Teardown: An Electronic Master Lock

[rohare] has an interesting teardown for us over on the keypicking lock picking forums. It’s a Masterlock combination lock – specifically the Masterlock 1500eXD – and yes, it’s a completely electronic lock with buttons and LEDs. Think that’s the mark of a terrible lock? You might be surprised.

The first impressions of this lock were surprisingly positive. It was heavy, and the shackle doesn’t move at all when you pull on it. Even the buttons and LEDs made sense. Once the back of the lock was drilled open, things got even more impressive. This lock might actually be well-built, with a ‘butterfly’ mechanism resembling a legendary padlock, actuated by a small but sufficient motor. Even the electronics are well-designed, with the programming port blocked by the shackle when it’s closed. [rohare] suspects the electronics aren’t made by Masterlock, but they are installed in a very secure enclosure.

The teardown concludes with a fair assessment that could also be interpreted as a challenge: [rohare] couldn’t find any obvious flaws to be exploited, or a simple way to break the lock. He concludes the most probable way of breaking this lock would be, “knowing some trick of logic that bypasses the codes on the electronics”. That sounds like a good enough challenge for us, and we’re eagerly awaiting the first person to digitally unlock this physical lock.

35 thoughts on “Teardown: An Electronic Master Lock”

    1. All of you misinterpreted this guy’s comment. In the context of his comment “mark” refers to Masterlock, the trademark. “This lock” is the lock in his posted URL. So it follows that this electronic lock has the mark of a terrible lock.

    1. Yep, the final post I did on the thread at keypicking was how I managed to get this to work one time, but couldn’t repeat it. If you spent the time to build a nice tool for the purpose, you could probably make it a repeatable bypass.

  1. I wonder if you can supply the lock with an external power input, even when the main battery is not empty.
    I bet it would be easy to find a side channel attack: Just eavesdrop on the power usage, and you can determine if the currently entered button would be the correct one or not. Narrows down the number of tries to max 4*12 tries for a 12-“digit” combination.

    1. I would think that any programmer who is worth anything wouldn’t be validating the input on a digit-by-digit basis. Collect all digits, then verify. With that approach you won’t notice anything different on a per-digit basis.

      1. So then what happens when you go to validate? You’re working on a per-clock basis of each of the entered digits, unless you made a hash of the number or something one-way encrypted. So then the question is, did they do this?

      2. Even if all the digits are verified only once collected, there would still be differences in power consumption

        “1111” = X power
        “2111” = X+1 power, first digit verifies so more power is used to verify second digit
        “2211” = X+1 power

        “2711” = X+2 power, second digit verified
        “2721” = X+2

        “2741” = X+3 power, third digit verified
        “2742” = X+4 power, passcode verified

        The real question is, did they take this into account? IIRC even mainstream crypto libraries struggle with hiding this, since at some point the paths must diverge for verified vs. non-verified.

        1. It’s not that hard to do this right, though. Just verify all of the digits every time and store the results as bits (0 -> correct) in an int16 (msp430 is 16-bit so that’s fine) and then check at the end if the result is nonzero.

          1. Uhm, each comparison of a bit results in an output. Each comparison output of ‘0’ (in this case a correct digit) will cause a specific power signature at a specific point in time. What you’re describing is exactly what shouldn’t be done if you want it secure.

            Basically if you can figure out where it is comparing numbers and if it’s doing it simply in 1 step the lock is as good as compromised.
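The early-exit comparison the thread worries about, beside the accumulate-then-check form the last two replies debate, as an added C example (not code from the post or from the lock’s firmware; the stored code 2742 and the operation counter that stands in for a power trace are constructed for illustration).

```c
#include <stdint.h>
#include <stdio.h>

#define CODE_LEN 4
/* Constructed sample code; matches the digits in the thread's worked trace. */
static const char STORED_CODE[CODE_LEN] = {'2', '7', '4', '2'};
/* Stand-in for a power trace: how many digit comparisons the last check did. */
static unsigned g_ops;
unsigned last_ops(void) { return g_ops; }

/* Leaky form: returns at the first mismatch, so the work done (and the power
   signature) grows with every correct leading digit of the guess. */
int check_early_exit(const char *entered)
{
    g_ops = 0;
    for (size_t i = 0; i < CODE_LEN; i++) {
        g_ops++;
        if (entered[i] != STORED_CODE[i])
            return 0;
    }
    return 1;
}

/* Accumulate-then-check form: XOR every digit and OR the results together.
   No data-dependent branch, so the loop does identical work on every input.
   The accumulator is 16-bit, the MSP430 word size mentioned in the thread. */
int check_constant_time(const char *entered)
{
    uint16_t diff = 0;
    g_ops = 0;
    for (size_t i = 0; i < CODE_LEN; i++) {
        g_ops++;
        diff |= (uint16_t)(entered[i] ^ STORED_CODE[i]);
    }
    /* Collapse diff to 0/1 without a branch: bit 31 of (d | -d) is set iff d != 0. */
    uint32_t d = diff;
    return (int)(1u - ((d | (0u - d)) >> 31));
}

int main(void)
{
    const char *tries[] = {"1111", "2111", "2711", "2741", "2742"};
    for (size_t i = 0; i < 5; i++) {
        int a = check_early_exit(tries[i]);    unsigned oa = last_ops();
        int b = check_constant_time(tries[i]); unsigned ob = last_ops();
        printf("%s  early-exit: ok=%d ops=%u   constant-time: ok=%d ops=%u\n",
               tries[i], a, oa, b, ob);
    }
    return 0;
}
```

The constant-time version removes the branch whose timing leaks the correct prefix length, but as the reply above points out it does not by itself hide the value-dependent power draw of each individual XOR.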

  2. Have heard that you could move the motor with a strong magnet from the outside, but the manufacturer has fixed that some time ago.
    But there was another project from one ccc guy. He wanted to reprogram the microcontroller, an msp430.
    Don’t know what became of the project.

  3. This is a good lock? He opened it by drilling 3 holes! And he did it the hard way. I could break into this thing in seconds with a cordless dremel and diamond bits. And I’m no locksmith…

    1. OMG! I just found out that safes and vaults are vulnerable to drilling as well!

      Okay, end of snarky response. In all seriousness, any lock is vulnerable to drilling if you stick it in a drill press. It’s only steel after all. The question is not whether or not you can break in. The question is: how long will it take and how much attention will you attract doing it? Sure, the dremel would work… eventually. But do you really believe that 20 minutes in an industrial drill press (I admit I was being extremely careful because I didn’t want to damage any of the electronic or mechanical components inside) translates to seconds with a dremel? Now if you had said seconds with a thermal lance I’d have believed you.

      I don’t consider a home/office grade lock insecure because I can break it with power tools. Especially when I can take it to my shop and there’s nobody around who will call the police.

  4. I do not mind that the lock is already cracked. Pretty much inevitable. We are the “Greatest Apes”.

    But do you really have to lead all the degenerate chimps with a netbook to the crack?

    There is a level of social responsibility which we all share…

    … and it only takes one.

    We used to say “It takes a whole village to raise a child.”

    WTF are WE raising now?

    Please excuse my outburst. It is needed that we stop teaching “them how” so that we can preserve some security.

    YOUR part comes next.

    1. The problem with your reasoning is that “they” (i.e. the degenerates) already know how to do it, you don’t need to teach them anything! If you believe otherwise, you are just fooling yourself into a false sense of security. I find these posts really useful mainly to remind us that anyone sufficiently motivated will find a way to crack it anyway, and we should always keep that in mind. The best thing to do is to simply create additional obstacles to make the target less appealing than the others. As someone else said, you don’t need to run faster than the lion, only faster than the slowest gazelle…

    2. Do you really believe that?
      Before the Renault hack was known to the public, burglars had already stolen dozens of cars.
      This kind of information is useful as companies can improve their security.
      Bad people always find a way, and in this way, at least, we’re helping them (the company) to make it better.
      Unless you’re “XPUZMAG” (https://www.youtube.com/watch?v=-9k4pn0P3cI) LOOLLL
