EEVblog #762 – How Secure Are Electronic Safe Locks?


    How secure are the electronic locks used on safes?
    Dave tries a power line analysis attack on a standard La Gard (LG) 3740/3750 Basic electronic digital lock fitted to a CMI home safe.
    Can you crack an electronic digital safe lock with just a resistor and an oscilloscope?
    All sorts of safe cracking techniques are discussed – thermal camera imaging, bumping, drilling, and spiking the solenoid.
    And naturally there is a complete teardown of the La Gard lock and a demonstration of how it works.
    And then Dave does something incredibly dumb, and has to fix it the old-fashioned way, Hollywood style.
    It’s a tale of epic fails and stunning wins.

    Forum HERE

    Brochure
    ST ST62T25 OTP Microcontroller
    AT93C46 EEPROM

    Teardown photos:


      • Veda

        One way to implement the software is to store all the keypresses that are being done, and after 6 presses, read the keypresses back from memory and check if it was the correct code. That way each key press uses the exact same routine no matter if it is correct or wrong.

        • mike44628

          That’s exactly the way I do it… build the string and then do a compare.

          • rotopenguin

            Building up individual keypresses sounds a bit more sensible softwarewise. Once the 1st keypress is seen, the MCU probably stays fairly awake waiting for the next 5 presses. If there’s too long a wait between keypresses it should time out, assume the presses were a mistake, discard state and return to deep sleep. The battery drain for at most a few seconds full wakefulness would be just fine working with interrupt-driven I2C(?). They must also use a fairly high wake state to count off the 5 minute time out, wouldn’t want you simply skipping out by pulling power.

            Now, what do you do if you have a full set of 6 inputs sitting in queue, and are about to make the big test against your secret value? If you’re Apple, you do dumbshit stuff like this – http://blog.mdsec.co.uk/2015/03/bruteforcing-ios-screenlock.html . Give out the fact that a password is wrong, and LATER commit to long term storage the fact that you got a failed attempt. Nobody could unplug the battery that fast, right? If LG is smart, they use that gigantic 1K EEPROM to (a) rotate a log for lots of write endurance and (b) mark down each failed attempt. Probably best to START by marking a failed attempt no matter what, and then do the compare (all 6 characters, balanced code paths), and take back the bad mark on success. And make sure that the flash write actually took, don’t want anybody taking advantage of how picky that part is about brownout.

            So, did they actually do all of that? Maybe not, given that this is an older model. It may leak information before the failed attempt is written to flash, and be vulnerable to attack there. The flash might be vulnerable to power attack. I’ve heard of AVRs being vulnerable to glitching with high frequency noise sneaking in past GPIOs, how about that ST? How complicated is the protocol talking to the keypad/buzzer?

        • Yes, that is likely, but you should always check the single keypresses first for any vulnerability in that area.

      • Alejandro Varela

        Very interesting Dave! Thanks

      • Skyr

        Have you tried replacing the battery with a lab power supply and dropping the voltage to the edge of functionality of the microprocessor? You might be able to see something interesting here – different branches in the program can result in different power consumption, so some branches will succeed while others will expose random errors.

      • mike44628

        Good video… love how you were able to get that cable reconnected

      • blipton

        So the EEPROM contains the code in plain text?

      • okojobee dakota

        Hey, thanks Dave! I learned a lot (no, I’m not going to ‘Prison Safecracking School’!! at least not yet ..
        Question: It’d be great if you could make an addendum to your vid in which you video’d the ‘thermal camera button presses’ and actually show us where heat-retention latency could really yield the intact sequence of number presses!!
        A slow-motion view of the keypresses could perhaps reveal a 250ms time diff between the sequential extinguishing of the heat signature, making it trivial to hack the code ..

        Oh, by the way .. I improved the model style of my own ‘Outback Letter Opener’ .. it’s at the post office now … a 16″ beauty which I had ordered to be engraved with: ” THIS is a knife! ” , lol

        Thanks Dave for all this work you do and from which we do benefit … (e.g., I DON’T have to pick up a 40 lb safe to do what you demo’d !! )
        See ya at Ayer’s Rock!
        jon anderson, Me.Eng, M.D. , Hatfield, Ma., USA (2hrs west of Boston)

        • There is really no point trying thermal camera attack on safes like this, as it’s very unlikely you’d ever be in a position to use such an attack.

          • rotopenguin

            If you are in such a position, why not have a little plexi pamphlet dispenser with a camera capture the actual button taps?

      • jippie

        Why didn’t you use your µCurrent? It may show more details in the current. Another thought is to disconnect the beeper, which will suppress the major noise on the power line. I suspect the beeper uses one of the four wires in the cable and is placed in the front handle. Can the handle be opened? Last but not least: With so much spare cable inside the vault, *if* the cable snaps, it might be possible to just remove the front disc, then pull out the cable for a couple centimeters and snip off the part that is most likely broken.

        • Most people won’t have a uCurrent, so I tried the simplest approach first.

      • Johm

        A great one Dave, what about ripping the code out of the micro?


      • Joel

        Dave, you looked at the wrong time for a power consumption vulnerability test. You need to look at what happens after you put in the 6th keypress. So try it once with the right first digit and once with the wrong first digit (make all the other digits correct for initial tests), and see if you see a power draw difference – you want to measure the part of the program that is looking at each digit.

        Of course there are ways to make this more difficult such as not using an array of keypresses, securely hashing the keypresses (to essentially randomize them), etc.
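      The point raised in the Veda/rotopenguin thread above (buffer all six presses, compare with balanced code paths, and record the failed attempt in non-volatile memory before the compare) and in Joel’s comment (the leak, if there is one, is in the compare after the 6th keypress, not in the individual presses) is illustrated by the following added example. It is hypothetical firmware-style C written for this page, not La Gard’s code and not a description of what the ST62T25 in the lock actually does; the `cost` counter is a stand-in for the time/current a scope would see, and `MAX_FAILS`, the sample secret and the simulated EEPROM are constructed for the demonstration.

```c
/* Added example: how a 6-digit keypad lock might verify a code, and where a
 * power-line or timing side channel lives.  Hypothetical code, not La Gard's.
 * `cost` counts compare iterations as a proxy for the time / current draw that
 * follows the 6th keypress. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define CODE_LEN 6
#define MAX_FAILS 4              /* assumed lockout threshold, not the LG value */

/* Simulated lock state; a real lock keeps `fails` in EEPROM. */
typedef struct {
    uint8_t secret[CODE_LEN];
    uint8_t fails;               /* committed failed-attempt count */
    bool    nv_write_ok;         /* false simulates a brownout during the write */
} lock_t;

/* Constructed sample inputs for the demonstration. */
static const uint8_t DEMO_SECRET[CODE_LEN]      = {1, 2, 3, 4, 5, 6};
static const uint8_t DEMO_WRONG_FIRST[CODE_LEN] = {9, 2, 3, 4, 5, 6};
static const uint8_t DEMO_WRONG_LAST[CODE_LEN]  = {1, 2, 3, 4, 5, 9};

/* Naive check: bails out at the first wrong digit.  The amount of work done
 * after the 6th keypress now depends on how many leading digits were right,
 * so an attacker watching the supply line can solve the code one digit at a
 * time (6*10 guesses worst case instead of 10^6). */
bool check_early_exit(const uint8_t *entered, const uint8_t *secret, int *cost)
{
    *cost = 0;
    for (int i = 0; i < CODE_LEN; i++) {
        (*cost)++;
        if (entered[i] != secret[i])
            return false;
    }
    return true;
}

/* Balanced check: always touches all six digits and does identical work no
 * matter where (or whether) a mismatch is; only the final verdict differs. */
bool check_balanced(const uint8_t *entered, const uint8_t *secret, int *cost)
{
    uint8_t diff = 0;
    *cost = 0;
    for (int i = 0; i < CODE_LEN; i++) {
        (*cost)++;
        diff |= entered[i] ^ secret[i];
    }
    return diff == 0;
}

/* Simulated EEPROM write with read-back verify; false if the write did not take. */
static bool nv_commit_fails(lock_t *lock, uint8_t value)
{
    if (!lock->nv_write_ok)
        return false;
    lock->fails = value;
    return lock->fails == value;
}

/* Fail-first: commit the failed attempt BEFORE comparing, then take the mark
 * back on success.  Yanking the battery right after the "wrong" beep gains
 * nothing, because the failure is already in non-volatile storage.  If the
 * write cannot be verified the lock refuses to even run the compare. */
bool attempt_unlock(lock_t *lock, const uint8_t *entered)
{
    int cost;
    if (lock->fails >= MAX_FAILS)
        return false;                         /* in penalty lockout */
    if (!nv_commit_fails(lock, (uint8_t)(lock->fails + 1)))
        return false;                         /* log not committed: do not proceed */
    bool ok = check_balanced(entered, lock->secret, &cost);
    if (ok)
        nv_commit_fails(lock, 0);             /* success: clear the counter */
    return ok;
}

int main(void)
{
    lock_t lock = { {1, 2, 3, 4, 5, 6}, 0, true };
    int c_first, c_last;

    check_early_exit(DEMO_WRONG_FIRST, DEMO_SECRET, &c_first);
    check_early_exit(DEMO_WRONG_LAST, DEMO_SECRET, &c_last);
    printf("early-exit cost: wrong 1st digit=%d, wrong 6th digit=%d (leaks position)\n",
           c_first, c_last);

    check_balanced(DEMO_WRONG_FIRST, DEMO_SECRET, &c_first);
    check_balanced(DEMO_WRONG_LAST, DEMO_SECRET, &c_last);
    printf("balanced cost:   wrong 1st digit=%d, wrong 6th digit=%d\n", c_first, c_last);

    bool opened = attempt_unlock(&lock, DEMO_WRONG_LAST);
    printf("wrong code opens? %d, fails=%u\n", opened, (unsigned)lock.fails);
    opened = attempt_unlock(&lock, DEMO_SECRET);
    printf("right code opens? %d, fails=%u\n", opened, (unsigned)lock.fails);
    return 0;
}
```

      On a real part the `cost` difference shows up as a longer burst of activity on the supply line, which is why the thing to probe is the window right after the last keypress, with the buzzer disconnected so its current does not swamp the signal. Note that balanced compare alone does not stop brute force; the committed fail counter and the penalty time are what make the 10^6 keyspace expensive.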

      • Steve Offer

        Also, the preamble pulse you saw could have been wakeup plus overuse strategy check and initialisation. The buzzer should have been disconnected and an analysis conducted at lower voltage during buzzer time. If I were a designer I would use the buzzer noise to hide sensitive power line activity. Also, sounded a bit like Dave did not want to offend the manufacturer.

      • eili

        I see there is a phototransistor; you could try to use 40 V instead of 9 V.

        Will you have the time to open your box at the moment when everything blows up? ^^

      • Harvey

        Thanks for the investigation Dave. I’m a locksmith by trade and work with these on a day to day basis. I’ve posted your video onto the Locksmiths Guild of Australia forum for other guild members to check out too.
        I can assure you there are a number of vulnerabilities that we exploit to open these, but many are related to the typical problems we get (cable break, keypad failed, code incorrectly entered, etc) and typically we work without time constraints (unlike thieves), and we have replacement locks to install afterwards if needed.
        I can appreciate your work.

      • I’m reminded of the time in WarGames where he recorded the details of the pin presses on his walkman. If you had a little time with access to that 4 pin connector could you slip something in between the keypad and solenoid?

        • But you’d have to have someone enter the code and record it.
