Schneier on Security
A blog covering security and security technology.
« Blowfish in Good Time Max |
| Hacking Tamper-Evident Devices »
January 24, 2011
This safecracking robot tries every possible combination, one after another:
Combination space optimization is the key. By exploiting of the mechanical tolerances of the lock and certain combination "forbidden zones", we reduced the number of possible combinations by about an order of magnitude.
Opening the safe took "just a few hours."
Along the same lines, here's a Lego robot that cracks combination locks. I wrote about another, non-Lego, brute-force combination lock cracker a few years ago. The original link is broken, but the project is here.
EDITED TO ADD (2/13): In this video, champion safecracker Jeff Sitar opens a similar safe by feel and sound in just 5 minutes and 19 seconds.
Posted on January 24, 2011 at 6:15 AM
• 38 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Richard Feynman was, according to his book, practicing the very same approach to picking combination locks long time ago
"Combination space optimization" -- that's what Feynman did with safes too. Add in some more jargon to make us think this is news ... perhaps the robot should have a fake stethoscope too ...
Remember any idiot can buy a robot if it is cheap enough, as opposed to hiring a professional safe cracker. Also, robots can work faster than fingers.
Of course the fact remains that physical security is often not as robust as electronic. Look at your house key. But how many safes are available for access undetectable for several hours? Physical access to a location to commit crime is always going to limit the effort an attacker can expend, even if the attacker would be willing to expend an infinite amount of effort.
What any technology that speeds up the process does, however, is force safe owners to evaluate if 1-2 hours is good enough for their needs. For a store, probably yes. For a wealthy homeowner with valuables, probably not.
"manipulation proof" For a given value of manipulation I guess.
Mosler lost their GSA certification on one of their models when they decided to replace the workings with plastic. The tester drilled a hole, shot liquid nitrogen into it, gave the locking lever a yank and shattered the workings. Counting the drilling time he was inside the container in under 10 minutes.
I suppose they refer to the inability of a manual cracker to feel mechanical movement. But it seems they were still able to stress the hardware parts of the lock.
But any combination lock, even electronic, should fall to a comparable method. Shouldn't it?
Unless the lock is programmed to lock out further attempts for XX amount of time after X bad attempts for XX amount time.
What's nice about the electronic locks to my mind is they can be routed to an auditing subsystem and a unique combination can be assigned to each individual (really useful in TPI if all you've got is two guys on the blue team) and yay! no combo changes just because someone transfers. What I don't like is the thought of being 1000 miles out to sea and having it fail. You'd be surprised how much it costs to get Mosler or Greeleaf to air freight a locksmith.
21'000 combinations to success is not impressive at all. However, given that safes are only intended to stop attackers for a few hours (overnight at best) and that truly secure safe installation will have motion detectors and timed locks that only open during business hours, this machine is not really an increased risk, except for those that do not understand safe security.
It is a very neat hardware hack though.
One possible countermeasure would be to add a mechanical timer that enforces a minimum interval between attempts.
For instance, 21,000 attempts at one per minute is just over two weeks. That's doable, but it would definitely stop someone who is in a hurry.
Of course, this solution brings with it a number of new failure modes:
Should the clockwork be designed to fail in an active or inactive state?
Is there a denial of service attack that forces the contents owner to take them out of the safe?
Am I the only one who saw the title of the post and immediately thought "You were only supposed to blow the bloody doors off!"
"Unless the lock is programmed to lock out further attempts for XX amount of time after X bad attempts for XX amount time."
I believe class one safes for the US Gov't are required to have this feature these days.
Combination space optimisation is a popular technique in more than one field. Watch Samy Kamkar reduce PHP's session cookie/ID - supposed to be 160 bits of random data - at Defcon 18 at http://www.youtube.com/watch?... .
I was wondering if there are already safes on the market that apply a similar technique as with cell phone SIM cards: three attempts for the 4-digit pin-code, then requiring an 8-digit PUK. n attempts at the PUK will invalidate the SIM, or in the case of a safe would require vendor intervention.
Dirk: I saw that video, but it's not clear that he actually implemented the technique successfully.
Related anecdote: I cracked the three-digit code for our student house fire alarm system using brute force. You can reduce the number of button presses from 30,000 to 1002 because that particular system had no "Ok" button. I.e. if you type 1234 and the code is 234 it will let you in. There is a 1002 digit number that has all 3 digit numbers within it.
The code was 123. :-/
Bruce, hackaday covered two similiar systems back in 2009 and 2006.
I've also seen an arduino+servo+solenoid solution somewhere for this. Even more interesting was an LCD hack for brute-forcing biometrics, but again it's been awhile.
The only safe I had to deal with at work (around a decade ago) locked someone out for 24 hours after 3 bad attempts in a row (and lesser amounts of time for fewer failed attempts - I think even after 1 failure it was a couple of minutes). The standard entry method was pin & key.
However, my recollection is that if you disconnected the power, you could ignore all the electronics and use a mechanical key (which was needed since external access to the battery was non-trivial and the battery could fail while locked). I have no idea if the type of safe you're specifying has this sort of backdoor, but to me it seemed to make the safe only slightly more complex to hack than a cylinder lock.
"I saw that video, but it's not clear that he actually implemented the technique successfully."
He probably did, but I guess it was not in his best interest to actually disclose that, being a known worm author doing his very best to stay out of jail.
There's another technique much more effective than brute force. Dark Helmet of Planet Spaceball was able to extort Planet Druidia's air shield combination from King Roland by threatening Princess Vespa with a nose job. Where a brute force search would have taken Helmet over three hours (at a rate of one combination per second, starting from 0), Helmet got the combination in a matter of minutes. It turned out to be the same as President Skroob's luggage combination.
Wasn't there a bit in an early/Connery James Bond film that used this method to get into a safe?
Talk about a movie plot threat ...
It was George Lazenby playing James Bond back in '69 in the film "On Her Majesty's Secret Service". As I recall, they used a second man and a crane to lift the device into the building...
Right, right - they got the auto-knob-turner up to him via crane. I thought it was Connery, but why not go with Lazenby? He was pretty cool anyway.
The device in OHMMS also had a photocopier. That seemed to be a lot of the mass involved. I did like the safecracker, as it did usefully neat stuff like kicked itself off the safe when done.
> One possible countermeasure would be to add a mechanical timer that enforces a minimum interval between attempts.
Before there were ICs everywhere, people solved these sorts of problems with clockwork and air logic and other silly things. I have seen numerous safes and access control systems that recorded last-time and locked after a certain number of failed attempts.
I have an old save, the key still sticking in it, but do not know the combination which is required in addition to the key. I'd quite happily pay $200 for someone to open it so that I can recycle the safe.
Must me more of these safes around. Could turn into a great business.
@kingsnake Moscow Airport bombing "bomb before going through security "
yeah...thought of that too.
The intial CNN report further annoyed and puzzled me
It was almost a random string of partially related facts.
They quote Lufthansa as annoucing their flight scheduled changes?
The British FM talking about British Citzens.
NATO Secretary General Anders Fogh Rasmussen ? NATO? Why Nato?
But this line "Russia has a long history of dealing with terror attacks."
Reporters need some rigor in their language.
What is the value of 'dealing' here.
Medvedev anounced "additional security." predictable.
I really like the Kaba Mas X-09 safe lock the article links to.
Designed for the paranoid people among us:
- You rotate the dial to charge the electronic lock, so no failing battery.
- It knows how far a human can rotate the lock, so take it further before stopping and it concludes you are a robot dialer -> reset.
- It knows how fast a human can rotate the lock, so take it faster -> reset
- At each rotation direction change (R -> L or L -> R) the lock randomizes the number on the dial, so you have to see where it is and really rotate to the correct value, so no 30 degrees left, 40 degrees right, etc. This also helps against a person looking at the operator and trying to copy the combination.
- Wrong try time penalty.
I want one!
Bit expensive though, to just buy one and put it on a shelf for display...
Features like those you list on the Kaba would be great to have and fairly cheap to implement for an electronic lock.
Having a purely mechanical lock means you can work it: in a power cut, if the batteries go flat, following a lightning strike, etc, etc. Following the old KISS adage, I worry about features like that as they adds complexity, and in a mechanical or electromechanical system would greatly reduce reliability.
Jeff Sitar - Champion Locksmith/Safecracker cracks one of these by feel and sound in just 5 minutes and 19 seconds!! Move to the 8 minute mark to see him crack it!!
"There is a 1002 digit number that has all 3 digit numbers within it."
This sounds like a fun puzzle - construct such a 1002 digit string. Easy to see that at least 1002 digits required...
What if the string wraps around? - is there a 1000 digit string that will do?
Leave me a hint in a day or two if you know the answer ....
"dealing with terror attacks."
Now know what the value of dealing is for Russia. Airport is claimed back to normal ops after several hours. Any guesses as to how long it take to restore LAX, SeaTAC or JFK to normal ops after a similar attack.
Feynman exploited two facts: some users would leave the safe combination as set at the factory (he had learned that exact combination) and the safe's resolution was poor: each "number" was actually a range of numbers on either side. That latter fact drastically reduced the total set of possible combinations.
As noted above, Mr. Bond used an electromechanical device to open Gumbold's safe; in the film, it seemed to try various numbers at random for each place in the three-place combination. I wonder if anyone here can comment on that algorithm?
"Feynman exploited two facts: some users would eave the safe combination as set at the factory"
It was a bit more than that, he also realised some of the Manhattan Project's humans were more human than others, and would set the combination of the safe to some mathmatical or physical constant.
He could usually find out which one just by glancing at the dial when the safe was open and with his back towards the safe whilst chatting to the safes "owner" sureptitiously turn the dial whilst feeling the retractor, this would give him two of the digits thus guessing the mathmatical constant was easy.
He got so good at it that apparently the official security persons sent memos around saying Feynman should not be alowed near any safe.
In a small town near me they had a bank-safe breakin. It showed how "security theater" a bank safe usually is. Sure, it had the big door, time-enabled locking, all thick and pretty covering of stainless steel, on the part you could see inside the bank.
The thieves simply backed up a truck into the brick wall outside the bank, walked into the safe from behind, got what they wanted, and drove away.
You don't think a small town bank can afford hundreds of tons of thick hard steel for all the walls, do you?
Note the first feature: the lock is powered by the movement of the dial. This eliminates the first two of your objections, as there is no battery to go flat or connection to mains power to go out. As far as lightning strikes go, I venture to suggest that lightning rods are far more common than safes, so if your safe is in a position where a lightning strike is even possible you've already completely lost the physical security battle.
There is a series of books titled Locks, Safes and Security that go in to detail on lock and safe construction and bypass (the amount of detail greatly depends on which version you can get; general public, locksmith, or government). I don't have my set at hand, but as I recall the Mas X series locks were actually significantly more reliable than the mechanical locks. The electronics involved are pretty much trivially simple by today's standards, whereas the best mechanical locks are still pushing the boundary of material science and are inherently quite complex mechanisms in any case.
"But how many safes are available for access undetectable for several hours?"
That's why the pros buy the same model safe and practice on it in private. That would probably narrow it down even more for the robot in some way. Also, safes in empty offices overnight would be available "for several hours".
"There is a 1002 digit number that has all 3 digit numbers within it."
Thanks for the hint! actually, this *was* a fun puzzle, and I couldn't resist programming it up to see the odd randomish sequences that come out. Without the hint I had generalized the problem and converted it to a graph traversal problem just as described in the article; it turns out that for the resulting (directed) graph, each node has the same number of incoming and outgoing arcs, which means the graph is easily traversed (Eulerian Circuit) by a simple depth first search (so I learned).
My conjecture about wrapped around sequences was correct too - in fact that is the way mathematicians prefer to frame the problem.
There are lots of such sequences (including some beginning with "123") - the heavy-duty mathematics seems to be in counting the number of distinct sequences for a given alphabet size and substring length.
@Tony, Anon: That was actually a step backwards in technology. He had time to read a Playboy ("Spieljunge", since it was in CH?) while waiting for that one to crack; in the previous movie ("You Only Live Twice") Bond had one that fit in his shirt pocket. It was manually operated rather than automatic, but was able to defeat the combo in Osato's office in
I hate it when people lose technology; in Star Trek ("By any other name") some aliens modified the Enterprise to go Warp 12, but then by the next episode it was limited to Warp 8 again.
Of course the OHMSS safecracker had a copier "built-in" so its not a direct comparison; but a Minox or equiv would have solved the imaging problem and still been 1/50 the size, and equally faster than a copier, especially ca 1969.
There's also the issue of nosy people watching the construction site seeing a construction worker put a big suitcase in a concrete bucket and holding it at an apartment window to be added/removed. And of course the reliability of the crane operator. The concealable tools in YOLT didn't generate any suspicion in casual passersby.
And finally of course there's the hottie in the rare Toyota 2000 sports car...
The Kaba MAS X-09 is pretty impressive; but yeah, it's extremely expensive, for a lock.
But rate limiting (usually called "wrong try penalty" or "penalty lockout") is very easy to implement in electronics so it's now a standard feature in all but the cheapest electronic locks, including Kaba Mas models that are under $200.
Most medium-security electronic safe locks nowadays seem to give 3 ~ 5 free tries, then a 3 minute, 5 minute or 15 minute penalty (lockout) after each successive wrong entry. Even a 3 minute penalty seems pretty adequate, really. With the 15 minute penalty, over a long weekend an autodialler gets just 340 guesses, or about 340 chances in a million for a random passcode. Of course its odds are better if the passcode is less than strictly random, but it doesn't get to certainty even for very weak passcodes, such as if the attacker definitely knows the passcode is actually a child's birthday, *and* knows the child's approximate age!
And pretty well all of them log the failed attempts, so a long weekend is about the greatest number of attempts you are likely to get away with.
I guess things are different in the US, but around here, a bank branch (regardless of size) can't get insurance unless the vault meets certain standards. Those standards certainly exclude brick walls.
However, they don't need to be hundreds of tons of steel, either. The most common modern construction is made of prefabricated concrete panels assembled on site. Typically each panel is 190 mm (7½") thick, 3m (10') high, 500 mm (20") wide. The concrete composition is resistant to drilling. Panels weigh about 600 kg each so they are easily moved on site. They are prefabricated in steel frames that are integrally welded to their rebar, and once on site these frames then interlock on the outside, and are bolted or welded together on the inside.
This sort of structure has several advantages. It can be assembled fast (sometimes in as little as a week.) Unlike older vault construction techniques, which made the vault a positive liability if the premises were sold, this type can be dismantled and reused elsewhere.
It weighs only ~20 tons for a 3 x 3 m vault, which makes it practical to assemble more than one storey above the ground, a significant security advantage provided the adjacent floors are also monitored.
Of course 190 mm of concrete, even antidrilling concrete, is by no means impenetrable, but it only needs to resist attack for as long as the police take to respond to the alarms.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.