Brute force finds the lost password for an electronic safe

[Teatree] tells a sad, sad story about the lost password for his fire safe. The electronic keypad comes with a manufacturer’s code as well as a user-selected combination. Somehow he managed to lose both of them, despite storing the user manual safely and sending the passwords to himself via email. He didn’t want to destroy the safe to get it open, and turning to the manufacturer for help seemed like a cop-out. But he did manage to recover the password by brute forcing the electronic keypad.

There is built-in brute force protection, but it has one major flaw. The system works by enforcing a two-minute lockout if a password is entered incorrectly three times in a row. But you can get around this by cutting the power, which clears the lockout. [Teatree] soldered a relay to each set of keypad contacts and another to the power line, then got to work writing some code so that his Arduino could start trying every possible combination. He even coded a system to send him email updates. Just six days of constant attacking netted him the proper password.
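The lockout flaw described above, as an added simulation (not [Teatree]'s Arduino code and not the safe's firmware): it models a controller whose fail counter and lockout timer live only in RAM next to one that charges each attempt to non-volatile storage before comparing the code. The `lock_t` layout, the EEPROM model, and the `ENTRY_SECS` and `CYCLE_SECS` timings are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>

#define MAX_FAILS    3    /* page: three wrong entries in a row */
#define LOCKOUT_SECS 120  /* page: two-minute lockout */
#define ENTRY_SECS   4    /* assumed: time to key in one code */
#define CYCLE_SECS   3    /* assumed: time for a power cut and reboot */

typedef struct {
    bool     persist;                /* false models the safe in the article */
    uint32_t code;
    uint32_t fails, lock_left;       /* RAM: lost when power is cut */
    uint32_t nv_fails, nv_lock_left; /* EEPROM model: survives power loss */
} lock_t;

/* Power cut: RAM is cleared, then reloaded from EEPROM only if persisted. */
void power_cycle(lock_t *l) {
    l->fails     = l->persist ? l->nv_fails : 0;
    l->lock_left = l->persist ? l->nv_lock_left : 0;
}

/* Powered time passes; the lockout only counts down while powered. */
void tick(lock_t *l, uint32_t secs) {
    l->lock_left = l->lock_left > secs ? l->lock_left - secs : 0;
    if (l->persist) l->nv_lock_left = l->lock_left;
}

/* Returns 1 = opened, 0 = wrong code, -1 = refused (locked out). */
int try_code(lock_t *l, uint32_t guess) {
    if (l->lock_left) return -1;
    if (++l->fails >= MAX_FAILS) { l->lock_left = LOCKOUT_SECS; l->fails = 0; }
    if (l->persist) { l->nv_fails = l->fails; l->nv_lock_left = l->lock_left; }
    if (guess != l->code) return 0;   /* attempt was charged before the compare */
    l->fails = l->lock_left = l->nv_fails = l->nv_lock_left = 0; /* refund */
    return 1;
}

/* Wrong guesses evaluated in `window` seconds when power is cut after
   every refused entry (constructed workload, code never matches). */
uint32_t guesses_evaluated(bool persist, uint32_t window) {
    lock_t l = { .persist = persist, .code = 99999 };
    uint32_t t = 0, n = 0;
    while (t + ENTRY_SECS <= window) {
        int r = try_code(&l, n % 99999);
        tick(&l, ENTRY_SECS); t += ENTRY_SECS;
        if (r == 0) n++;
        else { power_cycle(&l); t += CYCLE_SECS; }
    }
    return n;
}
```

With these assumed timings, one simulated hour lets the RAM-only design evaluate 569 guesses, while the persistent design evaluates 51, because cutting power no longer shortens the lockout.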

Comments

  1. Tech Joker says:

    Certainly a valid hack for recovering the correct password. I am afraid, however, this is not of much use to a thief. For them the method of a circular saw and about 30 seconds is still much more effective!

    Now the question is which code did you recover? My safe has 3 codes.

    The master code (6 digit) assigned by the manufacturer, from that I can set the master user code (5 digit) and from that I can set a sub user code (5 digit).

    • thingsies says:

      Circular saw? I suspect you meant angle grinder. One is for wood the other is for metal. Anyway it would take a great deal longer than 30 seconds to get in. Probably an hour at minimum. Even cheap safes are at minimum case hardened. Ever try working 55+ rockwell steel? It is not fun.

      There are two easy, non destructive ways into this safe that I know of:

      1. If it still has its serial on it just mail the manufacturer with the appropriate forms. Usually costs 15 dollars or so.

      2. Apply slight opening pressure to handle, I recommend a very light bungee cord, then drop from two to three feet high. Check handle. If it does not open, change angle of drop and continue.

      The idea is to apply momentum to the solenoid that prevents the boltwork from retracting into the door. Usually the solenoid is downward actuating, thus the angle is simply straight down. Though tilting it slightly to encourage the boltwork to move, thus making it less likely that the solenoid will relock is helpful.

      Once inside it is generally easy to access a handy reset mechanism. Generally it is behind a bolted on plate behind the door.

      • thingsies says:

        Wow that was poorly written. Well, you get the idea anyway.

      • Max Planck says:

        Naah, hole saw would be more appropriate, it is a fire safe, built from ~3mm sheet metal, some gooey substance inside and ~3mm sheet metal on the other side. Regardless of the materials used (yes I drilled it through with hole saw) it also has a key you can use to open it without use of the electronic lock.

      • Tech Joker says:

        No, I meant circular saw. I saw a video about 6 months ago of a guy literally cutting a document safe in two in under a minute using a circular saw with a wood blade. The safe is sheet metal on the outside, foam and plastic inside. He cut through it faster than cutting 2 x lumber. Can’t remember where I saw it, but I didn’t believe it, I had the same safe, so I decided to find out and did the same thing, I think it took me 3 minutes and did destroy the blade, but…

        This is not a regular safe, but a document safe, it is only meant to keep the stuff inside from burning.

    • fartface says:

      Dude, I can bump that safe open in 6 seconds without causing it any damage. Honestly there is a ton of information all over the internet about this trick and ALL electronic safes like that have the problem that you can bump them open easily.

      • hads says:

        Hello once again fartface. I missed your ignorant hate. By the by, bumping is quite damaging. It applies years of wear to a lock with every attempt. Not covert, not surreptitious, not non-destructive, and not smart.

      • Luke says:

        Considering it uses an ACE key, I doubt you will be able to bump it….picking it though would be simple enough. I do wonder if the processor that contains the passcodes could be read and decoded.

      • Considering that safe uses an ACE key, I don’t think you are going to bump it. Picking it though would be simple. I do wonder if the processor that contains the passcodes could be read and the codes retrieved from the dump.

  2. 'Murica says:

    Wait. “He didn’t want to destroy the safe.”
    So, he disassembled the electronics and soldered relays to the keypad.
    Makes sense.

  3. Douglas Poza says:

    Can the bit 11 be the light on/off? Some models have lights…

  4. Paul says:

    MFG codes seem like a bad idea. The user should be able to delete those codes. Also, the more codes you have the higher the probability of being able to open the safe (quicker brute force time).
    Although, yes a circular saw is the fastest. haha.

    • Icy says:

      Paul – but the number of possible codes is much more than the number of codes used. Also, if the mfg code is 6 digits versus 5 for the other codes and is set uniformly from all possible 6 digit codes, there are 10^6 choices of that versus 10^5. We don’t know how far he got on the 5 digit cracking thing, but that’s potentially 10 times longer. And 6 days isn’t super bad, say if you’re hiding something from a spouse who’s on a business trip or something, where you wouldn’t want to use a saw or leave any traces.

  5. stevebb says:

    Wouldn’t it have been simpler, and no damage at all, to use 10 solenoids to press the buttons?
    Alternatively, if there’s a flat bed plotter around, cover the keypad in a flexible layer of plastic, and reverse the pen. Fix the plotter to the safe so that when the “pen” is up it’ll depress a key. Draw line from [X1,Y1],[X2,Y2] to change which key will be pressed. Draw small circle line origin of [X2,Y2] tiny radius to actually press the key. Use a NC micro switch with a long lever as an extra button to interrupt the power. If more time is needed for, say, a capacitor to discharge, just loop the drawing of the circle.

    Shouldn’t take much work at all to write a script that’ll generate a vector graphics file which could then be printed to start the brute force attack.

  6. xorpunk says:

    This is most likely a cheap department store safe if they could get to circuitry. In that case you have to wonder why not just cut the safe? It’s the same thin case hardened steel.

    I’ve seen TXTL-60 class safes that had biometrics and RSA time-schedule dongles with different compartment for different groups. These are commonly free to defense contractors under government contract…

  7. Price of replacement safe: $100.
    Cost of electronics and expertise: $3500.

    I both love and dislike this hack and many others like it. The sense I get that this is over-engineered leaves a bad taste in my mouth. Really, if this person doesn’t value his time as worth money, that’s interesting (it’s one thing that changed for me when I had kids — now I value every minute I get to do what I want, because they’re so few and far between).

    I would have chosen to destroy the safe because I have lots of appropriate tools but not so much time. And now I’m too old for a “just for the hell of it” learning experience.

    However: to each, his own. It is pretty cool.

  8. rob says:

    I would, at that stage, have just powered the solenoid and had it fall open in my hands.
