An illustration of a key sitting on an ID card. The key is light grey and the ID card is a darker grey gradient. The ID card says ID-1 Card 85.60 by 53.98 mm

All Your Keys Are Belong To KeyDecoder

Physical security is often considered simpler than digital security since safes are heavy and physical keys take more effort to duplicate than those of the digital persuasion. [Maxime Beasse and Quentin Clement] have developed a smartphone app that can duplicate a key from a photo making key copying much easier.

KeyDecoder is an open source Android app that can generate all the necessary bitting info to duplicate a key from just an image. Luckily for the paranoid among us, the image must be taken with the key laying flat without a keyring on an ISO/CEI 7810 ID-1 ID or credit card. A passerby can’t just snap a photo of your keys across the room and go liberate your home furnishings, but it still would be wise to keep a closer eye on your keys now that this particular cat hack is out of the bag.

The project’s GitHub page is awash in warnings that this tool is designed solely for “pentesters and security enthusiasts” to warn their friends and clients about the dangers of leaving their keys exposed. After learning about this tool, we wouldn’t be surprised if some in the audience start rethinking how they carry and store their physical keys from now on.

If you want to see some more hacks to duplicate keys, checkout Copying High Security Keys With OpenSCAD And Light and Methods Of Copying High Security Keys.

A robotic machine turning the wheel of a safe

Adventures In Robotic Safe Cracking

When [Zach Hipps] was faced with a locked safe and no combination, it seemed like calling a locksmith was the only non-destructive option. Well, that or doing something crazy like building a safe-opening robot. Since you’re reading this on Hackaday, we bet you can guess which path he took.

So far, [Zach] has managed to assemble the custom chuck and spindle for the safe cracker. This construction is then mated with an appropriately precise Trinamic controller for the motor, which is perfect for this heist project. After some early consternation around the motor’s stall detection capabilities, the project was able to move forward with extra microcontroller code to ensure that the motor disengages when sensing a ‘hard stop’ during cracking.

Precision is absolutely essential in a project like this. When dealing with a million potential combinations, any potential misconfiguration of the robot could cause it to lose its place and become out-of-sync with the software. This was encountered during testing — while the half-assembled robot was (spoilers) able to open a safe with a known combination, it was only able to do so at slow speed. For a safe with an unknown combination, this slow pace would be impractical.

While the robot isn’t quite ready yet, the Part 1 video below is a great introduction to this particular caper. While we wait for the final results, make sure to check out our previous coverage of another auto dialing robot cracking the code in less than a minute.

Continue reading “Adventures In Robotic Safe Cracking”

This Week In Security: Rackspace Falls Over, Poison Ping, And The WordPress Race

In what’s being described as a Humpty-Dumpty incident, Rackspace customers have lost access to their hosted Exchange service, and by extension, lots of archived emails. The first official word of trouble came on December 2nd, and it quickly became clear that this was more than the typical intern-tripped-over-the-cable incident. Nearly a week later, Rackspace confirmed what observers were beginning to suspect, it was a ransomware attack. There’s not a lot of other answers yet, and the incident FAQ answers are all variations on a theme.

Our investigation into the incident is ongoing and will take time to complete. To ensure the integrity of the ongoing investigation, we do not have additional details to share at this time.

Knowing the security issues that have plagued Microsoft Exchange over the last couple of months, one has to wonder if Rackspace was breached as a result of the PowerShell problems. What’s staggering is that a week after the incident, Rackspace still has no timeline for service restoration.

Rackspace isn’t the only major ransomware attack this week, as a hospital in Versailles has partially shut down due to another ransomware attack. Operations were canceled, and work has to be done the old fashioned way, without the network to support.

Continue reading “This Week In Security: Rackspace Falls Over, Poison Ping, And The WordPress Race”

A machine that holds a combination padlock and turns its dial, with two padlocks next to it

Robot Opens Master Combination Locks In Less Than A Minute

A common trope in bank heist B-movies is someone effortlessly bypassing a safe’s combination lock. Typically, the hero or villain will turn the dial while listening to the internal machinery, then deduce the combination based on sounds made by the lock. In real life, high-quality combination locks are not vulnerable to such simple attacks, but cheap ones can often be bypassed with a minimum of effort. Some are so simple that this process can even be automated, as [Mew463] has shown by building a machine that can open a Master combination lock in less than a minute.

A machine that holds a combination padlock and turns its dialThe operating principle is based on research by Samy Kamkar from a couple of years ago. For certain types of Master locks, the combination can be found by applying a small amount of pressure on the shackle and searching for locations on the dial where its movement becomes heavier. A simple algorithm can then be used to completely determine the first and third numbers, and find a list of just eight candidates for the second number.

[Mew463]’s machine automates this process by turning the dial with a stepper motor and pulling on the shackle using a servo and a rack-and-pinion system. A magnetic encoder is mounted on the stepper motor to determine when the motor stalls, while the servo has its internal position encoder brought out as a means of detecting how far the shackle has moved. All of this is controlled by an Arduino Nano mounted on a custom PCB together with a TMC2208 stepper driver.

The machine does its job smoothly and quickly, as you can see in the (silent) video embedded below. All design files are available on the project’s GitHub page, so if you’ve got a drawer full of these locks without combinations, here’s your chance to make them sort-of-useful again. After all, these locks’ vulnerabilities have a long history, and we’ve even seen automated crackers before.

Continue reading “Robot Opens Master Combination Locks In Less Than A Minute”

This Week In Security: Zimbra RCE, Routers Under Attack, And Old Tricks In WebAssembly

There’s a problem in the unrar utility, and as a result, the Zimbra mail server was vulnerable to Remote Code Execution by simply sending an email. So first, unrar is a source-available command-line application made by RarLab, the same folks behind WinRAR. CVE-2022-30333 is the vulnerability there, and it’s a classic path traversal on archive extraction. One of the ways this attack is normally pulled off is by extracting a symlink to the intended destination, which then points to a location that should be restricted. unrar has code hardening against this attack, but is sabotaged by its cross-platform support. On a Unix machine, the archive is checked for any symbolic links containing the ../ pattern. After this check is completed, a function runs to convert any Windows paths to Unix notation. As such, the simply bypass is to include symlinks using ..\ traversal, which don’t get caught by the check, and then are converted to working directories.

That was bad enough, but Zimbra made it worse by automatically extracting .rar attachments on incoming emails, in order to run a virus and spam check. That extraction isn’t sandboxed, so an attacker’s files are written anywhere on the filesystem the zimbra user can write. It’s not hard to imagine how this turns into a full RCE very quickly. If you have an unrar binary based on RarLab code, check for version 6.1.7 or 6.12 of their binary release. While Zimbra was the application specifically called out, there are likely to be other cases where this could be used for exploitation.
Continue reading “This Week In Security: Zimbra RCE, Routers Under Attack, And Old Tricks In WebAssembly”

A lock picking robot

This 3D Printed Robot Can Actually Pick Locks

Lockpicking is more of an art than a science: it’s probably 10% knowledge and 90% feeling. Only practice will teach you how much torque to apply to the cylinder, how to sense when you’ve pushed a pin far enough, or what it feels like when a pin springs back. Surely a robot would never be able to replicate such a delicate process, wouldn’t it?

Well, not according to [Lance] over at [Sparks and Code], who thought that building a lock picking robot would be an interesting challenge. He started out with a frame to hold a padlock and a servo motor to apply torque. A load cell measures the amount of force applied. This helps to keep the lock under a constant amount of tension as each pin is picked in succession. Although slow, this method seemed to work when moving the pick manually.

The difficult part was automating the pick movement. [Lance] built a clever system driven by two motors that would keep the pick perfectly straight while moving it horizontally and vertically. This was hard enough to get working correctly, but after adding a few additional clamps to remove wobble in the leadscrew, the robot was able to start picking. A second load cell inside the pick arm would detect the amount of force on each pin and work its way across the lock, pin by pin.

At least, that was the idea: as it turned out, simply dragging the pick across all pins in one go was enough to open the lock. A much simpler design could have achieved that, but no matter: designing a robot for all these intricate motions was a great learning experience anyway. It also gave [Lance] a good platform to start working on a more advanced robot that can pick higher-quality locks in which the dragging technique doesn’t work.

We haven’t come across lockpicking robots before; perhaps the closest equivalent would be this 3D-printed Snap Gun. If you’re interested in all aspects of locks and how to apply them, check out our Physical Security Hack Chat with Deviant Ollam.

Continue reading “This 3D Printed Robot Can Actually Pick Locks”

Making A Car Key From A Ratcheting Wrench

Car keys these days are remarkably complex beasts. Covered in buttons and loaded with security transponders, they often cost hundreds of dollars to replace if you’re unlucky enough to lose them. However, back in the day, keys used to just be keys — a hunk of metal in a mechanical pattern to move some levers and open a door. Thus, you could reshape a wrench into a key for an old car if that was something you really wanted to do.

The concept is simple. Take a 12mm ratcheting wrench, and shape the flat section into a profile matching that of a key for an older car without any electronic security features. The first step is to cut down the shaft, before grinding it down to match the thickness and width of the original key.

The profile of the key is then drawn onto the surface, and a Dremel used with a cutting disc to create the requisite shape.  Finally, calipers are used to mark out the channels to allow the key to slide into the keyway, before these are also machined with the rotary tool.

Filing and polishing cleans up the final result to create a shiny, attractive ratchet wrench key. Even better, it does a great job of opening the car, too.

Similar machining techniques can be used to duplicate a key from just a photo (something I did back in 2019 to prank my friend). Alternatively, 3D printing can be great for reproducing even high-security keys. Video after the break.

Continue reading “Making A Car Key From A Ratcheting Wrench”