[Etienne Sellan] got one of these lovely $5 logic analyzers. As with any shiny new tool, he started looking for things to investigate with it, and his gaze fell on a Sentry Safe (produced by Master Lock). On the surface level, this keypad-equipped safe is designed decently when it comes to privilege separation. You can take the keypad board off and access its backside, but the keypad doesn’t make any decisions, it merely sends the digits to a different board embedded behind the safe’s door. The solenoid-connected board receives the PIN, verifies it, and then controls the solenoid that unlocks the safe.
[Etienne] hooked up a logic analyzer to the communication wire, which turned out to be a UART channel, and logged the keypad communication packets — both for password entry and for password change. Then, he wrote some Arduino code to send the same packets manually, which worked wonders. Bruteforcing wasn’t viable, however, due to rate limitation in the solenoid controller. Something drew his attention from there – if you want to change the password, the keypad requires you enter the factory code, unique to each safe and supplied in the instruction manual. That code entry is a separate kind of packet from the “change password” one.
More after the break…
Armed with an Arduino able to send packets imitating those produced by the keypad, [Etienne] found a critical bug – sending the password change command didn’t actually require the factory code packet to be sent first. By sending a single packet saying “please change the code to 00000”, the PIN code will be reset. All you need for that is an MCU injecting serial packets, and [Etienne] built just that, embedding an ATmega circuit into a shell of a marker, tip replaced with a two-pin header.
If you want to hack such a safe, you just need to remove the keypad, take the cap off the marker, touch two pins to test points on the keypad board, and press a button that sends a packet to the safe — as shown in a video by [Etienne]. Just a bit shy of a James Bond-suited tool, this marker will yield you a gun in times of need, or perhaps a wad of cash, as long as you can locate a Sentry Safe out in the wild.
This is exceptionally bad, obviously – given that this safe is advertised for storing valuables and firearms. The company was notified of the problem but never responded. If you have a safe that’s affected, however, [Etienne] designed a replacement solenoid board that isn’t susceptible to any malicious packets. The designs for everything are open-source, in the best of hacker traditions. With this board, your safe’s safety is one PCB order away. As if [Etienne]’s work had to be any cooler, he also wrote a firmware that adds OTP code support to this board, so you can use your favorite 2FA app to open this safe, too.
We tip our hats to [Etienne] finding this bug, making a cool proof-of-concept, and then even creating a fix – in the face of the manufacturer straight up ignoring the problem. We often see hardware hackers upgrading their safes or breaking into them, and it’s nice to see a project that manages to do both.
Hi @SentrySafe & @MasterLockUS,
I just found a software vulnerability in your electronic safe firmware that allow to open safe without secret code.
I made a pocket payload injector as PoC.
Is it possible to discuss with you to provide details and help fix ?Cc @LockPickingLwyr pic.twitter.com/B4A75Ws1OG
— Etienne Sellan (@etienne_sellan) February 21, 2022
If Masterlock gave two hoots about security the lock picking lawyers you tube stream would have dried up long ago.
$5 logic analyzer?
Yes indeed. Go buy yourself a “EZ-USB FX2LP CY7C68013” on Aliexpress and you are in business. You may want to add a level shifter if you don’t intend to use it with 3.3 volts all the time. pulseview and sigrok know all about it and can use it straight out of the box, no need to even flash new firmware to it. $4.37 plus some shipping last time I checked.
Thank you! Most websites I looked at were in the +$10 range!
https://www.aliexpress.com/wholesale?catId=0&initiative_id=SB_20220605125345&SearchText=EZ-USB+FX2LP+CY7C68013&spm=a2g0o.home.1000002.0
yeah, it’s wonderful! thank you for giving the specific reference, I appreciate the help ^__^
Genius case mod! I’ve been in the process of designing a more general instrument front end that can attach to devices, but this is a great option for only a few wires!
Did I read “solenoid”? Sounds like there might be an even faster way to open that “safe”…
I would assume the case of the safe is solid steel, and thus effectively Faraday-cages the bolts and actuators from external magnetic fields.
I’d be interested to see if these are vulnerable to that exploit. Previous models of SentrySafe have been known to be vulnerable to this attack. Not sure about the Master model he featured…but I have a nearly identical looking safe that is definitely vulnerable.
Here’s a YouTube link: https://youtu.be/TBhfnIu9lTw?t=50
The outsides look very similar, so wouldn’t be surprised if the same manufacturer produces both, and simply brands it Master. Not to say it couldn’t be different and have less vulnerable internals…but Master’s (and Sentry’s) track record would generally indicate they didn’t bother fixing it.
Thankfully LPL loves to show people how seriously they take security, which is to say, NOT AT ALL.
In my experience, the problem with solenoids in locks is usually that they are spring-loaded with a light spring; which means that they can be influenced from the outside by injecting mechanical energy into the system.
There are tons of videos out there about cheap safes being opened when someone hits them with a fist and turns the handle at the right moment.
This weakness is also present in other types of locks, where there is no solenoid but still a spring-loaded locking element, like https://youtu.be/5G2jMhXlWzs , or other types of safes like https://youtu.be/FLCHqalm2Y8 (while for that small key safe, later versions protect themselves).
If you visit MCH2022, I will have more examples for you ;)
Safes are only rated to resist entry or fire for a specified period. I know some models for government use had a 1-hour rating and those are expensive quarter-ton units.. Given that this is a consumer product and the manufacturer probably doesn’t give a hoot, probably about 3 minutes is all they care about or until your payment clears.
The fire specifications are based on standards that rarely are a good equivalent of what’s happening in a real fire. Anything less than a 2 hour safe is not going to bode well for what’s inside.
On the upside, those 2 hour safes do work. As folks not too far from where I live found out when a forest fire took out lots of homes. It also helps to locate the safe away from the center of combustibles in the house, preferably on a concrete slab.
And of course all safes can be cracked, so they should only be counted on to deter casual access and protect contents from a fire.
“this marker will yield you a gun in times of need, or perhaps a wad of cash”
Um
Not used to this tone on hackaday, usually we hide our crimes here
James Bond has a licence to kill, and probably a permit to nick stuff off of baddies. The author was referencing how this might feel like a spy gadget, rather than suggesting you put on a tuxedo and go stealing yourself, probably :-)
As far as I am aware, nobody really had a license to kill… it was more a designation of an operators ability to kill on command… to actually go through with it. Kinda like the shoot the dog thing in Kingsman.
Master to slave in 5 seconds, nice.
Always a slave… Just didn’t know it.
I had one of those safes. Forgot the combo. Couldn’t find the manual with the combo to change the forgotten combo. Contacting sentry safe was no help.
I sh*t you not when I tell you it took me less than 3 minutes to open that thing with an old, manually powered no less, crowbar.
So does it surprise anyone sentry safe did not bother?
This is the coolest thing in a while – especially the marker case.
Absolute pimp.
Seems like this may have been a known vulnerability for a while. This guy has been selling a similar tool since 2017.
https://www.mrlocksmithtraining.com/product/black-box/
Yes, and he also sells a magnet for them. I wonder why he doesn’t also sell rubber mallets, but the sales margin would probably lower…