Information Leakage from Keypads

Can anyone guess the entry codes for these door locks?

digital lock security keypad

There are 10,000 possible four-digit codes, but you only have to try 24 on these keypads. The first is most likely 1986 or 1968. The second is almost certainly 1234.

Posted on July 2, 2009 at 12:09 PM • 79 Comments

Comments

Joel FJuly 2, 2009 12:39 PM

The first may have few possibilities, but I would start with 1968, followed by 1986.

MarkHJuly 2, 2009 12:57 PM

Talk about leakage! The left-hand picture discloses not only the combination that was in use for the longest time, but also a second shorter-term combination, helpfully highlighted with a ball-point pen!

mphJuly 2, 2009 1:14 PM

That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!

EnderJuly 2, 2009 1:22 PM

I've seen plenty of these used instead of intercoms on apartment buildings. The elderly residents never can figure out how the youngsters manage to get in without knowing the code.

The funnier part is that guessing the order is not even really needed in most cases. Pressing all 4 'correct' buttons simultaneously for a few times within a short interval tends to confuse the keypad into thinking you've typed the correct code.

jcJuly 2, 2009 1:36 PM

If the locks always look for a match in the four last numbers, which is very common, you can type in the 24 combinations so they overlap each other, with a sequence like:

123412314231243121342132413214321

which is only 33 key presses instead of 96.

noahJuly 2, 2009 1:52 PM

So that's why IT departments insist you change your password every 30 days. Same attack works on keyboards, right?

MarkJuly 2, 2009 1:57 PM

These are nice examples, thank you.

Those of you with more robust keypads don't be smug - you know who you are. There are various techniques to recognise frequently used combinations.

One technique used to be to paint the keyboard with a solution containing washing powder. The keys that aren't part of the combination glow under UV light.

A former employer inherited an office with a mechanical combination lock, but no combination. I examined it and told them the sequence. They asked if I could change that sequence, to which I replied "Yes, but I recommend you replace the lock".

I like these combination locks: http://www.kaba-mas.com/a.php?page=x-09_main. Shame about the price.

bobJuly 2, 2009 2:07 PM

Our combo locks here have blank caps and LED displays underneath which generate a pseudorandom layout of numbers each time you use it. This makes them hard to shoulder surf, since you have to be right over them to see the numbers, and makes it irrelevant to see which physical key is pressed since the number each key represents is randomized every access.

Of course the 7-segment LED layout makes it hard to tell a "1" from a "7" or "9" from "8" etc; so you cant enter your code as rapidly as you would if you knew where the key was going to be cause you actually have to hunt them up each time.

CerebusJuly 2, 2009 2:08 PM

The first one's more likely 1968; it's a more probable birthdate for the owner/installer of the lock, given the age of it. :)

-- C

McGregorMortisJuly 2, 2009 2:11 PM

Years ago I worked in an office that had those 5 button "Simplex" door locks.

They didn't suffer from this obvious wear (the buttons are just matte finished metal with no printing or engraving on them), and they actually did change the combinations occasionally.

But it occurred to me that it would be fairly straightforward to get substantial information about the combination by surreptitiously applying a tiny dot of ink to each of the five buttons. Then come back later to see which dots have been worn off.

If only three buttons are used, the search space is only 240 possible combinations (including the chords that Simplex locks allow.) A feasible attack, given enough time alone in the office at night.

McGregorMortisJuly 2, 2009 2:13 PM

Sorry, that was silly of me...

240 is the space of all possible 3-digit combinations. If you know which three digits are involved, the search space is only 24 combinations.

Jeff KentonJuly 2, 2009 2:56 PM

A related thought:

The old Master combination locks would reveal the final digit of the combination if you pulled the shackle and turned the dial. And, there was a pattern to the digits that eliminated all but 100 possible combinations once you knew the last digit. I used to be able to open one in 10 minutes. (The new ones are a little better.)

user@example.comJuly 2, 2009 3:01 PM

And, of course, if you want to be sure to open it first time, once you've found the digits you can apply your ink (although I've been reliably informed that a tiny bit of butter works fine - not to mention being easy for people to explain away as some filthy git smearing their lunch-covered hands all over the place) to one of them and figure out that number's position in the code.

BahggyJuly 2, 2009 3:04 PM

@McGregorMortis,
i have come across many of these Simplex locks, I have yet to find one that has taken me more than 90 seconds to get into without ANY knowledge of the combination, this includes combinations with chords and 4-digit combinations.

RHJuly 2, 2009 3:13 PM

@Bahggy: do those locks leak information as you type the combo? or do people just pick weak combos that are easy to guess?

UCJuly 2, 2009 3:25 PM

For newer door locks:
1) Wipe the buttons clean.
2) Apply a thin layer of olive oil on the buttons.
2) Wait for someone to enter.
3) Blow flour (or some other powder) on keys.
4) Try the 24 combination sequentially or pressing all of the four buttons at once many times.

McGregorMortisJuly 2, 2009 3:27 PM

I have read documents describing how the Simplex locks are subject to the same kinds of attacks as other combination locks. Mechanical tolerances that let you feel out which buttons are offering more resistance than others.

I've tried (briefly) using those methods to crack them, but I guess my gorilla fingers don't have the magic touch.

mcbJuly 2, 2009 3:42 PM

@ Angel One

"Where are those pictures from?"

Everywhere...

We once came off a park trail a few minutes after closing time and found ourselves locked behind a access control gate. While my family began debating who to call for assistance I drove up to the control box, punched in 1, 2, 3, 4 and we were on our way.

Clive RobinsonJuly 2, 2009 4:38 PM

As Bob noted above you can get locks with LED/LCD 7 seg displays in or adjacent to the buttons that change randomly.

The big disadvantage of them is that due to "security" the keypad has to be placed at "eye hight" and key entry is slow. Which means that you can easily see which keys have been pressed.

"So what" you say "it does not matter as it's random and there is no information to be gained". The chances are there actualy is...

Now being an engineer of embedded security and safety systems for many many long and weary years ;) I learnt one thing about my co-workers and their bosses KISS is a mantra that gives rise to insecurity big time.

I'm willing to make a small bet that if you examine the code used for the random selection in the average "random" lock, you will find,

1, It's entirely determanistic.

2, It is time based or of a short sequence.

3, The sequence is likley to be easily worked out either forwards or backwards.

4, There are likley to be easy ways to "reset" the sequence to a known state (for when one or more 7seg displays fail and a service tech needs to open the door for a customer).

So if you see which keys are pressed and either before or after have made a note of the "random selection" then the chances are you will be able to move forwards or backwards in the sequence and work out what the door code is (and chances are in England it will be 1966).

I'm guessing within a year or two we will see Bruce blog about such an exploit against a "high tech random keypad lock".

ColoZJuly 2, 2009 5:52 PM

Clive -- what is special about 1966 in the UK? (1066 I could understand!)

ErikJuly 2, 2009 6:32 PM

I noticed this problem on the keypad at a friend's house and pointed it out to him. He said he wasn't worried because most thieves are drug addicts and most drug addicts aren't very smart (otherwise why would they become addicts?) so they wouldn't be able to figure it out. Fortunately he didn't live there long enough to be proven stupid.

JakeJuly 2, 2009 6:44 PM

@noah

No, the same trick should not work on a computer keyboard, unless the only keys you ever press happen to be the same keys that make up your password.

For almost all users, the amount of normal typing they do should dwarf the keypresses used to enter their password.

On a lock keypad, typically the only keys pressed will be those belonging to the access code (unless someone typos or is just pressing buttons randomly)

philJuly 2, 2009 7:11 PM

@McGregorMortis

Years ago I worked in an office that had those 5 button "Simplex" door locks. ... If only three buttons are used, the search space is only 240 possible combinations (including the chords that Simplex locks allow.) A feasible attack, given enough time alone in the office at night.

Those locks suffer from a security weakness caused by the mechanics: a button can only be used once in a combination -- you cannot have a repeated button press. This dramatically reduces the total number of possible combinations. It's possible to try every possible valid three-digit combination in under 5 minutes (the voice of experience).

HeronJuly 2, 2009 7:24 PM

My laptop's keyboard has the keys A, S, D, M, and N partially worn off. A, S, and D are probably from all the video gaming, but I can't explain M and N...

Clive RobinsonJuly 2, 2009 7:33 PM

@ ColoZ,

"what is special about 1966 in the UK?"

Ahh it has to do with something refered to as "the glorious game", for non Americans Football and for Americans Socca.

Also as I said it is specific to England not the rest of the UK (Scotland Wales, NI is technicaly not part of the UK).

1966 was the last time England officialy won the "World Cup".

As for 1066 that was when we Anglo Saxons got invaded by that illegitamate Norman upstart, who later started the hate of all good honest men the Census, by which taxation could be imposed on those undertaking honest toil.

I think most would agree 1066 it is a date to associate with infamy, not national achivment.

Bruce ClementJuly 2, 2009 10:13 PM

@Clive Robinson

I think you'll find that the UK government considers NI to be part of the "United Kingdom of Great Britain and Northern Ireland"

Not part of Great Britain, but part of the UK.

jammitJuly 2, 2009 10:49 PM

I was going to say to dust the keypad for prints, but others beat me to it. At a place I used to work at, I made sure to press every key after typing in my code, just to make sure there was no easy pattern wear.

NimbyJuly 2, 2009 11:18 PM

Not so foolish people, actually. The first combination may be 2430 or some other number that does not include 1689. Artificially wear down the covers on four incorrect number pads and any would-be thief may spend hours trying to guess the combination.

Once at a facility in Angola, I was given a key and directions to the door it would unlock. When I got there, instead of a keyhole, I was presented with a combination pad. I was about to give up and return when the man who had given me the key came around the corner, apologized, and showed me how the keypad flipped open presenting a keyhole behind it. Interesting security.

brainfartJuly 3, 2009 3:08 AM

Information Leakage: in the second picture you can see a face on the keys.

Daniel WijkJuly 3, 2009 3:12 AM

Nimby: Yes, "security by obscurity" can create some interesting solutions even thou they are no good at deterring a true threat :-)

Economics...July 3, 2009 4:21 AM

Why is this a security issue? You have failed to consider the economics. Maybe this keypad is in a nursery, on the door to the toilets. Children are prevented from wandering in. But adults can access with ease.

We have an insecure keycode for the baby changing room in our building -- is this a security risk?

A nonny bunnyJuly 3, 2009 5:07 AM

@brainfart
"Information Leakage: in the second picture you can see a face on the keys."

It looks more like a hand.

Nicholas BohmJuly 3, 2009 5:48 AM

Using my RSA SecureId password generator requires entry of a six digit number. Each time after I use it I then press all the unused numbers several times to even up any wear or other markings. Simples.

Jonadab the Unsightly OneJuly 3, 2009 6:09 AM

Cerebus: It's at least as likely to be a graduation date as a birthdate.

One of the BIG problems with this kind of lock is that the same combination is used by everyone who has access. If you're going to do that, you may as well hand out physical keys.

The *advantage* to a keypad system, in theory, is that you can give everyone a different password (possibly to be combined with swiping an ID card), and so this provides an audit capability: you can tell who came and went at what time; this protects against the "inside job", which is a significant value.

If you aren't going to do that, just use a regular old lock and hand out metal keys. It's cheaper.

MarkJuly 3, 2009 8:43 AM

@Jonadab the Unsightly One

One of the BIG problems with this kind of lock is that the same combination is used by everyone who has access. If you're going to do that, you may as well hand out physical keys.

Actually you'd probably be better off handing out physical keys. Whilst it might be harder for someone to forget a short number than lose a physical object it's also a lot easier for this information to be copied. There is also no easy equivalent to taking a key away from someone. You'd need to change the number and ensure that everyone who needs to know is made aware of the change.

@Jonadab the Unsightly One

The *advantage* to a keypad system, in theory, is that you can give everyone a different password (possibly to be combined with swiping an ID card), and so this provides an audit capability: you can tell who came and went at what time; this protects against the "inside job", which is a significant value.

The latter is a "two factor" system. Effectivly the ID card is performing the function of a physical key. In this kind of setup a smart insider would need to both memorise someone's number and get hold of their card to leave a false trail.

withheldJuly 3, 2009 9:36 AM

I encountered this type of lock when I worked as a government auditor. Our copy of the database of all medical records for 'the jurisdiction we were responsible for' (I won't name the jurisdiction but it encompassed millions of individuals) was protected by a lock I could, and did, bypass in minutes. Other controls were installed after my demonstration.

Clive RobinsonJuly 3, 2009 11:04 AM

@ Bruce Clement,

'I think you'll find that the UK government considers NI to be part of the "United Kingdom of Great Britain and Northern Ireland"'

Yes but what is the overriding operator and why...

That is, is it,

(United Kingdom of Great Britain) and Northern Ireland

United Kingdom of (Great Britain and Northern Ireland)

You are saying the latter, whilst I'm saying the former which is the historical order it happened.

Also politicaly NI is in a very peculiar position as it is (supposadly) jointly governed under a power sharing agreement with what is now another sovrign nation which was once part of the greater whole.

Likewise people born in NI are the only people who are officialy have dual nationality and two passports (this minor little problem was the real nail in the ID card plans coffin)

datagramJuly 3, 2009 12:01 PM

Hi Bruce,

Great example of a problem with most keypad-based combination locks. Do you own the rights on these photos? If so, would you let me use them on my site (www.lockpickingforensics.com) ? They'd go in the Decoding section as a "visual decoding" type attack.

Let me know!

Thanks,
datagram

David WebbJuly 3, 2009 1:31 PM

Fingerprint dust is also very useful for working out which 4/6 numbers make up the combination.

Joel FJuly 3, 2009 3:19 PM

@Ramki B Ramakrishnan
"1234, 0000, 4567, 0123 all are fine; wondering whats the logic behind 1986 & 1968..."

Actually, 0000, 4567, and 0123 are not indicated by the second picture. The keys for 1, 2, 3, 4, and Enter are the ones that are worn (they're shiny, polished smooth by many finger-presses).

In the first picture, the logic behind guessing 1986 and 1968 is that important years (wedding, birthdate or graduation of oneself or a loved-one, etc.) are too often used as numeric codes because they are easy to remember.

partdavidJuly 3, 2009 6:37 PM

Keyboards can't be subject to the same kind of attack, because surely your password is one of the more unusual things you type on it. I would be surprised if every keyboard didn't more or less reflect the letter frequency of the user's language, right?

Clive RobinsonJuly 4, 2009 7:31 AM

@ partdavid,

"I would be surprised if every keyboard didn't more or less reflect the letter frequency of the user's language, right?"

Wrong but your idear is correct.

It will reflect the letter frequency of the data entry performed at the keyboard.

So if it's word proc (about 80% of keyboard use) then you are likley to be correct.

However if they are a sloppy German programer who does not comment code for instance, then the keys are more likley to reflect a limited subset of English than German. If however they are a good German programer who comments their code well then it would be nearer to German...

So first you have to "know your target" or have a list of "frequency tables".

It has been suggested that the likes of the NSA have many lists of frequency tables not just of individual letters but bi-grams, tri-grams and conectives for many languages and activities.

However I suspect that that is not the primary way they deal with recovering encrypted files these days (but the method would be invaluable for the first steps in automated cataloging etc of plaintext).

I suspect NSA&Co use automated probable plain text bassed on the "style" gumf that modern applications put in files and "rainbow tables". (think a more upto date version of the Unix "magic file").

jlc3July 4, 2009 10:28 AM

Cipher locks are subject to this as well. A friend, whos job is manage the cipher locks on safe rooms (SCIF's etc) pointed out that a light dusting of graphite on the buttons will quickly show use patterns as well.

Jose DelaFuenteJuly 4, 2009 10:22 PM

What if it is a 6-digit code, or an 8-digit code?

Your smart, clever, happy smiling face will turn in a not-so-happy face, standing "at this side" of the lock door :-)

got toast? ;-PJuly 5, 2009 9:59 PM

"Information Leakage: in the second picture you can see a face on the keys."
"It looks more like a hand."

no, the figment is *always* mother mary, gbus, the proctology & gamble man, or the like. (smeary specs)

tommyJuly 6, 2009 8:37 AM

We had a brilliant system where I used to work that anyone could bypass in a matter of seconds. There was no limit to the number of key-presses, and it
simply tested if the last four keys matched one of the correct codes; typing 123456789 would open the door if e.g. 3456 or 4567 was correct. On top of that we all had unique 4-digit codes. :)

RossJuly 6, 2009 10:40 AM

"12345?! That's amazing. I got the same combination on my luggage!"
-- Spaceballs

markJuly 7, 2009 4:15 AM

This makes me think of last month when joining a reward club at our local casino.

I had to choose my own 4 digit pin, but when I chose 2580 I was told by the clerk that I "couldn't have a recognised pattern" and when I tried my birth year I was told I "couldn't have two consecutive numbers".
After five attempts I finally got an "acceptable pin code" (and a grumpy clerk)

My guess is that after all the validation rules the 10000 random possible codes is reduced to 70 really hard to guess ones.

Trust a casino to calculate odds on this stuff.

RogerJuly 7, 2009 7:46 AM

@Jonadab the Unsightly One:
> If you aren't going to do that, just use a regular old lock and hand out metal keys. It's cheaper.

Actually, it's often not. The cheapest grade of these electronic locks are under a hundred dollars, so it doesn't take many system users before the cost of cutting keys for the mechanical system outweighs the electronic system and its free key issuance. If you pay $40 for a really nastily cheap mechanical lock and $3 for each key cut (the price varies widely but this is the ballpark for simple pin tumbler keys), then you only need to issue about 20 keys before the electronic lock would have been cheaper.

If the lock is for the lobby of an apartment building with 50 apartments and 100 residents, and if they change the key / code each time someone moves out, then you quickly discover that:
a) even a reasonable quality $600 electronic lock becomes cheaper after just a few weeks; but also
b) issuing individual PINs is not only better security, it also requires *less* management work in changing and re-issuing PINs.

(Of course, if you have 100 valid PINs in the system, you really should have more than 4 digits for a PIN!!)

friJuly 7, 2009 1:57 PM

"If however they are a good German programer who comments their code well then it would be nearer to German..."
A good german programmer who comments his/her code... nearer to German?

Who comments their code in German?
Except for children, commenting programming code in any other language than english is uncommon even among programmers that speak German.

Leroy F. BervenJuly 8, 2009 12:51 AM

After a decade-plus as security administrator of this type of lock system, I began to appreciate the merits of:
(1) assigning a (significantly) different code to each of the different user groups for the same set of locks;
(2) identifying an easy-to-use aid to memorization for each change of code for a specified user group, which kept the code for that group substantially distinct from the code currently used by each of the other user groups; and
(3) making damn sure that I had designated enough distinct user groups, to keep the frequency of change (based primarily on employee departure) down to a workable level.

TomJuly 15, 2009 11:38 PM

@ Heron:

"My laptop's keyboard has the keys A, S, D, M, and N partially worn off. A, S, and D are probably from all the video gaming, but I can't explain M and N..."
**************
Hypothesis: "M" and "N" are typed with the first finger of the right hand, which for the majority is the strongest at poking motions, hence more force applied. Same applies to "J", but the letter is used much less often. "U" and "Y" require an upward-reaching movement with a more-extended finger, which would produce significantly less force than M/N, which put the finger in its strongest position, about 90 degrees flexed. ... the same reason that on a biceps-curl exercise machine, your arm is strongest at about the 90-degree flex position.

For A/S/D, going a little farther out on a limb here (so to speak), but for the majority, the left arm and wrist are weaker, and so the hand may rest more heavily of its own weight on these keys than on the right-hand home keys. Add the fact that it would take some muscular effort to rotate the forearms inward to even the pressure; therefore, "F" receives less natural resting pressure than ASD. Perhaps a stronger right arm reduces the effect of this phenomenon on "K", "L", ";".

Theory concocted on the spot on a US laptop keyboard. Check it for yourself. Comments from all testers welcomed.
**

@ All of our British friends: Nothing for 1215? Surely a great date in the history of freedom, and this Yank thanks you for one of the seminal incidents leading to the Enlightenment and to the ideas that inspired the US's Founding Fathers. Cheers.


JLJuly 16, 2009 8:39 AM

Many of the rolling medication carts that were once used in hospitals (and are still used in many nursing homes) have similar locks.

The default combination on them was 1986. Never could decide why similar medication carts from different manufacturers used 1986 as the code, but I worked in dozens of hospitals and the codes had never been changed.

Bob OliverJuly 28, 2009 6:19 AM

I saw exactly the same thing at a farm where my son's band were practising in the studio there. However, I would not stand around trying more than a few attempts due to the number of rottweilers that were also proetcing the premises!

KerryAugust 12, 2010 10:36 AM

After you open a door using a 4-digit combination, before you pass, take a moment to press the remaining 6 digits on the keypad.

GuyAugust 12, 2010 11:25 AM

I found a bug with my apartment entry system: the resident pushes 9 to allow the person outside to enter when they call, but though the box disables the outside keypad during a call, it will still open the door if you hold your cell phone up to the microphone and press 9. So you just need to call someone, and during the phone ringing, push '9' on your cellphone to make the tone, and the door will open.

The manual for the system was available online, and it mentioned that it is designed for use in military installations and other secure facilities.

I thought about testing it on more systems and writing a security paper on it, but I figured there wouldn't be much interest in it, and that it would be hard to get published.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..