A common trope in bank heist B-movies is someone effortlessly bypassing a safe’s combination lock. Typically, the hero or villain will turn the dial while listening to the internal machinery, then deduce the combination based on sounds made by the lock. In real life, high-quality combination locks are not vulnerable to such simple attacks, but cheap ones can often be bypassed with a minimum of effort. Some are so simple that this process can even be automated, as [Mew463] has shown by building a machine that can open a Master combination lock in less than a minute.
The operating principle is based on research by Samy Kamkar from a couple of years ago. For certain types of Master locks, the combination can be found by applying a small amount of pressure on the shackle and searching for locations on the dial where its movement becomes heavier. A simple algorithm can then be used to completely determine the first and third numbers, and find a list of just eight candidates for the second number.
[Mew463]’s machine automates this process by turning the dial with a stepper motor and pulling on the shackle using a servo and a rack-and-pinion system. A magnetic encoder is mounted on the stepper motor to determine when the motor stalls, while the servo has its internal position encoder brought out as a means of detecting how far the shackle has moved. All of this is controlled by an Arduino Nano mounted on a custom PCB together with a TMC2208 stepper driver.
The machine does its job smoothly and quickly, as you can see in the (silent) video embedded below. All design files are available on the project’s GitHub page, so if you’ve got a drawer full of these locks without combinations, here’s your chance to make them sort-of-useful again. After all, these locks’ vulnerabilities have a long history, and we’ve even seen automated crackers before.
Continue reading “Robot Opens Master Combination Locks In Less Than A Minute”
Lockpicking is more of an art than a science: it’s probably 10% knowledge and 90% feeling. Only practice will teach you how much torque to apply to the cylinder, how to sense when you’ve pushed a pin far enough, or what it feels like when a pin springs back. Surely a robot would never be able to replicate such a delicate process, wouldn’t it?
Well, not according to [Lance] over at [Sparks and Code], who thought that building a lock picking robot would be an interesting challenge. He started out with a frame to hold a padlock and a servo motor to apply torque. A load cell measures the amount of force applied. This helps to keep the lock under a constant amount of tension as each pin is picked in succession. Although slow, this method seemed to work when moving the pick manually.
The difficult part was automating the pick movement. [Lance] built a clever system driven by two motors that would keep the pick perfectly straight while moving it horizontally and vertically. This was hard enough to get working correctly, but after adding a few additional clamps to remove wobble in the leadscrew, the robot was able to start picking. A second load cell inside the pick arm would detect the amount of force on each pin and work its way across the lock, pin by pin.
At least, that was the idea: as it turned out, simply dragging the pick across all pins in one go was enough to open the lock. A much simpler design could have achieved that, but no matter: designing a robot for all these intricate motions was a great learning experience anyway. It also gave [Lance] a good platform to start working on a more advanced robot that can pick higher-quality locks in which the dragging technique doesn’t work.
We haven’t come across lockpicking robots before; perhaps the closest equivalent would be this 3D-printed Snap Gun. If you’re interested in all aspects of locks and how to apply them, check out our Physical Security Hack Chat with Deviant Ollam.
Continue reading “This 3D Printed Robot Can Actually Pick Locks”
Every time manufacturers bring a new “unpickable” lock to market, amateur and professional locksmiths descend on the new product to prove them wrong. [Shane] from [Stuff Made Here] decided to try his hand at designing and building an unpickable lock, and found that particular rabbit hole to be a lot deeper than expected. (Video, embedded below.)
Most common pin tumbler locks can be picked thanks to slightly loose fits of the pins and tiny manufacturing defects. By lifting or bumping the pins while putting tension on the cylinder the pins can be made to bind one by one at the shear line. Once all the pins are bound in the correct position, it can be unlocked.
[Shane]’s design aimed to prevent the pins from being set in unlocked position one by one, by locking the all pins in whatever position they are set and preventing further manipulation when the cylinder is turned to test the combination. In theory this should prevent the person doing the picking from knowing if any of the pins were in the correct position, forcing them to take the difficult and time-consuming approach of simply trying different combinations.
[Shane] is no stranger to challenging projects, and this one was no different. Many of the parts had to be remade multiple times, even with his well-equipped home machine shop. The mechanism that holds the pins in the set position when the cylinder is rotated was especially difficult to get working reliably. He explicitly states that this lock is purely an educational exercise, and not commercially viable due to its mechanical complexity and difficult machining.
A local locksmith was unsuccessful in picking the lock with the standard techniques, but the real test is still to come. The name [LockPickingLawyer] has probably already come to mind for many readers. [Shane] has been in contact with him and will send him a lock to test after a few more refinements, and we look forward to seeing the results! Continue reading “Making A “Unpickable” Lock”
This week, the first details of BleedingTooth leaked onto Twitter, setting off a bit of a frenzy. The full details have yet to be released, but what we know is concerning enough. First off, BleedingTooth isn’t a single vulnerability, but is a set of at least 3 different CVEs (Shouldn’t that make it BleedingTeeth?). The worst vulnerability so far is CVE-2020-12351, which appears to be shown off in the video embedded after the break.
Continue reading “This Week In Security: BleedingTooth, Bad Neighbors, And Unpickable Locks”
If you are smart, you wouldn’t hand your house key over to a stranger for a few minutes, right? But every time you use your key to unlock your door, you are probably broadcasting everything an attacker needs to make their own copy. Turns out it’s all in the sound of the key going into the lock.
Researchers in Singapore reported that analyzing metallic clicks as the key slides past the pins gives them the data they need to 3D print a working key. The journal published research is behind a paywall, but there is a copy on co-author [Soundarya Ramesh’s] website which outlines the algorithm used to decode the clicks of key teeth on lock pins into usable data.
The attack didn’t require special hardware. The team used audio capture from common smartphones. While pushing your phone close to the lock while the victim inserts a key might be problematic, it isn’t hard to imagine a hacked phone or smart doorbell picking up the audio for an attacker. Long-range mikes or hidden bugs are also possible.
There are practical concerns, of course. Some keys have a plateau that causes some clicks to skip, so the algorithm has to deal with that. It sounds like the final result be a small number of key possibilities and not just converge on one single key, but even if you had to carry three or four keys with you to get in, it is still a very viable vulnerability.
The next step is to find a suitable defense. We’ve heard that softening the pins might reduce the click, but we wondered if it would be as well to put something in that deliberately makes loud clicks as you insert the key to mask the softer clicks of the pins.
While a sound recording is good, sometimes a picture is even better. Of course, if you want to go old school, you can 3D print your lockpicks.
Continue reading “Stealing Keys From The Sound Of The Lock”
Join us on Wednesday, June 3 at noon Pacific for the Physical Security Hack Chat with Deviant Ollam!
You can throw as many resources as possible into securing your systems — patch every vulnerability religiously, train all your users, monitor their traffic, eliminate every conceivable side-channel attack, or even totally air-gap your system — but it all amounts to exactly zero if somebody leaves a door propped open. Or if you’ve put a $5 padlock on a critical gate. Or if your RFID access control system is easily hacked. Ignore details like that and you’re just inviting trouble in.
Once the black-hats are on the inside, their job becomes orders of magnitude easier. Nothing beats hands-on access to a system when it comes to compromising it, and even if the attacker isn’t directly interfacing with your system, having him or her on the inside makes social engineering attacks that much simpler. System security starts with physical security, and physical security starts with understanding how to keep the doors locked.
To help us dig into that, Deviant Ollam will stop by the Hack Chat. Deviant works as a physical security consultant and he’s a fixture on the security con circuit and denizen of many lockpicking villages. He’s well-versed in what it takes to keep hardware safe from unauthorized visits or to keep it from disappearing entirely. From CCTV systems to elevator hacks to just about every possible way to defeat a locked door, Deviant has quite a bag of physical security tricks, and he’ll share his insights on keeping stuff safe in a dangerous world.
Our Hack Chats are live community events in the Hackaday.io Hack Chat group messaging. This week we’ll be sitting down on Wednesday, June 3 at 12:00 PM Pacific time. If time zones have you down, we have a handy time zone converter.
Click that speech bubble to the right, and you’ll be taken directly to the Hack Chat group on Hackaday.io. You don’t have to wait until Wednesday; join whenever you want and you can see what the community is talking about.
The security conference LayerOne 2018 took place this past weekend in Pasadena, California. A schedule conflict meant most of our crew was at Hackaday Belgrade but I went to LayerOne to check it out as a first-time attendee. It was a weekend full of deciphering an enigmatic badge, hands-on learning about physical security, admiring impressive demos, and building a crappy robot.
Continue reading “Badge Bling And More At LayerOne 2018”