Author Topic: EEVblog #762 - How Secure Are Electronic Safe Locks?  (Read 85908 times)

Offline Gabor

  • Newbie
  • Posts: 1
  • Country: gb
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #50 on: July 06, 2015, 02:45:02 pm »
I use this Spectrum analyzer on my mobile: https://play.google.com/store/apps/details?id=radonsoft.net.spectralview. The rolling time axis and frequency intensity color coding is pretty cool. When running it next to a CNC or in fact next to any motor, shaft rpm exponential behaviour due to the PID controller is clearly visible. Check it out.

Gabor

PS. this was my first ever blogpost, I hope I wrote it in the appropriate field.
 

Offline zapta

  • Super Contributor
  • ***
  • Posts: 6190
  • Country: us
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #51 on: July 06, 2015, 02:50:52 pm »
Why is the solenoid cable so long?

Possibly it can be opened by drilling holes and pulling out the connector.
 

Offline ivan747

  • Super Contributor
  • ***
  • Posts: 2045
  • Country: us
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #52 on: July 06, 2015, 03:08:24 pm »
Some manufacturers have a back door in and this I have witnessed, but they won't tell.
Muttley

I'm not a tin-foil hat kind of guy, but I wouldn't be surprised if there was.

Reminds me of the "you can't print money with your color inkjet/laser printer, cause there is a chip inside there that will stop you."  Anyone ever tried it?  There's another myth for Dave to bust!

That's easy to test.
 

Offline G7PSK

  • Super Contributor
  • ***
  • Posts: 3859
  • Country: gb
  • It is hot until proved not.
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #53 on: July 06, 2015, 03:24:36 pm »
There's another myth for Dave to bust!

It's not a myth.

You and I may know that (actually never tried, but a quick Google search shows some 10M pixel scans of the US $100 bill)... but it makes a good video for Dave. It's all about the link bait! :)

I just tried scanning a £20 note with my Epson WF-2530. In greyscale it will scan the note and print it as well, but if I try colour it brings up a notice saying that it has detected money and won't continue with the scan. If I photograph the note it will print it.
In the 1970s I worked for a company that had a large Chubb safe in the basement where the day's takings were kept. One day we came in and found someone had broken into the premises, pulled the safe from the wall and removed the back of it, which was only held on by 4x quarter inch screws. Whoever did it knew their stuff. The company was a locksmiths, by the way.
« Last Edit: July 06, 2015, 03:30:30 pm by G7PSK »
 

Online Fungus

  • Super Contributor
  • ***
  • Posts: 16640
  • Country: 00
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #54 on: July 06, 2015, 03:27:14 pm »
I just tried scanning a £20 note with my Epson WF-2530. In greyscale it will scan the note and print it as well, but if I try colour it brings up a notice saying that it has detected money and won't continue with the scan. If I photograph the note it will print it.
A fun experiment is to cover up parts of the note until it scans.

Try to figure out what it's seeing.
 

Offline HighVoltage

  • Super Contributor
  • ***
  • Posts: 5468
  • Country: de
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #55 on: July 06, 2015, 03:36:27 pm »
Try to figure out what it's seeing.
The yellow circular spots as shown in the picture are seen by the scanner / scanning software.
It is the triangular combination of three rings, which are repeated differently, depending on the bank notes.
There are 3 kinds of people in this world, those who can count and those who can not.
 

Offline ivan747

  • Super Contributor
  • ***
  • Posts: 2045
  • Country: us
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #56 on: July 06, 2015, 03:37:51 pm »
Some manufacturers have a back door in and this I have witnessed, but they won't tell.
Muttley

I'm not a tin-foil hat kind of guy, but I wouldn't be surprised if there was.

Reminds me of the "you can't print money with your color inkjet/laser printer, cause there is a chip inside there that will stop you."  Anyone ever tried it?  There's another myth for Dave to bust!

That's easy to test.

I just scanned a $20 US dollar bill on an HP scanner/inkjet combo. It's low resolution, but the EURion constellation was visible on the scan. For the record, this was an HP Deskjet 3540.
« Last Edit: July 06, 2015, 03:47:15 pm by ivan747 »
 

Online dexters_lab

  • Supporter
  • ****
  • Posts: 1890
  • Country: gb
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #57 on: July 06, 2015, 03:51:34 pm »
How secure are electronic locks used on safes?
Dave tries a power line analysis attack on a standard La Gard (LG) 3740/3750 Basic electronic digital lock.
Can you crack an electronic digital safe lock with just a resistor and an oscilloscope?
All sorts of safe cracking techniques are discussed - thermal camera imaging, bumping, drilling, and spiking the solenoid.
And naturally there is a complete teardown of the La Gard lock and a demonstration on how it works.
And then Dave does something incredibly dumb, and has to fix it the old fashioned way, Hollywood style.
It's a tale of epic fails and stunning wins.

http://www.kaba-mas.com/media/654586/v4/File/basic-basic-plus-series-brochure.pdf

ST ST62T25 OTP Microcontroller
http://www.alldatasheet.com/datasheet-pdf/pdf/23746/STMICROELECTRONICS/ST62T25.html

AT93C46 http://www.atmel.com/Images/doc5140.pdf


interesting video Dave, i would have liked to see what happens after the 6th digit was entered as others have mentioned, but i would suspect you would have to get quite sophisticated to get something meaningful and then you have to think about glitching the power at the right point.

i would be interested to see the internals of the keypad and how the lock communicates with it

it's a fascinating subject, this is well worth a watch:




Offline f4eru

  • Super Contributor
  • ***
  • Posts: 1093
  • Country: 00
    • Chargehanger
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #58 on: July 06, 2015, 04:23:40 pm »
Quote
I have never seen a mosfet that's shorted from drain to source - all blown up mosfets that I have seen are always shorted from drain to gate. Also, IIRC I have seen a blown up bipolar transistor that was shorted, but it was probably due to overheating or too high current, not overvoltage.
You broke them wrong.
a G-S short is due to an overstress on gate voltage.
A thermal overstress or G-D overvoltage typically shorts all 3 pins.
Quote
I thought about that, but of course you'd need quite a few of these to experiment, unless you got very lucky.
typically, you can rebuild the little part of the circuit that's relevant (zener, polyswitch, transistor, solenoid), and zap that one multiple times until you find the sweet spot in the time-voltage curve that breaks it the way you want, then test it on an original one...
Quote
I thought about that, but of course you'd need quite a few of these to experiment, unless you got very lucky.
I'd be surprised if La Gard would have this vulnerability.
I would not be surprised to find a pulse shape that could break the transistor without exploding the polyswitch...
« Last Edit: July 06, 2015, 04:29:40 pm by f4eru »
 

Offline MartinX

  • Regular Contributor
  • *
  • Posts: 111
  • Country: se
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #59 on: July 06, 2015, 05:10:15 pm »
Looking at the transistor markings, the solenoid is driven by an ON PZT751T1 PNP transistor; it is a 60V device. There is a large SMC transient suppressor on the supply line before the fuse, marking GEE. I think that is a 12V ON 1SMC5.0AT3G series type. Having a suppressor at 12V and a 60V transistor will probably make it difficult to send a pulse that will open the transistor before the zener clamps or shorts out from overload; possibly you could aim to vaporize the zener completely, but I wonder if the PCB tracks will support that.
 

Offline SeanB

  • Super Contributor
  • ***
  • Posts: 16276
  • Country: za
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #60 on: July 06, 2015, 05:39:04 pm »
12mm front and rest 6mm is typical of safes, which are meant to be bolted to a floor and wall, then built in with brickwork. Dad had a safe he got from his work free, as it had been left as free standing, and the burglars had simply turned it over one Friday evening after breaking in, and then cut through the thin plate under it, then cut through the concrete fill and finally went through the inner skin. Front and the first 20cm of the sides were 20mm steel, but the rest was simply 2mm steel and 1mm underneath. He simply plated the holes with steel sheet and filled the space with gypsum, then used it as the house safe.

Safe at work ( rated for free standing use) is 15mm steel all round, over a tamper resistant core, and at nearly a ton it is not easy to move. Last move I got the pro safe movers in, as it had to move 10m. Took them 20 minutes with the right moving tools and trolleys, and six people to do the carry work. We use it to store backups and documents. The big walk in safe is used as a server room. The old bank next door ( now a shop) uses the 3 walk in safes under the floor as stock storage. I joke with Tony the door key costs more than the stock inside.
 

Offline SA007

  • Newbie
  • Posts: 9
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #61 on: July 06, 2015, 05:59:46 pm »
I've worked with similar locks (same brand, same form factor, different type) at a previous job and there is a major back-door I know of, although this lock would not be susceptible.

These locks were time-delay locks (enter code 1, wait x minutes, enter code 2, safe opens).
The time delays and other settings (such as use only one code, or require both codes to unlock) were programmed in with a special programming tool.
This tool was connected to the same connector as the keypad.

So you would open up the safe, remove the backplate, unplug the keypad, plug in the programmer, program and reverse the process.
The keypad and the programmer use the same connector and pins, and that is the problem.

I found a way to open up the keypad, made a (passive) adaptor to hook the programmer to the wiring attached to the keypad and managed to program the lock without opening the safe first.
I just programmed it 'disable time delay', 'disable code 2' and hooked the keypad back up and opened the safe.
This took about 1 minute, compared to the 10 minute time delay that was programmed in.

Programming does require 'code 1', but most customers left it as factory default (123456 indeed) and only changed code 2.
 

Offline Muxr

  • Super Contributor
  • ***
  • Posts: 1369
  • Country: us
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #62 on: July 06, 2015, 06:42:25 pm »
I laughed when you closed the door with the solenoid disconnected. That's totally something I would do. Good video Dave.  :-DD
 

Offline yym

  • Contributor
  • !
  • Posts: 23
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #63 on: July 06, 2015, 07:35:58 pm »
Hi Dave,

I'm one of those viewers who watches most of your videos but comment rarely and when they do, they usually have something negative to say.

This last video of yours is lacking any scientific information content, it has 0 teaching value.
I thought that the idea of eevblog was of learning about electronics, you know 'real world' electronics, but lately your videos are not about that anymore.

You set up to do some power line analysis, but in the end you did none of that, and your whole setup was so wrong, I don't even...
I knew from the beginning that it would be a fail, you just don't know enough (or it seems that barely anything) about the subject.
To me it seems like you are falling behind, you can not keep up with the modern stuff, you make more and more mistakes, stupid mistakes.
Also it is more and more visible that this blog is driven by making money than by enthusiasm/passion about electronics.
I can see a clear constant drop in the quality(and by that i mean teaching value, not image quality) of your videos, one of them was so boring (well.. to me) that I actually fell asleep.

To put it simple, your videos became the cat videos of electronics, simple stupid/fun stuff for the big majority, because ultimately that is what it counts subscribers and viewer count.

I could go on for pages but I feel you won't give much importance to my opinion anyway, so why should I bother.


If you take away anything from this, then take this: more science, less you

Regards,
Some random dude from the internets

P.S. I know, i know... you can't please everyone, don't get too upset




 

Offline jippie

  • Supporter
  • ****
  • Posts: 118
  • Country: nl
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #64 on: July 06, 2015, 08:07:43 pm »
The thread is getting too long to read as it is time for bed. Allow me to repeat my comment from the blog:

  • Why didn't you use your µCurrent? It may show more details in the current.
  • Another thought is to disconnect the beeper, which will suppress the major noise on the power line. I suspect the beeper uses one of the four wires in the cable and is placed in the front handle. Can the handle be opened?
  • With so much spare cable inside the vault, *if* the cable snaps, it might be possible to just remove the front disc, then pull out the cable for a couple centimeters and snip off the part that is most likely broken.
  • Last but not least: as others have mentioned, I expect the author of the software will have spent excessive time in making all loops and decisions etc take equal time. It is a well known attack nowadays (not entirely sure for 2004)
 

Offline MrMetthew

  • Regular Contributor
  • *
  • Posts: 57
  • Country: ca
  • Where it all comes down to : i = c (dv/dt)
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #65 on: July 06, 2015, 08:27:03 pm »
On a less serious note, after seeing this video, I wanna buy that cheap microscope again :p !
 

Offline apis

  • Super Contributor
  • ***
  • Posts: 1667
  • Country: se
  • Hobbyist
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #66 on: July 06, 2015, 08:54:55 pm »
As others mention, the magic probably happens after pressing the last digit. At first, the uC stores the key presses in RAM, then only after the last key is pressed it does a check of the whole sequence; if one can see something it would be then. In theory one might be able to see something at startup as well, but probably more difficult.

But the video is still interesting, it demonstrates the principle and shows you can see evidence of what's going on inside: the beeper, etc! :)

The reason why bumping doesn't work on this lock is because of the mass loaded pin opposed to the solenoid pin:



Any acceleration that would move the solenoid pin out of the way would also move the other pin in the way. I'm not saying it's impossible, but this makes this very difficult I guess.
I was going to suggest that one could simply put in a second solenoid facing in the opposite direction, or simpler still: a pin attached to a matching mass/spring that is normally out of the way. But you are right, it looks like they thought of that as well! It should make bumping impossible (in theory).

This lock actually seems pretty well designed.

As for keeping track of failed attempts, couldn't the capacitors just keep the microprocessor's internal RAM powered for long enough that it simply stores that in RAM?
« Last Edit: July 06, 2015, 09:11:59 pm by apis »
 

Offline Rick60

  • Contributor
  • Posts: 18
  • Country: gb
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #67 on: July 06, 2015, 09:02:31 pm »
I wonder if it would be possible to see the 400kHz I2C clock and data line as distinct levels, either during power up or after the sixth key, allowing you to decode the EEPROM contents?
 

Offline metalhead777

  • Newbie
  • Posts: 4
  • Country: de
  • Electrical Engineer, fresh from university
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #68 on: July 06, 2015, 11:07:34 pm »
Something I thought of, but didn't think through entirely, so there might be some errors (posted it under the video, too):
I noticed that decoupling was done with some large Tantalum caps. These are rather slow, what would happen, if we replace the Battery with some sort of DC-Powersource with a higher frequency ripple added? The tantalums shouldn't be able to block that out, would it be possible to see something happen to the RF ripple? Or were there some ceramic caps in parallel I didn't see?
I would expect RF signals to penetrate through the entire power section. With a correctly chosen frequency there might be a reaction due to changing the current flow.

Does anybody have any idea, if this might work?
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37730
  • Country: au
    • EEVblog
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #69 on: July 06, 2015, 11:22:19 pm »
I'm one of those viewers who watches most of your videos but comment rarely and when they do, they usually have something negative to say.
This last video of yours is lacking any scientific information content, it has 0 teaching value.
I thought that the idea of eevblog was of learning about electronics, you know 'real world' electronics, but lately your videos are not about that anymore.

There is an unsubscribe button.

Quote
You set up to do some power line analysis, but in the end you did none of that, and your whole setup was so wrong, I don't even...
I knew from the beginning that it would be a fail, you just don't know enough (or it seems that barely anything) about the subject.

It was a simple first test to see if there was anything obvious with the simplest approach possible. I expected it to be a fail too, but thought it would be interesting enough for a first video.

Quote
To me it seems like you are falling behind, you can not keep up with the modern stuff, you make more and more mistakes, stupid mistakes.
Also it is more and more visible that this blog is driven by making money than by enthusiasm/passion about electronics.
I can see a clear constant drop in the quality(and by that i mean teaching value, not image quality) of your videos, one of them was so boring (well.. to me) that I actually fell asleep.

Please unsubscribe then.

Quote
I could go on for pages but I feel you won't give much importance to my opinion anyway, so why should I bother.

Correct, because I can and have proved you are demonstrably wrong that my videos have changed in the quality of "teaching value".

Quote
P.S. I know, i know... you can't please everyone, don't get too upset

Correct. And a ton of people loved this video.
Of course I'm going to get a few who hated it or found fault with it, welcome to Youtube.
 

Offline VK5RC

  • Supporter
  • ****
  • Posts: 2672
  • Country: au
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #70 on: July 06, 2015, 11:47:37 pm »
I teach (post graduates,  non electronic field) and some of the best learning occurs when people are having fun and engaged.  I find EEVblog finds that balance well,  a true variety of topics,  bit of fun but backed by good theory in general.
Whoah! Watch where that landed we might need it later.
 

Offline coflynn

  • Regular Contributor
  • *
  • Posts: 50
  • Country: ca
    • Colin's Homepage
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #71 on: July 06, 2015, 11:49:53 pm »
Very interesting! I found one of the same electronic keypad lock portion on ebay and purchased it to do some inspection myself, as I have wondered about these for a long time. Was good to see a bit of a teardown & initial test to get some ideas of what's involved.

Quote
Last but not least: as others have mentioned, I expect the author of the software will have spent excessive time in making all loops and decisions etc take equal time. It is a well known attack nowadays (not entirely sure for 2004)

It's been known for a long time... but it's easily done wrong or with enough difference between execution paths to still perform the analysis. So I wouldn't be too surprised to find out there is some attack vector. To really start the analysis it's easier to do it right on the chip itself (i.e. NOT something you can do in a practical scenario) and then work backwards to attacking from the front panel.

This gets rid of a ton of noise and eliminates issues w.r.t. decoupling capacitors. If you know the exact time-frame to look at it's often possible to still get very good results, even with decoupling present.
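
The point above about unequal execution paths, as an added example (not code from the lock or from any poster): a host-side C model of a six-digit code check, once with an early exit and once doing equal work for every entry, with loop iterations standing in for execution time. The stored code and all function names are constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CODE_LEN 6

/* Constructed sample code, not taken from any real lock. */
static const uint8_t STORED[CODE_LEN] = {4, 8, 2, 9, 1, 3};

typedef int (*compare_fn)(const uint8_t *entered, unsigned *steps);

/* Early-exit compare: stops at the first wrong digit, so the work done
   depends on how many leading digits of the entry were right. */
int compare_early_exit(const uint8_t *entered, unsigned *steps)
{
    *steps = 0;
    for (size_t i = 0; i < CODE_LEN; i++) {
        (*steps)++;
        if (entered[i] != STORED[i])
            return 0;
    }
    return 1;
}

/* Equal-work compare: always visits all six digits and folds the
   differences together, with no data-dependent branch inside the loop. */
int compare_equal_work(const uint8_t *entered, unsigned *steps)
{
    uint8_t diff = 0;
    *steps = 0;
    for (size_t i = 0; i < CODE_LEN; i++) {
        (*steps)++;
        diff |= (uint8_t)(entered[i] ^ STORED[i]);
    }
    return diff == 0;
}

/* Work done for an entry whose first k digits are right and the rest wrong. */
unsigned work_at(compare_fn cmp, size_t k)
{
    uint8_t entered[CODE_LEN];
    unsigned steps;
    for (size_t i = 0; i < CODE_LEN; i++)
        entered[i] = (i < k) ? STORED[i] : (uint8_t)((STORED[i] + 1) % 10);
    cmp(entered, &steps);
    return steps;
}

/* Spread between the most and least work over k = 0..6; 0 means flat. */
unsigned work_spread(compare_fn cmp)
{
    unsigned lo = work_at(cmp, 0), hi = lo;
    for (size_t k = 1; k <= CODE_LEN; k++) {
        unsigned w = work_at(cmp, k);
        if (w < lo) lo = w;
        if (w > hi) hi = w;
    }
    return hi - lo;
}

int main(void)
{
    for (size_t k = 0; k <= CODE_LEN; k++)
        printf("%zu correct leading digits: early-exit %u steps, equal-work %u steps\n",
               k, work_at(compare_early_exit, k), work_at(compare_equal_work, k));
    return 0;
}
```

On real firmware the equal-work property has to be confirmed on the compiled code and on the measured traces, since a compiler or a data-dependent instruction can reintroduce the difference.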
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37730
  • Country: au
    • EEVblog
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #72 on: July 06, 2015, 11:55:53 pm »
I teach (post graduates,  non electronic field) and some of the best learning occurs when people are having fun and engaged.  I find EEVblog finds that balance well,  a true variety of topics,  bit of fun but backed by good theory in general.

It should also be noted that the EEVblog was never conceived to be any sort of teaching channel. It's exactly as advertised, an "off the cuff video blog for electronics engineers and hobbyists."
People are too quick to criticise when I get something wrong, or miss something, or don't present something the way they expect, as if they are owed an absolutely first rate world class teaching channel  ::)
 

Offline boffin

  • Supporter
  • ****
  • Posts: 1027
  • Country: ca
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #73 on: July 07, 2015, 03:13:52 am »
Go Dave!

The EEVBLOG is whatever Dave wants to make of it.  If you don't like it, you don't have to watch. Loved the fact you fessed up to your fail-button moment, and the fact that what you were trying to do, didn't really come through as a possibility.
 

Offline Stonent

  • Super Contributor
  • ***
  • Posts: 3824
  • Country: us
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #74 on: July 07, 2015, 04:49:21 am »
Something I thought of, but didn't think through entirely, so there might be some errors (posted it under the video, too):
I noticed that decoupling was done with some large Tantalum caps. These are rather slow, what would happen, if we replace the Battery with some sort of DC-Powersource with a higher frequency ripple added? The tantalums shouldn't be able to block that out, would it be possible to see something happen to the RF ripple? Or were there some ceramic caps in parallel I didn't see?
I would expect RF signals to penetrate through the entire power section. With a correctly chosen frequency there might be a reaction due to changing the current flow.

Does anybody have any idea, if this might work?

I think it has a very good possibility of working.  As I was watching the video, I was thinking of electrical attack methods over the exposed battery line.  As was mentioned before trying to brown out the processor and see what happens. The other thought was feed a PWM signal into a mosfet that's connected to the battery to see if you could glitch the processor and get the needle to skip so to speak, causing it to jump to a different subroutine.  Maybe have the PWM have a random duty cycle and cycle through various frequencies and have the input voltage vary up and down.

And there's always the destructive method of trying an over-voltage attack on it.

If anyone's got a handful of cheap ATTiny chips or maybe some PIC10/12 chips you don't mind destroying, you could code up a simple program that runs in a loop with some unreachable code.

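Code:
#include <stdbool.h>

void StayLocked(void);  /* placeholder: whatever marks the locked state */
void Unlock(void);      /* placeholder: must never run in normal operation */

int main(void)
{
  volatile int x = 0;   /* volatile so the compiler keeps the test and the unreachable branch */
  while (true)
  {
    if (x == 0)
    {
      StayLocked();
    }
    else
    {
      Unlock();
    }
  }
}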

Then just go to town feeding all sorts of signals into the VCC line and see if you can ever get Unlock() to run.
« Last Edit: July 07, 2015, 04:52:12 am by Stonent »
The larger the government, the smaller the citizen.
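
A host-side model of the firmware-hardening side of the test loop above, added here as an example and not part of the original post: it compares the post's `x == 0` decision with a version that uses two complementary state patterns plus a shadow copy, and counts how many one- and two-bit corruptions of the locked state would reach the unlock branch. The constants, function names and the bit-flip fault model are assumptions; it does not model skipped or corrupted instructions.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed constants: the two valid states are bitwise complements of
   each other, so turning one into the other needs all 32 bits to flip. */
#define STATE_LOCKED   0x3CA5965Au
#define STATE_UNLOCKED 0xC35A69A5u

/* Decision from the post: 0 keeps the lock shut, any other value opens it. */
int naive_unlocks(uint32_t x)
{
    if (x == 0)
        return 0;               /* StayLocked() */
    else
        return 1;               /* Unlock() */
}

/* Hardened decision: open only on the exact unlock pattern AND a matching
   complemented shadow copy; every other value fails safe to locked. */
int hardened_unlocks(uint32_t state, uint32_t shadow)
{
    if (state == STATE_UNLOCKED && shadow == (uint32_t)~STATE_UNLOCKED)
        return 1;               /* Unlock() */
    return 0;                   /* StayLocked(), also for any corrupt value */
}

/* Apply every 1-bit and 2-bit flip (32 + 496 = 528 masks) to the stored
   locked state and count how many corrupted values reach Unlock(). */
int count_unlocking_faults(int hardened)
{
    int hits = 0;
    for (int i = 0; i < 32; i++) {
        for (int j = i; j < 32; j++) {
            /* j == i: single-bit mask; j > i: two-bit mask */
            uint32_t mask = (1u << i) | (1u << j);
            if (hardened)
                hits += hardened_unlocks(STATE_LOCKED ^ mask,
                                         (uint32_t)~STATE_LOCKED);
            else
                hits += naive_unlocks(0u ^ mask);
        }
    }
    return hits;
}

int main(void)
{
    printf("naive:    %d of 528 faults unlock\n", count_unlocking_faults(0));
    printf("hardened: %d of 528 faults unlock\n", count_unlocking_faults(1));
    return 0;
}
```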
 

