With the help of a cheap robot, a group of hackers opened the safe of one of the leading safe manufacturers, SentrySafe company, right on the stage of the DEFCON conference. After 30 minutes of buzzing, the robot picked up the necessary combination of 51.36.93 – the safe door opened and an audience of several hundred people exploded with enthusiastic applause.
In the code lock of this model SentrySafe a million combinations, that is 100 × 100 × 100. To search for such a quantity on the mechanical lock, the robot would take much more time than half an hour. But hackers have found a way to reduce the number of possible combinations, because it turned out that the last number is not taken into account when testing the combination. This is due to the fact that the manufacturer tried to protect itself from the standard methods of hacking the safe. Therefore, on the third code disk, he provided special notches for gripping the rod, so that the cracker could not apply the method with pushing the rod and listening to the moment when the rod passes into the groove. So, as it turned out, one of the notches, corresponding to the correct number, is about two to three millimeters taller than the others. The robot could easily identify it by means of sensors, having carried out a couple of simple measurements.
Thus, the number of possible combinations decreased to 10 thousand (100 × 100). Then the hackers noticed that the design of the safe lock allows some error when entering the code, if a person made a mistake by one digit. That is, in each of the three digits it was possible to reduce the number of possible combinations by three times. So, the number of possible combinations decreased to 1000, and it was already possible for the robot to do it (probably, a person could sort out as many variants in less than a day).
It turned out that after entering each combination, it is not necessary to return the handle Limb in the starting position.
The BBC article says that some models of SentrySafe safes provide additional protection by installing an additional key lock, but the hackers were able to open and these models also with the help of a Bic handle .
There are enough videos on YouTube with the opening of safes with all sorts of tricky methods. Honestly, they remind stories from the book of Richard Feynman "You, of course, are joking, Mr. Feynman!". A well-known physicist and Nobel laureate was also fond of opening locks on safes.
In fact, many safes, even expensive ones, which are claimed to be very safe, are opened very simply. Practically nowhere is there a delay between attempts to enter the code. Some locks are opened with a magnet, they can be opened with a crowbar or an ax. There are other ways to open safes not in 30 minutes, but in a matter of seconds. Locks in such safes can be compared to cheap bike lockers (that is, almost all bike lockers).
In an interview with Wired, Nathan Seidle of SparkFun Electronics said that his hobby for opening safes began last year, when His wife gave him this model of safe SentrySafe for $ 120 with a closed lock. She bought it on Craigslist, the former owner locked the safe and forgot the code. It was a challenge for Nathan – and he designed a robot for bruteforce.
Nathan Seldy is keen on designing various devices and gadgets, so for the next four months they are with colleagues from SparkFun Electronics Made a machine to break into a safe from commercial and home-made parts printed on a 3D printer. The total cost of all the parts was $ 200. This amount includes an Arduino fee of $ 20, a $ 40 engine, aluminum housing parts and various parts printed on a 3D printer, including a coupler for coupling to a limb handle, several magnets for attaching to a safe enclosure and sensors that verify that the robot has successfully turned The pen and when it passes through zero.
In fact, to search through all of the thousand combinations, you need 73 minutes. This is the maximum time, and on the average the process takes 36 minutes, so on the DEFCON the robot was not far from the average result.
This demonstration should be a lesson for manufacturers of safes and other equipment intended for safety. They should understand that each of their products will be tested and tried to crack thousands of geeks like these guys from SparkFun. If there is a bug or a security vulnerability such as a dead third digit on the lock, like here, it will be accurately detected and told to the whole world.