Experts Say Chinese Safes Pose Risks to US National Security
Senator Urges Government to Tell Public About Little-Known Manufacturer Reset Codes
A senior U.S. senator is raising concerns that Beijing may be able to gain unauthorized access to commercial electronic safes made in China and used by the American public.
Sen. Ron Wyden, D-Ore., sent a letter Wednesday to the director of the National Counterintelligence and Security Center "about the counterintelligence risks posed by commercial safe locks that do not meet U.S. government security standards."
"Many commercially available safes include electronic locks that can also be unlocked using special codes set by and known only to the manufacturer," the letter says. It also says that the existence of manufacturer reset codes is not "prominently advertised to consumers."
"These backdoor codes can be exploited by foreign adversaries to steal sensitive information that U.S. businesses store in safes, such as trade secrets and other intellectual property," the senator warned.
Wyden also said that the U.S. government "has opted to keep the public in the dark" about vulnerabilities posed by manufacturer reset codes by leaving any mention of the reset codes out of government standards for approved locks "to avoid tipping off the public to their existence."
Electronic safe manufacturers maintain factory reset codes for emergency access and maintenance purposes, allowing technicians or owners to reset a safe's locking mechanism in the event of a malfunction or forgotten passcode.
Experts told Information Security Media Group the global commercial electronic safe market is predominantly controlled by three major companies: SecuRam Systems from China, Sargent and Greenleaf from the United States, and Dormakaba from Switzerland. SecuRam Systems is one of the most popular brands of electronic locks and safes sold in the U.S., according to Tom Pace, CEO of security firm NetRise.
"It is far from a stretch that the Chinese government can obtain access to these codes as they see fit," Pace said. He said SecuRam also produces locks and parts for other manufacturers not based in China. "Even if you're purchasing a product from a U.S.-based manufacturer, it very well may contain components that are Chinese-manufactured."
Wyden's letter says SecuRam is "of course obligated to follow Chinese law," which mandates PRC-based companies comply with requests to share data and assist in foreign surveillance operations. Wyden urged the NCSC to update its publicly available educational resources for U.S. organizations and include recommendations to upgrade their safe locks in alignment with government security standards.
A spokesperson for SecuRam told ISMG the company does not maintain any codes for its safes, "including access codes, management reset or recovery codes."
"SECURAM locks ship with default access codes, management reset or recovery codes along with operation manuals that clearly state all default codes must be changed by the safe owner upon installation to assure their security," the spokesperson said in a statement. "Our locks are meticulously engineered and manufactured in full compliance with the rigorous American UL-SUB2058 high-security electronic lock standard."
"Folks may not be aware that it's common for locks on safes to include built-in backdoor codes," said Christopher Warner, senior security consultant for the cybersecurity firm GuidePoint Security.
Warner said organizations should be testing all commercial safes in use for potential backdoor access and "performing an assessment on all safes and updating the policies, standards and procedures for any future safes."
*Update March 26, 2024 3:21 UTC: Adds comment from SecuRam.