Bumping works on very expensive safes and locks.
There is a pin = your safe can be bumped, but you need to practice to know when to rotate; it's a skill. Sure, the pin is small and needs a big bump, but it's doable. The secret to bumping is you don't need the whole movement in one bump.
"You can't attack this in any other way" is pretty naive. They left a hole for another plug in the lock, and three additional holes in the front plate. You could jam a wire bent the exact way into a front plate hole and poke inside the lock until you land on one of the solenoid pins; you already control ground over the power cable, which gives you direct control of the solenoid. It sounds impossible until you see the guys from TOOOL doing it casually with coat hangers.
Lockout after 4 bad attempts - you had the whole PCB outside and you didn't test it?!?!?!?! By sniffing I2C while entering bad combinations you would learn if it writes to EEPROM every key press or every 24 key presses (4x6), or if it writes to EEPROM at all. You didn't even power cycle to see if that clears the lockout. HELL, you didn't even test if the lock part is responsible for decoding the PIN at all by sniffing the keypad connection.
If it writes after 4 bad attempts (4x6 presses) it would allow for power cycling after fewer digits (23). And if it writes after every bad key press (stupid) it will be that much more visible in the power analysis.
"There is nothing in that, it comes down to noise" hehe no. 10 ms per division is too long and you won't see anything at that scale; you are dealing with a micro at 4 MHz. The data IS in there, you extract it with statistical methods. You didn't even capture and compare the whole correct code + opening versus a bad sequence.
"I didn't expect a vuln, they designed it well" hahaha, nothing is uncrackable.
Some comments: My assumption is that the first longer "dip" in the trace (for example at 27:01 in the video) is just the keypress and some current flow through a pull-up/down resistor. Did you check that, maybe by holding the button a bit longer?
There are two micros in this safe. The first one is in the keypad, the second one in the lock. You can get to the keypad easily, which means it can be bypassed, cleaning up the trace further (at least the beep).
All in all an interesting video, but without the climax (as always). A proper followup would make an even better one. Team up with Colin O'Flynn (or at least voice chat for advice), and use the ChipWhisperer properly, overcoming your laziness (c'mon, we all know you didn't use the ChipWhisperer because it needed learning, setting up, programming, blah blah blah).
The software most likely compares the last 6 digits entered with the passcode, so 248123456 would unlock it; otherwise the owner may have to enter the passcode more than once. It also makes it impossible to do the power line attack, since all that is happening is
12 keys x 6 long = ~3 million combinations. If it is testing the last 6 digits it is susceptible to a De Bruijn sequence attack. If it writes to EEPROM after 24 bad presses you can reset every 23 presses, which leaves ~130000 sequences to try. A few hours of bruteforcing?
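A toy model of the two keypad firmware designs the last two comments argue about, added here as an illustration (it is not code from the video, the safe's vendor, or any commenter): WeakKeypad compares the last six digits entered and writes nothing to EEPROM until 24 bad presses, so a suffix like 248123456 opens it and a power cycle every 23 presses never reaches the lockout; HardenedKeypad takes a fixed six-digit entry ended by '#', commits the failure counter to EEPROM before comparing, and compares in constant time. The passcode 123456, the lockout threshold of 4, and the dict standing in for EEPROM are all constructed assumptions.

```python
import hmac

CODE = "123456"   # constructed sample passcode
MAX_FAILS = 4     # lockout threshold the thread discusses

class WeakKeypad:
    """Sliding-window compare; nothing reaches EEPROM until 24 bad presses."""
    def __init__(self, eeprom):
        self.eeprom = eeprom   # dict standing in for the nonvolatile store
        self.power_cycle()

    def power_cycle(self):
        self.buf, self.presses = "", 0   # both live in RAM only, so a power cycle resets them

    def press(self, key):
        if self.eeprom.get("locked"):
            return False
        self.buf = (self.buf + key)[-6:]   # any 6-digit suffix is a candidate
        if self.buf == CODE:
            return True
        self.presses += 1
        if self.presses >= MAX_FAILS * 6:  # 4 x 6: the first (and only) EEPROM write
            self.eeprom["locked"] = True
        return False

class HardenedKeypad:
    """Fixed-length entry ended by '#'; failure committed to EEPROM before the compare."""
    def __init__(self, eeprom):
        self.eeprom = eeprom
        self.power_cycle()

    def power_cycle(self):
        self.buf = ""   # a partial entry is discarded; no lockout state lives in RAM

    def press(self, key):
        if self.eeprom.get("fails", 0) >= MAX_FAILS:
            return False
        if key != "#":
            self.buf += key
            return False
        entry, self.buf = self.buf, ""
        self.eeprom["fails"] = self.eeprom.get("fails", 0) + 1   # write first, then check
        if len(entry) == 6 and hmac.compare_digest(entry.encode(), CODE.encode()):
            self.eeprom["fails"] = 0   # success clears the counter
            return True
        return False

def try_sequence(keypad, keys):
    """Feed keys one by one; True if the lock opened at any point."""
    return any(keypad.press(k) for k in keys)
```

Run WeakKeypad with a 23-press sequence, power_cycle(), repeat: the EEPROM dict stays empty, which is the gap the comment above describes; the hardened model's counter survives the same power cycles.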