{"id":130210,"date":"2025-08-08T22:54:10","date_gmt":"2025-08-08T22:54:10","guid":{"rendered":"https:\/\/www.europesays.com\/us\/130210\/"},"modified":"2025-08-08T22:54:10","modified_gmt":"2025-08-08T22:54:10","slug":"hackers-went-looking-for-a-backdoor-in-high-security-safes-and-now-can-open-them-in-seconds","status":"publish","type":"post","link":"https:\/\/www.europesays.com\/us\/130210\/","title":{"rendered":"Hackers Went Looking for a Backdoor in High-Security Safes\u2014and Now Can Open Them in Seconds"},"content":{"rendered":"<p class=\"paywall\">Zhou added in his statement that Securam will be fixing the vulnerabilities Omo and Rowley found in future models of the ProLogic lock. \u201cCustomer security is our priority and we have begun the process of creating next-generation products to thwart these potential attacks,\u201d he writes. \u201cWe expect to have new locks on the market by the end of the year.\u201d<\/p>\n<p>Photograph: Ronda Churchill<\/p>\n<p class=\"paywall\">In a followup call, Securam director of sales Jeremy Brookes confirmed that Securam has no plan to fix the vulnerability in locks already in use on customers\u2019 safes, but suggests safe owners who are concerned buy a new lock and replace the one on their safe. \u201cWe\u2019re not going to be offering a firmware package that upgrades it,\u201d Brookes says. \u201cWe\u2019re going to offer them a new product.\u201d<\/p>\n<p class=\"paywall\">Brookes adds that he believes Omo and Rowley are \u201csingling out\u201d Securam with the intention of \u201cdiscrediting\u201d the company.<\/p>\n<p class=\"paywall\">Omo responds that\u2019s not at all their intent. 
\u201cWe\u2019re trying to make the public aware of the vulnerabilities in one of the most popular safe locks on the market,\u201d he says.<\/p>\n<p>A Senator\u2019s Warning<\/p>\n<p class=\"paywall\">Beyond Liberty Safe, Securam ProLogic locks are used by a wide variety of safe manufacturers including Fort Knox, High Noble, FireKing, Tracker, ProSteel, Rhino Metals, Sun Welding, Corporate Safe Specialists, and pharmacy safe companies Cennox and NarcSafe, according to Omo and Rowley\u2019s research. The locks can also be found on safes used by CVS for storing narcotics and by multiple US restaurant chains for storing cash.<\/p>\n<p class=\"paywall\">Rowley and Omo aren&#8217;t the first to raise concerns about the security of Securam locks. In March of last year, US senator Ron Wyden wrote an <a href=\"https:\/\/www.wyden.senate.gov\/news\/press-releases\/wyden-urges-ncsc-to-warn-public-about-backdoor-codes-to-commercial-locks-and-safes\" target=\"_blank\" rel=\"noopener\">open letter<\/a> to Michael Casey, then director of the National Counterintelligence and Security Center, urging Casey to make clear to American businesses that safe locks made by Securam, which is owned by a Chinese parent company, have a manufacturer reset capability. 
That capability, Wyden wrote, could be used as a backdoor\u2014a risk that had already led to Securam locks being prohibited for US government use like all other locks with a manufacturer reset, even as they&#8217;re widely used by private US companies.<\/p>\n<p class=\"paywall\">In response to learning about Rowley and Omo\u2019s research, Wyden wrote in a statement to WIRED that the researchers\u2019 findings represent exactly the risk of a backdoor\u2014whether in safes or in encryption software\u2014that he\u2019s tried to call attention to.<\/p>\n<p class=\"paywall\">\u201cExperts have warned for years that backdoors will be exploited by our adversaries, yet instead of acting on my warnings and those of security experts, the government has left the American public vulnerable,\u201d Wyden writes. \u201cThis is exactly why Congress must reject calls for new backdoors in encryption technology and fight all efforts by other governments, <a data-offer-url=\"https:\/\/www.washingtonpost.com\/technology\/2025\/02\/07\/apple-encryption-backdoor-uk\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.washingtonpost.com\/technology\/2025\/02\/07\/apple-encryption-backdoor-uk\/&quot;}\" href=\"https:\/\/www.washingtonpost.com\/technology\/2025\/02\/07\/apple-encryption-backdoor-uk\/\" rel=\"nofollow noopener\" target=\"_blank\">such as the UK<\/a>, to force US companies to weaken their encryption to facilitate government surveillance.\u201d<\/p>\n<p>ResetHeist<\/p>\n<p class=\"paywall\">Rowley and Omo\u2019s research began with that same concern, that a largely undisclosed unlocking method in safes might represent a broader security risk. 
They initially went searching for the mechanism behind the Liberty Safe backdoor that had caused a backlash against the company in 2023, and found a relatively straightforward answer: Liberty Safe keeps a reset code for every safe and, in some cases, makes it available to US law enforcement.<\/p>\n<p class=\"paywall\">Liberty Safe has since <a data-offer-url=\"https:\/\/www.libertysafe.com\/pages\/protecting-your-privacy?srsltid=AfmBOoqDvQTJmLYXWXhIraMN3DtvT_r21ywZMSlLqEaXgXjOfnKs4PTz\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.libertysafe.com\/pages\/protecting-your-privacy?srsltid=AfmBOoqDvQTJmLYXWXhIraMN3DtvT_r21ywZMSlLqEaXgXjOfnKs4PTz&quot;}\" href=\"https:\/\/www.libertysafe.com\/pages\/protecting-your-privacy?srsltid=AfmBOoqDvQTJmLYXWXhIraMN3DtvT_r21ywZMSlLqEaXgXjOfnKs4PTz\" rel=\"nofollow noopener\" target=\"_blank\">written on its website<\/a> that it now requires a subpoena, a court order, or other compulsory legal process to hand over that master code, and will also delete its copy of the code at a safe owner\u2019s request.<\/p>\n<p>Rowley and Omo planned to reveal the existence of Securam\u2019s vulnerabilities more than a year ago, but held off until now due to the company\u2019s legal threats. Photograph: Ronda Churchill<\/p>\n<p class=\"paywall\">Rowley and Omo didn&#8217;t find any security flaw that would allow them to abuse that particular law-enforcement-friendly backdoor. When they started examining the Securam ProLogic lock, however, their research on the higher-end version of the two kinds of Securam lock used on Liberty Safe products revealed something more intriguing. 
The locks have a reset method documented in their manual, intended in theory for use by locksmiths helping safe owners who have forgotten their unlock code.<\/p>\n<p class=\"paywall\">Enter a \u201crecovery code\u201d into the lock\u2014set to \u201c999999\u201d by default\u2014and it uses that value, another number stored in the lock called an encryption code, and a third, random variable to compute a code that&#8217;s displayed on the screen. An authorized locksmith can then read that code to a Securam representative over the phone, who then uses that value and a secret algorithm to compute a reset code the locksmith can enter into the keypad to set a new unlock combination.<\/p>\n","protected":false},"excerpt":{"rendered":"Zhou added in his statement that Securam will be fixing the vulnerabilities Omo and Rowley found in future&hellip;\n","protected":false},"author":3,"featured_media":130211,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[77071,734,77072,13336,4995,158,67,132,68],"class_list":{"0":"post-130210","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-technology","8":"tag-black-hat","9":"tag-cybersecurity","10":"tag-defcon","11":"tag-hacking","12":"tag-security","13":"tag-technology","14":"tag-united-states","15":"tag-unitedstates","16":"tag-us"},"share_on_mastodon":{"url":"https:\/\/pubeurope.com\/@us\/114995610420597985","error":""},"_links":{"self":[{"href":"https:\/\/www.europesays.com\/us\/wp-json\/wp\/v2\/posts\/130210","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.europesays.com\/us\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.europesays.com\/us\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/us\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/us\/wp-json\/wp\/v2\/co
mments?post=130210"}],"version-history":[{"count":0,"href":"https:\/\/www.europesays.com\/us\/wp-json\/wp\/v2\/posts\/130210\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/us\/wp-json\/wp\/v2\/media\/130211"}],"wp:attachment":[{"href":"https:\/\/www.europesays.com\/us\/wp-json\/wp\/v2\/media?parent=130210"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.europesays.com\/us\/wp-json\/wp\/v2\/categories?post=130210"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.europesays.com\/us\/wp-json\/wp\/v2\/tags?post=130210"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}