EEVblog #762 - How Secure Are Electronic Safe Locks?

[EEVblog]

How secure are electronic locks used on safes?
Dave tries a power line analysis attack on a standard La Gard (LG) 3740/3750 Basic electronic digital lock.
Can you crack an electronic digital safe lock with just a resistor and an oscilloscope?
All sorts of safe cracking techniques are discussed - thermal camera imaging, bumping, drilling, and spiking the solenoid.
And naturally there is a complete teardown of the La Gard lock and a demonstration on how it works.
And then Dave does something incredibly dumb, and has to fix it the old fashioned way, Hollywood style.
It's a tail of epic fails and stunning wins.

http://www.kaba-mas.com/media/654586/v4/File/basic-basic-plus-series-brochure.pdf

ST ST62T25 OTP Microcontroller
http://www.alldatasheet.com/datasheet-pdf/pdf/23746/STMICROELECTRONICS/ST62T25.html

AT93C46 http://www.atmel.com/Images/doc5140.pdf

[G7PSK]

A professional locksmith would attack the hinge on a safe like that. My father had a similar safe that just refused to open one day so he called a locksmith who just punched the hinge pin out, took less than ten minuets in all.

[mauroh]

I think it could be interesting to perform the same analysis on the 6th digit, when the CPU actually verify the code against all the digit pressed.
Mauro

[firewalker]

You should also try to low the voltage to test brown out detection.

Alexander.

[Gecko]

First of all: Very interesting video! And the fail was just hilarious  But could've happend to me as well 

Some comments: My assumption is that the first longer "dip" in the trace (for example at 27:01 in the video) is just the keypress and some currentflow through a pull up/down resistor. Did you check that maybe by holding the button a bit longer?

Then to the end you say: "Even if we could find the 6 right digits, we don't know the order"
I'd say that depends on how good/poorly they have programmed the software: Say it is kind of an if/else hierarchical thing:

Code: [Select]

If 1st digit correct
  If 2nd digit correct
    If 3rd digit correct
      If 4th digit correct
        If 5th digit correct
          If 6th digit correct
            activate_solenoid();
          Else
            Do_nothing();
        Else
          Wait_for_1_more_keypress();
          Do_nothing();
      Else
        Wait_for_2_more_keypress();
        Do_nothing();
    Else
      Wait_for_3_more_keypress();
      Do_nothing();
  Else
    Wait_for_4_more_keypress();
    Do_nothing();
Else
  Wait_for_5_more_keypress();
   Do_nothing();

Then one could find out from the power lines whether the uC takes the IF or the ELSE branch, and hence step by step find out the right combination: First try all digits for the first one, see which triggers the If branch. THat gets you the first digit, e.g. "5". Then knowing the first digit, try all combinations of "5" and any possible digit for the second digit, and see which causes to take the IF branch and so on..


However you're right that decoupling makes that sort of thing more difficult. But thats why the Chipwhisperer sort of automates this task : It does the same thing, with slight variations over and over and over tens and thousands of times. Because, although the information we were looking for is not visible in a single shot trace because of the decoupling, it is still there, buried in noise. If you repeat the same thing long enough, the information will become visible.
However this is of course limited by the "maximum 4 attempts before you have to wait" that you mentioned.

But an interesting thing to do would be to automate the whole thing and do something like this:
Take another uC, and write some simple code that sends the right combination, and after that sends a combination which differs on the last digit. And doing this over and over, so that you don't encounter the maximum 4 attempts limit, because its reset everytime.
And of that you record the powerline traces, a couple of thousand times (thats why you want to automate this whole thing )
And then see group the traces into "the ones with the correct combination" and "the ones with the last digit wrong", avereage each of these groups, and compare the averaged traces.

[boffin]

You could have just plugged a microphone into channel 2 of the scope and compared the waveforms to see if it was the beep.... (yes,I admit to screaming at the screen at that point)

[f4eru]

Yep, as Mauro said, the last digit press would be more interesting.
if it does a strncmp or similar, the length would vary very slightly depending on the first wrong digit -> game over.

You could try a destructive approach :

if you have a solenoid driver with a mosfet, like: http://home.comcast.net/~wahconah98/circuits/flyback.png
you could theoretically give on the supply a massive pulse to break the mosfet, and then power the solenoid directly through the shorted mos. You'll have to "override" the zener fast enough so the polyswitch does not yet react. perhaps possible with a few hundred volts in a short pulse...

You mention a PNP transistor. Not shure if those fail short when overvolting. Also, PNP ? I would expect a NPN...

[Fungus]

Love the sticker on the inside - "Inspected by: Clint".

Perfect name for a safe inspector.

[BillyD]

Very interesting + entertaining!
But how does it lock without power anyway? Is that a spring loaded latch?

[Psi]

Try the "Lift-up-and-drop" attach.

Seriously, quite a few cheap safes can be opened in seconds by lifting the front up to ~30degress and dropping it.
(rotate front 90deg and repeat on 4 front sides)

The locking arm jumps from the impact and the door often pops open.

[EEVblog]

You could try a destructive approach :
if you have a solenoid driver with a mosfet, like: http://home.comcast.net/~wahconah98/circuits/flyback.png
you could theoretically give on the supply a massive pulse to break the mosfet, and then power the solenoid directly through the shorted mos. You'll have to "override" the zener fast enough so the polyswitch does not yet react. perhaps possible with a few hundred volts in a short pulse...

I thought about that, but of course you'd need quite a few of these to experiment, unless you got very lucky.
I'd be surprised if La Gard would have this vulnerability.

[EEVblog]

Very interesting + entertaining!
But how does it lock without power anyway? Is that a spring loaded latch?

Yes, it's all spring loaded, no need for power when you close it.

[EEVblog]

Try the "Lift-up-and-drop" attach.
Seriously, quite a few cheap safes can be opened in seconds by lifting the front up to ~30degress and dropping it.
(rotate front 90deg and repeat on 4 front sides)
The locking arm jumps from the impact and the door often pops open.

I mentioned that, it's called bumping, and tried that later in the video, it doesn't work on this quality lock.

[EEVblog]

Some comments: My assumption is that the first longer "dip" in the trace (for example at 27:01 in the video) is just the keypress and some currentflow through a pull up/down resistor. Did you check that maybe by holding the button a bit longer?

Yes, button press length makes no difference.

[Pentium100]

I did not see a big capacitor inside. It may be possible to override the lockout by disconnecting and reconnecting power, unless the safe does not open for 10 minutes after "replacing the battery".

The software most likely compares the last 6 digits entered with the passcode, so 248123456 would unlock it, otherwise the owner may have to enter the passcode more than once. It also makes it impossible to do the power line attack, since all that is happening is

Code: [Select]

Read_digit;
if_last_6_correct then open_safe;

you could theoretically give on the supply a massive pulse to break the mosfet, and then power the solenoid directly through the shorted mos.

I have never seen a mosfet that's shorted from drain to source - all blown up mosfets that I have seen are always shorted from drain to gate. Also, IIRC I have seen a blown up bipolar transistor that was shorted, but it was probably due to overheating or too high current, not overvoltage.

[TheAmmoniacal]

If you're planning to do anything more with this safe, I'd love to see the difference without the decoupling capacitors. You could simply (temporarily) desolder them and check if it makes much of a difference on the trace.

[Fungus]

Interesting video. I"m surprised how easy it was to drill holes in it. I'd have expected it to be a lot more work with a hand drill. Must be made of a fairly soft steel, the angle grinder would have probably opened it in no time. Angle grinders make a lot of sparks though and can burn the contents (does Aussie plastic cash catch fire easily?) I wonder what a power saw would do to it (one of those "sawzall" things).

I'd like to have seen more sample waveforms of keypresses.  To me it looked like the second, smaller dip in the power was a slightly different shape on "correct" vs. "incorrect" ("Correct" was more rounded, "incorrect" was more triangular).

ie. The timing of the pulses was the same but the power consumption was slightly different.

It's hard to say if that's significant with a sample size of one though.

[Fungus]

If you're planning to do anything more with this safe, I'd love to see the difference without the decoupling capacitors. You could simply (temporarily) desolder them and check if it makes much of a difference on the trace.

You could maybe also automate things with an Arduino to press a key right after power-on. Control the power supply with a MOSFET and don't give the caps time to charge fully. That would mean dismantling the keypad though, probably not what we're after - if you're going to start breaking things then you might as well just saw the thing open. It's not hardened steel.

[Muttley Snickers]

Anyone that is serious about securing cash, jewellery or documents first of all would have a fire rated concrete filled beast with a seismic sensor fitted to the door and interfaced to the security system. Your average Joe wouldn't bother but in cash rooms, jewellers and diamond cutters it is the norm and sometimes even a requirement for insurance purposes, an electronic shock sensor on steroids.

Not a fan of membrane codepads at all as they don't last long in a fire but surprisingly as dodgy Dave found out there are many ways to skin a cat, I didn't get a good look but a borescope and long handled screwdriver to simply loosen the lock through the holes may have worked but again we didn't see what he did so back on the angle grinder we go.

Being electronic I wonder how prone to a RF attack they would be although yours looked like they had thought of that with the shielding around the mechanism, you may have to be careful how much you disclose as we do have rules about hacking stuff, boundary yet unknown.

Some manufacturers have a back door in and this I have witnessed, but they wont tell.


Muttley

[george graves]

Some manufacturers have a back door in and this I have witnessed, but they wont tell.
Muttley

I'm not a tin-foil hat kinda of guy, but I wouldn't be surprised if there was.

Reminds me of the "you can't print money with your color inkjet/laser printer, cause there is a chip inside there that will stop you."  Anyone ever tried it?  There's another myth for Dave to bust!

[Psi]

Try the "Lift-up-and-drop" attach.
Seriously, quite a few cheap safes can be opened in seconds by lifting the front up to ~30degress and dropping it.
(rotate front 90deg and repeat on 4 front sides)
The locking arm jumps from the impact and the door often pops open.

I mentioned that, it's called bumping, and tried that later in the video, it doesn't work on this quality lock.

Yeah, i was bad and posted before i'd finished watching the video 

[EEVblog]

I did not see a big capacitor inside. It may be possible to override the lockout by disconnecting and reconnecting power, unless the safe does not open for 10 minutes after "replacing the battery".

It doesn't reset, I tried that.
It can't write the timer value to the EEPROM because that would kill it, and can't use SRAM obviously, so it must write one bit to the EEPROM saying it's in lockout mode. Upon power up if that bit it set it waits 5 minutes, otherwise it starts working right away.

[EEVblog]

I didn't get a good look but a borescope and long handled screwdriver to
simply loosen the lock through the holes may have worked but again we
didn't see what he did so back on the angle grinder we go.

No chance of that.
And you'd have the drill the holes anyway because if the safe is installed properly then it's bolted to a concrete floor and/or butted up against a wall so you'd have n no holes available. If you are drilling, well, you might as well angle grind.

[EEVblog]

Some manufacturers have a back door in and this I have witnessed, but they wont tell.
Muttley

I'm not a tin-foil hat kinda of guy, but I wouldn't be surprised if there was.

I would be very surprised in this case, because:
a) it would leak
b) it's been the world's most popular lock for decades, and it would be well known if that was the case. La Gard would lose their rep.
c) it wouldn't get the independent ratings it does if it had such a backdoor

Safe manufacturers do publish secret drill details for attacking various model safe's, and they are closely guarded. But even then they don't design it that way, and it's not easy to do with TDR safes, so pretty useless info to your average thief anyway.

Reminds me of the "you can't print money with your color inkjet/laser printer, cause there is a chip inside there that will stop you."  Anyone ever tried it?  There's another myth for Dave to bust!

Coincidentally that's been on the cards for months, and I have sample printouts and was just saying to David2 today I should do that video.
Was waiting for some hardware but that's not coming any time soon it seems, so will do it regardless.
And BTW, it's not as involved as you might think.

[BillyD]

Some manufacturers have a back door in and this I have witnessed, but they wont tell.
Muttley

I'm not a tin-foil hat kinda of guy, but I wouldn't be surprised if there was.

Reminds me of the "you can't print money with your color inkjet/laser printer, cause there is a chip inside there that will stop you."  Anyone ever tried it?  There's another myth for Dave to bust!

Not wishing to derail this topic, but that's actually true and I verified it on my Lexmark scanner a couple of years ago. It got about one third of the way through a ten Euro note before packing it in. I can't remember exactly what error message it gave, although I think it did spell out that it had detected currency.