Backdoor Blues: Researchers Unlock Critical Vulnerabilities in Securam ProLogic Safe Locks
What began as curiosity about a political scandal involving Liberty Safe’s cooperation with the FBI has spiraled into a revelation that shakes the foundation of physical security. Security researchers James Rowley and Mark Omo, probing how law enforcement accessed a suspect’s safe during the January 6 investigations, stumbled upon far graver issues: critical vulnerabilities in Securam ProLogic locks, embedded in millions of safes worldwide. These electronic locks, certified by Underwriters Laboratories and trusted by companies from gun safe manufacturers to pharmacy chains, were found to harbor not one but two exploitable backdoors, dubbed "ResetHeist" and "CodeSnatch", that allow attackers to bypass security in moments.
Security researchers James Rowley and Mark Omo, whose investigation exposed widespread flaws in Securam locks.
The Unseen Flaws in Fort Knox-Grade Security
Securam ProLogic locks, used by at least eight major safe brands, including Liberty Safe and Fort Knox, and by CVS pharmacies for narcotics storage, rely on firmware that Rowley and Omo quickly dismantled. Reverse-engineering the lock’s processor (a Renesas chip also found in PlayStation 4 consoles) revealed glaring oversights. The first vulnerability, ResetHeist, exploits a legitimate "recovery" feature intended for locksmiths. By analyzing the firmware, the researchers extracted a secret algorithm that computes reset codes, turning a simple Python script into a master key. "There's no hardware security to speak of," Rowley noted. "We could reverse engineer the whole algorithm just by reading the firmware."
The second method, CodeSnatch, is even more alarming. Using a Raspberry Pi-based tool inserted into the lock’s debug port, attackers can extract a "super code" to unlock the safe instantly. This port, protected by a trivial password, was easily bypassed with voltage glitching—a technique that manipulates the chip’s power supply. Omo emphasized the accessibility: "This attack requires no specialized hardware. I could pull up the code right now with nothing but basic tools."
Industry Denial and the Backdoor Dilemma
When Rowley and Omo alerted Securam in spring 2023, the response was legal threats, not remediation. Securam CEO Chunlei Zhou dismissed the findings in a statement to WIRED, calling the vulnerabilities "well known" and claiming attacks require "specialized knowledge." Yet, the researchers countered that one method needs no special equipment, and neither flaw was publicly documented. More troubling, Securam admitted it won’t patch existing locks, advising customers to buy replacements instead. "We’re not offering a firmware upgrade," confirmed sales director Jeremy Brookes. "We’re offering a new product."
A Securam ProLogic lock, now under scrutiny for vulnerabilities that could affect safes storing everything from firearms to pharmaceuticals.
This stance echoes broader concerns about backdoors in security systems. US Senator Ron Wyden, who previously warned about Securam’s Chinese parent company and government-use prohibitions, told WIRED: "This is exactly why Congress must reject calls for new backdoors in encryption technology." The parallels to digital security debates are stark—manufacturer-accessible resets, whether in safes or software, create exploitable weaknesses.
Why This Matters for Developers and Security Pros
Beyond the immediate risk to safe owners, who can mitigate ResetHeist by changing the default recovery codes (a step that is seldom recommended), the implications ripple across tech. The vulnerabilities underscore how embedded systems, often treated as "dumb" hardware, inherit software-like risks. Rowley and Omo’s work exposes gaps in certification processes; Underwriters Laboratories approval failed to catch flaws that render safes vulnerable to low-skill attacks. For engineers, it’s a cautionary tale: "Electronics are hard to secure," Omo stressed, urging scrutiny of supply chains in IoT and physical devices.
The researchers, now backed by the Electronic Frontier Foundation, withheld exploit details to prevent misuse but warn replication is feasible. As Rowley put it: "If you’re skilled in the art, this is a one-week project." Their call isn’t just for Securam to act—it’s for an industry-wide reckoning with security by obscurity. In a world where safes guard everything from cash to controlled substances, trust in locked boxes must be earned, not assumed.
Source: WIRED