Massively Popular Safe Locks Have Secret Backdoor Codes (404media.co)
Two of the biggest manufacturers of locks used in commercial safes have been accused of essentially putting backdoors in at least some of their products in a new letter by Senator Ron Wyden. 404 Media: Wyden is urging the U.S. government to explicitly warn the public about the vulnerabilities, which Wyden says could be exploited by foreign adversaries to steal what U.S. businesses store in safes, such as trade secrets. The little known "manufacturer" or "manager" reset codes could let third parties -- such as spies or criminals -- bypass locks without the owner's consent and are sometimes not disclosed to customers. Wyden's office also found that while the U.S. Department of Defense (DoD) bans such locks for sensitive and classified U.S. government use in part due to the security vulnerability reset codes pose, the government has deliberately not warned the public about the existence of these backdoors.
The specific companies named in Wyden's letter are China-based SECURAM and U.S.-based Sargent and Greenleaf (S&G). Each produces keypad locks which are then implemented into safes by other manufacturers. The full list of locks that contain backdoor codes is unknown, but documentation available online points to multiple SECURAM products which do include them, and S&G confirmed to Wyden's office that some of its own locks also have similar codes.
not really news (Score:5, Informative)
Re:not really news (Score:5, Insightful)
Re:not really news (Score:5, Insightful)
Eh, if they get a warrant to search that sucker, all the backdoor is doing is preventing severe damage to the safe.
And if they don’t get a warrant, they’re only confirming 250 years of documented and validated threats by Government to violate your Rights.
The entire point is warrants are supposed to be hard to get. A lot harder than cracking into a shitty consumer-grade safe.
Re: (Score:2)
> Eh, if they get a warrant to search that sucker, all the backdoor is doing is preventing severe damage to the safe.
If they have a warrant and you are there then you can open the safe for them anyway. If you aren't there then the damage is the only way that you find out that someone compromised your secrets. Having to damage the lock to get inside is a big point of a proper lock because nothing is completely impenetrable given enough time and money.
Re: (Score:2)
There are some things you want to be tamper evident. A gun safe is probably one of those things.
Re: (Score:2)
Re: (Score:2)
And if they don't get a warrant, it allows unethical government employees free access to your safe without your knowledge. They could replace documents with forgeries. They could find out your secret business plans and give them to your competitor for a price.
Yeah, mandated back doors are a good thing... if you are the one doing the mandating.
Re: (Score:2)
Re: (Score:2)
Technically speaking, Liberty Safe didn't make the lock. The lock is a standard safe lock and you can buy those locks with varying degrees of security. And yes, even the government has locks that will fit in the h
Re: (Score:2)
Are there any combination locks that are any good? Every single one I've ever seen the Lockpicking Lawyer test have been trivially easy to open, often faster without knowing the combination, or break open.
I've come to the conclusion that if you are using a lock as anything more than a deterrent or way to slow down an attacker, you are doing it wrong.
Text of the letter (Score:5, Informative)
The Senator has posted a copy of the letter at https://www.wyden.senate.gov/i... [senate.gov]
Wait, what? (Score:2, Troll)
What kind of moron buys a safe made in China?
Re:Wait, what? (Score:5, Informative)
1. U.S.-based Sargent and Greenleaf has the same issue
2. Most US based safes (like most things built in the US) are built in the US using Chinese components.
Re: (Score:2)
Re: (Score:2)
It's a shame The Lockpicking Lawyer doesn't do safes very often. His recommendations for padlocks are extremely useful.
Re: (Score:2)
Ummm, sir? There is not a single thing you can buy on the market that is secure. If you want true security, you do it yourself or you engage in person to person business with someone who can. All market offerings are compromised.
Re:Wait, what? (Score:4, Interesting)
You buy a safe made in the US, says so right there in the docs.
It has a *lock* made in China, but they don't tell you that.
Common arguments about this are stupid (Score:2)
"Well, LEO's can just cut open the lock or safe. All this is doing is saving you money if you are innocent your safe won't be cut open"
The fact the manufacturer kept the combination or a backdoor to the lock is the problem. People do not like the idea that if that company gets compromised (hacked, malicious employee, leaked by LEOs) then their security device is a lot less secure. It's just like the arguments for the Clipper chip.
"If you have nothing to hide, what are you worried about?"
As I said, thieves can also get a hold of the backdoor codes. It's one thing to set a default code that can be changed, but to leave a permanent backdoor in place is asking to be treated like a Liberty Safe (that
Re: (Score:2)
1) Someone uses the backdoor code to remove a firearm from your safe without your knowledge
2) They use it to kill someone and leave the gun at the scene
3) The gun gets traced back to you (possibly via a tipoff)
As the existence of the codes has been kept secret, the court presumes that you are at best guilty of supplying the murder weapon and at worst the murderer.
Re: (Score:1)
LOL (Score:5, Insightful)
That's a good one. You know I will bet anything the primary driver for this is not the safe company wanting to get in, but the sheer number of dumbass customers calling and crying that they forgot the safe code or lost the key.
Re:LOL (Score:4, Informative)
You know, when I last rented a safe deposit box, they told me (in person and in writing) that if I lose the key, that would be $400 for the locksmith and the replacement lock and several weeks wait to get at my stuff, no discussion. Was completely fine by me. The bank person was not in a rush and told me after I asked that he had seen the drilling of such a box once and that it was pretty impressive and took about two hours or so.
Re: (Score:3)
Re: (Score:2)
I doubt he would have come to a smaller town in Europe for a measly $400 ;-)
Re: (Score:2)
I think the fact that most locksmiths don't even attempt to pick, when The Lockpicking Lawyer has demonstrated that most locks can be opened in seconds via picking, often with extremely low skill attacks, is purely to keep costs up and their businesses viable. People would not be happy if they turned up and did 5 seconds of work, then billed them full call-out rate, and it would undermine confidence in the locks themselves.
Maybe it's just a false impression from his videos, but it seems like about 75% of lo
Re: (Score:1)
Waiting for LPL to see this article and do a video on it..... Wake me up when that happens.
Re: (Score:1)
Because zillions of people need to break into their own accounts/safes/etc.
That's why in too many cases others can contact support and take control of your accounts. They can use the same excuses that people use to regain access to their own stuff.
"I'm on a trip to a different country, forgot my password and my phone got stolen".
Shocking I tell you (Score:4, Insightful)
Hence the reason all of my locks ( including the one on my gun safe ) are of the analog variety.
I simply do not trust the digital variety.
In fact, as time goes on, I'm trusting digital anything less and less :|
Comment removed (Score:5, Funny)
Re:Shocking I tell you (Score:4, Funny)
> In fact, as time goes on, I'm trusting digital anything less and less :|
Meme: After years of working in tech the only "smart" device in my house is an inkjet printer. I keep a gun next to it in case it makes a sound I don't recognize.
Exactly. I looked on the back of my safe just to be safe, and sure enough there was no back door.
Re: (Score:1)
> the only "smart" device in my house is an inkjet printer. I keep a gun next to it
Indeed. I keep a Canon.
Re: (Score:3)
Good thing analog locks have no vulnerabilities!
Re: (Score:2)
Yeah [youtube.com]
Re: (Score:2)
My front door lock is computer-controlled. It's certainly hackable if you know what you're doing and really want in. But you know what? A lock is never perfect. Long before someone hacks my lock, they're going to break the glass of my sliding back doors. Or pop a window. Or lift a garage door and come in through the interior door.
You balance the lock strength against the threat and your convenience. My lock keeps out bored teens idly considering their first B&E and lets me check it from my phone
Damn assholes (Score:2)
You essentially have to take the safe, strip out the electronics and roll your own now. Makes the thing a lot more expensive than it has to be.
Re:Damn assholes (Score:4, Informative)
This is the lock the government uses for itself [kabamas.com]
Yeah, $2k a pop. But, secure.
Re: (Score:2)
Not worth the squeeze. Those safes are trash and you can break into them in about 10 minutes with modern battery powered tools.
Better to build something into the building that's difficult to find and doesn't look like a safe.
Realistically, you've got to prevent against theft and warrantless search of a safe.
If they don't know you have a safe...
Re: (Score:2)
Oh, I am not claiming that this way you end up with a good safe. It will still be the same cheap crap. But the time to break in will then be 10 minutes, not 20 seconds.
Re: (Score:2)
Which is the exact reason behind OpenSSL/SSH devs begging people "JFC please please please for the love of God don't try to roll your own crypto security code on anything that rem
Re: (Score:2)
Unlikely. The main effort an expert has in attacking a custom design is understanding it. That usually drives time up. Your amateur crypto example serves nicely to illustrate the effect: Why does a lot of amateur crypto never get broken? Simple, because even an expert would have to invest a bit of time to understand it. That may be hours to weeks, even if the actual break at the end is sub-second. And since the experts know it is amateur crypto, breaking it gives them nothing and they are simply not interes
It's ok! (Score:1)
There's Chinese people everywhere too! (Score:1)
It's so scary, everything has a backdoor, and there's Chinese people living in our neighborhoods...
So in effect no safer than.. (Score:2)
Yeah, so? (Score:5, Interesting)
Did you really think every time someone forgets the code they set, a hotel spends money on a locksmith?
Those safes protect you against casual thieves, nothing more. The pros know the backdoor code, the manager knows the backdoor code... it's probably in a binder somewhere anyone on the staff could easily find if they looked for it. But your typical hotel cleaning staffer isn't going to break into a safe and risk losing their job (or jail) for what is likely worth less than a few hours' pay and would need to be fenced.
Re: (Score:1)
This is probably beyond "casual thief", but I think it's interesting. My wife was traveling in Spain once, and a guy broke into her room, removed the safe from the wall, wrapped it up in gift wrap and walked out of the hotel carrying what looked like a present (there were scraps of gift wrap on the floor when she returned to find the gaping hole in the wall).
She had made the mistake of traveling with a couple of sentimentally important rings that she had kept in the safe. Not sure if a staffer might have
Re: (Score:2)
> But to her, the loss of her grandmother's ring was very painful. She never travels with nice jewelry anymore.
My wife keeps her nice stuff in a safety deposit box. I honestly don't get it... if you're afraid to wear it, you might as well sell it and PRETEND you have it stored in the box. Pretend jewellery is free and doesn't cost you a safety deposit box rental, either.
S&G???? (Score:4, Interesting)
Honestly, I'm shocked. And no sarcasm this time.
Many years ago, I worked for a DoD contractor, and the ONLY lock we would use for secure storage was S&G.
If Wyden's allegations are true -- and to be fair, he's usually right -- this is a huge disappointment.
Re: (Score:2)
GSA lock (Score:3)
Re: (Score:2)
Sargent and Greenleaf make many different types and styles of locks, from inexpensive consumer grade locks, padlocks, door locks, up to GSA approved locks for classified material. For example, the S&G 2740B is GSA-approved for security containers. https://sargentandgreenleaf.co... [sargentandgreenleaf.com]
Just like Ford makes everything from the consumer Fusion to the Police Interceptor models, comparing S&G's consumer and professional models doesn't give you a full picture.
One breach of trust is enough (Score:3)
Fool me once, shame on you.
Fool me twice, shame on me.
Any company who intentionally breaches trust with even a single product, is a crappy company to begin with.
You see, trust is required when interacting with people, companies etc., because the world, people, companies, technology is so complicated that you cannot check everything all the time. You trust them to not cheat on you. For every instance that you DO find out they cheated, you must assume there's been dozens or more instances where they did, but
If it is electronic, it is insecure (Score:3)
"Such as trade secrets"??? (Score:3)
Who on earth still keeps the only copy of trade secrets in a _safe_?
"Okay, Jimbob, y'all better get started work for t'day on that thar micro-pro-ce-ssor dee-sign. Grab the do-cu-men-tay-shun outta that thar safe and git to work wit yo bi-ro!"
"Massively" popular? (Score:2)
They must be way more popular than just..."popular."
More and more annoyances (Score:2)
First SecuROM, now SECURAM ...
Analog safes are better (Score:2)
If you want a genuinely good safe, buy a safe with a good quality dial combination lock. No battery to run out of juice and no electronics to fail. And no backdoors in the system that could be exploited.
Oh and you need to buy said safe from a proper locksmith or safe company since nothing sold by a big-box store of any kind is in any way a "good safe"
We all saw it. (Score:3)
We all saw the video of SWAT guys assaulting the home of someone who dared to be in the neighborhood of the Jan 6 thing, where they came up to the electronically locked front door and *somehow* they knew the code that would open it.