Easily Cracking a Master Combination Lock

Impressive.

Kamkar told Ars his Master Lock exploit started with a well-known vulnerability that allows Master Lock combinations to be cracked in 100 or fewer tries. He then physically broke open a combination lock and noticed the resistance he observed was caused by two lock parts that touched in a way that revealed important clues about the combination. (He likened the Master Lock design to a side channel in cryptographic devices that can be exploited to obtain the secret key.) Kamkar then made a third observation that was instrumental to his Master Lock exploit: the first and third digit of the combination, when divided by four, always return the same remainder. By combining the insights from all three weaknesses he devised the attack laid out in the video.

Tags: , , ,

Posted on May 5, 2015 at 6:59 AM21 Comments

Comments

Elijah May 5, 2015 7:35 AM

As a kid I always had a feeling that those resistance points could be used to figure out the lock combination. Apparently I was right.

Are there any less vulnerable combination locks that consumers can buy?

Alex L May 5, 2015 7:39 AM

This is the same guy who made KeySweeper (USB charger / keystroke logger – http://bit.ly/1Pl86dj) and a few other fun hacks. Love the ethos of testing the limits just for the intellectual challenge and to challenge our assumptions on security

ramriot May 5, 2015 7:48 AM

A clear demonstration of why you should not use this lock outside of its original intended use. That being to secure school lockers against minor brute force. He has some insight though in optimising the algorithm, but I suspect that reduces its usefulness against locks with end of the curve tolerances.

School Dude May 5, 2015 7:48 AM

Some time ago, a panic was circulating among the local schools because there was a YouTube video on how to open these locks with some thin aluminum cut from a pop can. Faster than 100 tries too.

JimFive May 5, 2015 9:06 AM

@ramriot
These dial combination locks still take more time to crack than a regular 4 pin keyed padlock or a 4 number lever combination, so that’s what I have on my bike.

herman May 5, 2015 9:10 AM

Which makes me think about the old 6 dial combination lock featured in the logo of this blog. It would be so cool to have a new one like that.

did.not.work May 5, 2015 9:53 AM

Alas, the steps don’t work for every master lock. Some have run into a problem where I could not identify the correct two numbers less than 11. Finding the resistance number also proved to be an elusive goal. The author has promised an update.

RSaunders May 5, 2015 11:22 AM

It just shows that, like cryptosystems, the implementation makes all the difference. Also of note, the S&G 8077AD = very good padlock, says that it’s purpose is not ‘keep evildoers out of your stuff’, but rather “designed to show obvious evidence of any forced entry attempt”.

Anura May 5, 2015 12:06 PM

@Scared

That actually is an old padlock. You can see similar ones by searching for “Antique Combination Padlock.”

Anonymoose May 5, 2015 12:18 PM

If you haven’t already seen it, check out Ollam’s lecture on lockpicking from defcon. Try googling “youtube deviant ollam lockpicking defcon”. (He talked a bit shims.)

These combination locks can be opened by hitting them on the side with a hammer. Finding the combination is more of an academic exercise.

There are 40 choices for each of 3 numbers. Manufacturers claim 64,000 combinations. However, you can try multiple last-digit numbers in a single pass, so it’s more like 1,600 combinations. That said, the manufacturing tolerances are really sloppy. There may be 40 numbers on the dial, but it’s more like 16 or maybe less on the underlying hardware. It’s common to find numbers near the actual combination that work more reliably than the original factory specified combination. So try every 2.5 digits and you’re down to 256 combinations. And then there are ways to reduce it further.

Many years ago, back in college, my landlord forgot the combination to the lock on the house I was renting. He knew one digit. I had the lock open in less than a minute. Not much of a challenge.

That was a bad neighborhood. Lot of crime. Lot of theft. My “security” solution was to put a note on the door that read: “Mike, be careful opening the door. The snake got out of its cage again.” Never got robbed in all the years I lived there.

Fred P May 5, 2015 12:36 PM

@School Dude-

I had an old combination lock that I’d forgotten the combination for.

I attempted the 100 tries method, but either it was slightly different internally, or I made an error in execution. I didn’t want to try it a second time, as the first cost quite a bit of time.

I then looked up shimming it. I think it took less than 5 minutes from watching a video to unlocking the lock.

Vaughn May 5, 2015 12:39 PM

What’s new about this? I recall doing this 10 years ago to get into locks I forgot the combination to, and I don’t recall it being anything new then either.

Steve May 5, 2015 12:58 PM

Oh, noes! Someone may steal my sweaty gym clothes!

Oh, wait. . . I’ve been out of high school for (mumble) years. . .

dragonfrog May 5, 2015 12:58 PM

As Anonymoose mentioned – on those locks you open the hasp when the dial is pointed at the last number, so really only the first two numbers have to be entered for each guess. For any given guess at the first two numbers, you can try every possible third number by working your way once around the dial.

Real combination dial locks require you to move the dial to the last number, then move it back some way to open it – so if you guessed wrong, you have to start over from the first number

Marcos El Malo May 5, 2015 2:46 PM

Bruce can open a combination lock in three tries. The first attempt unlocks it, the second two discover heretofore unknown combinations.

Clive Robinson May 6, 2015 2:41 AM

@ Anonymoose,

… That said, the manufacturing tolerances are really sloppy. There may be 40 numbers on the dial, but it’s more like 16 or maybe less on the underlying hardware…

Slop is a requirment in all mechanical devices to stop binding etc happening when the temprature etc changes. It’s this reason why mechanical locks can be “felt” and thus will always be pickable with sufficient time and patience. As such most locks are not for “access security” but “response security”, that is they delay an attacker sufficiently that they get discovered by other means such as watchmen which then alows a physical response from guards etc.

With regards the reduced number of real positions to dial positions, it’s a similar problem with all combination locks be they a dial or wheel type.

The gate mechanism where you have to back off the dial from the last number was originally an extra internal wheel that was set to a well known position like “zero”, the idea being it stopped people seeing the last digit of the dial when the vault/safe door was open.

In later designs it worked differently to make the dial only work in one direction such that the reverse image combination could not be used. On cheap dial combinations still being put in safes the image combination is still there and thus there are two combinations that open it depending on which way you start turning the dial.

Combination locks might look good but the mechanical ones do have quite a few issues the mitigation of which makes the lock not just more expensive but less reliable. So there is always going to be weaknesses to be exploited to reduce the number of real combinations with mechanical only combination locks…

Cynthia S. Marchese May 10, 2016 12:25 AM

While the combinational locks aren’t meant only for preventive damage purposes but also for responsive purposes. By this, I mean to say that, these kind of locks are made to delay the thieve from robbery so that by that time he could be found out by watchman etc. They are mainly available as combinations of Lock and laser, lock and eye recognizer, and most commonly as lock and key LA.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.