Cracking A Manipulation-proof, Million Combination Safe

So you spent the big bucks and got that fancy safe but if these guys can build a robot to brute-force the combination you can bet there are thieves out there who can pull it off too. [Kyle Vogt] mentioned that we featured the first iteration of his build back in 2006 but we can’t find that article. So read through his build log linked above and then check out the video of the new version after the break. It’s cracking the combination on a Sargent and Greenleaf 8500 lock. There’s an interesting set of motions necessary to open the safe. Turn the dial four revolutions to the first number, three revolutions to the second, two revolutions to the final number, then one revolution to zero the dial. After that you need to press the dial inward to activate the lever assembly. Finally, rotate the dial to 85 to retract the bolt which unlocks the safe.

The propaganda on this lock says it stood up to 20-hours of manual manipulation. But [Kyle] thinks his hardware can get it open in a few hours. His hardware looks extremely well-engineered and we’d bet some creative math can narrow down the time it takes to brute force the combo by not going in sequence.

54 thoughts on “Cracking A Manipulation-proof, Million Combination Safe

  1. To me, this is the most interesting part of the article:


    Combination space optimization is the key. By exploiting of the mechanical tolerances of the lock and certain combination “forbidden zones”, we reduced the number of possible combinations by about an order of magnitude.

    They even provide a reference (that I did not read) explaining the method.

    Very cool!

  2. @cboy2us: Did anyone else read the part of the article where it states that the torque required to open the door is beyond the capabilities of the stepper motor and that it detects this state instead of actually opening the door ?.

  3. I believe the mechanical tolerances is what also makes the cracking of a Master Lock quite a bit easier. It greatly lowers the possible combinations.

    Check out Mark Edward Campos’ site, and click on the Master Lock graphic.

    http://markedwardcampos.com

    Makes me want to play around with my Arudino and a Master Lock! :) But then again there’s a new shiny object on this site every day!

  4. Seems like an easy way to defeat (or rather drastically slow down) this type of brute force attack would be to include some sort of centrifugal clutch into the mechanism that prevented you from turning the knob too quickly.

    Humans tend to not need into a safe that often, so if this required a person to go slowly and take 2 to 3x the time a fast human could actually open the safe it probably wouldn’t be that inconvenient.

  5. I don’t know how this safe works, but in regular safes, the speed would be always limited by the fact that you are “pushing” the discs with the dial, a sudden movement would make the discs to spin freely beyond the point in which you stopped the dial.

    Anyway, regular stepper motors are slow, a gear or belt system could be used to improve speed, or if going really serious, an industrial servo motor instead of the stepper. A servo with a proper controller could drive the safe as fast as it can be turned without destroying the mechanism.

  6. “we’d bet some creative math can narrow down the time it takes to brute force the combo by not going in sequence.”

    Pardon the confusion, but this doesn’t really seem right. Brute forcing a combination implicitly assumes that the solution is some random point in the set of possibilities.

    Say for instance I’m trying to guess a three digit number. I guess 001, and that’s wrong. There’s still 10^3-1=999 possibilities left, the solution is still assumed to be distributed randomly among them, so I have a 1/999 chance of guessing correctly whether my next guess is 002 or 999.

    Now, if the summary means that a “mechanical tolerance” attack could be employed – that is, you could increment the guess by some arbitrary amount instead of 1 each time (like guessing 001, 003, 005…), that would make sense.

    Or is there some magical property of safes that makes an “out-of-sequence” guess more probable than an “in-sequence” one?

    1. The way you could speed it up would be to start with combinations that are closer numbers on the dial to reduce dial spin time. For instance, one combo ends on a number near the next combo’s starting number to reduce unnecissary travel.

      1. Except that you must rotate it to 85 after every combination to slide the bolt free. so, no matter what, you’ll always end up on 85. I suppose you could start with the combinations that use 85/86 as the first number, But that doesn’t seem to help too much…

  7. @CPX I think Szczys mixed up:


    Combination space optimization is the key. By exploiting of the mechanical tolerances of the lock and certain combination “forbidden zones”, we reduced the number of possible combinations by about an order of magnitude.

    With not going in sequence. There’s no real benefit to doing the combos none sequentially.

  8. Out of sequence may lower the travel distance from the current state, thus improving the total time to span the space.

    For example, if you have to rotate 360deg to reset the lock, if you are currently at 90deg, it is faster to check a combination starting at 100deg than it is to check one at 80deg:

    rotation to starting position:
    100deg => 90 + 360 + 10 = 460deg vs
    80deg => 90 + 360 + 350 = 800deg.

    That can make a huge difference when you’re checking 1m combinations.

  9. Pretty sure this wont work regardless of whether the robot is capable of moving the mechanism fast enough or having enough strength to open the door mechanism. These sorts of locks are designed to wear out under a brute force attack. The lock itself will fail permanently before they get the combo – of course they may just luck it in the first couple of thousand, but probably not.

  10. I belive commercial autodialers are available. A locksmith I talked to said they can put one on a 4-3-2-1 combination and have it open in a couple of days. Way less if you know one of the numbers.

  11. @G2

    Man, I hope that isn’t true. If the people who sold me my super expensive safe included the feature of the dial breaking after a certain number of spins to *reduce* the chances of a brute force attack being successful, when they could have simply included a feature like the one frozenlazer described above, I would be pissed.

  12. @Chalkbot – yeah tell me about it. I am not an expert by any means, but I’ve worked with guys responsible for maintaining TS safes – and those ones are definately designed to wear out.

  13. As with most combinations, this one is exploting a feature where you set the first 3 disks to the first 3 numbers, then try all the 4th numbers in sequence.

    Same with a master lock. Try the first 2 numbers, then on the third, start immediately after the 2nd number, pull, rotate slightly, pull, rotate, pull, etc 13 times, then move the 2nd number over one counterclockwise, and attempt all the third number clockwise again. You can reduce the attempts greatly by not retrying the first numbers nearly as often.

  14. **double post yay!

    And to defeat this type of attack, simply have a ‘mechanical diode clutch’ like was featured a few months back that takes all rotation of the knob and turns it into forward rotation. Use that to increment a mechanical lockout latch on a timer that slowly retracts. As you attempt, it extends the lockout timer to block the ‘thingy’ from entering the channels in the tumblers. After too many tries it locks out for a day. Tada, broot foars proof.

  15. The linked paper is amusing — turns out the black art of safecracking is easy, but bringing enough bullets to lay down suppressing fire to make it to the Ferrari is a pain.

    I’ll be seeing you guys in Rio de Janeiro.

  16. I’m curious if the 20 hours is a professional safe cracker or a random person. I’ve seen safes that aren’t supposed to be able to be cracked in hours and I’ve seen a professional do it in 5 minutes forget who it was he did it all by touch the borascope method on the same safe about 30 minutes so I’m curios if the person that tested this safe was a professional or not.

  17. Looks like (in hardware) my program to solve sudoku. You pay attention to the rules, fix whatever is possible, and use brute force for the remaining more constrained possibilities. Well, it works at most in a fraction of a second for any valid puzzle.

  18. Cool, build. Current generation of electronic locks like the X-09 defeat this by locking out if you:
    Spin too fast
    Spin over ~270 w/o stopping (max rotation of the wrist)
    get the combo wrong more than 3 times.

    On top of that, these locks place you randomly on the dial w/ every change in direction.

    There is a good write up of these locks from Defcon 2006.

  19. I have a small safe that uses a 10 digit keypad. It supports up to 12 digits for a pass-phrase. It also enforces a .5 second delay between key presses. So 12^10 possible combination entered at half second intervals would take just under 1,000 years to brute force this safe. Also, a sledge hammer could do it in about 15 seconds.

  20. “Of course you can always just drop it on one of it’s corners from 10-12 feet up and open it quick and easy (well easy except for lifting it 10-12 feet high).”

    You mean: “Of course you can always apply G-force equivalent to dropping it from 10-12 feet to one of its corners …”

    “When in doubt, always ‘see fore’ :D!”
    (Jamie Hyneman)

  21. A “good” safe will NOT open when dropped from 10-12 feet. Good fire-proof safes are actually tested by burning them at super-high temperatures for an extended period (couple hours), then literally dropped from a height of about 10 feet. If the safe opens, or the contents (specific type of paper) is damaged, the safe FAILS the test.

    I doubt your common “motel safe” is tested to those standards though…

  22. @CPX

    Wouldn’t it be safe to assume that if you had to select a 3 digit combination, you would be required to select 3 DIFFERENT numbers? That removes some of the possibilities. Then you combine that with your research into patterns of combination requirements for the specific model, mechanical specifications, and forbidden zones and you could eliminate quite a lot of numbers.

  23. An ex Forign Affairs agent once told me of such brute force safe cracker being powered by a power drill and the necissary mechanics. It was being used on the recovered safe of a decessed diplomat and took two weeks to get it open.

  24. The Mas-Hamilton SoftDrill was designed to solve the problem of opening this kind of lock quickly. It uses a very sensitive accelerometer to detect the position of the gates. It can open any dial-type mechanical safe lock in 45 minutes.

  25. Just to correct a poster here, the stepper motor is too weak to open the safe. That’s why there are two motors!

    The stepper motor spins the dial, then a second, stronger but less accurate, servo motor turns the butterfly dial (the bit that acts like a door-handle!). The butterfly dial provides the torque to open the door (usually by hand) and needs strength to turn, but will only move at all if it’s mechanism isn’t blocked. Which it usually is, by a link to the dial mech, only opening when the right combination’s in.

    Just a small point but important to understanding the concept.

  26. How do you build it? Where are the plans? I would really like to build one. I have several safes that I have bought at auctions and would like to have them opened without spending a great deal of money for each safe.

Leave a Reply to G2Cancel reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.