[Etienne Sellan] got one of these lovely $5 logic analyzers. As with any shiny new tool, he started looking for things to investigate with it, and his gaze fell on a Sentry Safe (produced by Master Lock). On the surface level, this keypad-equipped safe is designed decently when it comes to privilege separation. You can take the keypad board off and access its backside, but the keypad doesn’t make any decisions; it merely sends the digits to a different board embedded behind the safe’s door. The solenoid-connected board receives the PIN, verifies it, and then controls the solenoid that unlocks the safe.
[Etienne] hooked up a logic analyzer to the communication wire, which turned out to be a UART channel, and logged the keypad communication packets — both for password entry and for password change. Then, he wrote some Arduino code to send the same packets manually, which worked wonders. Bruteforcing wasn’t viable, however, due to rate limiting in the solenoid controller. Something drew his attention from there – if you want to change the password, the keypad requires you to enter the factory code, unique to each safe and supplied in the instruction manual. That code entry is a separate kind of packet from the “change password” one.
A proper gun safe should be difficult to open, but critically, allow instant access by the authorized party. [Dr. Gerg] got a SnapSafe and discovered that, while it was quite easy to use, it would also lock the owner out easily whenever the batteries ran out. Meant to be used with four AAA batteries and with no way to recharge them externally, this could leave you royally screwed in the exact kind of situation where you need the gun safe to open. This, of course, meant that the AAA batteries had to go.
Having torn a few laptop batteries apart previously, [Dr. Gerg] had a small collection of Li-ion cells on hand – cylindrical and pouch cells alike. Swapping the AAA battery holder for one of these was no problem voltage-wise, and testing showed it working without a hitch! However, replacing one non-chargeable battery with another one wasn’t a viable way forward, so he also added charging using an Adafruit LiPo charger board. One 3D printed OpenSCAD-designed bracket later, he fit the board inside the safe’s frame – and then pulled out a USB cable for charging, turning the battery into a backup option and essentially creating a UPS for this safe. Nowadays, the safe sits constantly plugged into a wall socket, and [Dr. Gerg] estimates it should last for a few weeks even in case of USB power loss.
When it comes to safes, mechanical design and physical layout are just as important as the electronic bits. If care isn’t taken, one element can undermine the other. That appears to be the case with this Amazon Basics branded biometric pistol safe. Because of the mechanical design, the fingerprint sensor can be overridden with nothing more than a thin piece of metal — no melted gummi bears and fingerprint impressions involved.
[LockPickingLawyer] has a reputation for exposing the lunacy of poorly-designed locks of all kinds and begins this short video (embedded below) by stating that when attempting to bypass the security of a device like this, he would normally focus on the mechanical lock. But in this case, it’s far more straightforward to simply subvert the fingerprint registration.
This is how it works: the back of the front panel (which is inside the safe) has a small button. When this button is pressed, the device will be instructed to register a new fingerprint. The security of that system depends on this button being inaccessible while the safe is closed. Unfortunately, it’s placed poorly, and all it takes is a thin piece of metal slid through the thin opening between the door and the rest of the safe. One press, and the (closed) safe is instructed to register and trust a new fingerprint. After that, the safe can be opened in the usual way.
It’s possible that a pistol being present in the safe might get in the way of inserting a metal shim to hit the button, but it doesn’t look like it. A metal lip in the frame, or a recessed reset button, could prevent this attack. The sensor could also be instructed to reject reprogramming while the door is closed. In any case, this is a great demonstration of how design elements can affect one another, and have a security impact in the process.
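The last mitigation, rejecting reprogramming while the door is closed, can be modelled as a small firmware state machine. This is an added example, not code from the safe or from the video; it assumes a door-position switch that the page does not say the product has, and every name in it is hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model: events the lock controller sees. */
typedef enum { EV_FINGER_MATCH, EV_DOOR_OPENED, EV_DOOR_CLOSED, EV_ENROLL_BUTTON } event_t;
/* ST_OPEN_AUTH = door opened after a successful match; ST_TAMPER = opened without one. */
typedef enum { ST_LOCKED, ST_UNLOCKED, ST_OPEN_AUTH, ST_ENROLLING, ST_TAMPER } state_t;

typedef struct {
    state_t  state;
    unsigned rejected;   /* refused enroll requests, kept for audit/tamper indication */
} safe_t;

void safe_init(safe_t *s) { s->state = ST_LOCKED; s->rejected = 0; }

/* Returns true only when this event put the safe into enrollment mode. */
bool safe_handle(safe_t *s, event_t ev)
{
    switch (ev) {
    case EV_FINGER_MATCH:
        if (s->state == ST_LOCKED) s->state = ST_UNLOCKED;   /* bolt released, door still shut */
        return false;
    case EV_DOOR_OPENED:
        if (s->state == ST_UNLOCKED)    s->state = ST_OPEN_AUTH;
        else if (s->state == ST_LOCKED) s->state = ST_TAMPER; /* open without a match */
        return false;
    case EV_DOOR_CLOSED:
        s->state = ST_LOCKED;            /* closing relocks and ends any enrollment session */
        return false;
    case EV_ENROLL_BUTTON:
        /* The button is honoured only with the door open after an authenticated
           unlock; a press that arrives while the door is closed is counted and dropped. */
        if (s->state == ST_OPEN_AUTH) { s->state = ST_ENROLLING; return true; }
        s->rejected++;
        return false;
    }
    return false;
}

int main(void)
{
    safe_t s;
    safe_init(&s);
    printf("press while closed -> enroll=%d\n", safe_handle(&s, EV_ENROLL_BUTTON));
    safe_handle(&s, EV_FINGER_MATCH);
    safe_handle(&s, EV_DOOR_OPENED);
    printf("press after authenticated open -> enroll=%d\n", safe_handle(&s, EV_ENROLL_BUTTON));
    return 0;
}
```

With this gating, the button's physical reachability stops being the only control: the enrollment request is authorized by the controller's own view of the door and of the last successful match.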