Schneier on Security
A blog covering security and security technology.
« Why the Top-Selling Antivirus Programs Aren't the Best |
| Britain Adopts Threat Levels »
August 2, 2006
Brute Forcing Combination Locks
This computerized servomotor opens combination locks by brute forcing all the combinations. This isn't particular surprising, but it is nice to see some actually build one.
What's more interesting is the link describing how to open a common Master brand lock in about 10 minutes. The design makes those 403 possible combinations collapse to 121. It's a physical metaphor for bad cryptography.
Posted on August 2, 2006 at 1:54 PM
• 25 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
James Bond comes to life. I always thought that giant safecracker/copier machine in "On Her Majesty's Secret Service" was one of the few Bond inventions that might be possible. Huge and took an hour to work. (One reason I like that movie: no ridiculous gadgets.)
As always Richard Feynman was first :-)
In the book, Surely You're Joking Mr Feynman, he describes experimenting with combination locks and discovering that because of the "slackness" in the mechanism he could try far less than the theoretical maximum combinations and succeed in opening the lock.
i once had a friend who had a locker broken into at the gym and had to stand there adn explain to the deputy how to crack a masterlock in about 5 minutes. he was impressed, but also thought i stole the wallet.
Way back in high school we were forced to buy these big Master padlocks for our gym lockers.
Because the mechanism relied on making a full turn, by simply knowing the first number in the combination and never making a full turn, I was able to pick it blind in under 2 minutes. About 30 seconds with my eyes opened.
If I didn't know the first number it would take me 10-15 mins.
It was actually pathetic since combos were either all odd or all even, and the middle number was always (X mod 4 = 2) in relation to the first and last. The first and last were the same mod 4. One could also be about 1-2 numbers off and still get it.
Needless to say, I demonstrated to the school authorities that we shouldn't be forced to deposit $12 for a lock that I can pick (or can teach others how to).
Of course the point was not good security and privacy between students, but rather a method for easy violation of the student's privacy by the school authorities (combos centrally kept on file). Granted students are not the paying patrons of their compulsory education, so they don't have 'rights'.
Or you could drink a beverage from a can, create a shim, and open the lock that way.
Deviant had an interesting presentation at ShmooCon 2006 (http://www.shmoocon.org/2006/videos/Ollam-Lockpicking.mp4). You can find the relevant slides here (http://deviating.net/lockpicking/03.01-combination.html).
The device is very interesting as far as safe locks are concerned however, as it's shown in the video, it's more of a "because I can" rather than a needed tool. "Because I can" is still a great thing.
Nice link Bruce,
This is good to show to my alumns the bad examples of cryptography exists in real world.
... or just use a padlock shim and open the lock in a couple seconds.
So, a good "physical metaphor for bad cryptography" as well as a good example of poor hardware design.
The question I have is, of course, what's the best padlock solution?
At my university, here was a rash of locker thefts at our largest gym, involving locks just like the one the robot is attacking. The head of crime prevention for the campus police gave a talk on theft prevention. Turns out if you hit those cheap combination locks really hard with a hammer right where the bar goes into the body they'll pop open. While noisy, it was very fast and very effective in practice.
His recommendation for securing your locker? Buy a key-operated MasterLock, but be sure to use some rubbing alcohol to wipe off the numbers at the bottom of the lock, because you can use those to get a key to open the lock.
University of Texas,
I got the exact same lecture from my junior high assistant principal, minus the bit about the rubbing alcohol.
--"The question I have is, of course, what's the best padlock solution?"
Depends on what you're trying to do, of course ^_^
For instance, Chubb makes some heavy-duty ones with Medeco or Ava (disc) keys.
For combination padlocks I'm not sure. I sincerely doubt there's any padlock out there equivalent to a Mas-Hamilton X09 (combination lock for safes), simply because that'd be massive overkill for the application. There's too many attack vectors for a padlock to go too overboard on the lock mechanism itself, so if you need something like an X09 you're going to be putting in a vault anyway.
I remember seeing a robot built out of Lego Mindstorms that would brute-force combination locks a few years ago. If I remember correctly, the lock had to be put into the robot, so it couldn't break a lock that was locked to anything.
On second thought, I could just be misremembering Locracker, which is linked in the article.
I could use one of those. I was given a small rolling safe some years ago that I've tried several times (unsuccessfully) to crack. The combination had been lost, and the owner had moved to Alaska leaving no forwarding address and dropped off the face of the planet. The only condition was, "If you get it open and there's any personal-looking papers in there, please send them back to me. Anything else is yours."
in Italy is not uncommon to break the code of locks and steal them, instead of the bicycle...
p.s. Feynman showed also how to simulate the universe on a pocket calculator (ok, the lesson was only about 2-body gravitation, but you get the idea).
no need of massively parallelized computing (or distributed one, you remember seti and so on...).
you know: universe moving not so smoothly, step by step. but we do not notice anything...
Back when I was in college, back in the late 80's, I was moving into a new [rental] house. The landlord had forgotten the combination to the lock on the garage. He "thought" he remembered one of the numbers, but wasn't too sure.
I figured if I hit the combination within +/- 1.25 for each number, the lock would open. Or at least give enough that I'd know I was close. (These things are *NOT* made to mil-spec manufacturing standards. Often a digit off will open easier than the "correct" combination.)
Of course, you can try every possible 3rd number in a single run. Noisy, but fast. So this takes us down from 40*40*40 = 64,000 combinations to a mere 16*16 = 256 combinations. With one digit known, a mere 16 combinations to try.
I had that lock open in under 2 minutes.
Key-based systems are not necessarily more secure. Lockpicking techniques are well know. (Google "lockpicking faq". The MIT one is quite nice!)
There are those vibrating lockpick thingies, which move the pins up and down quite fast. (Sometimes referred to as "cheating" in lockpicking circles.)
Anyone remember the fiasco with those Kryptonite U-shaped bike locks and bic pen caps?
Or you can just skip the locking mechanism entirely. As a freshman in college, I used to use a piece of plastic cut from a 2-liter coke bottle to enter my room. The key would not go into the lock easily. 10 minutes of jiggling to get it to turn. The plastic was much faster. Just slip it into the door jam. And make sure you have the right room...
@TheMatt: The best thing about OHMSS was Diana Rigg...
Actually, I preferred the safecracker Bond used in You Only Live Twice. It was semiautomatic rather than fully automatic so you couldnt read a magazine (or even look at the pictures) while it worked, but it fit in your coat pocket, and at least on network TV, only took a couple of minutes. Of course it didnt have a copier built in; which in '69 was pretty neat too.
"Key-based systems are not necessarily more secure. Lockpicking techniques are well know."
Right. Most M***r key-operated locks aren't much of a barrier to a good lockpicker.
A good choice is a lock that operates with rotating discs instead of pin tumblers - like the Abus Granit (Abus Plus/Abus X-Plus) or the Abloy locks. Alternatively use a lock that does not only rely on pin tumbler locking mechanisms, like Medeco, Assa Twin, Chubb AVA or Evva 3KS.
A year or so ago, the UK government sent out a leaflet to every home in the country, mine included, called "Preparing For Emergencies" which aimed to give just the sort of practical advice you speak of. That leaflet is replicated online here:
Unfortuntely it was complete bollocks, and a fantastic piss-take was published here:
Personally I think the latter is fantastically more useful in the fight against terrorism because it takes people who might otherwise be living in fear and makes them laugh, thus helping them to get on with enjoying their lives and not living in fear of the absolutely tiny probability of being caught up in a terrorist act.
An institution in this area uses two different types of push-button combination lock on the same building, but with the same combination. The different nature of the locks means that the number of combinations on one of the locks is reduced to 5. Yes, _five_.
Do the X09 series door locks have a fire rating and if so would the lock rating effect the door rating?
If you want people to show a real intrest, then I would advise you to cut down the amount of writing. There is far too much on this page!
Business neighbors just tossed out a huge combination safe which noone has the combi to. I have it and would love advice on how to open it non - destructively. No name, very rusty, double door and a dial wheel with "PAT'D Oct 2 88" and a five digit serial number.
thanks its very good information for us ı like it
@Sailorman & Unixronin
Start by posting photos of your safe at www.lockpicking101.com and ask for mfg, model and advice.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.