Interview with a Safecracker

The legal kind. It's interesting:

Q: How realistic are movies that show people breaking into vaults?

A: Not very! In the movies it takes five minutes of razzle-dazzle; in real life it's usually at least a couple of hours of precision work for an easy, lost combination lockout.

[...]

Q: Have you ever met a lock you couldn't pick?

A: There are several types of locks that are designed to be extremely pick-resistant, as there are combination safe locks that can slow down my efforts at manipulation.

I've never met a safe or lock that kept me out for very long. Not saying I can't be stumped. Unknown mechanical malfunctions inside a safe or vault are the most challenging things I have to contend with and I will probably see one of those tomorrow since you just jinxed me with that question.

Posted on May 29, 2012 at 6:03 AM • 25 Comments

Comments

Clive Robinson • May 29, 2012 7:26 AM

"I've never met a safe or lock that kept me out for very long. Not saying I can't be stumped"

And in the physical world he never will....

It's almost a given that all mechanical devices have "slop" in their design, it's actually more important than "lubrication" to the long and successful working of a mechanical device.

Without it the lock would due to a whole host of reasons "bind" up and be useless.

Also at the end of the day all mechanical things break no matter how well you design them "entropy" will have its way. And if you are designing a safe it's important that you have weak points so you can still get it open even if the lock does break.

Anyone who thinks otherwise is going to be in for a sad and sorry awakening at some point unless they are short lived.

We people who work with information think we can design unbreakable information systems and in certain respects we can. But to be useful all of these fancy information systems have to work in the physical universe we inhabit that we sometimes call "the real world". This means even fancy information systems are vulnerable to time's arrow and its handmaiden entropy.

As has been observed before "You can't cheat Old Father Time"...

Which is why those dealing in physical security talk of security absolutes but time. In France they have one word for both security and safety, and we know very well from safety systems we don't talk about fire proof but time ratings for resistance such as A30 and A60, where those numbers mean minutes.

Mike B • May 29, 2012 7:56 AM

Shame this guy didn't cover new digital technologies which are a lot more resistant against many of the physical cracking attacks that make use of the manufacturing imperfections of the older spin dial type locks. Of course at the end of the day that's all moot because a good old oxy-Acetylene cutting torch will make short work of even the stoutest safe door.

Wired magazine had a good article on a jewel heist where the robbers obtained the code for the vault by simply installing covert cameras to capture the combination as employees entered it.

Paeniteo • May 29, 2012 7:58 AM

Beware of the "Kuchenblechmafia" (~ baking tin mafia):
http://www.youtube.com/watch?v=PVhYhLQ4Y64
Hilariously funny dialogue (only in German, unfortunately -- couldn't find an English version).

Short synopsis:
Safe building firm wants to discredit a competitor (whose products they consider being made of "baking tin") by forcefully opening one of their safes.

epic fail • May 29, 2012 8:19 AM

In the last line, the guy tells the reporter that he "jinxed" him by asking a question.
This 'don't speak of it' concept is real, when up against Murphy's law, I try never to postulate the negative outcome though I am very much aware of it. Like actors never calling the play Macbeth, and only referring to "the Scottish play"

Clive is great, even on his short posts he works in "time's arrow and its handmaiden entropy"
I love to read stuff like that.
Yes, everything breaks eventually.

Michael Brady • May 29, 2012 9:35 AM

@ Mike B

"Of course at the end of the day that's all moot because a good old oxy-Acetylene cutting torch will make short work of even the stoutest safe door."

Try that on my gun safe and you'll experience an unpleasant outcome. I'll take a financial hit, but no weapons will hit the street (except maybe in pieces).

paul • May 29, 2012 9:47 AM

Everything breaks eventually, especially if you know exactly which part to drill out so that it will break sooner rather than later.

That's one place where digital solutions (properly instantiated) may be able to do better.

Fred P • May 29, 2012 10:13 AM

@ Mike B

Actually, there are defenses against torches and other heat-based cutting methodologies (though they can get to be uselessly expensive). If you look through the archives, there's an article on cracking safes which goes through heat-based attacks and defenses.

Clive Robinson • May 29, 2012 12:49 PM

@ Mike B,

"Shame this guy didn't cover new digital technologies which are a lot more resistant against many of the physical cracking attacks..."

They are and they are not...

The mechanical parts of all types of lock are just as vulnerable as they have always been (in fact more so in many "digital" or electronic locks).

Now a traditional mechanical lock has a lot more mechanical parts to do with "key detection" so you would thus expect more "mechanically vulnerable" points.

A modern digital lock however does the "key detection" electronically, and this introduces new mechanical and electrical attacks on the electronics.

Now there are two basic types of electronic lock based on their power source (battery or mains) and this has very very significant design effects not just on the electronic but on the mechanics as well, and the additional "electro-mechanical" interface be it a motor, solenoid, speaker coil, or piezo clutch plate etc.

In a mains powered system such as a "door entry system" you can use an "open solenoid" where you have a ferromagnetic metal plate bolted to a strong point on the wall/door and a bracket bolted to another strong point on the door/wall, bolted onto the bracket is a low current high intensity "electromagnet". If you cut the current in any way then the electromagnet "fails open" good for an emergency door, bad for a safe door.

Thus most safes are designed to "fail in the last state" that is they remain in the previous locked or open state irrespective of if the power is there or not. That is they have some kind of mechanical latch that is bi-stable it is either open or it is closed in its rest or unpowered state and is only powered to transition the latch from one state to the other.

Now obviously such a bi-stable latch can be fairly easily and robustly designed if you have effectively unlimited "mains power" available. You don't have to overly worry about friction or weight or orientation of the bi-stable latch as there will be sufficient electrical power to overcome it.

This is not true of a battery powered lock where you might be looking at a specification calling for a year's lifetime or minimum of 4000 state changes before a battery change (or both). This is a very tough spec to meet on a battery even though it's only 11 state changes a day.

This means you have to use quite clever mechanical designs using very low powered motors or solenoids. Almost invariably they do not actually have the power to move the latch, what they do is put a "dogtooth" into a "drive chain" or act as a "clutch" in a drive chain. In almost all cases the drive chain is between the "human driven" handle and the latch.

Because of the low power of the solenoid the "dogtooth" is almost without exception very light and held back out of the drive chain by a very weak spring, just sufficient to pull back from the unloaded drive chain and against gravity. Usually the drive chain will have a stronger spring on the handle end sufficient to open the chain in the unloaded state so little or no friction is present on the dog tooth and it can be thus pulled back by the weak spring or pulled in by the almost as weak solenoid.

Thus all sorts of new avenues for attack come up including,

1, hitting the lock with a rubber hammer and twisting the handle, this is just like "bumping" a mechanical lock.

2, Spin and jerk on the handle, as some rotational drive chains will due to "centrifugal" (or centripetal depending on design) force catch without the dog tooth being activated.

3, A powerful magnet, in practice you cannot cost-effectively shield the solenoid from external magnetic fields so the solenoid will "pull in" with a sufficiently strong applied magnetic force (the way to stop it is to have another dog tooth that has no solenoid but when activated by a magnet locks out the drive chain so it won't work).

4, Drill the lock, all locks have deliberate "weak points" so they can be opened, even if they don't if you know where to make a small hole you can poke in a small piece of wire to activate the drive chain.

Oh and many other attacks on the mechanics.

Then of course you can attack the electronics in a whole variety of ways that I won't detail simply because way way too many electronic "digital" locks fail to very very simple and very easy to implement attacks that usually leave neither physical nor electronic evidence, usually because the designer does not know what they are doing as they have little or no experience in designing "security electronics" and have to deal with parts of the specification that include "emergency opening procedures".

Peter A. • May 29, 2012 3:19 PM

@Clive: very nice description of the mechanical parts of "electronic" safes.

An anecdote is due.

A long-unseen friend of mine came to my city to replace a card in a router. We met at his hotel room. He locked the card in the hotel room's safe and we went out for a beer or two. When we returned in the middle of the night (the replacement was scheduled for 3 a.m.) the safe would not open. We could here the mechanism actuating in response to the combination input but otherwise nothing happened.

My friend called the reception desk and a hotel tech guy opened the safe in no time. He said the antistatic bag of the card has been caught in the lock mechanism so it got jammed.

I don't trust hotel safes since.

Peter A. • May 29, 2012 3:22 PM

Hmm, I must have caught typoitis from Clive. Replace 'here' with 'hear' in my previous post :-)

Jim K • May 29, 2012 4:30 PM

We used to call them 'security containers'. The aim was not so much to keep people out - you could open them with an angle grinder - but provide ample evidence if someone tried to open them in an unauthorized manner.

tOM Trottier • May 29, 2012 5:27 PM

Re a "battery-powered lock"
Rather than a replaceable battery which is slowly exhausted, why not a mostly lossless capacitor which is recharged by the opening and closing of the door, or by some other mechanical action which can be done even after a succession of unsuccessful openings? This should allow more power, tho it is another thing to fail. Or recharge wirelessly & continuously.

Dirk Praet • May 29, 2012 6:30 PM

Clive needs to team up with Charlize Theron in the sequel to "The Italian Job" !

My favorite story on safe cracking is still that of some really stupid Eastern European criminals who a couple of years ago decided to have a go against a local teller machine using brute force. Unfortunately, they kinda miscalculated the amount of explosives necessary and ended up blowing up the entire building, including themselves. The teller survived, they didn't.

Clive Robinson • May 30, 2012 4:04 AM

@ Tom,

"Rather than a replaceable battery which is slowly exhausted, why not a mostly lossless capacitor which is recharged by the opening and closing of the door, or by some other mechanical action which can be done even after a succession of unsuccessful openings?"

You would need some type of generator, and they are notoriously inefficient (10% or less is not abnormal for small generators). The other problem is you would add physical load to the door handle and you then run into either the "little old lady" at one end or the "Gorilla Grippers". LOL's have the advantage they don't break the lock but the disadvantage they can't open the door so need room service to get in and out of their rooms. GG's not only need room service they break the lock and thus also need maintenance... The design of the door handle and permissible load the lock can put on it is quite a significant design consideration.

"Or recharge wirelessly & continuously"

That does not work either (unless you embed the charging coil within millimeters of the lock pickup coil).

If you assume that the coil is a point radiator and you do the maths an equally sized coil will only get ~1/50 of the power at 2 wavelengths distance. It then drops according to the usual inverse square law so it would be ~1/200th at 4 wavelengths and so on.

Thus it is not really a practical system.

llamas • May 30, 2012 5:14 AM

I designed ATM safes for several years, viewed many UL timed-entry tests to make sure that they made their rated performance.

No safe will keep everyone out forever. A safe is a cost-benefit analysis - it makes getting at the contents just a tiny bit more trouble than it's worth. As noted, safe ratings are expressed in units of time - how long it will take to get it open (or how long it will keep fire out).

Safes come in a great range of capacities, some of which are extremely resistant to brute-force methods like an oxy-acetylene torch. What, you think safe designers are stupid? Just as some safe materials respond to drilling by becoming more-resistant to drilling, some safe materials respond to heat by becoming more-resistant to heat. Torching a safe is generally an extremely bad idea anyway since it will usually incinerate the contents. Same goes for the classic movie-plot approach of dripping just a little nitro into the lock and setting it off. Think you used enough dynamite there, Butch? You can blow most safe locks into their constituent atoms and still be no nearer to opening the safe. It's all a trade-off between what the insurance company requires the safe to do and how much the safe will cost.

I once had to brute-force open a TL-15 safe in which the lock had been extensively damaged, to the point where the normal drill-and-lift approach would not work. It took me and a helper 6 hours to get it open. But I designed the safe, so I knew what to do. That same safe kept an (unknown) larger number of well-equipped but unskilled miscreants out for two days and three nights in a classic "stay-behind"-based attempt.

llater,

llamas

Needy • May 30, 2012 10:02 AM

@Dirk Praet

>> Clive needs to team up with Charlize Theron ...

If he's busy, I'll take that job!

B. D. Johnson • May 30, 2012 10:24 AM

I have quite a bit of respect for the skill required here. About ten years ago my mother's husband died and there was a huge safe in his garage, about the size of a rifle safe and nobody knew the combination.

I told them I'd take a shot at opening it as the nearest locksmith who would try was about 200 miles away and it was going to be hugely expensive. So they put it in my garage and it became a summer project for me. I learned a whole lot about safes just trying to open that one. Took almost two months of tinkering and research, I probably put near 200 hours into it. The hardest part was getting information about the safe itself. The company was, understandably, reluctant to give out details about how it worked.

And the first thing I tried was the whole stethoscope thing. That doesn't work. Movies lie.

wumpus • May 30, 2012 1:14 PM

@bob "I assume things have improved since Feynman's time..."

This assumes that safe buyer's knowledge and ability to determine a quality safe has improved. I doubt that very much. It may be possible to design a better safe cheaper to the specs of the typical safe buyer, but I suspect it is still easier to design an even cheaper design that is worse to the specs of the typical safe buyer.

Many of the attacks are not obvious. A manufacturer could meet all the specs that most of the readers of this board would expect and still miss some very common attacks, thus rendering it less secure than the common case.

M • May 31, 2012 5:59 AM

"My friend called the reception desk and a hotel tech guy opened the safe in no time. He said the antistatic bag of the card has been caught in the lock mechanism so it got jammed.

"I don't trust hotel safes since."

You assumed that the hotel tech guy wouldn't be able to get into the safe? If that was the case, the hotel would have to buy new safes every month! (Actually I find it surprising that I have only once found a hotel safe left locked by the previous occupant -- maybe the cleaning staff usually check and get the safes opened before the next guest checks in).

Ken Doyle • June 4, 2012 4:06 PM

To those who commented on or at least believe in the fallacy that burglary-resistant safes are vulnerable to oxy-acetylene torch attacks: UL TRTL-60 X6 safes are designed to resist that kind of attack as tested by UL and real world burglary attempts. Safes resistant to torch attacks have existed since the 1920s and safes designed to foil common explosive attacks were also invented about the same time.

FYI: following link is a cool video showing Russian Army attacks on a UL TL-30 safe designed in New Jersey.

Click here to watch our Modul X "torture test" video

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.