools, no stethoscope. Just
00:14 two different digital flaws that can entirely defeat this safe's security. And the company
00:18 that makes the lock on this safe, it told me that it has no plans to update its code,
00:22 leaving safes across the U.S. in homes, retail outlets, and pharmacies vulnerable. I'm Andy
00:28 Greenberg. I investigate the strange, dark, and subversive sides of technology for Wired.
00:32 This is Hack Lab. We digitally cracked a high-security safe. I'm here in Las Vegas for
00:38 DEF CON, America's biggest hacker conference. Two of the security researchers I've been talking to here
00:43 are James Rowley and Mark Omo, who revealed for the first time on stage at the conference that
00:47 they've discovered not one, but two techniques for cracking a popular line of electronic locks
00:52 sold by the China-based firm SecureRAM and used on eight brands of high-end electronic safes.
00:58 So what was it that got you all started on this research project that eventually led you to find
01:02 these two safe-cracking techniques? We read the New York Times article in 2023 about how the FBI was
01:08 able to call Liberty Safe and get a code from them. Two years ago, Liberty Safe, which markets itself as
01:14 America's number one heavy-duty home and gun safe manufacturer, responded to an FBI warrant by giving
01:20 agents the combination to open the safe of a criminal suspect in the midst of the Bureau's
01:24 investigation of the January 6, 2021 invasion of the U.S. Capitol building. So it really blew me away
01:29 that for this physical security product that's not internet connected, that the FBI is able to call
01:34 a manufacturer and get a code from them, and they have the keys to the kingdom to open a safe that you
01:40 own. Mark and James wanted to understand how this apparent backdoor worked. So they took a closer look
01:45 at Liberty Safe and discovered that the company does keep a reset code for every safe and makes
01:50 it available to U.S. law enforcement if they have a warrant or a court order. But that was just the
01:54 beginning of the story. The locks that Liberty Safe used were actually made separately by SecureRAM,
01:59 a third-party vendor. And we focused in on the SecureRAM ProLogic locks, their higher-end digital
02:05 series of locks. And one of the most interesting features that caught our eye is they have this reset
02:09 functionality where you can, through a locksmith, reset your lock even if you've forgotten all the
02:14 combinations on it. So it turns out that these SecureRAM ProLogic locks used on Liberty Safe
02:19 safes, but also many other brands, have this reset method, and you all cracked it. Yeah,
02:23 we were able to dump all the firmware out of the microcontroller, and inside every single safe lock
02:28 is the secret algorithm that they use to calculate the code that you need to reset the lock. And we
02:33 were able to reverse engineer and replicate it so we can open almost any ProLogic lock. We call that
02:39 attack Reset Heist. So can you show us? Yeah, let's do it!
02:44 For our safe cracking experiment, we headed to the headquarters of the Red Team Alliance,
02:49 a Las Vegas-based company focused on physical security research and covert entry instruction.
02:55 So for this first technique, you all don't even need any tools.
02:57 Nope, just my phone.
02:59 Well, how does it work?
02:59 So let's imagine you own a safe and you forgot your code. You could call a locksmith,
03:04 and they could then communicate with SecureRAM to provide that challenge to them,
03:07 and then they would give back the appropriate response to reset all the codes on your safe.
03:12 So this is like a kind of approved interaction between an authorized locksmith and SecureRAM,
03:16 but somehow you all cracked it.
03:17 Yeah, the firmware on this lock has everything that we needed to know to recreate that secret
03:23 algorithm on my phone right here. So we can try the default code from the factory, all ones,
03:28 and of course that doesn't work. So what we need to do, we're going to go ahead into this recovery mode here,
03:35 and we need to type in all nines for the recovery code, and it's going to show us this challenge on the screen.
03:41 This is like a series of numbers, and you're going to copy those into your program here on your phone.
03:46 Exactly. It's going to show us the response that we need to provide to the lock here.
03:50 So it's like a challenge number and then a response number that you type back into the keypad.
03:54 That's exactly right. Then it's going to warn us that we're going to reset the whole lock to factory defaults.
03:59 Of course, we're going to continue. There we go. All users deleted.
04:01 So now it is back in this factory default setting, and that 1111111 code will actually open it.
04:07 Yep. Give it a try.
04:08 Okay.
04:15 There we go. There you go. Nice. So is there some easy way for safe owners to disable that reset mechanism?
04:23 I mean, that seemed way too easy.
04:24 Yeah. So safe owners can actually change what's known as the encryption code on these locks,
04:28 and that'll prevent someone from doing this without knowing that code.
04:31 But SecureRAM doesn't recommend changing the codes in its reset method in any online user documentation
04:36 the researchers could find, only in a manual for some locksmiths and manufacturers.
04:41 In another SecureRAM webinar the researchers found, SecureRAM suggests changing the codes isn't necessary
04:46 and that the codes are usually never changed.
04:49 We purchased a bunch of these locks from eBay, and on every ProLogic lock we bought,
04:53 these codes were left at the default. This process worked on every single one that we tested.
04:58 So everybody who has a safe with a SecureRAM ProLogic lock could change the encryption code,
05:02 which would protect themselves from this technique, which obviously they should do given how easy that just seemed to be.
05:06 But you have a second technique, right?
05:08 Yep. One that's not as easy to protect yourself against.
05:11 This second, even simpler hacking technique uses a device that, if it were to become available more widely or sold online,
05:17 could leave safes across the U.S. vulnerable.
05:20 After all, beyond Liberty Safe, SecureRAM ProLogic locks are used by a long list of manufacturers:
05:25 Fort Knox, High Noble, Fire King, ProSteel, Rhino Metal, Sun Welding, Corporate Safe Specialists,
05:30 and the pharmacy safe companies Cenex and NarcSafe.
05:33 The locks can also be found on safes used by CVS for storing narcotics.
05:37 In a moment, I'm going to try pulling off this second technique myself to see just how easy it really is.
05:43 But first, I reached out to SecureRAM to find out what they've done to fix these vulnerabilities.
05:47 When I asked SecureRAM about this, they told me that they have no plan to fix this at all.
05:51 In fact, they have a new version of the lock that they're going to come out with before the end of the year.
05:56 But they've essentially said, if you want that more secure version, you just got to buy a new lock for your safe.
06:02 It's an interesting approach.
06:03 As SecureRAM's Director of Sales, Jeremy Brooks, told me,
06:06 we're not going to be offering a firmware package that upgrades it.
06:09 We're going to offer them a new product.
06:11 In other words, if you want a security update, buy a new lock.
06:13 SecureRAM's CEO, Chunlei Zhou, also wrote in a longer statement to Wired that Mark and James' techniques are already known to security industry professionals.
06:22 He also said their methods required specialized knowledge, skills, and equipment.
06:25 To get a response to SecureRAM's claims, I spoke to Babak Javadi, a co-founder of the Red Team Alliance and a professional hacker specializing in physical security.
06:33 The CEO of SecureRAM also told me in a statement that the techniques that Mark and James have shown here are already known.
06:39 Known by who?
06:40 Locksmiths have always had some sort of insider secret knowledge of some kind.
06:44 Are they known to the people that it impacts the most, the customers?
06:47 Because I suspect a lot of people would make different purchasing decisions.
06:50 The CEO of SecureRAM also told me in a statement that they have never seen a single safe lock defeated through a use of this attack.
06:57 You don't know what you don't know because people don't talk about it.
06:59 So like maybe he doesn't know, but it's definitely happened.
07:02 The most sensitive, most important situations where this attack would be used, you wouldn't know because it doesn't leave any obvious traces.
07:09 When you heard about how this works, were you surprised at how easy it was?
07:13 I'm not surprised by how easy it was.
07:15 I think the thing that always strikes me as stupid is any kind of backdoor by design.
07:22 You can call it a factory recovery method or customer support tool.
07:27 Everything with enough focus and resources can be reverse engineered successfully.
07:31 There's no good reason to put a backdoor in a product.
07:36 And that's what I have a bigger problem with.
07:37 So can SecureRAM fix this in their code?
07:40 Can they push out some sort of update or patch?
07:42 SecureRAM on these locks, they're not connected to the internet.
07:45 So they don't have a way to push firmware updates to them.
07:48 If new firmware was developed that mitigated these issues, you could go lock to lock with a tool, but it'd be a very manual process.
07:55 So could just anybody figure out what you all have done here?
07:58 Are you releasing enough information that other people could replicate your technique and use it for crime?
08:02 So we're not releasing the techniques that we have.
08:05 We think the potential for abuse is way too high.
08:08 But how easy would it be for somebody to just figure out your techniques and do them themselves?
08:12 I think it would take about a week for someone skilled in the art to execute all the work that we did and produce a similar tool or similar research.
08:20 That's a pretty practical risk.
08:22 Absolutely.
08:23 Now the researchers are going to demonstrate their other hack, one that's even harder to defend against.
08:28 So what are we calling this second trick?
08:30 We call that one CodeSnatch.
08:34 CodeSnatch, rather than a phone app type thing, we've got a custom tool that we made that is going to go in through the battery door of the lock.
08:42 So we're going to start by taking that out and then just inserting this little guy in there, kind of start feeling around for the pins there.
08:52 Basically looking for a little debug port in there that we're able to get the unlock codes out for.
08:57 There we go.
08:58 Just like that, we've got the code.
09:01 So I'm just going to put the battery back in there, turn the lock back on, let it think for a second.
09:06 Then all we got to do is type it in.
09:07 There we go.
09:12 So what is this little device that you all built and how is it possible that it can extract the super code so easily?
09:17 It's all off-the-shelf hardware.
09:18 That is basically just a Raspberry Pi Pico with a little screen on it and some pins up here.
09:24 We're trying to set those pins on a programming port, which is also a debugging port.
09:29 And that lets us read out everything from the lock's microcontroller, including all the codes that are in the lock.
09:36 Those codes are stored in an encrypted manner, but we can also read out the keys to decrypt them.
09:41 And we decode that right there on the little Raspberry Pi Pico and show it on the screen.
09:45 It's kind of shocking that the lock's keypad itself contains this super code and all you have to do is find a way to extract it.
09:53 The firmware in the keypad and the firmware in the latch both need to be reworked.
09:57 SecureRAM stores the codes in the keypad part of the safe.
10:01 And really what needs to happen is those codes need to be stored inside the safe, behind all the concrete and steel that protects them.
10:08 So you can't get at them with a tool or something like we did here.
10:12 If you've created this lock box that is meant to be secure, maybe you should put the sensitive things, like the combination, to open it inside instead.
10:19 Absolutely.
10:19 You sure think so.
10:21 So can I give this a try myself?
10:22 It looked like it took a little bit of finesse.
10:24 Give it a try yourself and see just how easy it is.
10:27 Battery out.
10:28 If any idiot like me can do it, that means that somebody could start selling this thing on the dark web and then anybody can open one of these safes anywhere in the world.
10:36 I'm going to turn it on now.
10:37 Yeah, go for it.
10:38 I'm pushing the top of it towards me, right?
10:40 Yeah.
10:41 Oh, there it is.
10:42 Hey.
10:43 Took a minute, but I got it.
10:46 You get the code, type it in.
10:50 There we go.
10:53 And that's basically our tool that opens the high security electronic safe lock.
10:57 It won a few hundred thousand dollars of fake money.
11:01 Why did you decide to go public with your techniques?
11:04 You know, SecureRAM's director of sales, Jeremy Brooks, says that you are singling out SecureRAM and trying to discredit the company.
11:10 So that's not it at all.
11:11 We want SecureRAM to fix this issue.
11:13 But more importantly, we want people to be aware of the flaws that they have today.
11:18 Mark and James are not the first to raise concerns about SecureRAM's locks.
11:21 Last year, U.S. Senator Ron Wyden wrote an open letter to Michael Casey, then director of the National Counterintelligence and Security Center, urging Casey to warn American businesses that safe locks made by SecureRAM, which is owned by a Chinese parent company, have a manufacturer reset capability that could be used as a backdoor.
11:38 A risk that had already led to SecureRAM locks being prohibited for government use, along with every other safe that has a manufacturer reset capability, even as SecureRAM locks are widely used in safes in U.S. private companies.
11:50 When I wrote to the senator about the researchers' safe cracking techniques, Wyden sent me a statement.
11:54 Experts have warned for years that backdoors will be exploited by our adversaries. Yet, instead of acting on my warnings and those of security experts, the government has left the American public vulnerable, Wyden writes.
12:04 This is exactly why Congress must reject calls for new backdoors in encryption technology and fight all efforts to force U.S. companies to weaken their encryption and facilitate government surveillance.
12:15 When I asked representatives at High Noble and Liberty Safe, they told me they weren't previously aware of any vulnerabilities in SecureRAM locks, but are now reviewing the issue and investigating options, including using alternative locks.
12:26 CVS declined to comment, but said that safety is a top priority.
12:30 This story is, in some ways, a familiar one in the security industry.
12:33 A company builds an insecure product, refuses to update it, and it takes a couple of white hat hackers to create a proof-of-concept hacking technique that shows us definitively how vulnerable we really are.
12:44 But there's another lesson here, too. If you build a backdoor into someone's secrets for law enforcement or even for the product's creator,
12:51 it's often just a matter of time until that backdoor becomes an entryway for uninvited guests, too.
12:57 This is Hack Lab. I'm Andy Greenberg.