Brute-Force Safecracking

This safecracking robot tries every possible combination, one after another:

Combination space optimization is the key. By exploiting of the mechanical tolerances of the lock and certain combination “forbidden zones”, we reduced the number of possible combinations by about an order of magnitude.

Opening the safe took “just a few hours.”

Along the same lines, here’s a Lego robot that cracks combination locks. I wrote about another, non-Lego, brute-force combination lock cracker a few years ago. The original link is broken, but the project is here.

EDITED TO ADD (2/13): In this video, champion safecracker Jeff Sitar opens a similar safe by feel and sound in just 5 minutes and 19 seconds.

Tags: , , ,

Posted on January 24, 2011 at 6:15 AM40 Comments

Comments

Jim January 24, 2011 6:40 AM

“Combination space optimization” — that’s what Feynman did with safes too. Add in some more jargon to make us think this is news … perhaps the robot should have a fake stethoscope too …

Gabriel January 24, 2011 6:56 AM

Remember any idiot can buy a robot if it is cheap enough, as opposed to hiring a professional safe cracker. Also, robots can work faster than fingers.

Of course the fact remains that physical security is often not as robust as electronic. Look at your house key. But how many safes are available for access undetectable for several hours? Physical access to a location to commit crime is always going to limit the effort an attacker can expend, even if the attacker would be willing to expend an infinite amount of effort.

What any technology that speeds up the process does, however, is force safe owners to evaluate if 1-2 hours is good enough for their needs. For a store, probably yes. For a wealthy homeowner with valuables, probably not.

BF Skinner January 24, 2011 6:59 AM

“manipulation proof” For a given value of manipulation I guess.
Mosler lost their GSA certification on one of their models when they decided to replace the workings with plastic. The tester drilled a hole, shot liquid nitrogen into it, gave the locking lever a yank and shattered the workings. Counting the drilling time he was inside the container in under 10 minutes.

I suppose they refer to the inability of a manual cracker to feel mechanical movement. But it seems they were still able to stress the hardware parts of the lock.

But any combination lock, even electronic, should fall to a comparable method. Shouldn’t it?
Unless the lock is programmed to lock out further attempts for XX amount of time after X bad attempts for XX amount time.

What’s nice about the electronic locks to my mind is they can be routed to an auditing subsystem and a unique combination can be assigned to each individual (really useful in TPI if all you’ve got is two guys on the blue team) and yay! no combo changes just because someone transfers. What I don’t like is the thought of being 1000 miles out to sea and having it fail. You’d be surprised how much it costs to get Mosler or Greeleaf to air freight a locksmith.

Gweihir January 24, 2011 7:02 AM

21’000 combinations to success is not impressive at all. However, given that safes are only intended to stop attackers for a few hours (overnight at best) and that truly secure safe installation will have motion detectors and timed locks that only open during business hours, this machine is not really an increased risk, except for those that do not understand safe security.

It is a very neat hardware hack though.

Les January 24, 2011 7:15 AM

One possible countermeasure would be to add a mechanical timer that enforces a minimum interval between attempts.

For instance, 21,000 attempts at one per minute is just over two weeks. That’s doable, but it would definitely stop someone who is in a hurry.

Of course, this solution brings with it a number of new failure modes:
Should the clockwork be designed to fail in an active or inactive state?
Is there a denial of service attack that forces the contents owner to take them out of the safe?

csrster January 24, 2011 7:33 AM

Am I the only one who saw the title of the post and immediately thought “You were only supposed to blow the bloody doors off!”

Phil January 24, 2011 7:48 AM

“Unless the lock is programmed to lock out further attempts for XX amount of time after X bad attempts for XX amount time.”

I believe class one safes for the US Gov’t are required to have this feature these days.

Dirk Praet January 24, 2011 8:45 AM

Combination space optimisation is a popular technique in more than one field. Watch Samy Kamkar reduce PHP’s session cookie/ID – supposed to be 160 bits of random data – at Defcon 18 at http://www.youtube.com/watch?v=fEmO7wQKCMw&feature=related .

I was wondering if there are already safes on the market that apply a similar technique as with cell phone SIM cards: three attempts for the 4-digit pin-code, then requiring an 8-digit PUK. n attempts at the PUK will invalidate the SIM, or in the case of a safe would require vendor intervention.

Tim January 24, 2011 8:56 AM

Dirk: I saw that video, but it’s not clear that he actually implemented the technique successfully.

Related anecdote: I cracked the three-digit code for our student house fire alarm system using brute force. You can reduce the number of button presses from 30,000 to 1002 because that particular system had no “Ok” button. I.e. if you type 1234 and the code is 234 it will let you in. There is a 1002 digit number that has all 3 digit numbers within it.

The code was 123. :-/

Fred P January 24, 2011 9:44 AM

@Phil-

The only safe I had to deal with at work (around a decade ago) locked someone out for 24 hours after 3 bad attempts in a row (and lesser amounts of time for fewer failed attempts – I think even after 1 failure it was a couple of minutes). The standard entry method was pin & key.

However, my recollection is that if you disconnected the power, you could ignore all the electronics and use a mechanical key (which was needed since external access to the battery was non-trivial and the battery could fail while locked). I have no idea if the type of safe you’re specifying has this sort of backdoor, but to me it seemed to make the safe only slightly more complex to hack than a cylinder lock.

Dirk Praet January 24, 2011 9:54 AM

@ Tim

“I saw that video, but it’s not clear that he actually implemented the technique successfully.”

He probably did, but I guess it was not in his best interest to actually disclose that, being a known worm author doing his very best to stay out of jail.

Alan Kaminsky January 24, 2011 9:58 AM

There’s another technique much more effective than brute force. Dark Helmet of Planet Spaceball was able to extort Planet Druidia’s air shield combination from King Roland by threatening Princess Vespa with a nose job. Where a brute force search would have taken Helmet over three hours (at a rate of one combination per second, starting from 0), Helmet got the combination in a matter of minutes. It turned out to be the same as President Skroob’s luggage combination.

http://www.imdb.com/title/tt0094012/

Tony January 24, 2011 11:58 AM

Wasn’t there a bit in an early/Connery James Bond film that used this method to get into a safe?

Talk about a movie plot threat …

Anon January 24, 2011 12:28 PM

It was George Lazenby playing James Bond back in ’69 in the film “On Her Majesty’s Secret Service”. As I recall, they used a second man and a crane to lift the device into the building…

Tony January 24, 2011 1:05 PM

Right, right – they got the auto-knob-turner up to him via crane. I thought it was Connery, but why not go with Lazenby? He was pretty cool anyway.

Steven Hoober January 24, 2011 1:08 PM

The device in OHMMS also had a photocopier. That seemed to be a lot of the mass involved. I did like the safecracker, as it did usefully neat stuff like kicked itself off the safe when done.

One possible countermeasure would be to add a mechanical timer that enforces a minimum interval between attempts.

Before there were ICs everywhere, people solved these sorts of problems with clockwork and air logic and other silly things. I have seen numerous safes and access control systems that recorded last-time and locked after a certain number of failed attempts.

Anton January 24, 2011 2:12 PM

I have an old save, the key still sticking in it, but do not know the combination which is required in addition to the key. I’d quite happily pay $200 for someone to open it so that I can recycle the safe.

Must me more of these safes around. Could turn into a great business.

BF Skinner January 24, 2011 2:27 PM

@kingsnake Moscow Airport bombing “bomb before going through security ”

yeah…thought of that too.
The intial CNN report further annoyed and puzzled me
http://www.cnn.com/2011/WORLD/europe/01/24/russia.airport.explosion/index.html
It was almost a random string of partially related facts.

They quote Lufthansa as annoucing their flight scheduled changes?
The British FM talking about British Citzens.
NATO Secretary General Anders Fogh Rasmussen ? NATO? Why Nato?

But this line “Russia has a long history of dealing with terror attacks.”
Reporters need some rigor in their language.

What is the value of ‘dealing’ here.
Medvedev anounced “additional security.” predictable.

Pieter January 24, 2011 2:47 PM

I really like the Kaba Mas X-09 safe lock the article links to.

Designed for the paranoid people among us:
– You rotate the dial to charge the electronic lock, so no failing battery.
– It knows how far a human can rotate the lock, so take it further before stopping and it concludes you are a robot dialer -> reset.
– It knows how fast a human can rotate the lock, so take it faster -> reset
– At each rotation direction change (R -> L or L -> R) the lock randomizes the number on the dial, so you have to see where it is and really rotate to the correct value, so no 30 degrees left, 40 degrees right, etc. This also helps against a person looking at the operator and trying to copy the combination.
– Wrong try time penalty.

I want one!

Bit expensive though, to just buy one and put it on a shelf for display…

Bruce Clement January 24, 2011 4:03 PM

@Pieter

Features like those you list on the Kaba would be great to have and fairly cheap to implement for an electronic lock.

Having a purely mechanical lock means you can work it: in a power cut, if the batteries go flat, following a lightning strike, etc, etc. Following the old KISS adage, I worry about features like that as they adds complexity, and in a mechanical or electromechanical system would greatly reduce reliability.

Bob T. January 24, 2011 4:58 PM

“There is a 1002 digit number that has all 3 digit numbers within it.”

This sounds like a fun puzzle – construct such a 1002 digit string. Easy to see that at least 1002 digits required…
What if the string wraps around? – is there a 1000 digit string that will do?
Leave me a hint in a day or two if you know the answer ….

BF Skinner January 24, 2011 6:23 PM

“dealing with terror attacks.”
Now know what the value of dealing is for Russia. Airport is claimed back to normal ops after several hours. Any guesses as to how long it take to restore LAX, SeaTAC or JFK to normal ops after a similar attack.

tensor January 25, 2011 2:28 AM

Feynman exploited two facts: some users would leave the safe combination as set at the factory (he had learned that exact combination) and the safe’s resolution was poor: each “number” was actually a range of numbers on either side. That latter fact drastically reduced the total set of possible combinations.

As noted above, Mr. Bond used an electromechanical device to open Gumbold’s safe; in the film, it seemed to try various numbers at random for each place in the three-place combination. I wonder if anyone here can comment on that algorithm?

Clive Robinson January 25, 2011 3:59 AM

@ tensor,

“Feynman exploited two facts: some users would eave the safe combination as set at the factory”

It was a bit more than that, he also realised some of the Manhattan Project’s humans were more human than others, and would set the combination of the safe to some mathmatical or physical constant.

He could usually find out which one just by glancing at the dial when the safe was open and with his back towards the safe whilst chatting to the safes “owner” sureptitiously turn the dial whilst feeling the retractor, this would give him two of the digits thus guessing the mathmatical constant was easy.

He got so good at it that apparently the official security persons sent memos around saying Feynman should not be alowed near any safe.

Doug Coulter January 25, 2011 12:34 PM

In a small town near me they had a bank-safe breakin. It showed how “security theater” a bank safe usually is. Sure, it had the big door, time-enabled locking, all thick and pretty covering of stainless steel, on the part you could see inside the bank.

The thieves simply backed up a truck into the brick wall outside the bank, walked into the safe from behind, got what they wanted, and drove away.
You don’t think a small town bank can afford hundreds of tons of thick hard steel for all the walls, do you?

Komori January 25, 2011 1:16 PM

@Bruce Clement

Note the first feature: the lock is powered by the movement of the dial. This eliminates the first two of your objections, as there is no battery to go flat or connection to mains power to go out. As far as lightning strikes go, I venture to suggest that lightning rods are far more common than safes, so if your safe is in a position where a lightning strike is even possible you’ve already completely lost the physical security battle.

There is a series of books titled Locks, Safes and Security that go in to detail on lock and safe construction and bypass (the amount of detail greatly depends on which version you can get; general public, locksmith, or government). I don’t have my set at hand, but as I recall the Mas X series locks were actually significantly more reliable than the mechanical locks. The electronics involved are pretty much trivially simple by today’s standards, whereas the best mechanical locks are still pushing the boundary of material science and are inherently quite complex mechanisms in any case.

Richard Steven Hack January 25, 2011 10:28 PM

“But how many safes are available for access undetectable for several hours?”

That’s why the pros buy the same model safe and practice on it in private. That would probably narrow it down even more for the robot in some way. Also, safes in empty offices overnight would be available “for several hours”.

Bob T January 26, 2011 12:04 AM

“There is a 1002 digit number that has all 3 digit numbers within it.”

“http://en.wikipedia.org/wiki/De_Bruijn_sequence”

Thanks for the hint! actually, this was a fun puzzle, and I couldn’t resist programming it up to see the odd randomish sequences that come out. Without the hint I had generalized the problem and converted it to a graph traversal problem just as described in the article; it turns out that for the resulting (directed) graph, each node has the same number of incoming and outgoing arcs, which means the graph is easily traversed (Eulerian Circuit) by a simple depth first search (so I learned).

My conjecture about wrapped around sequences was correct too – in fact that is the way mathematicians prefer to frame the problem.

There are lots of such sequences (including some beginning with “123”) – the heavy-duty mathematics seems to be in counting the number of distinct sequences for a given alphabet size and substring length.

bob (the original bob) January 26, 2011 7:10 AM

@Tony, Anon: That was actually a step backwards in technology. He had time to read a Playboy (“Spieljunge”, since it was in CH?) while waiting for that one to crack; in the previous movie (“You Only Live Twice”) Bond had one that fit in his shirt pocket. It was manually operated rather than automatic, but was able to defeat the combo in Osato’s office in <30 seconds with it.

I hate it when people lose technology; in Star Trek (“By any other name”) some aliens modified the Enterprise to go Warp 12, but then by the next episode it was limited to Warp 8 again.

Of course the OHMSS safecracker had a copier “built-in” so its not a direct comparison; but a Minox or equiv would have solved the imaging problem and still been 1/50 the size, and equally faster than a copier, especially ca 1969.

There’s also the issue of nosy people watching the construction site seeing a construction worker put a big suitcase in a concrete bucket and holding it at an apartment window to be added/removed. And of course the reliability of the crane operator. The concealable tools in YOLT didn’t generate any suspicion in casual passersby.

And finally of course there’s the hottie in the rare Toyota 2000 sports car…

Anοnymous February 21, 2011 6:44 AM

The Kaba MAS X-09 is pretty impressive; but yeah, it’s extremely expensive, for a lock.

But rate limiting (usually called “wrong try penalty” or “penalty lockout”) is very easy to implement in electronics so it’s now a standard feature in all but the cheapest electronic locks, including Kaba Mas models that are under $200.

Most medium-security electronic safe locks nowadays seem to give 3 ~ 5 free tries, then a 3 minute, 5 minute or 15 minute penalty (lockout) after each successive wrong entry. Even a 3 minute penalty seems pretty adequate, really. With the 15 minute penalty, over a long weekend an autodialler gets just 340 guesses, or about 340 chances in a million for a random passcode. Of course its odds are better if the passcode is less than strictly random, but it doesn’t get to certainty even for very weak passcodes, such as if the attacker definitely knows the passcode is actually a child’s birthday, and knows the child’s approximate age!

And pretty well all of them log the failed attempts, so a long weekend is about the greatest number of attempts you are likely to get away with.

Anοnymous February 21, 2011 7:29 AM

@Doug Coulter:

I guess things are different in the US, but around here, a bank branch (regardless of size) can’t get insurance unless the vault meets certain standards. Those standards certainly exclude brick walls.

However, they don’t need to be hundreds of tons of steel, either. The most common modern construction is made of prefabricated concrete panels assembled on site. Typically each panel is 190 mm (7½”) thick, 3m (10′) high, 500 mm (20″) wide. The concrete composition is resistant to drilling. Panels weigh about 600 kg each so they are easily moved on site. They are prefabricated in steel frames that are integrally welded to their rebar, and once on site these frames then interlock on the outside, and are bolted or welded together on the inside.

This sort of structure has several advantages. It can be assembled fast (sometimes in as little as a week.) Unlike older vault construction techniques, which made the vault a positive liability if the premises were sold, this type can be dismantled and reused elsewhere.

It weighs only ~20 tons for a 3 x 3 m vault, which makes it practical to assemble more than one storey above the ground, a significant security advantage provided the adjacent floors are also monitored.

Of course 190 mm of concrete, even antidrilling concrete, is by no means impenetrable, but it only needs to resist attack for as long as the police take to respond to the alarms.

Paul September 13, 2021 2:25 AM

The sophisticated electronics of the Kaba Mas X-series of locks is security theater. Why do I say that despite the numerous electronic safeguards against unauthorized entry?

Read below:

All the sophisticated electronics in the Kaba Mas X-series of locks exists for one ultimate purpose, to rotate the motor.

So cut to the chase, totally bypass all the electronics and rotate the motor with an external mechanical energy input.

That mechanical energy is vibrations induced by the portable rechargeable battery-powered sander (links below) (without sandpaper, the rubber pad of the foot of the sander transfers the vibrations to the surface the lock is mounted on).

As far as I can see in the photos below, the Kaba Mas motor allows the knob to engage the bolt.

The motor direction is constrained by the gear train.

Mechanical vibration will make the motor try to turn back and forth, but the gear train will allow motor movement in only one direction, the unlocking direction.

Shake (vibrate) the lock until the knob can withdraw the bolt.

“Shake it ’till you make it”

https://roundybox.com/wp-content/uploads/2018/08/0925A-09A-768×768.jpg

http://i1146.photobucket.com/albums/o525/GWiens2001/KABA%20MAS%20X-09/1AF4C503-E689-4FEB-8B95-94D72FB30E02-2870-00000593585D195E_zpscebfb880.jpg

https://c8.alamy.com/comp/B5HA2H/internal-view-of-the-kaba-mas-x-09-electronic-safe-lock-B5HA2H.jpg

https://www.wired.com/story/atm-lock-hack-electric-leaks/

Maybe a SQUID would pick up the magnetic fields from the data transfer?

But it may not need such a sophisticated nation-state level attack. Maybe your nearest Home Depot, Lowe’s, Bunning’s, etc. (depending on your location) has just the right tool for the job?

I wonder if there’s anything mechanical in the locks to prevent vibrations driving the X-08, X-09 and X-10 motor. Maybe put a powerful vibrator like this sander:

https://shop.goldpeaktools.com.ph/products/bosch-gss-18v-li-cordless-finishing-sander-bare-tool

https://vintalicious.net/vibrating-plate-sander/
https://www.ebay.co.uk/p/3032717802?iid=391922303181

against the door of the filing cabinet or safe and the bolt can be retracted? The sander usually has a rubber pad on the bottom that grips sandpaper but for vibrating a filing cabinet or safe the rubber pad provides helpful friction to transfer the shaking. I’m thinking the vibrations may cause the motor and gear train to turn, thus allowing retracting the bolt. I don’t have a sander and X-series lock to try it out but you may wish to try it.

PS September 17, 2021 9:14 PM

Proof Of Concept:

I was repairing some equipment, a DAT machine and had the gear train opened.
I was also drilling something nearby.
I found the gear train moved.
Also, one isolated gear spun very rapidly.
The drill vibrated the workbench, which in turn vibrated the gears.
The gear shafts were supported by bearings and the only way the gears could move was by rotation.
That makes me think vibration can cause the motor of the Kaba Mas X-series locks to rotate and also cause the lock’s gears to rotate.
That’s why I view the sophisticated electronics of the Kaba Mas X-series locks as clever (and expensive) security theater.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.