August 2007
Electronic Voting Machines (1 August 2007)
Are Secure Systems Possible? (3 August 2007)
Dealing With Security Problems (6 August 2007)
Minnesota Court Orders Release of Alcohol Breath Tester Source Code (10 August 2007)
Safes, Locks, and Override Codes (14 August 2007)
The Skype Outage (20 August 2007)
Defending Against the Owner (24 August 2007)
The Amtrak Ticket System Outage (26 August 2007)
Update on the Amtrak Outage (28 August 2007)
The FBI and Computer Security (Updated) (29 August 2007)

Safes, Locks, and Override Codes

14 August 2007

According to a news story, a 10-year-old boy locked himself into a gun safe at a store. He was released via an override code. The story, though, raises a number of interesting questions.

The first question is how the safe was opened in the first place. This is a gun safe, a device intended children away from guns. But the article notes:

"My brother saw a safe and opened it somehow. He just pressed numbers," Daniel said.
As it turns out, there was a simple-to-guess default combination. The safe is also advertised as burglar-resistant; I’ll return to that point below.

The next question is why there should be an override code. It was useful this time, of course, but what happened here is hardly a common occurrence. More likely, it’s to prevent loss of access to the contents when the owner forgets the combination.

What appears to be the manufacturer’s instruction page gives some hints. (Note: the incident happened at a Sam’s Club. Its web site shows just one safe that appears to fit the description in the article; a simple search query found the safe’s web page. The specifications on that page are identical to those given in the article. That said, I’m not 100% certain I found the right page, though I do think it likely.) The purpose is indeed error recovery:

Q. Who do I contact if I lose my combination?
A. In the event that you lose your combination, you will need to write a letter stating that you are the owner of the safe, including your serial number. The letter will have to be notarized and faxed to us at 817-xxx-yyyy. Please include in the letter how you would like your combination to be released and someone will contact you.

This system seems dubious, but for its intended purposes may provide adequate security. It’s good enough against a burglar, who probably would not interrupt a break-in to get a letter notarized and faxed, let alone to wait for a response. It will likely deter most children, who may run into skeptical adults if they tried to get such a letter notarized. An adult confederate? Sure, that’s possible, but the adult confederate could just as easily buy guns for the children. The biggest risk may be a clever teenager who could fake the notary seal; it’s hard to tell that a faxed page has an embossed stamp.

From a security perspective, though, there may have been a failure. The article says that "Sams Club employees were able to obtain an override code from the manufacturer." How was the call to the manufacturer authenticated? Did someone call the phone number listed on the web page, claim to be the store manager, and explain the emergency? Did they put on someone who claimed to be the local fire chief? How would you authenticate such a call if you received it? (I won’t even bother discussing email security….)

Perhaps the call went via the Sam’s Club internal chain of command first, since this particular gun safe appears to be custom-made for Sam’s Club. That only postpones the issue, even assuming that an internal call can be authenticated. A good answer would rely on a call from someone who’s personally known to the recipient. "Hi, Pat. This is Chris at Sam’s Club in Worcester; we have an emergency." If Chris knows Pat and recognizes Pat’s voice, it’s probably secure. It’s even better of Chris looks up Pat’s number in a personal directory and returns the call. Relying on things like CallerID would be dangerous, as would assuming that any caller from Sam’s Club is legitimate. (Remember that many teenagers work as store clerks, and they’re part of the threat model.) Also note that unless the safe manufacturer rep has access to the override codes, there’s an internal authentication chain, too.

The best answer, of course, is if there was some pre-arranged emergency authentication code. Did they have that much foresight? It’s possible but I tend to doubt it.

We don’t know the details about how the authentication took place. I suspect that if I asked, I’d be told that for security reasons, they can’t reveal that information. What is clear, though, is that most of the likely scenarios involve people who are properly trained in security, and who will do the right thing and stick to the procedures even in an emergency. In other words, people are the weak link. In this case, there was a happy outcome. However, failure to protect the combination could easily result in a tragic result. What is the proper balance?

Update: Matt Blaze, an expert on safes, notes that safes of this type with electronic locks rarely have override codes. (The factory-set combinations to mechanically-locked safes are typically recorded, however.) He suggests that perhaps the manufacturer simply supplied the default 1-2-3-4-5-6 combination, plus information on the 5-minute lock-out that occurs after several failed entry attempts. The article mentions troubles with it. There are clearly no security implications to supplying public data. However, the web page clearly states that some form of combination recovery is possible (perhaps only for mechanical locks); everything I wrote above would apply to that data.