Author Topic: EEVblog #762 - How Secure Are Electronic Safe Locks?  (Read 90414 times)

Offline all_repair

  • Frequent Contributor
  • **
  • Posts: 724
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #75 on: July 07, 2015, 04:55:59 am »
This last video of yours is lacking any scientific information content, it has 0 teaching value.
I thought that the idea of eevblog was of learning about electronics, you know 'real world' electronics, but lately your videos are not about that anymore.
.....

This one is not exactly so bad, but I have skipped the last few. For this, I watched from beginning to finish. There is as much to learn from a failed experiment as from a successful one, if not more. I kind of think the screw-up was deliberate to add sensation. It is out of a seasoned engineer's habit to pull a cable out for no apparent reason and then not put it back IMMEDIATELY.
 

Offline miguelvp

  • Super Contributor
  • ***
  • Posts: 5550
  • Country: us
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #76 on: July 07, 2015, 05:09:49 am »
Yeah, glitching the supply might throw the MCU into a path not intended.

Disruption of the power fast enough but not enough to halt/reset the processor but fast enough and at the same 8MHz frequency with a bit of bias might make the MCU skip instructions until you reach the needed code.

Kind of forcing NOPs for n cycles at a time until you reach the unlock code. Once you know the delta (if you can make the MCU glitch and force a NOP per pulse) then the combination doesn't matter. Or maybe you can glitch the part where it tries to get the code and you can force the MCU to miss the reads from the EEPROM so it gets all 0s.
 

Offline DrGeoff

  • Frequent Contributor
  • **
  • Posts: 794
  • Country: au
    • AXT Systems
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #77 on: July 07, 2015, 05:24:09 am »
Yeah, glitching the supply might throw the MCU into a path not intended.

One of the attack vectors on smart cards is to inject rubbish on the power supply to force something interesting to happen, at the same time as watching the power supply for current waveforms (smart cards don't have decoupling caps to speak of). Maybe some HF noise or browning the supply around the BOD thresholds to cause rapid resets to occur might show something interesting.
Was it really supposed to do that?
 

Offline fvdpol

  • Newbie
  • Posts: 8
  • Country: nl
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #78 on: July 07, 2015, 07:16:43 am »
The 10 ohm resistor used for the current measurement actually reduces your resolution as the decoupling in the circuit will low-pass the CPU glitches. If you can have a much lower source impedance you should be able to see much more detail.

Would be interesting to see how much a micro current adapter (and maybe additionally a lower impedance power source than the 9v battery) would help here. Believe this type of measurement would be THE use-case for a uCurrent :-)
 

Offline BillyD

  • Regular Contributor
  • *
  • Posts: 218
  • Country: ie
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #79 on: July 07, 2015, 07:29:47 am »
The 10 ohm resistor used for the current measurement actually reduces your resolution as the decoupling in the circuit will low-pass the CPU glitches. If you can have a much lower source impedance you should be able to see much more detail.

Would be interesting to see how much a micro current adapter (and maybe additionally a lower impedance power source than the 9v battery) would help here. Believe this type of measurement would be THE use-case for a uCurrent :-)

Interesting idea. Would it be able to pass everything through or would you lose, say, the very high frequency current changes?

 

Online Fungus

  • Super Contributor
  • ***
  • Posts: 17225
  • Country: 00
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #80 on: July 07, 2015, 07:50:03 am »
Believe this type of measurement would be THE use-case for a uCurrent :-)
The maker of the uCurrent doesn't actually use it!  :-DD


(Seriously though, he was only looking at timing, not current usage...current usage would be attack #2)
 

Offline mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 13997
  • Country: gb
    • Mike's Electric Stuff
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #81 on: July 07, 2015, 07:52:30 am »
As there didn't seem to be an 'enter' key, I wonder if it is simply testing the last 6 digits entered on each keypress, possibly with a timeout.
If the code isn't written well, the length of time it stays awake after a keypress may be proportional to how many correct digits there are.
YouTube channel: Taking weird stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 

Offline mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 13997
  • Country: gb
    • Mike's Electric Stuff
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #82 on: July 07, 2015, 07:54:26 am »
I wonder if the case is electrically bonded to the supply -ve, if not, then there may be scope for common-mode spike injection.
YouTube channel: Taking weird stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 

Offline f4eru

  • Super Contributor
  • ***
  • Posts: 1114
  • Country: 00
    • Chargehanger
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #83 on: July 07, 2015, 09:23:25 am »
Quote
To put it simple, your videos became the cat videos of electronics
Hell No! These are the "cat" videos of electronics :




Offline ale500

  • Frequent Contributor
  • **
  • Posts: 415
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #84 on: July 07, 2015, 09:40:45 am »
"Always be careful with your tools"  :-DD :-DD :-DD :-DD :-DD :-DD :-DD :-DD That was great :)
 


Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 38713
  • Country: au
    • EEVblog
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #86 on: July 07, 2015, 10:26:38 am »
I kind of think the screw-up was deliberate to add sensation.

You wouldn't think that if you heard my four letter expletives because:
a) I was so stupid
and
b) I wasn't going to get the video out on the Friday.
and
c) Had to ask the wife for work time on the weekend in order to fix the screw-up.
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 38713
  • Country: au
    • EEVblog
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #87 on: July 07, 2015, 10:28:07 am »
One of the attack vectors on smart cards is to inject rubbish on the power supply to force something interesting to happen

Smart cards don't have a bunch of power supply rail stuff to screw things up.
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 38713
  • Country: au
    • EEVblog
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #88 on: July 07, 2015, 10:28:51 am »
The maker of the uCurrent doesn't actually use it!  :-DD
(Seriously though, he was only looking at timing, not current usage...current usage would be attack #2)

Correct. Not everyone has a uCurrent, so I wanted to see what was visible with just a resistor first.
 

Offline rr100

  • Frequent Contributor
  • **
  • Posts: 339
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #89 on: July 07, 2015, 11:09:51 am »
Not wishing to derail this topic, but that's actually true and I verified it on my Lexmark scanner a couple of years ago. It got about one third of the way through a ten Euro note before packing it in. I can't remember exactly what error message it gave, although I think it did spell out that it had detected currency.

For printers it is most likely in the drivers, especially for cheap ones. Now for color copiers, that's another story.
Even way back (I think around 2001 or so) Paint Shop Pro (and probably some other programs) wouldn't even copy/paste from a picture of euros or dollars.
 

Offline rr100

  • Frequent Contributor
  • **
  • Posts: 339
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #90 on: July 07, 2015, 11:10:33 am »
Then to the end you say: "Even if we could find the 6 right digits, we don't know the order"
I'd say that depends on how good/poorly they have programmed the software: Say it is kind of an if/else hierarchical thing:

This is precisely what I was thinking as well.
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 38713
  • Country: au
    • EEVblog
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #91 on: July 07, 2015, 11:17:39 am »
Then to the end you say: "Even if we could find the 6 right digits, we don't know the order"
I'd say that depends on how good/poorly they have programmed the software: Say it is kind of an if/else hierarchical thing:
This is precisely what I was thinking as well.

Well yeah, if there is some kind of vulnerability that lets you get at the actual correct sequence, of course. I wasn't testing for that exploit in this video.
 

Offline rr100

  • Frequent Contributor
  • **
  • Posts: 339
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #92 on: July 07, 2015, 11:33:18 am »
This was a fantastic video, I wasn't expecting at all to be able to do it "laparoscopily". I've done my fair share of "remote manipulations" with tweezers and screwdrivers but I was just sure this will end up in sparks (from some kind of saw).

Speaking about the old "studio" ... I watched video Nr 3 I think a few days ago and it looks now .... like Star Trek TOS! NOT like it's coming from the future but from the 60's! Not that there is any criticism, I watched many of the old ones when they were new and they were ok, going to the newer fancy ones again ok, now going back it is like AUCHOMFGWTF!?!
 

Offline 84GKSIG

  • Regular Contributor
  • *
  • Posts: 58
  • Country: au
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #93 on: July 07, 2015, 12:02:50 pm »
Yikes, why so much negativity? I've not been on here in a while and it seems like a bunch of you guys are in attack mode. Why? What's happened?

I was thinking anyway, is the safe considered to be a massive RF shield? If not, could you in theory wrap a loop of copper wire around the safe to use as a pickup for microprocessor noise?

EDIT: is the safe magnetically shielded?

And also, the solenoid pin is magnetic? Couldn't you use a cleverly placed high current electromagnet to pull the pin back? Or even induce a burst of current into the solenoid coil? Wouldn't expect any of this to work either but it's just for a laugh, if I had one I'd be trying hell basic stuff. Awesome work getting that connector back on through the holes you drilled in the bottom, I was cheering with you when you got 'em back on  :-DD
« Last Edit: July 07, 2015, 12:07:37 pm by 84GKSIG »
 

Offline tszaboo

  • Super Contributor
  • ***
  • Posts: 7948
  • Country: nl
  • Current job: ATEX product design
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #94 on: July 07, 2015, 12:17:02 pm »
Very entertaining episode! I wonder if the programmers thought of the power line attack. Because I believe it is quite easy to write code which would prevent this:
Wait for 6 keypresses
Read out EEPROM
Decrypt EEPROM data. Now this can be quite simple, for example XOR it with 0x55 to get the actual code in BCD. If you power line attack it, you would never guess.
If code is wrong, do stuff A (save timeout to EEPROM or something)
If code is right, do stuff B (open door)

You need 6 keypresses for anything remotely important to happen, and even then, if you always get the wrong code, you don't know what to look for.
The meaning of safe codes is that nothing out of the ordinary happens if you press the wrong button. Why would the firmware be any different?
 

Online Fungus

  • Super Contributor
  • ***
  • Posts: 17225
  • Country: 00
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #95 on: July 07, 2015, 01:08:40 pm »
EDIT: is the safe magnetically shielded ?
It's a big piece of steel, so.... "yes".

 

Offline Rasz

  • Super Contributor
  • ***
  • Posts: 2617
  • Country: 00
    • My random blog.
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #96 on: July 07, 2015, 01:44:40 pm »
Very entertaining episode! I wonder if the programmers thought of the power line attack. Because I believe it is quite easy to write code which would prevent this:

famous last words
Wait for 6 keypresses
Read out EEPROM
Decrypt EEPROM data. Now this can be quite simple, for example XOR it with 0x55 to get the actual code in BCD. If you power line attack it, you would never guess.

all of the above we skip

If code is wrong

this is where attack is happening, how do you compare good code to bad code? you don't have vliw, simd, nor even 32bit alu to make whole comparison in one instruction.

You need 6 keypresses for anything remotely important to happen, and even then, if you always get the wrong code, you don't know what to look for.

you don't, attackers do

Yikes why so much negativity

"I'm gonna do power analysis" .... doesn't do power analysis (no, looking at the scope at 2 orders of magnitude wrong scale is not it), announces lock is secure
Who logs in to gdm? Not I, said the duck.
My fireplace is on fire, but in all the wrong places.
 

Offline eneuro

  • Super Contributor
  • ***
  • Posts: 1528
  • Country: 00
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #97 on: July 07, 2015, 02:43:07 pm »
i would be interested to see the internals of the keypad and how the lock communicates with it
I'm more concerned that this keypad lacks such a quite basic feature like.... displaying those digits 0..9 in random order in a 3 x 3 matrix, and making this display touchable. Then if someone tried to record the owner hitting those 6 numbers using thermal imaging or a classic video cam with huge zoom to remember the position where someone hits this keypad, then whatever they do, if next time those 10 digits 0..9 are displayed in another random order (TRNG can be used for this, no need to use PRNG on MCU), then the position where you press those numbers is worth nothing, since it changes every time someone attempts to enter this pin code  8)
I wonder why they didn't make it this way? Even on many web sites this is the preferred method to avoid mouse logging or keyboard dumping to take control over someone's account?  ???
Yeah, I don't like that this safe lock doesn't have such random number placement, but probably it is too cheap, or there are, as everywhere, patent issues which limit the flexibility of manufacturers who do not want to pay too much for patents, so end users get not the best possible solutions but something in between, and still a DIY solution can in many cases be better  :-\

Anyway, this hack with drilling the safe side and using thin USB microscope video to try to put this bloody connector inside again was really very creative  :-+


I need to dig at home through a 0.250m -0.500m concrete wall to see a closed space in the home under the stairs, and probably this USB microscope is a must-have in my toolbox, especially as it can be perfect for my pick & place & reflow PCB machine too, so I'm considering buying something like this below (without the useless tripod) but quite cheap, so I think I'll give it a chance. Things like this can save a lot of frustration one day and... feel like Hollywood epic win compilation star  :-DD
http://microscopes.mobi/product/supereyes-b005-0-1x-200x-handheld-usb-digital-microscope-endoscope-loupe-otoscope-magnifier-with-11mm-tube-diameter-tripod-led/
They claim it works under Linux, too  :blah: We'll see soon...
« Last Edit: July 07, 2015, 02:46:31 pm by eneuro »
12oV4dWZCAia7vXBzQzBF9wAt1U3JWZkpk
“Let the future tell the truth, and evaluate each one according to his work and accomplishments. The present is theirs; the future, for which I have really worked, is mine”  - Nikola Tesla
-||-|-
 

Online Fungus

  • Super Contributor
  • ***
  • Posts: 17225
  • Country: 00
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #98 on: July 07, 2015, 02:45:40 pm »
this is where attack is happening, how do you compare good code to bad code? you dont have vliw, simd, nor even 32bit alu to make whole comparison in one instruction.
You don't need any of that. All you need to do is reduce it to a single branch instruction.

eg. Subtract the secret number from the input using as many instructions as you like then there's a single branch-on-zero instruction.

The code path will be identical for all incoming keypresses. The only time there's any difference in the instructions executed is when there's a 'pass' and you're going to open the door.
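
Added example, not part of any post in this thread and not the lock's firmware: the early-exit comparison raised in reply #81 next to the fixed-path, single-branch comparison described in reply #98, in C. The stored code `471902`, the guesses, and the `steps` counter (a stand-in for how long the MCU stays busy) are constructed for illustration; guesses are assumed to be exactly six digits.

```c
#include <stddef.h>
#include <stdio.h>

#define CODE_LEN 6

/* Constructed sample code, not taken from any real lock. */
static const char STORED[CODE_LEN + 1] = "471902";

struct result {
    int ok;          /* 1 if the entered code matches */
    unsigned steps;  /* digits processed: stand-in for busy time */
};

/* Early exit: stops at the first wrong digit, so the work done grows
 * with the number of leading digits that are correct. */
struct result compare_early_exit(const char *entered)
{
    struct result r = {1, 0};
    for (size_t i = 0; i < CODE_LEN; i++) {
        r.steps++;
        if (entered[i] != STORED[i]) {
            r.ok = 0;
            break;
        }
    }
    return r;
}

/* Fixed path: every digit is always processed and the differences are
 * OR-ed together; the only data-dependent decision is the final test. */
struct result compare_fixed_path(const char *entered)
{
    struct result r = {0, 0};
    unsigned char diff = 0;
    for (size_t i = 0; i < CODE_LEN; i++) {
        r.steps++;
        diff |= (unsigned char)(entered[i] ^ STORED[i]);
    }
    r.ok = (diff == 0);
    return r;
}

int main(void)
{
    /* Constructed guesses: 0, 2, 5 and 6 leading digits correct. */
    const char *guesses[] = {"000000", "470000", "471903", "471902"};
    for (size_t g = 0; g < sizeof guesses / sizeof guesses[0]; g++) {
        struct result a = compare_early_exit(guesses[g]);
        struct result b = compare_fixed_path(guesses[g]);
        printf("%s  early-exit: ok=%d steps=%u   fixed: ok=%d steps=%u\n",
               guesses[g], a.ok, a.steps, b.ok, b.steps);
    }
    return 0;
}
```

On a real MCU the fixed-path property has to be confirmed on the compiled output, since an optimiser may reintroduce an early exit.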
 

Offline TheAmmoniacal

  • Supporter
  • ****
  • Posts: 1188
  • Country: no
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #99 on: July 07, 2015, 04:33:01 pm »
The easiest way to "crack" this safe must be to do exactly what Dave did when re-inserting the connector - but instead using some wires to power the solenoid directly. I see no reason why you can't just bypass the circuitry altogether and connect 9V on the solenoid? What about trying to power the solenoid from outside with resonant inductive coupling? Overpowered induction charger?
 

