Forget TikTok – Chinese spies want to steal IP by backdooring digital locks
Uncle Sam can use this snooping tool, too, but that's beside the point
There's another Chinese-manufactured product – joining the likes of TikTok, cars and semiconductors – that poses a national security risk to Americans: electronic locks, such as those used in safes.
In a letter to the US National Counterintelligence and Security Center (NCSC) director Michael Casey, Senator Ron Wyden (D-OR) urged the White House threat-intel arm to sound the alarm on commercial safes and locks. He also accused the Feds of intentionally keeping American businesses in the dark about the data-security risk to trade secrets and other sensitive IP while "quietly protecting government agencies from it."
NCSC spokesperson Dean Boyd told The Register: "We've received the senator's letter and are reviewing it."
Most commercially available safes include manufacturer reset codes for their locks to help consumers if they lose or forget the code they set. However, government agencies and law enforcement can request access to these codes – usually via a warrant or subpoena, and ostensibly to help investigate a crime or address some sort of national security concern.
"It would be one thing if these backdoors were only available to US government agencies, but they are not," Wyden wrote [PDF].
We should point out that privacy advocates beg to differ, and aren't fans of Uncle Sam using backdoors to snoop on Americans – but that's not Wyden's concern at the moment.
"These backdoor codes can be exploited by foreign adversaries to steal sensitive information that US businesses store in safes, such as trade secrets and other intellectual property," Wyden warned.
This, he added, is especially risky when it comes to Chinese-made electronic safe locks – such as those manufactured by SECURAM Systems, a major seller of electronic safe locks sold in the US.
"Although DoD has informed my office that the company's products are not approved for US government use, its low-cost products have enabled the firm to dominate the consumer-focused portion of the market," Wyden wrote, noting that SECURAM's website confirms its products include manufacturer reset codes.
"As a China-headquartered company, SECURAM is of course obligated to follow Chinese law, including the requirement to cooperate with secret demands for surveillance assistance," Wyden continued. "Consequently, SECURAM could be forced to share codes with the Chinese government that would enable surreptitious or clandestine access to the safes used by US businesses."
SECURAM did not immediately respond to The Register's request for comment.
The US Department of Defense (DoD) is well aware of the issue, according to Wyden, who cites a November 8 email from the DoD calling manufacturer reset codes a security threat.
But while the DoD prohibits government agencies using these locks, it doesn't want the American public to even know they exist, the letter alleges:
DoD also provided my staff with the attached white paper on December 15, 2023, revealing that US government standards for approved locks do not explicitly reference these backdoor codes in order to avoid tipping off the public to their existence. In short, the government has opted to keep the public in the dark about this vulnerability, after quietly protecting government agencies from it.
The Department of Defense did not respond to The Register's inquiries.
In light of this "espionage threat posed by foreign spies," Wyden wants to see the NCSC update its educational materials with recommendations that businesses use locks that also meet US government security standards – and presumably without backdoor codes.
But, he cautioned, people can't do this if they don't even know about the problem in the first place: "US businesses cannot protect their valuable intellectual property, and consequently, America's global economic edge, from foreign espionage if they are kept in the dark about vulnerabilities in the safe locks they use." ®
Updated to add on March 18
Reps for SECURAM have been in touch to say:
SECURAM does not maintain any codes including access codes, management reset or recovery codes. SECURAM locks ship with default access codes, management reset or recovery codes along with operation manuals that clearly state all default codes must be changed by the safe owner upon installation to assure their security.
Our locks are meticulously engineered and manufactured in full compliance with the rigorous American UL-SUB2058 high-security electronic lock standard.