The illusion of security is often worse than no security at all. However, it is often difficult to tell how good a security product really is. Purchasers usually consider the specifications and reputation of the vendor. Most customers don’t have the ability to thoroughly test security products and are essentially forced to rely upon the manufacturer.
A recent personal experience demonstrates the urgent need to address how security products are designed, tested, sold, and supported.
I wanted an additional small safe to secure items such as USB drives, keys, and authentication tokens in my home office. There are many products similar to hotel room safes available in the sub-$200 range; after some research I ordered an American Security Products (AMSEC) EST1014.
AMSEC manufactures a range of security products, including high-end UL-listed commercial fire and burglary safes. I felt confident that AMSEC would understand the security issues that have plagued many consumer products. According to their web site, AMSEC is, “the largest and most respected safe manufacturer in the industry.”Their page on the EST series states, “These small burglary resistant electronic security safes are perfect for a variety of home security needs and come with AMSEC’s new state-of-the-art DL5000 electronic touch-screen locking system.”
Upon receipt of the safe, I examined it carefully and was shocked to find that it suffered from a critical design flaw. With the safe placed on a table or on the floor, I can open it by simply slamming my hand on top and turning the knob to retract the bolt. This results in no damage, and the safe can be relocked without leaving any evidence of being opened.
Another common flaw in these type of products is that they usually include a reset button inside the safe. Pressing the button resets the digital lock and allows a new combination to be selected. The intent is to allow consumers to open the safe with a physical override key, press the button, and reset the lock. However, a common attack method is to slide a thin piece of metal around the door, press the button, reprogram the safe, and open it.
AMSEC was obviously aware of the reset button issue and the EST1014 includes a rubber cap over the reset button. Unfortunately, it is trivial to flip off the rubber cap. This is an example of exceptionally poor security engineering. It would be easy to modify the circuit so that the button is disabled until the boltwork is retracted, or leverage the override key as a reset mechanism. But instead, AMSEC chose a cheap rubber cap that increases attack difficulty instead of eliminating the vulnerability.
I immediately reached out to AMSEC executives. David Lazier, president of AMSEC, replied that the company’s VP of sales would contact me. He did not. Tony Maniaci, vice president of Engineering and Technology, replied that the EST1014, “has been discontinued for about two years.”When I pointed out that the product is currently displayed on their web site, and asked if they are aware of the issue, whether a fix is available, and if any sort of notice or bulletin has been provided to customers, Maniaci failed to respond.
Documentation provided with the safe indicates that AMSEC provides a one-year warranty. AMSEC support did not respond to my request. The message to consumers is clear: You’re on your own.
I was able to detect these serious flaws, and as a result my loss was limited to the purchase price. I now own a $150 AMSEC paperweight. However, it is alarming that many consumers and small business are likely depending on this family of products to protect valuables. Even more alarming is that some consumers might chose this product to keep a handgun away from children. The consequences could prove deadly.
Vendors have a duty to provide products that perform substantially as advertised. Security products with serious flaws should be recalled. It is imperative that government agencies take immediate action to protect consumers from products that don’t provide the security they claim, including safes that aren’t safe.
Eric Jacksch is a leading cybersecurity analyst with over 20 years of practical security experience. He has consulted to some of the world’s largest banks, governments, automakers, insurance companies and postal organizations. Eric was a regular columnist for Monitor Magazine and has contributed to several other publications.