Fail Of The Week: Padlock Purports To Provide Protection, Proves Pathetic

Anyone in the know about IoT security is likely to steer clear of a physical security product that’s got some sort of wireless control. The list of exploits for such devices is a long, sad statement on security as an afterthought, if at all. So it’s understandable if you think a Bluetooth-enabled lock is best attacked via its wireless stack.

As it turns out, the Master 5440D Bluetooth Key Safe can be defeated in a few minutes with just a screwdriver. The key safe is the type a realtor or AirBnB host would use to allow access to a property’s keys. [Bosnianbill] embarked on an inspection of the $120 unit, looking for weaknesses. When physical attacks with a hammer and spoofing the solenoids with a magnet didn’t pay off, he decided to strip off the resilient skin that Master so thoughtfully provided to prevent the box from marring the finish of a door or gate. The denuded device thus revealed its awful secret: two Phillips screws, each securing a locking shackle to the cover. Once those are loose, a little prying with a screwdriver is all that’s need to get the keys to the kingdom.

In a follow-up video posted later, [Bill] took a closer look at another key safe and found that Master had made an anemic effort to fix this vulnerability with a squirt of epoxy in each screw head. It’s weak, at best, since a tap with a hammer compresses the gunk enough to get a grip on the screw.

We really thought [Bosnianbill]’s attack would be electronic, like that time [Dave Jones] cracked a safe with an oscilloscope. Who’d have thought a screwdriver would be the best way past the wireless stack?

Thanks to [Jay] for the tip.

49 thoughts on “Fail Of The Week: Padlock Purports To Provide Protection, Proves Pathetic

      1. Though just reminding myself of El Reg, after avoiding it for how depressing it is, and looking at the front pages, it appears they no longer indulge themselves in this much any more.

    1. Reminds of high school when the baseball team had the unmitigated gall to put their stuff in the Football teams designated area!!!! So they had to go….

      and its almost like the wanted us to protect our ‘BLOCK’. I mean, why else would they store the dumbbells in the locker room instead of the weight room? one whack and your locker has been moved to its appropriate location.

      Guess which team I was on….

  1. Look for TheLockPickingLawyer on YouTube. You may never sleep again seeing how quickly he opens most locks. The “unpickable” locks requireva little longer to open…perhaps a full minute in most cases!

      1. Which is pretty realistic actually. Some thieves will case a target and find out what is securing it and then work on trying to bypass that device on the bench before attempting it in real life. There are a lot of things out there that are under secured for what they are worth.

        Ive seen a warehouse full of high end sports cars with nothing but a pad lock, electronics warehouses secured with an easy to bypass thumb scan, and a chemical processing plant secured with nothing more than a dead bolt and the hope that no one knows what chemicals are being used there.

        That being said, the custom tools are nothing compared to the fact that a whole lot of physical security relies on the general public thinking that lock manufacturers dont reuse key combinations.

        1. I 3/4 agree with you. I do have the reservation that the spectacularly quick youtube lock picks have practised on the exact same, well lubed and loosened up, lock plenty of times before videoing it. Now while techniques will be similar between differently keyed versions of it, I doubt the flip twitch ping turn sequence of muscle memory will be identical and they would take longer to feel it out on a fresh example.

          I was told many years ago “You only need a half dozen assorted GM keys and you’ll never be short of a ride home.” which stayed true for an astoundingly long period of time, and may still hold true for vehicles with a retrofitted remote start that required a chip key fob concealing in the car somewhere for it to work. It’s a bit like the https://en.wikipedia.org/wiki/Birthday_problem really, in that you don’t need a whole lot of keys to have good odds of getting into one or more vehicles in a parking lot full.

      1. Yes, that kind of seems like lock 101. I know when I looked at locking exterior doors it was obvious you don’t put the hinge pins outside. :-) But it also looks like my 3# hammer would make quick work of this lock. But pictures can be deceiving. Certainly seems overpriced.

        I think, for me, the moral of the story is: when defeating “hi tech” don’t forget “low tech”. :-D Same for the designers.

        1. Yes – lock design is one area of security where “resisting a brute force attack” needs to be considered literally in addition to metaphorically. Building a lock that you can easily get into by using a screwdriver for its intended purpose – well, it’s a very creative way to make a horrible lock.

        2. Three pound hammer may well defeat some front doors also, the standard style of north american deadbolt locks have a vulnerability that if the lock is displaced from the hole much, by brute force or levering, then a thin tool, bit of hacksaw blade say, can be inserted and used to turn the bolt. Therefore it is wise to fit the versions that are internally shielded to prevent this from happening. There’s a dozen other approaches, but at least that 10 second one won’t work. Sometimes the method was to drill hole above or below the lock and use that hole to work bolt. Less bangy, but more whirry, for the few seconds it takes to go through the thin mild steel sheet skin of the door though, the drill can be wrapped in a coat, or pillow or something without overheating.

          We should probably worry about exactly how cheap and available those “earwax” cameras and borescope type things have got, they allow more precision in the “fishing for the latch” type approaches and can probably be forced around or under a lot of door seals, or the door can be wedged top or bottom to admit them.

      2. When I was a kid, my brother had a lock on his cabinet of Mad magazines.
        When he caught me reading one, he was mad (no pun intended) but also curious how I got them.
        (the cabinet door had exposed screws on the hinges.)

    1. screws are fine to have, but they belong on the inside, accessibly only while unlocked.

      The problem is it is much cheaper to assemble if you don’t have to unlock it first. What’s weird is Master will spend more on marketing than they will on manufacturing. As a result we mainly only see sub-standard locks from them. They have the supply chain and retail channel access that they could built a really good lock for significantly lower cost (75%? 50%?) of the premium high end locks. There really is no place in the market for a $5 padlock. (I just looked, 2 locks for $8 on amazon).

      If you stuff is only worth $5, then I guess tie a shoelace around the hasp. nobody will honest will mess with it.

    1. good quality screws can be roll hardened. I’ve trashed more than one drill bit trying to extract a broken bolt.

      these aren’t good quality screws, I haven’t tried but I suspect even a harden steel drill bit will cut through it like butter.

      and finally, I’ve removed screws that I didn’t have the bit for using my left handed drill bits. They bite into the head and twist it right out. sadly a good set of extraction bits is expensive and I hate to break them. Of course it’s cheaper to just drill forward with a cheap bit if you’re going to throw it away anyways.

  2. This really proves the point: Manufacturers are selling the illusion that something is secure, not security itself. It says Master Lock, it’s $120, and looks really hard to open unless you know the code. Most AirBNB owners aren’t going to do a destructive teardown of the lockbox before they put it in place. They *feel* secure and that’s what matters to them. Too bad it’s all just an illusion.

  3. Having long ago subscribed to the “locks only keep honest people honest.” school of thought, I have tended towards “security by obscurity” in my padlock needs. Meaning I seek out off-brand models that seem to have limited availability, in the hope that run of the mill thieves won’t have seen one before and won’t want to risk 5 or 10 minutes figuring it out for the first time. It’s like bearproof coolers, they’re not, you just hope to keep the bear occupied for a good 25 minutes before it goes looking for easier pickings.

  4. I think your average friendly neighbourhood burglars would just bust a window or kick the door down, and not bother with picking locks. The more aspirational ones might try to pry a window open or bring some sort of a cutting tool.

    Unfortunately, I’m speaking from personal experiences.

    1. True, they also tend not to perform cost benefit analyses as to whether it’s worth breaking $500 worth of window to grab the $50 worth (at the pawnbrokers) TV they can see through it.

      1. sure they do because they aren’t the ones paying for the window! the best home security you can have is a big four legged furry friend though, neighborhood burglars will definitely pick a house with no dog over a house with a dog.

        Spoken from experience.

  5. (In the video)
    > Locking pins are still in place, so the lock doesn’t know it is open…

    What about that micro-switch down in the bottom of the door? That should tell the electronics something… I still won’t be buying a “smart” lock though.

    Usually when a traditional lock maker makes a “smart” lock, they get the physical security right but it’s the wireless protocol they screw up. (e.g. using the Bluetooth MAC address of the lock to derive an AES key.)

    Usually when an IoT company makes a “smart” lock, they sometimes get the wireless comms right (nice and secure), but then the physical security is rubbish as they have no lock-making experience.

    Bosnianbill didn’t evaluate the Bluetooth comms, so we don’t know what horrors lurk there. However Master have quite some experience making physical locks. They ought to know better!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.