Forget TikTok – Chinese spies want to steal IP by backdooring digital locks

There's another Chinese-manufactured product – joining the likes of TikTok, cars and semiconductors – that poses a national security risk to Americans: Electronic locks, such as those used in safes. In a letter to the US National Counterintelligence and Security Center (NCSC) director Michael Casey, Senator Ron Wyden (D-OR) …

  1. An_Old_Dog Silver badge

    Ah, Physical Security

    As for the government/police using a backdoor (default codes, reset codes, etc.) on a citizen-of-its-country's device: if they've gotten a proper warrant for it, then sure, that's okay.

    As for the existence of backdoors in locks, electronic or otherwise: boo, hiss, that's bad, because the "secret" info, like hydrogen, inevitably escapes. At that point, the end-user is fucked.

    If you want true security, you have to design and build it yourself, or perhaps have a trusted friend with the skills do so for you. Traditional lock/safe-making corporations such as Chubb, Schlage, Mosler, Diebold*, etc., are not within my "circle of trust." YMMV.

    *Yes, the same Diebold who also is the maker of proven-flawed voting machines. "It's not who votes that counts. It's who counts the votes." -- attributed to Stalin.

    1. veti Silver badge

      Re: Ah, Physical Security

      If you design and build your own security, unless you're a world-leading expert in security, it won't be secure. Indeed, unless you're in the top 1% of security engineers it probably won't even pretend to work at all.

      I have no problem with the government (or anyone else) having a digital means to, metaphorically, kick down a locked door. They've always had that ability anyway, I think it's foolish to try to take it away from them. But I make the proviso, when they do so, it should be obvious that they've done so - there should be some equivalent of a kicked-in door lying in the space to tell everyone, immediately, what's happened.

      So if the manufacturer's code has the effect of resetting the passcode to "000000" or whatever, I'm fine with it. It's only really nefarious if you can undo the change and set the whole thing back to its previous configuration, to make it look as if nothing has happened.

      1. PB90210 Silver badge

        Re: Ah, Physical Security

        A while back there was a story about a gang who communicated using a homebrew crypto that turned out to be so crap that it was less foolproof and more proof-of-fools.

        (in Excel iirc)

      2. Doctor Syntax Silver badge

        Re: Ah, Physical Security

        "They've always had that ability anyway"

        The critical thing is whether you can reuse the door afterwards.

      3. Anonymous Coward

        Actually, no

        I'd say the state of mass market locks is such garbage that a decent portion of the population could make a latch at least as secure. It also would confuse the crap out of anyone trying to spring it. But the majority of locks are either easily picked, bypassed, or broken (often combinations of all three).

        That said, I welcome the government defining a secure lock standard with a re-settable (not hard coded) recovery mechanism. Once it can survive three Defcons in a row I might even buy them.

  2. Bebu

    Too much tech?

    You have to wonder whether the old mechanical locks were better at least in this respect. (No default reset code.) And no batteries to go flat.

    Digital locks seem to reduce to some processing/electronic component (for the code(s)) and an electro-mechanical actuator (for the locking mechanism.)

    I imagine you could replace the electronics with an RPi and program it to accept longer codes or one-time codes (TOTP, HOTP).

    Not all that secure as I can imagine any number of attacks against the electronics or the actuator. But having to haul the equipment to the safe itself might make it harder to covertly open the safe without detection.

    A subpoena is the nicer version of lead pipe cryptanalysis.

    What would modern organisations be storing in safes? Documents and plans would be stored encrypted on secured electronic systems and backup encrypted media kept in a safe?
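The two ideas raised above, one-time codes (HOTP, RFC 4226) replacing a static keypad code, and veti's proviso that a manufacturer reset is acceptable only if it is obvious and cannot be quietly undone, can be sketched together in a small lock-controller model. This is an added illustration, not code from the article or from any lock vendor; the `LockController` class, the look-ahead window, the `DEFAULT_SECRET_AFTER_RESET` value and the event log are all assumptions made for the example. The HOTP function itself follows RFC 4226 and reproduces its published test vectors.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass, field

# Hypothetical, constructed value: what a factory reset leaves in the lock.
# It is deliberately public, so the reset state is "the kicked-in door":
# anyone can open it, and the owner can see that a reset happened.
DEFAULT_SECRET_AFTER_RESET = b"EXAMPLE-RESET-DEFAULT"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to a 31-bit integer, reduced mod 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class LockController:
    """Toy keypad-lock controller (example model, not a product design).

    - Accepts HOTP codes; each accepted code advances the counter so it
      cannot be replayed.
    - A look-ahead window tolerates a few codes generated but never typed.
    - The event log is append-only: there is no method to erase it, so a
      factory reset always leaves evidence.
    """
    secret: bytes
    counter: int = 0
    look_ahead: int = 5
    is_reset: bool = False
    events: list = field(default_factory=list)

    def try_open(self, code: str) -> bool:
        # Reject malformed input before doing any HMAC work.
        if len(code) != 6 or not code.isdigit():
            self.events.append(("fail", None))
            return False
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1          # consume this and any skipped codes
                self.events.append(("open", c))
                return True
        self.events.append(("fail", None))
        return False

    def factory_reset(self) -> None:
        """Manufacturer recovery: replaces the secret with the public default.
        The previous secret is not retained anywhere, so the lock cannot be
        put back to its old configuration to hide that a reset occurred."""
        self.secret = DEFAULT_SECRET_AFTER_RESET
        self.counter = 0
        self.is_reset = True
        self.events.append(("reset", None))

    def provision(self, new_secret: bytes) -> None:
        """Owner re-keys the lock after a reset. The reset event stays logged."""
        self.secret = new_secret
        self.counter = 0
        self.is_reset = False
        self.events.append(("provision", None))


if __name__ == "__main__":
    # RFC 4226 Appendix D test secret (ASCII "12345678901234567890").
    lock = LockController(secret=b"12345678901234567890")
    print(lock.try_open(hotp(lock.secret, 0)))   # True
    print(lock.try_open(hotp(lock.secret, 0)))   # False: replayed code
    lock.factory_reset()
    print(lock.is_reset, lock.events[-1])        # True ('reset', None)
```

The design point is in `factory_reset`: recovery is allowed, but it is loud (the lock opens with a public secret and `is_reset` stays true until the owner re-keys it) and irreversible (the old secret is gone and the log cannot be trimmed), which is exactly the distinction between a recovery mechanism and a covert backdoor.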

    1. Mike 137 Silver badge

      Re: Too much tech?

      "You have to wonder whether the old mechanical locks were better at least in this respect"

      I was a witness once when a manufacturer's tech opened a safe when a business folded. He made two measurements on the front of the door, drilled one 6 mm or so hole, pushed a piece of stiff wire in and the door opened. This was a commercial grade safe by a reputable manufacturer, not a consumer contraption.

      1. TeeCee Gold badge

        Re: Too much tech?

        It doesn't really matter what sort of lock it is, if you allow someone who knows what they're doing physical access with power tools and no worries about time, noise or alarms.

        If all else fails he can just blow the bloody doors off.

      2. Anonymous Coward

        Re: Too much tech?

        No need for holes...

        Had a pre-audit before a government security audit and happened to mention we had a couple of office-grade secure cupboards out back that we didn't use as no-one knew the combinations... took the guy 10 mins to open both

        (we still never bothered to use them as simply locking stuff away was far easier than fiddling with a combination lock)

        1. ITMA Silver badge

          Re: Too much tech?

          Quite....

          There is a very interesting related snippet in the excellent BBC series "Auschwitz: The Nazis and the Final Solution".

          A guy who was one of the SS guards dealing with the currency the SS stole from those sent there, described an incident when an SS officer was sent to investigate alleged theft by the aforementioned SS guards. That is, theft of their ill-gotten gains by SS guards instead of sending it all on to Germany.

          All their lockers had padlocks on and had been sealed until they had been inspected. When they needed to get into one locker to remove "contraband" without alerting the investigating officer, they just took the back of the (wooden) locker off.

    2. martinusher Silver badge

      Re: Too much tech?

      YouTube has numerous lock picking videos. To some people opening safes and picking locks is a hobby.

      Secrets are like backups. You're well advised not to keep them in one place, especially not a well marked safe with "Important Company Secrets" marked clearly on it, and it might be useful to keep some in some place and some in another. But then our lords & masters and their advisers still think that having "the blueprints" gives you access to the secret.

  3. Potemkine! Silver badge

    "As a China-headquartered company, SECURAM is of course obligated to follow Chinese law, including the requirement to cooperate with secret demands for surveillance assistance,"

    This is a true concern. I've got the same with European data in the hands of US companies, because of the Cloud act.

  4. Roopee Silver badge

    Presumably...

    “US government security standards – and presumably without backdoor codes” seems to be something of a non sequitur?

    1. Version 1.0 Silver badge

      Re: Presumably...

      So the Chinese and other countries are collecting and stealing our data, while American companies are only collecting and selling it. Basically if you are storing your data locally then, if it's accessible or publicly used, it's probably not completely safe everyday - the environment everywhere these days is that data is always "collected" for corporate benefits, but only occasionally "stolen" - this is not a completely fresh environment ...

      "The most famous of the Dead Sea Scroll caves is also the most significant in terms of finds. More than 15,000 fragments from over 200 books were found in this cave, nearly all by Bedouin thieves." - originally data created 2000 years ago and then stolen later.

  5. Pascal Monett Silver badge

    Electronic locks

    The only place they should exist is in the tiny safes of cheap hotel rooms, for the occupant to throw his valuables and pray that nobody is going to try anything on the obvious target within the day or three that said occupant is there.

    Anywhere else, an electronic lock is a no-go proposal because, if you actually have the need for a safe to put stuff in, the last thing you want is a power outage to keep you from accessing said stuff when you need it. Mechanical locks have made a lot of progress since the days of the Wild West, and there are numerous ways of protecting a safe beyond just the lock on the safe itself.

    If your "valuables" (whatever they may be) are worthy of a safe, then go the whole hog. Camera surveillance, multiple locked doors, access via airgapped sas, etc.

    Just chucking a safe in a corner of the office isn't secure anyway.

    1. Anonymous Coward

      Re: Electronic locks

      I saw a local news report a few years ago of a Safe being stolen and all the bits of the Safe (but no contents) found by the police in a field by a road outside town. The theft had not been easy (it was a very big Safe full of money) but someone made the "data theft" work. Theft has been a human "feature" now for thousands of years so complaining about data theft is not going to be helpful ... we can see that theft has always been normal.

      Human features don't change easily - we're still walking around, we've done it on the Moon and may be walking on Mars in the future ... but theft will probably still be normal in our future.

    2. Anonymous Coward

      Re: Electronic locks

      Upvoted you, but power outage isn't necessarily a problem. We have a great big media safe at work with an electronic lock. When the 2 9V batteries that power it died, the manufacturer gave me instructions on replacing them. Turns out the batteries are accessible from the outside.

      Of course, so is the 3-wire cable going into the safe, which is probably just power directly to the actuator. Good thing our main use for it is fire protection.

  6. This post has been deleted by its author

  7. Brew

    I would be wary of any brand of electric lock. I make sales calls on an electric lock company in the Pacific Northwest of the US which has found illegal copies of its locks being made in China.

  8. James Dore

    Why bother...?

    The phrase "This is the Lock-Picking Lawyer, and what I have for you today..." should make worrying about the existence of manufacturer reset codes for electronic locks somewhat moot.

    1. Anonymous Coward

      Re: Why bother...?

      Yeah, physical security is kind of a nuclear triad: the physical lock, electronic components, and the physical case, door or container all need to be matched for purpose.

      A brutally hard to pick lock is still going to fall to power tools from the hardware store. So past a certain level of criminal effort or interest, it's just an expensive delaying tactic. And if the thieves can just wheel the whole thing off on a hand truck they can tinker at their leisure.

      That said, the industry needs to try a little harder on the low end. The damn things are just too easy now, and 3/4 of the locks on the market die at the hands of a screwdriver or a rubber mallet.

    2. Michael Wojcik Silver badge

      Re: Why bother...?

      To be fair, LPL videos are pretty good for quelling worries of whatever sort. So soothing.
