Forget TikTok – Chinese spies want to steal IP by backdooring digital locks

There’s another Chinese-manufactured product – joining the likes of TikTok, cars and semiconductors – that poses a national security risk to Americans: electronic locks, such as those used in safes.

In a letter to National Counterintelligence and Security Center (NCSC) director Michael Casey, US senator Ron Wyden (D-OR) urged the White House threat-intel arm to sound the alarm on commercial safes and locks. He also accused the Feds of intentionally keeping American businesses in the dark about the data-security risk to trade secrets and other sensitive IP while “quietly protecting government agencies from it.”

NCSC spokesperson Dean Boyd told The Register, “We’ve received the senator’s letter and are reviewing it.”

Most commercially available safes include manufacturer reset codes for their locks to help consumers if they lose or forget the code they set. However, government agencies and law enforcement can request access to these codes – usually via a warrant or subpoena, and ostensibly to help investigate a crime or address some sort of national security concern.

“It would be one thing if these backdoors were only available to US government agencies, but they are not,” Wyden wrote [PDF].

We should point out that privacy advocates beg to differ, and aren’t fans of Uncle Sam using backdoors to snoop on Americans – but that’s not Wyden’s concern at the moment.

“These backdoor codes can be exploited by foreign adversaries to steal sensitive information that US businesses store in safes, such as trade secrets and other intellectual property,” Wyden warned.

This, he added, is especially risky when it comes to Chinese-made electronic safe locks – such as those manufactured by SECURAM Systems, a major seller of electronic safe locks in the US.

“Although DoD has informed my office that the company’s products are not approved for US government use, its low-cost products have enabled the firm to dominate the consumer-focused portion of the market,” Wyden wrote, noting that SECURAM’s website confirms its products include manufacturer reset codes.

“As a China-headquartered company, SECURAM is of course obligated to follow Chinese law, including the requirement to cooperate with secret demands for surveillance assistance,” Wyden continued. “Consequently, SECURAM could be forced to share codes with the Chinese government that would enable surreptitious or clandestine access to the safes used by US businesses.”

SECURAM did not immediately respond to The Register’s request for comment.

The US Department of Defense (DoD) is well aware of the issue, according to Wyden, who cites a November 8 email from the DoD calling manufacturer reset codes a security threat.

But while the DoD prohibits government agencies using these locks, it doesn’t want the American public to even know they exist, the letter alleges: 

The Department of Defense did not respond to The Register’s inquiries.

In light of this “espionage threat posed by foreign spies,” Wyden wants to see the NCSC update its educational materials with recommendations that businesses use locks that also meet US government security standards – and presumably without backdoor codes.

But, he cautioned, people can’t do this if they don’t even know about the problem in the first place: “US businesses cannot protect their valuable intellectual property, and consequently, America’s global economic edge, from foreign espionage if they are kept in the dark about vulnerabilities in the safe locks they use.” ®
