A light blue marker with a two-pin header replacing the tip, being pressed against the back of the keypad baord that's removed from the safe

Anyone Can Be The Master Of This Master Lock Safe

June 5, 2022 by Arya Voronova 21 Comments

[Etienne Sellan] got one of these lovely $5 logic analyzers. As with any shiny new tool, he started looking for things to investigate with it, and his gaze fell on a Sentry Safe (produced by Master Lock). On the surface level, this keypad-equipped safe is designed decently when it comes to privilege separation. You can take the keypad board off and access its backside, but the keypad doesn’t make any decisions, it merely sends the digits to a different board embedded behind the safe’s door. The solenoid-connected board receives the PIN, verifies it, and then controls the solenoid that unlocks the safe.

[Etienne] hooked up a logic analyzer to the communication wire, which turned out to be a UART channel, and logged the keypad communication packets — both for password entry and for password change. Then, he wrote some Arduino code to send the same packets manually, which worked wonders. Bruteforcing wasn’t viable, however, due to rate limitation in the solenoid controller. Something drew his attention from there – if you want to change the password, the keypad requires you enter the factory code, unique to each safe and supplied in the instruction manual. That code entry is a separate kind of packet from the “change password” one.

More after the break…

Continue reading “Anyone Can Be The Master Of This Master Lock Safe” →

A flat LiIon battery shown attached inside the gun safe, wired to the original control board

Gun Safe Made Safer With Lithium Battery Upgrade

April 18, 2022 by Arya Voronova 37 Comments

A proper gun safe should be difficult to open, but critically, allow instant access by the authorized party.[Dr. Gerg] got a SnapSafe and discovered that, while it was quite easy to use, it would also lock the owner out easily whenever the batteries would run out. Meant to be used with four AAA batteries and no way to recharge them externally, this could leave you royally screwed in the exact kind of situation where you need the gun safe to open. This, of course, meant that the AAA batteries had to go.

Having torn a few laptop batteries apart previously, [Dr. Gerg] had a small collection of Li-ion cells on hand – cylindrical and pouch cells alike. Swapping the AAA battery holder for one of these was no problem voltage-wise, and testing showed it working without a hitch! However, replacing one non-chargeable battery with another one wasn’t a viable way forward, so he also added charging using an Adafruit LiPo charger board. One 3D printed OpenSCAD-designed bracket later, he fit the board inside the safe’s frame – and then pulled out a USB cable for charging, turning the battery into a backup option and essentially creating an UPS for this safe. Nowadays, the safe sits constantly plugged into a wall socket, and [Dr. Gerg] estimates it should last for a few weeks even in case of USB power loss.

When you read about hacking gun safes, it’s usually because of their poor security, with even biometric models occasionally falling victim to prying fingers. There’s talk about moving the locking features into the guns themselves, but we remain skeptical. “Powering an electronically locked box with internal batteries” is a fun problem, and just recently, we’ve seen it solved in a different way in this intricate voice-activated lockbox.

Pistol Safe’s Poor Design Means Biometric Sensor Bypassed In Seconds

October 3, 2019 by Donald Papp 38 Comments

When it comes to safes, mechanical design and physical layout are just as important as the electronic bits. If care isn’t taken, one element can undermine the other. That appears to be the case with this Amazon Basics branded biometric pistol safe. Because of the mechanical design, the fingerprint sensor can be overridden with nothing more than a thin piece of metal — no melted gummi bears and fingerprint impressions involved.

push button to reset safe fingerprint reader — Small button used to register a new fingerprint. It can be reached by inserting a thin shim in the gap between the door and the frame while the safe is closed and locked.

[LockPickingLawyer] has a reputation for exposing the lunacy of poorly-designed locks of all kinds and begins this short video (embedded below) by stating that when attempting to bypass the security of a device like this, he would normally focus on the mechanical lock. But in this case, it’s far more straightforward to simply subvert the fingerprint registration.

This is how it works: the back of the front panel (which is inside the safe) has a small button. When this button is pressed, the device will be instructed to register a new fingerprint. The security of that system depends on this button being inaccessible while the safe is closed. Unfortunately it’s placed poorly and all it takes is a thin piece of metal slid through the thin opening between the door and the rest of the safe. One press, and the (closed) safe is instructed to register and trust a new fingerprint. After that, the safe can be opened in the usual way.

It’s possible that a pistol being present in the safe might get in the way of inserting a metal shim to hit the button, but it doesn’t look like it. A metal lip in the frame, or recessing the reset button could prevent this attack. The sensor could also be instructed to reject reprogramming while the door is closed. In any case, this is a great demonstration of how design elements can affect one another, and have a security impact in the process.

As for fooling sensors in a more traditional sense, here’s a reminder that we’ve seen a 3D printer and a photo of a fingerprint used to defeat a fingerprint sensor.

Continue reading “Pistol Safe’s Poor Design Means Biometric Sensor Bypassed In Seconds” →