[Teatree] tells a sad, sad story about the lost password for his fire safe. The electronic keypad comes with a manufacturer’s code as well as a user selected combination. Somehow he managed to lose both of them, despite storing the user manual safely and sending the passwords to himself via email. He didn’t want to destroy the safe to get it open, and turning to the manufacturer for help seemed like a cop-out. But he did manage to recover the password by brute forcing the electronic keypad.
There is built-in brute force protection, but it has one major flaw. The system works by enforcing a two-minute lockout if a password is entered incorrectly three times in a row. But you can get around this by cutting the power. [Teatree] soldered a relay to each set of keypad contacts, and another to the power line and got to work writing some code so that his Arduino could start trying every possible combination. He even coded a system to send him email updates. Just six days of constant attacking netted him the proper password.
24 thoughts on “Brute Force Finds The Lost Password For An Electronic Safe”
Certainly a valid hack for recovering the correct password. I am afraid however this is not of much use to a thief. for them the method of a circular saw and about 30 seconds still much more effective!
Now the question is which code did you recover? My safe has 3 codes.
The master code (6 digit) assigned by the manufacturer, from that I can set the master user code (5 digit) and from that I can set a sub user code (5 digit).
Circular saw? I suspect you meant angle grinder. One is for wood the other is for metal. Anyway it would take a great deal longer than 30 seconds to get in. Probably an hour at minimum. Even cheap safes are at minimum case hardened. Ever try working 55+ rockwell steel? It is not fun.
There are two easy, non destructive ways into this safe that I know of:
1. If it still has it’s serial on it just mail the manufacturer with the appropriate forms. Usually costs 15 dollars or so.
2. Apply slight opening pressure to handle, I recommend a very light bungie cord, then drop from two to three feet high. Check handle. If it does not open, change angle of drop and continue.
The idea is to apply momentum to the solenoid that prevents the boltwork from retracting into the door. Usually the solenoid is downward actuating, thus the angle is simply straight down. Though tilting it slightly to encourage the boltwork to move, thus making it less likely that the solenoid will relock is helpful.
Once inside it is generally easy to access a handy reset mechanism. Generally it is behind a bolted on plate behind the door.
Wow that was poorly written. Well, you get the idea anyway.
naah, hole saw would be more appropriate, it is a fire safe, built from ~3mm sheet metal some gooey substance inside and ~3mm sheet metal on the other side, regardless of the materials used (yes i drilled it through with hole saw) it also has a key you can use to open it without use of the electronic lock.
No, I meant circular saw. I saw a video about 6 months ago of a guy literally cutting a document safe in two in under a minute using a circular saw with a wood blade. The safe is sheet metal on the outside, foam and plastic inside. He cut through it faster than cutting 2 x lumber. Can’t remember where I saw it, but I didn’t believe it, I had the same safe, so I decided to find out and did the same thing, I think it took me 3 minutes and did destroy the blade, but…
This is not a regular safe, but a document safe, it is only meant to keep the stuff inside from burning.
Dude, I can bump that safe open in 6 seconds without causing it any damage. Honestly there is a ton of informationall over the internet about this trick and ALL electronic safes like that have the problem that you can bump them open easily.
Hello once again fartface. I missed your ignorant hate. By the by, bumping is quite damaging. It applies years of wear to a lock with every attempt. Not covert, not surreptitious, not non-destructive, and not smart.
Considering it uses an ACE key, I doubt you will be able to bump it….picking it though would be simple enough. I do wonder if the processor that contains the passcodes could be read and decoded.
Considering that safe uses an ACE key, I don’t think you are going to bump it. Picking it though would be simple. I do wonder if the processor that contains the passcodes could be read and the codes retrieved from the dump.
Wait. “He didn’t want to destroy the safe.”
So, he dissambled the elctronics and soldered relays to the keypad.
All easily undone. Sawed off Hinges and bolts, not so easily undone.
Can the bit 11 be the light on/off? Some models has lights…
That comment is in the wrong post.
MFG codes seem like a bad idea. The user should be able to delete those codes. Also, the more codes you have the higher the probability of being able to open the safe (quicker brute force time).
Although, yes a circular saw is the fastest. haha.
Paul – but the number of possible codes is much more than the number of codes used. Also, if the mfg code is 6 digits versus 5 for the other codes and is set uniformly from all possible 6 digit codes, there are 10^6 choices of that versus 10^5. We don’t know how far he got on the 5 digit cracking thing, but thats potentially 10 times longer. And 6 days isn’t super bad, say if you’re hiding something from a spouse whose on a business trip or something, where you wouldnt want to use a saw or leave any traces.
Wouldn’t it have been simpler and no damage at all, to use 10 solenoids to press the buttons.
Alternatively If there’s a flat bed plotter around, cover the keypad in a flexible layer of plastic, and reverse the pen. Fix the plotter to the safe so that when the “pen” is up it’ll depress a key. draw line from [X1,Y1],[X2,Y2] to change which key will be pressed. draw small circle line origin of [X2,Y2] tiny radius to actually press the key. Use a NC micro switch with a long lever as an extra button to interrupt the power. If more time needed for say a capacitor to discharge. just loop the drawing of the circle.
Shouldn’t take much work at all to write a script that’ll generate a vector graphics file which could then be printed to start the brute force attack.
This is most likely a cheap department store safe if they could get to circuitry. In that case you have to wonder why not just cut they safe? It’s the same thin case hardened steel.
I’ve seen TXTL-60 class safes that had biometrics and RSA time-schedule dongles with different compartment for different groups. These are commonly free to defense contractors under government contract…
When I use to be into lockpicking, I realized old 19th century safes were actually more secure when you take away the material factor. You put old concept locks on a TXTL-60 class and you have a more solid solution…
In fact the only two UL TXTL-60 safes on the market do this, except they went a cheaper route because of the market…
I’d go with in-home safekeeping through complete obfuscation… like… evil genius style.
have a neural interface that uses bio-metrics and a thought pattern. This is actually possible for under two hundred bucks… It’s no more vulnerable than UL approved combo+key safes…
Price of replacement safe: $100.
Cost of electronics and expertise: $3500.
I both love and dislike this hack and many others like it. The sense I get that this is over-engineered leaves a bad taste in my mouth. Really, if this person doesn’t value his time as worth money, that’s interesting (it’s one thing that changed for me when I had kids — now I value every minute I get to do what I want, because they’re so few and far between).
I would have chosen to destroy the safe because I have lots of appropriate tools but not so much time. And now I’m too old for a “just for the hell of it” learning experience.
However: to each, his own. It is pretty cool
True… but for some of us, figuring out and doing stuff like this is fun. I really doubt he did this just to save money… he probably enjoyed it.
I would, at that stage just powered the solenoid and had it fall open in my hands.
Please be kind and respectful to help make the comments section excellent. (Comment Policy)