Anyone in the know about IoT security is likely to steer clear of a physical security product that’s got some sort of wireless control. The list of exploits for such devices is a long, sad statement on security as an afterthought, if at all. So it’s understandable if you think a Bluetooth-enabled lock is best attacked via its wireless stack.
As it turns out, the Master 5440D Bluetooth Key Safe can be defeated in a few minutes with just a screwdriver. The key safe is the type a realtor or AirBnB host would use to allow access to a property’s keys. [Bosnianbill] embarked on an inspection of the $120 unit, looking for weaknesses. When physical attacks with a hammer and spoofing the solenoids with a magnet didn’t pay off, he decided to strip off the resilient skin that Master so thoughtfully provided to prevent the box from marring the finish of a door or gate. The denuded device thus revealed its awful secret: two Phillips screws, each securing a locking shackle to the cover. Once those are loose, a little prying with a screwdriver is all that’s needed to get the keys to the kingdom.
In a follow-up video posted later, [Bill] took a closer look at another key safe and found that Master had made an anemic effort to fix this vulnerability with a squirt of epoxy in each screw head. It’s weak, at best, since a tap with a hammer compresses the gunk enough to get a grip on the screw.
When it comes to safes, mechanical design and physical layout are just as important as the electronic bits. If care isn’t taken, one element can undermine the other. That appears to be the case with this Amazon Basics branded biometric pistol safe. Because of the mechanical design, the fingerprint sensor can be overridden with nothing more than a thin piece of metal — no melted gummi bears and fingerprint impressions involved.
[LockPickingLawyer] has a reputation for exposing the lunacy of poorly-designed locks of all kinds and begins this short video (embedded below) by stating that when attempting to bypass the security of a device like this, he would normally focus on the mechanical lock. But in this case, it’s far more straightforward to simply subvert the fingerprint registration.
This is how it works: the back of the front panel (which is inside the safe) has a small button. When this button is pressed, the device will be instructed to register a new fingerprint. The security of that system depends on this button being inaccessible while the safe is closed. Unfortunately it’s placed poorly and all it takes is a thin piece of metal slid through the thin opening between the door and the rest of the safe. One press, and the (closed) safe is instructed to register and trust a new fingerprint. After that, the safe can be opened in the usual way.
It’s possible that a pistol being present in the safe might get in the way of inserting a metal shim to hit the button, but it doesn’t look like it. A metal lip in the frame, or recessing the reset button could prevent this attack. The sensor could also be instructed to reject reprogramming while the door is closed. In any case, this is a great demonstration of how design elements can affect one another, and have a security impact in the process.
The ability to duplicate keys with a 3D printer is certainly nothing new, but so far we’ve only seen the technique used against relatively low hanging fruit. It’s one thing to print a key that will open a $15 Kwikset deadbolt from the hardware store or a TSA-approved “lock” that’s little more than a toy, but a high-security key is another story. The geometry of these keys is far more complex, making them too challenging to duplicate on a consumer-level printer. Or at least, you’d think so.
Inspired by previous printed keys, [Tiernan] wanted to see if the techniques could be refined for use against high security Abloy Protec locks, which are noted for their resistance to traditional physical attacks such as picking. The resulting STLs are, unsurprisingly, beyond the capabilities of your average desktop FDM printer. But with a sub-$300 USD Anycubic Photon DLP printer, it’s now possible to circumvent these highly regarded locks non-destructively.
Of course, these keys are far too intricate to duplicate from a single picture, so you’ll need to have the physical key in hand and decode it manually. [Tiernan] wisely leaves that step of the process out, so anyone looking to use this project will need to have a good working knowledge of the Abloy Protec system. Hopefully this keeps bad actors from doing anything too nefarious with this research.
Once you have the decoded values for the key you want to duplicate, you just need to provide them to the OpenSCAD library [Tiernan] has developed and print the resulting STL on your sufficiently high-resolution printer. Generally speaking, the parts produced by resin-based printing have a high tensile strength but are very brittle, so perhaps not the kind of thing you want to stick in your expensive Abloy lock. That said, there are some “Tough Resin” formulations available now which produce parts that are at least as strong as those made with thermoplastics. So while the printed keys might not be strong enough for daily use, they’ll certainly work in a pinch.
It seems a bit unfair to pile on a product that has already been roundly criticized for its security vulnerabilities. But when that product is a device that is ostensibly deployed to keep one’s family and belongings safe, it’s plenty fair. And when that device is an alarm system that can be defeated by a two-dollar wireless remote, it’s practically a responsibility.
The item in question is the SimpliSafe alarm system, a fully wireless, install-it-yourself system available online and from various big-box retailers. We’ve covered the system’s deeply flawed security model before, whereby SDRs can be used to execute a low-effort replay attack. As simple as that exploit is, it looks positively elegant next to [LockPickingLawyer]’s brute-force attack, which uses a $2 RF remote as a jammer for the 433-MHz wireless signal between sensors and the base unit.
With the remote in close proximity to the system, he demonstrates how easy it would be to open a door or window and enter a property guarded by SimpliSafe without leaving a trace. Yes, a little remote probably won’t jam the system from a distance, but a cheap programmable dual-band transceiver like those offered by Baofeng would certainly do the trick. Not being a licensed amateur operator, [LockPickingLawyer] didn’t test this, but we doubt thieves would have the respect for the law that an officer of the court does.
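The reason a jammer leaves no trace is that the base station treats silence from a sensor as "nothing happened" rather than as a fault. Alarm panels that supervise their sensors expect a periodic heartbeat and raise a trouble condition when several in a row go missing; if every enrolled sensor goes quiet at the same moment, that pattern points at RF interference rather than one dead battery. The following is an added example of that supervision logic, not SimpliSafe's firmware or protocol: the heartbeat interval, miss threshold, sensor names and the three heartbeat logs are all constructed for illustration.

```python
"""Heartbeat supervision for a wireless alarm panel (illustrative model).

Sensors are assumed to transmit a heartbeat every HEARTBEAT_INTERVAL_S.
The panel flags a sensor as silent after MISSED_BEFORE_ALERT consecutive
misses, and treats "every sensor silent at once" as possible jamming.
Constants and logs are constructed; they are not a real product's values.
"""
from dataclasses import dataclass

HEARTBEAT_INTERVAL_S = 60      # assumed sensor check-in period
MISSED_BEFORE_ALERT = 3        # assumed tolerance before a trouble condition


@dataclass
class Verdict:
    silent: list               # sensor ids past the supervision window
    kind: str                  # "ok", "sensor-lost" or "possible-jamming"


class Supervisor:
    def __init__(self, interval_s=HEARTBEAT_INTERVAL_S, missed=MISSED_BEFORE_ALERT):
        self.window_s = interval_s * missed
        self.last_seen = {}    # sensor id -> timestamp of last heartbeat

    def enroll(self, sensor_id, now):
        """Register a sensor; supervision starts from the enrollment time."""
        self.last_seen[sensor_id] = now

    def observe(self, sensor_id, ts):
        """Record a received heartbeat. Frames from unknown ids are ignored."""
        if sensor_id not in self.last_seen:
            return
        self.last_seen[sensor_id] = max(self.last_seen[sensor_id], ts)

    def check(self, now):
        """Classify the current state at time `now`."""
        silent = sorted(s for s, t in self.last_seen.items()
                        if now - t > self.window_s)
        if not silent:
            kind = "ok"
        elif len(silent) > 1 and len(silent) == len(self.last_seen):
            # All sensors vanished together: batteries do not fail in unison,
            # so the likelier cause is the channel being jammed.
            kind = "possible-jamming"
        else:
            kind = "sensor-lost"
        return Verdict(silent, kind)


def replay(events, enrolled, now):
    """Feed a (timestamp, sensor_id) log into a fresh Supervisor and check it."""
    sup = Supervisor()
    for sensor_id in enrolled:
        sup.enroll(sensor_id, 0.0)
    for ts, sensor_id in events:
        sup.observe(sensor_id, ts)
    return sup.check(now)


SENSORS = ["door-1", "window-2"]

# Constructed heartbeat logs, ten minutes of one-minute check-ins.
BASELINE = [(t, s) for t in range(60, 601, 60) for s in SENSORS]
# A jammer keyed at t=300: no frame from any sensor gets through afterwards.
JAMMED = [(t, s) for t, s in BASELINE if t <= 300]
# Only door-1 stops reporting after t=300; window-2 is still heard.
DEAD_BATTERY = [(t, s) for t, s in BASELINE if not (s == "door-1" and t > 300)]

if __name__ == "__main__":
    for name, log in (("baseline", BASELINE), ("jammed", JAMMED),
                      ("dead battery", DEAD_BATTERY)):
        print(name, replay(log, SENSORS, now=600.0))
```

The distinction between `sensor-lost` and `possible-jamming` is the practical point: a panel that only supports the first can be silenced without a trace, while one that raises the second at least leaves a log entry, and can be configured to treat it as an alarm when the system is armed.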
The bottom line with alarm systems is that you get what you pay for, or sadly, significantly less. Hats off to [LockPickingLawyer] for demonstrating this vulnerability, and for his many other lockpicking videos, which are well worth watching.
In our search for big-box convenience, we tend to forget that locksmiths once not only copied keys but also created complex locks and other intricate mechanisms from scratch. [my mechanics] hasn’t forgotten, and building a lock is his way of celebrating the locksmith’s skill. Building a combination lock from a single stainless bolt is probably also showing off just a little, and we’re completely fine with that.
Granted, the bolt is a rather large one – an M20x70 – and a few other materials such as brass rod and spring wire were needed to complete the lock. But being able to look at a single bolt and slice it up into most of the stock needed for the lock is simply amazing. The head became the two endplates, while the shank was split in half lengthwise and crosswise after the threads were turned off; those pieces were later turned down into the tubes and pins needed to create the lock mechanism. The combination wheels probably could have come from another – or longer – bolt, but we like the look of the brass against the polished stainless, as well as the etched numbers and subtle knurling. The whole thing is a locksmithing tour de force, and the video below captures all of it without any fluff or nonsense.
At a far flung, wind blown, outpost of Hackaday, we were watching a spy film with a bottle of suitably cheap Russian vodka when suddenly a blonde triple agent presented a fascinating looking gadget to a lock and proceeded to unpick it automatically. We all know very well that we should not believe everything we see on TV, but this one stuck.
Now, for us at least, fantasy became a reality as [Peterthinks] makes public his 3D printed lock picker – perfect for the budding CIA agent. Of course, the Russians have probably been using these kinds of gadgets for much longer and their YouTube videos are much better, but to build one’s own machine takes it one step to the left of center.
The device works by manually flicking the spring (rubber band) loaded side switch which then toggles the picking tang up and down whilst simultaneously using another tang to gently prime the opening rotator.
The size of the device makes it perfect to carry around in a back pocket, waiting for the chance to become a hero in the local supermarket car park when somebody inevitably locks their keys in their car, or even use it in your day job as a secret agent. Just make sure you have your CIA, MI6 or KGB credentials to hand in case you get searched by the cops or they might think you were just a casual burglar. Diplomatic immunity, or a ‘license to pick’ would also be useful, if you can get one.
As mentioned earlier, [Peter’s] video is not the best one to explain lock picking, but he definitely gets the prize for stealth. His videos are below the break.
The movie version of lockpicking tends to emphasize the meticulous, delicate image of the craft. The hero or villain takes out a slim wallet of fine tools, applies them with skill and precision, and quickly defeats the lock. They make it look easy, and while the image isn’t far from reality, there are other ways to pick a lock.
This expedient electric toothbrush lockpick is a surprisingly effective example of the more brute force approach to lockpicking. As [Jolly Peanut] explains, pin tumbler locks work by lining up each pin with the shear line of the cylinder, which allows the lock to turn. This can be accomplished a pin at a time with picks, or en masse by vibrating the pins until they randomly line up with the shear line just long enough for the lock to turn. A locksmith might use a purpose-built tool for the job, but a simple battery-powered electric toothbrush works in a pinch too. [Jolly Peanut] removed the usual business end of the brush to reveal a metal drive rod that vibrates at a high frequency. The rod was slimmed down by a little grinding to fit into the keyway of a lock, and with the application of a little torque, the vibration is enough to pop the pins into the right position. He tries it out on several locks in the video below, and it only takes a few seconds each time.
Such brute force methods have their drawbacks, of course. They’re not exactly subtle, and the noise they create may attract unwanted attention. In that case, hone your manual lockpicking skills with a giant 3D-printed see-through lock.