Anyone Can Be The Master Of This Master Lock Safe

A light blue marker with a two-pin header replacing the tip, being pressed against the back of the keypad baord that's removed from the safe

[Etienne Sellan] got one of these lovely $5 logic analyzers. As with any shiny new tool, he started looking for things to investigate with it, and his gaze fell on a Sentry Safe (produced by Master Lock). On the surface level, this keypad-equipped safe is designed decently when it comes to privilege separation. You can take the keypad board off and access its backside, but the keypad doesn’t make any decisions, it merely sends the digits to a different board embedded behind the safe’s door. The solenoid-connected board receives the PIN, verifies it, and then controls the solenoid that unlocks the safe.

[Etienne] hooked up a logic analyzer to the communication wire, which turned out to be a UART channel, and logged the keypad communication packets — both for password entry and for password change. Then, he wrote some Arduino code to send the same packets manually, which worked wonders. Bruteforcing wasn’t viable, however, due to rate limitation in the solenoid controller. Something drew his attention from there – if you want to change the password, the keypad requires you enter the factory code, unique to each safe and supplied in the instruction manual. That code entry is a separate kind of packet from the “change password” one.

More after the break…

Picture of the internals of the marker, with an ATMega in DIP, two CR2032 cells in red 3d-printed holder, a two-pin header attached to the ATMega by wires, and a simple button glued into the side of the markerArmed with an Arduino able to send packets imitating those produced by the keypad, [Etienne] found a critical bug – sending the password change command didn’t actually require the factory code packet to be sent first. By sending a single packet saying “please change the code to 00000”, the PIN code will be reset. All you need for that is an MCU injecting serial packets, and [Etienne] built just that, embedding an ATmega circuit into a shell of a marker, tip replaced with a two-pin header.

If you want to hack such a safe, you just need to remove the keypad, take the cap off the marker, touch two pins to test points on the keypad board, and press a button that sends a packet to the safe — as shown in a video by [Etienne]. Just a bit shy of a James Bond-suited tool, this marker will yield you a gun in times of need, or perhaps a wad of cash, as long as you can locate a Sentry Safe out in the wild.

The intermediate board design, with an ATMega and an ESP-01 module on it, three connector-ended two-wire cables going away from the board.This is exceptionally bad, obviously – given that this safe is advertised for storing valuables and firearms. The company was notified of the problem but never responded. If you have a safe that’s affected, however, [Etienne] designed a replacement solenoid board that isn’t susceptible to any malicious packets. The designs for everything are open-source, in the best of hacker traditions. With this board, your safe’s safety is one PCB order away. As if [Etienne]’s work had to be any cooler, he also wrote a firmware that adds OTP code support to this board, so you can use your favorite 2FA app to open this safe, too.

We tip our hats to [Etienne] finding this bug, making a cool proof-of-concept, and then even creating a fix – in the face of the manufacturer straight up ignoring the problem. We often see hardware hackers upgrading their safes or breaking into them, and it’s nice to see a project that manages to do both.

21 thoughts on “Anyone Can Be The Master Of This Master Lock Safe

    1. Yes indeed. Go buy yourself a “EZ-USB FX2LP CY7C68013” on Aliexpress and you are in business. You may want to add a level shifter if you don’t intend to use it with 3.3 volts all the time. pulseview and sigrok know all about it and can use it straight out of the box, no need to even flash new firmware to it. $4.37 plus some shipping last time I checked.

  1. Genius case mod! I’ve been in the process of designing a more general instrument front end that can attach to devices, but this is a great option for only a few wires!

      1. I’d be interested to see if these are vulnerable to that exploit. Previous models of SentrySafe have been known to be vulnerable to this attack. Not sure about the Master model he featured…but I have a nearly identical looking safe that is definitely vulnerable.

        Here’s a YouTube link: https://youtu.be/TBhfnIu9lTw?t=50

        The outsides look very similar, so wouldn’t be surprised if the same manufacturer produces both, and simply brands it Master. Not to say it couldn’t be different and have less vulnerable internals…but Master’s (and Sentry’s) track record would generally indicate they didn’t bother fixing it.

        Thankfully LPL loves to show people how seriously they take security, which is to say, NOT AT ALL.

      2. In my experience, the problem with solenoids in locks is usually that they are spring-loaded with a light spring; which means that they can be influenced from the outside by injecting mechanical energy into the system.
        There are tons of videos out there about cheap safes being opened when someone hits them with a fist and turns the handle at the right moment.

        This weakness is also present in other types of locks, where there is no solenoid but still a spring-loaded locking element, like https://youtu.be/5G2jMhXlWzs , or other types of safes like https://youtu.be/FLCHqalm2Y8 (while for that small key safe, later versions protect themselves).

        If you visit MCH2022, I will have more examples for you ;)

  2. Safes are only rated to resist entry or fire for a specified period. I know some models for government use had a 1-hour rating and those are expensive quarter-ton units.. Given that this is a consumer product and the manufacturer probably doesn’t give a hoot, probably about 3 minutes is all they care about or until your payment clears.

    1. The fire specifications are based on standards that rarely are a good equivalent of what’s happening in a real fire. Anything less than a 2 hour safe is not going to bode well for what’s inside.

      On the upside, those 2 hour safes do work. As folks not too far from where I live found out when a forest fire took out lots of homes. It also helps to locate the safe away from the center of combustibles in the house, preferably on a concrete slab.

      And of course all safes can be cracked, so they should only be counted on to deter casual access and protect contents from a fire.

    1. James Bond has a licence to kill, and probably a permit to nick stuff off of baddies. The author was referencing how this might feel like a spy gadget, rather than suggesting you put on a tuxedo and go stealing yourself, probably :-)

      1. As far as I am aware, nobody really had a license to kill… it was more a designation of an operators ability to kill on command… to actually go through with it. Kinda like the shoot the dog thing in Kingsman.

  3. I had one of those safes. Forgot the combo. Couldn’t find the manual with the combo to change the forgotten combo. Contacting sentry safe was no help.

    I sh*t you not when I tell you it took me less than 3 minutes to open that thing with an old, manually powered no less, crowbar.

    So does it surprise anyone sentry safe did not bother?

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.