Hacking Electronic Safes

Vulnerabilities in electronic safes that use Securam Prologic locks:

While both their techniques represent glaring security vulnerabilities, Omo says it’s the one that exploits a feature intended as a legitimate unlock method for locksmiths that’s the more widespread and dangerous. “This attack is something where, if you had a safe with this kind of lock, I could literally pull up the code right now with no specialized hardware, nothing,” Omo says. “All of a sudden, based on our testing, it seems like people can get into almost any Securam Prologic lock in the world.”

[…]

Omo and Rowley say they informed Securam about both their safe-opening techniques in spring of last year, but have until now kept their existence secret because of legal threats from the company. “We will refer this matter to our counsel for trade libel if you choose the route of public announcement or disclosure,” a Securam representative wrote to the two researchers ahead of last year’s Defcon, where they first planned to present their research.

Only after obtaining pro bono legal representation from the Electronic Frontier Foundation’s Coders’ Rights Project did the pair decide to follow through with their plan to speak about Securam’s vulnerabilities at Defcon. Omo and Rowley say they’re even now being careful not to disclose enough technical detail to help others replicate their techniques, while still trying to offer a warning to safe owners about two different vulnerabilities that exist in many of their devices.

The company says that it plans on updating its locks by the end of the year, but has no plans to patch any locks already sold.

Posted on September 17, 2025 at 7:05 AM • 20 Comments

Comments

Privacy September 17, 2025 9:25 AM

Just disclosing that a vuln exists helps people find it. That’s NOT a reason to hide vulns, the disclosure done responsibly helps improve security.
My guess is that backdoors exist in all electronic safes.

Mexaly September 17, 2025 10:20 AM

For your hotel safe to be truly secure,
the entire staff has to practice master-key hygiene.
Do you believe that?
When a guest wants their safe unlocked now,
because they have to catch a plane,
don’t you think all the front desk staff
have access to the file with the master codes?
Or even one master code for all the safes
written on a sticky note in the office.

cb September 17, 2025 11:49 AM

Liberty Safe was shockingly eager to lick the FBI’s boot during the 2023 incident, and now we see their lock supplier Securam expressing extreme arrogance over their laughable vulnerability. Just goes to show, nobody is going to protect your interests except you.

Clive Robinson September 17, 2025 12:57 PM

@ cb, ALL,

With regards,

“Just goes to show, nobody is going to protect your interests except you.”

Actually it is worse than that as ordinary citizens in the UK are finding out.

We used to hear about criminal gangs running protection rackets, and sometimes having,

“Bent coppers, on the pay roll”

Well in the UK, the Thames Valley Police, the Met Police, and some say the City Police forces are now all “owned” by businesses and in effect on corporation payrolls.

Unfortunately there is sufficient evidence that this might well be the case.

If you want more details look up the abuse of,

1, The ‘Single justice Procedure’.
2, UK ‘Harassment act(s)’.

By the likes of the British Broadcasting “Goons” who are trying to sell an unneeded licence on commission and have been known to,

1, Knowingly commit false testimony to court.
2, Obtain false warrants
3, Equivalent of “swat” people in their homes.

And quite a bit more, that you would probably not believe even if it had happened to a person known to you for years for their “Honesty and Probity”…

Is it any wonder there is more and more said about “two tier justice” in the UK.

The UK is being turned into a nation in fear of “rights stripping” by corporates and politicos through what are in effect corrupt practices from the very top.

lurker September 17, 2025 1:37 PM

Master keys? Secret unlock codes? I must be getting old. I come from the days of drills and acid, or for the hard jobs knowing just how much dynamite to put just where …

KC September 17, 2025 3:04 PM

To be a little birdie on Ron Wyden’s window sill.

Rowley and Omo give an enlightening walk-thru of their security research here. (It’s an entertaining and quick-moving review.)

Clive Robinson September 17, 2025 4:27 PM

@ lurker, ALL,

With regards,

“I come from the days of drills and acid, or for the hard jobs knowing just how much dynamite to put just where…”

Those were “kinder, gentler, safer and more secure times.”

That have been stolen away from us by the avarice of greed as clearly demonstrated through politicians, lobbyists, and their neo-con mantra run self entitled C-Suite. Who in turn are on bent knee to what we politely call “shareholders” but in reality is what others call the “finance industry”. That is designed to work by parasitic means to,

“take all, any way, any how”.

And that includes the futures of our children and mankind in general…

The thing is we’ve always had a choice with “technology” on how we do or do not use it.

Unfortunately in general we’ve allowed the “shiny bauble of possibility” to seduce us. Whilst the self entitled have seen and used it to oppress in ways not imagined to most of us.

So now we have what is rapidly becoming a serf society, where the majority are controlled and surveilled for the gain at the majority’s expense by the self entitled, and their authoritarian followers acting as enforcers.

We kind of know how this is going to end as history shows such social systems are unstable and most often end in significant conflict and strife.

The thing about electronics and the resulting computer systems is how they are to most and all in ordinary use to be “black boxes” with hidden information and states.

These,

“… legitimate unlock method for locksmiths…”

Are in reality “hidden technical means” that are,

“short cuts, around security”

Just like any other hidden and illicit “backdoor”

That as we can not see them or get told about them, we cannot account for in our own personal security and perhaps more importantly privacy.

Society can not work if people do not have either or both of “Privacy” and “Personal Security”. History has shown this over and over…

Yet we just don’t appear to learn…

We see,

“Convenience as king”

So we walk en masse into the gilded cage thence to the slaughter pen.

Dave September 17, 2025 8:58 PM

I must be getting old. I come from the days of drills and acid, or for the hard jobs knowing just how much dynamite to put just where …

I’m slightly more recent, Egon Olsen and a stethoscope.

Dave September 17, 2025 9:04 PM

Ugh, headline severity inflation:

Hackers Went Looking for a Backdoor in High-Security Safes

Those aren’t high-security safes (or at least locks), those are the toy locks on equally toy hotel-room safes, enough to keep the room cleaners out but probably not much more. It’s like every gun reported in a shooting is a “high-powered rifle”. Unless they used a 700 Nitro Express it’s just a rifle, not a high-powered rifle.

Ian Stewart September 18, 2025 3:16 AM

@lurker

“I come from the days of drills and acid, or for the hard jobs knowing just how much dynamite to put just where …”

I wonder if someone who breaks into electronic safes is still called a peterman.

Jon September 19, 2025 1:17 AM

@Mexaly

One can hope that only the boss of the front desk staff can, after jumping through several logging hoops and assuming responsibility, generate and issue a special one-use-only code for that specific room’s safe.

By the way, I’d also like a pony. 😉 Thanks,

J.

John Freeze September 19, 2025 5:32 AM

@Clive
for posting no.1: wow :-/
for no.2: now i’m depressed – let’s see how much of the (former) 1st and 2nd world will happily follow the dictatorship plot

Clive Robinson September 19, 2025 6:38 AM

@ Ian S, Lurker,

With regards,

“I wonder if someone who breaks into electronic safes is still called a peterman.”

Ah from a time when the safe breaker was called “Butch” and he spent time “minding the baby”

See the short story collection “Furthermore” of Damon Runyon’s “Broadway tales”,
https://hackneybooks.co.uk/books/88/136/ButchMindsTheBaby.html

I’ve a first edition copy of Furthermore in my Dead Tree Cave, care of my father who had it with him when he was in India during WWII as he can be seen holding it in one of the very many photos of his “tour” there with the Royal Signals supposedly as a mobile “Pay Clerk”.

Clive Robinson September 19, 2025 7:51 AM

@ Jon,

Speaking of things past, you say,

“One can hope that only the boss of the front desk staff can, after jumping through several logging hoops and assuming responsibility, generate and issue a special one-use-only code for that specific room’s safe.”

Back in the last century when I used to design electronic “guest locks” for “the entertainment industry” for amongst other things hotel door, safe, and similar… That was almost exactly how it worked.

The difference that made it secure was it was a “rolling one time code” that was injected into the lock from a hand held computer (Psion II organiser with modifications).

The procedure was the hand held computer was first plugged into the “Front Desk Unit” and the “shift supervisor” (usually a manager) would put in their key etc into the front desk unit. They would go into the “house menu” and type in the room/lock number and authorisation code. The Front Desk Unit would program the hand held computer with a secret code that was only valid for a short period. All of this plus other admin details would also be written to the “write only logs” in both the Front Desk Unit and the Psion hand held computer.

The other reason for doing this was the Psion had a battery, realtime clock and a reset circuit in it. The most likely cause for the lock to not work was a “soft fail” due to amongst other things the clock getting out of sync. Thus resetting the lock microcontroller and reprogramming it with the required details and correct time usually fixed the problem.

But there was also a “magic code” that was part of the “manufacturing test” that would tell the microcontroller to activate the door lock solenoid.

Unbeknown to nearly everyone there was also a “magic component”. Marked on the circuit diagrams as a “low loss back EMF protection circuit” to protect the microcontroller, it was shown as one of a pair of “de-couple” capacitors. With a later “engineering note” changing it to what in fact it was, a Zener diode. Such diodes have the same characteristics of silicon diodes except that the “reverse break down voltage” is just a few volts not 50-600 you normally would think of. It’s why they are used as low voltage regulator diodes.

With a little thinking you can see how the Zener when placed in the circuit in the right place can act as an extra “snubber diode” for circuit protection from the solenoid back EMF.

So few go on to realise that also if you turn up the supply voltage, it turns on, and draws current through the solenoid thereby activating it…

The supply was brought out via the connector, so just flashing it with an appropriate voltage was “open sesame”…
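The issuing procedure described in the two comments above (a supervisor-authorised, per-lock code that is valid only for a short period and used once, with every issue written to a log), sketched as an added example; it is not part of the original comments or of any real lock's firmware. The HMAC derivation, `WINDOW_S`, the hash-chained log and all class and function names are assumptions made for illustration.

```python
import hashlib, hmac, struct

WINDOW_S = 300  # assumed validity period; the comment only says "a short period"

def lock_key(site_key: bytes, lock_id: str) -> bytes:
    # Each lock stores only its own derived key, so there is no shared master code.
    return hmac.new(site_key, b"lock:" + lock_id.encode(), hashlib.sha256).digest()

def code_for(key: bytes, window: int) -> str:
    # HOTP-style dynamic truncation (RFC 4226) of an HMAC over the time window.
    mac = hmac.new(key, struct.pack(">Q", window), hashlib.sha256).digest()
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{num % 10**8:08d}"

class AuditLog:
    """Append-only log: every entry commits to the previous entry's hash."""
    def __init__(self):
        self.entries = []
    @staticmethod
    def _h(prev: str, record: str) -> str:
        return hashlib.sha256((prev + record).encode()).hexdigest()
    def append(self, record: str) -> None:
        prev = self.entries[-1][1] if self.entries else "0" * 64
        self.entries.append((record, self._h(prev, record)))
    def intact(self) -> bool:
        prev = "0" * 64
        for record, digest in self.entries:
            if self._h(prev, record) != digest:
                return False  # an entry was edited or removed
            prev = digest
        return True

class FrontDesk:
    def __init__(self, site_key: bytes, supervisors: set):
        self.site_key, self.supervisors, self.log = site_key, supervisors, AuditLog()
    def issue(self, supervisor: str, lock_id: str, now: int) -> str:
        if supervisor not in self.supervisors:
            self.log.append(f"{now} DENY {supervisor} {lock_id}")
            raise PermissionError("not an authorised supervisor")
        self.log.append(f"{now} ISSUE {supervisor} {lock_id}")
        return code_for(lock_key(self.site_key, lock_id), now // WINDOW_S)

class Lock:
    def __init__(self, lock_id: str, key: bytes):
        self.lock_id, self.key, self.used = lock_id, key, set()
    def try_open(self, code: str, now: int) -> bool:
        window = now // WINDOW_S
        if window in self.used:  # one use only per issued window
            return False
        expected = code_for(self.key, window)
        if hmac.compare_digest(code.encode(), expected.encode()):
            self.used.add(window)
            return True
        return False

if __name__ == "__main__":
    site = b"constructed-demo-site-key"  # constructed sample key
    desk, lock = FrontDesk(site, {"shift-supervisor"}), Lock("101", lock_key(site, "101"))
    code = desk.issue("shift-supervisor", "101", 1_000_000)
    print(lock.try_open(code, 1_000_010), lock.try_open(code, 1_000_020))
```

A lock whose clock has drifted into a different window rejects a correctly issued code, which is the “soft fail” the comment attributes to clocks getting out of sync.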

Jon September 20, 2025 11:01 PM

@ M. Robinson,

Sounds like fairly sound design – with a few backdoors! So much for ‘sound design practices’. When the cryptographers get defeated by some ‘convenience’ setting – or hardware – it rather defeats the purpose, no?

And when I put snubber diodes across my solenoid coils they’re in reverse-parallel! Popping more voltage onto them would be useless. What a Zener was doing in there in series such that over-volting it would fire the solenoid is difficult to imagine as accidental.

J.

Clive Robinson September 21, 2025 5:36 AM

@ Jon, ALL,

With regards,

“When the cryptographers get defeated by some ‘convenience’ setting – or hardware – it rather defeats the purpose, no?”

Sadly there are a great many things that defeat not just cryptographers and security engineers but just engineers in general from doing what is known to be “sound practice”.

However follow the reasons down and at the root you find one or both of,

1, Greed
2, Convenience

The first by the producer, the second to entice the user.

What you might call a “successful business model” is,

To produce a good or service at the lowest possible cost, with the convenience that brings in the greatest profit from the customer.

The problem is as a “leading edge” producer you don’t know what “new thing” a customer will see as the next greatest “must have convenience”…

It’s why I joke that,

“I’m waiting for that Swiss Army Knife hook-thingy that gets boy scouts out of horses hooves[1] on the side of a mobile phone.”

You really don’t know as TikTok showed what will excite the “cash rich kids”. Who arguably have “more money than sense” but as a group do act as both a wind-vane and direction-setter to profit.

But as with most things “consumer”[2] trying to set a trend is hard work. Thus letting someone else dig the furrow and you skip along it as second mouse can be very very lucrative.

But moving onward, you make comment about “when I put snubber diodes across my solenoid coils” that was not where I was hinting at.

Consider a supply with a solenoid and transistor in series across it. Now consider two ordinary diodes that are reverse to the power supply one across the solenoid as in a simple snubber network. The second across the transistor, thus you appear to have exactly the same type of protection circuit you see built into IC pads to protect the I/O circuit from static and other excess voltage etc. Further if you want to make it harder for the average design engineer to get their head around, flip the circuit upside down and use a PNP not NPN transistor. Most design engineers are digitally trained and biased these days thus PNP tends to be the domain of old school audio and other analogue engineers, who are really quite scarce, more so than RF engineers.

Now consider what happens when that diode is actually a Zener at about 1.2 times the supply voltage. Nothing out of the ordinary happens till you take the supply voltage up to around 1.7-2 times the ordinary / design supply voltage.

In practice you have to also add another “battery protection” or similar “diode” that you can hide in a voltage regulator design. I chose to do it by tricking the voltage sense to turn the series regulator transistor off.

Few engineers ever design a “four quadrant” power supply for driving reactive or storage loads so won’t know about such tricks. And even if they do it has an innocent explanation due to the reactance of solenoid and snubber capacitor and “emergency supply replacement” with the battery being lithium long life thus a fire hazard.

[1] No this is not a euphemism for “girl guides” which is what others are known to say…

[2] In the world there are a couple of museums to do with “product development” one of them makes it expressly clear that at best only 1 in 10 new products make it to the shop shelves, and nobody knows why. One exhibit on clothes washing powder shows the identical powder being successful in one box, but not in another box in one place, but that unsuccessful box being the success in another country/region. My favourite two in the UK however are,

2.1, Curry flavoured peanuts. Trialed to great success in the UK in Birmingham, Cambridge, Oxford, but failed most other places… Then someone realised “University Towns”.

2.2 Ginger Hob-Nob style biscuits with a bitter mint cream and dark chocolate half cover. These were wildly popular and sold out quickly which gave rise to a rumour they had an addictive possibly illegal substance added… So they had to be dropped, which is a shame because I’ve made my own and they really are very very morish and make nice gifts.

Oh and speaking of containers of products, it’s been well known “in marketing” that women tend to pay more for less shampoo if the bottle it comes in is phallic shaped.

Jon September 22, 2025 9:16 AM

@ M. Robinson

Okay, I can see that if you’ve deliberately put a zener “protection” diode backwards across your transistor (high- or low- side driving) by jacking up the voltage you can fake the transistor turning on. Which will throw the solenoid, if calculated correctly, without incinerating any of the components.

Can’t think of why you would, though, unless deliberately putting in a hardware backdoor. Protecting a low-voltage transistor against voltage spikes that, although they open the lock, allow it to work properly again when the spike has gone away? Perhaps.[1]

MOSFETs generally have a parasitic reverse diode in them anyhow as fundamental to their construction, but drive them into reverse conduction you’ll most likely get a puff of smoke and a bad smell.

Anyhow, I think we’ve gotten a bit OT here. Tallyho!

J.

[1] Another really silly idea occurred to me – use it to ‘take the peak off’ your battery. If the battery gets over-voltage charged, dump current through the solenoid (against its spring) and through the zener until the battery voltage has dropped enough to let the lock close. It would work, but sounds really harsh on every component involved!

Clive Robinson September 22, 2025 1:35 PM

@ Jon,

With regards,

“Can’t think of why you would, though, unless deliberately putting in a hardware backdoor.”

That is indeed one reason.

But consider another reason.

The Front Desk Unit is broken, or the hand held unit is broken or worse the lock is broken or the software has gone for a walk in space. So a service engineer is called in as an emergency, because the Hotel does not want to “smash the door down” or “drill the lock” (this does happen).

You get the service engineer to take a “magic box” they have to sign out and in again along with a hotel manager signature.

Because you are in reality just dealing with the solenoid and the Zener diode the lock will open.

However the important thing to realise is those who get hold of locks and take them apart or get hold of a circuit diagram that just shows an ordinary diode, will try just using a new battery across the pins, but as it will have insufficient voltage, it will power up the lock circuit BUT it won’t open the door.

Of course now I’ve revealed this little secret/trick I designed way back then such locks will no longer get through “Underwriters Laboratory”(UL) and similar testing any longer….

So why reveal it?

Well as you note,

“MOSFETs generally have a parasitic reverse diode in them anyhow as fundamental to their construction”

Yes they do and actually if you get the right type, they won’t go phut.

Have a look at the use of MOSFETs in high efficiency bridge rectifiers in SMPSUs to see that a great many are designed to work under these conditions.

The thing is such MOSFETs are about the cheapest thing on the market you can use for reactive loads like solenoids or inductors.

Oh and the latest are no longer “traditional silicon” but “Silicon Carbide”(SiC) devices,

https://www.sciencedirect.com/science/article/abs/pii/S277301232500055X

Due to various “niceties” you can use them in Class D,E,F,H amplifiers well up in frequency. Build them into a Walsh Transform Transformer Combiner amplifier and you can very efficiently get them to act as binary controlled output level for Digital to AM. The advantage of the Walsh Transform is you very easily get a sinewave which is clean to the 16th harmonic,

https://www.semanticscholar.org/paper/Waveform-synthesis-via-inverse-Walsh-transform-Chen-Sun/29b776a6b8f2ef849b30c9ba024ece7b85fb8ddc

Thus you have a very easy, low component, and easy to manufacture low loss filter all the way up the spectrum, with 5kW or more output into the feedline. You also don’t have to “switch the filter with frequency” as the system is clean from 0.5-2MHz.

Anyway as you say “we’ve gotten a bit OT here” 😉
