Author Topic: EEVblog #762 - How Secure Are Electronic Safe Locks?  (Read 62477 times)

0 Members and 1 Guest are viewing this topic.

Offline max666

  • Frequent Contributor
  • **
  • Posts: 367
  • Country: at
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #175 on: August 07, 2015, 03:11:15 pm »
... The simple way to write the program is to save the buttons being pressed. Once the 6th button is pressed then you would do a go/no-go check to see if the correct code was entered. "It would make the lock immune to power line analysis.

Careful there. Saying it would make the lock immune is quite a strong statement. This has already been mentioned in this thread. How exactly do you do the "go/no-go check"? How do you compare an array? Do you maybe compare it bit by bit? Is there maybe a difference once a bit matches or not?
 

Offline Stonent

  • Super Contributor
  • ***
  • Posts: 3824
  • Country: us
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #176 on: August 08, 2015, 07:18:30 pm »
Don't try the lock. just cut the hasp it is attached to. Otherwise I will introduce it to my little friend Mr Afrox.

Note the steel of many shackles suffers from cold embritterment, so you can simply freeze them with lN2 and then shatter them.

I'm a fan of BosnianBill's locklab channel where he picks locks and takes them apart. He is apparently some kind of federal agent but never specifically says what. 

He does also pick abloy, abus, and other high end locks, he even picked a 7 pin medeco over the course of a few weeks.

I had a recent need for a lock and found a fairly inexpensive lock by Brinks that had a boron steel shackle, ball bearing retainers, and security pins. The shackle has a pry resistance of 5 tons of force. So at least should be resistant against most petty criminals.
The larger the government, the smaller the citizen.
 

Offline SeanB

  • Super Contributor
  • ***
  • Posts: 15433
  • Country: za
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #177 on: August 08, 2015, 07:48:35 pm »
Another channel added, I have some of those locks, but here picking is not much in fashion.
 

Offline DanielS

  • Frequent Contributor
  • **
  • Posts: 798
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #178 on: August 09, 2015, 04:07:49 am »
The fastest way to crack a mechanical combination safe:


Seven times world-champion safe-cracker. Cracks almost any combination safe in about five minutes. All by finger touch alone.
 

Offline Rasz

  • Super Contributor
  • ***
  • Posts: 2437
  • Country: 00
    • My random blog.
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #179 on: August 09, 2015, 04:59:14 am »
Seven times world-champion safe-cracker. Cracks almost any combination safe in about five minutes. All by finger touch alone.

if human can do it machine would be able to do it even faster, it seems all you need is arduidiotino, bldc motor controller and strain gage :o
Who logs in to gdm? Not I, said the duck.
My fireplace is on fire, but in all the wrong places.
 

Offline John Coloccia

  • Super Contributor
  • ***
  • Posts: 1199
  • Country: us
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #180 on: August 10, 2015, 03:10:55 am »
Seven times world-champion safe-cracker. Cracks almost any combination safe in about five minutes. All by finger touch alone.

if human can do it machine would be able to do it even faster, it seems all you need is arduidiotino, bldc motor controller and strain gage :o

And there are such contraptions, actually.
 

Offline miguelvp

  • Super Contributor
  • ***
  • Posts: 5549
  • Country: us
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #181 on: August 10, 2015, 05:34:48 am »
His fingers wont help him much with a digital lock.
 

Offline DanielS

  • Frequent Contributor
  • **
  • Posts: 798
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #182 on: August 10, 2015, 08:06:35 pm »
His fingers wont help him much with a digital lock.
It might not but it is still impressive to see someone crack a four turns bank vault's combination lock just as easily as a three turns gun safe with nothing more than his feather-touch.

For digital safes that lack a mechanical deadlock mechanism (ex.: tempered glass pane) though, the simplest and fastest way to get inside (aside from either knowing the combination or some sort of master code) is to drill the locking pin that keeps the safe locked (a tiny solenoid-activated pin in this case) once you know its exact location.
 

Offline John Coloccia

  • Super Contributor
  • ***
  • Posts: 1199
  • Country: us
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #183 on: August 10, 2015, 10:01:20 pm »
The thing is that there's a style of combination lock that basically can't be cracked other than brute force trying every combination. The style of lock he's cracking has a fatal flaw, and one that wasn't appreciated for a long time...but anyone who studies locks knows what it is these days.  It's still very impressive because it's not easy to do, and it's dang near impossible to do it at his speed...it's just incredible. I do wonder why anyone with something important to lock up, like a bank, bothers with that style lock. 
 

Offline helius

  • Super Contributor
  • ***
  • Posts: 3158
  • Country: us
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #184 on: August 10, 2015, 11:46:43 pm »
I guess the inherent difficulty of manipulating disc locks made them seem highly secure, so that even better approaches had trouble getting adoption. Just by adding 3-5 false gates on each disc, it would already be incredibly difficult to manipulate.
But the whole problem of sensing resistance to movement, etc, would be moot if the sidebar was locked outward, out of contact with the discs, until after the knob was locked in place. It's such an obvious idea that I'm sure it was invented a long time ago.
 

Offline John Coloccia

  • Super Contributor
  • ***
  • Posts: 1199
  • Country: us
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #185 on: August 11, 2015, 01:40:48 am »
I guess the inherent difficulty of manipulating disc locks made them seem highly secure, so that even better approaches had trouble getting adoption. Just by adding 3-5 false gates on each disc, it would already be incredibly difficult to manipulate.
But the whole problem of sensing resistance to movement, etc, would be moot if the sidebar was locked outward, out of contact with the discs, until after the knob was locked in place. It's such an obvious idea that I'm sure it was invented a long time ago.

It was.  For example, the Sargent and Greenleaf 8500 series.  I don't know any manipulation technique other than brute force, and I doubt one exists.  Still, even with the less secure style of lock he's cracking, it is such a difficult technique to master. I've seen him work before, and I'm always amazed when I see him zip through a lock like that.
 

Offline max666

  • Frequent Contributor
  • **
  • Posts: 367
  • Country: at
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #186 on: January 01, 2016, 10:14:13 pm »
Totally agree with your statement , locksmith can open the hinge very easily as know to open or unlock the safe locks also.

Is that a shameless self-advertisement?
 

Online Fungus

  • Super Contributor
  • ***
  • Posts: 11390
  • Country: 00
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #187 on: January 02, 2016, 09:09:02 am »
Totally agree with your statement , locksmith can open the hinge very easily as know to open or unlock the safe locks also.

Is that a shameless self-advertisement?

If so, it's one of the worst I've ever seen  :-DD

Clue: Safe hinges aren't part of the security mechanism. They're just there to let you swing the door open after you unlock it.
« Last Edit: January 02, 2016, 09:10:37 am by Fungus »
 

Offline hamdi.tn

  • Frequent Contributor
  • **
  • Posts: 620
  • Country: tn
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #188 on: June 13, 2016, 09:33:41 pm »
 :-DD :-DD :-DD :-DD :-DD
i just locked one (with door opened) in my hotel room when trying to program it xD i just passed 5 minutes in the damn room to start doing what i do best  :-DD
 

Offline zaidbakri

  • Newbie
  • Posts: 1
  • Country: il
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #189 on: July 25, 2018, 10:46:56 am »
Is it possible to reset the pin code from inside (ic)
 

Offline briangordon

  • Contributor
  • Posts: 8
  • Country: us
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #190 on: September 11, 2020, 09:10:09 am »
this is where attack is happening, how do you compare good code to bad code? you dont have vliw, simd, nor even 32bit alu to make whole comparison in one instruction.

... The simple way to write the program is to save the buttons being pressed. Once the 6th button is pressed then you would do a go/no-go check to see if the correct code was entered. "It would make the lock immune to power line analysis.

Careful there. Saying it would make the lock immune is quite a strong statement. This has already been mentioned in this thread. How exactly do you do the "go/no-go check"? How do you compare an array? Do you maybe compare it bit by bit? Is there maybe a difference once a bit matches or not?

In C it would look like:

Code: [Select]
int success = 0;
for (int i=0; i<6; ++i)
  success &= input[i] == secret[i]
if (success)
  turnOnSolenoid();

Notice that the loop doesn't terminate early on an incorrect digit.

Looking at the datasheet for the MCU, it has an 8 bit word size so a decimal digit fits easily in a word. Comparing two words from memory is a single instruction, taking 4 clock cycles. The comparison itself takes place within a single clock cycle. Same goes for accumulating the success value. Unless you think you can detect differences in current draw based on the specific values on the data bus or in RAM or in the status flags or moving through logic gates, this code seems immune from power line analysis.

There's a fantastic little programming manual I found (attached below) which tells you everything you need to know to write assembly code for the ST62. I couldn't resist taking a crack at actually implementing this in assembly, optimized as best as I can manage:

Code: [Select]
; We assume that X starts out holding a pointer to the first byte of the keypad input sequence array
; We assume that Y starts out holding a pointer to the first byte of the secret code array

LDI W,0h

; Check digit 1
LD A,(X)
SUB A,(Y)
ADD A,W
LD W,A
INC X
INC Y

; Check digit 2
LD A,(X)
SUB A,(Y)
ADD A,W
LD W,A
INC X
INC Y

; Check digit 3
LD A,(X)
SUB A,(Y)
ADD A,W
LD W,A
INC X
INC Y

; Check digit 4
LD A,(X)
SUB A,(Y)
ADD A,W
LD W,A
INC X
INC Y

; Check digit 5
LD A,(X)
SUB A,(Y)
ADD A,W
LD W,A
INC X
INC Y

; Check digit 6
LD A,(X)
SUB A,(Y)
ADD A,W

; There is literally no conditional long jump instruction so we have to conditionally short jump over an unconditional long jump...
JRNZ +1
JP TurnOnSolenoid
 

Offline RenThraysk

  • Regular Contributor
  • *
  • Posts: 77
  • Country: gb
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #191 on: September 12, 2020, 05:17:50 pm »
this is where attack is happening, how do you compare good code to bad code? you dont have vliw, simd, nor even 32bit alu to make whole comparison in one instruction.

... The simple way to write the program is to save the buttons being pressed. Once the 6th button is pressed then you would do a go/no-go check to see if the correct code was entered. "It would make the lock immune to power line analysis.

Careful there. Saying it would make the lock immune is quite a strong statement. This has already been mentioned in this thread. How exactly do you do the "go/no-go check"? How do you compare an array? Do you maybe compare it bit by bit? Is there maybe a difference once a bit matches or not?

In C it would look like:

Code: [Select]
int success = 0;
for (int i=0; i<6; ++i)
  success &= input[i] == secret[i]
if (success)
  turnOnSolenoid();

Notice that the loop doesn't terminate early on an incorrect digit.


With a decent compiler and optimisation level that loop is eliminated. success always equals zero, lock never opens. :)

Usual convention for constant time comparisons is using xor and or.

Code: [Select]
    int x = 0;
    for (int i = 0; i < 6; i++) {
        x |= input[i] ^ secret[i];
    }
    if (x == 0) {
       turnOnSolenoid();
    }


« Last Edit: September 12, 2020, 05:31:36 pm by RenThraysk »
 

Offline briangordon

  • Contributor
  • Posts: 8
  • Country: us
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #192 on: September 13, 2020, 12:59:38 am »
No, I don't think the loop would be optimized away. I'm not sure what you have in mind there.

xor works fine too. I'm not sure what you mean by that being the convention. In C you would always write == to communicate intent, and in assembly I've seen subtraction used where there's no explicit comparison instruction.
 

Offline CChin254

  • Contributor
  • Posts: 38
  • Country: us
    • My Blog
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #193 on: September 13, 2020, 05:24:52 am »
IC Identification for this device:
[attach=1]
Predicted Block Diagram:
[attach=2]
 

Offline helius

  • Super Contributor
  • ***
  • Posts: 3158
  • Country: us
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #194 on: September 13, 2020, 06:08:50 am »
No, I don't think the loop would be optimized away. I'm not sure what you have in mind there.

0 & a & b & c & d & e & f is false for any values of a, b, c, d, e, f;
EEs tend to know this because the AND gate's output is zero whenever any of its inputs is zero. Put another way, the success condition in your code starts out false, and the AND operator can never become true when it has any false inputs. So the loop cannot, by construction, alter the value of success. The C compiler should therefore consider the entire loop as dead code, since it has no effect on the program and does not involve volatile variables.

There are also other problems in the code, such as the absence of blocks (compound statements) following for and if. This leads to "dangling if" problems where the scope of the if is not what it appears to be on the screen. That's the case in your code: the simple omission of a semicolon means that the if is actually inside the loop!

Code: [Select]
int success = 0;
for (int i=0; i<6; ++i)
  success &= input[i] == secret[i] if (success) turnOnSolenoid();

This will produce a syntax error at compile time, but there are other situations where it would pass unnoticed (comma...)
 

Offline RenThraysk

  • Regular Contributor
  • *
  • Posts: 77
  • Country: gb
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #195 on: September 13, 2020, 12:23:17 pm »
No, I don't think the loop would be optimized away. I'm not sure what you have in mind there.

0 & a & b & c & d & e & f is false for any values of a, b, c, d, e, f;
EEs tend to know this because the AND gate's output is zero whenever any of its inputs is zero. Put another way, the success condition in your code starts out false, and the AND operator can never become true when it has any false inputs. So the loop cannot, by construction, alter the value of success. The C compiler should therefore consider the entire loop as dead code, since it has no effect on the program and does not involve volatile variables.

Exactly. As seen here https://godbolt.org/z/7oqTj6
 

Offline briangordon

  • Contributor
  • Posts: 8
  • Country: us
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #196 on: September 14, 2020, 10:46:47 am »
Ah I see, there's a bug in my code. success should start out as 1, not 0. Then it works fine.

I wrote the C code correctly first, but then wrote the assembly version and, due to the limited instruction set, it turned out to be easier to write essentially this code (well, the unrolled version of this):

Code: [Select]
int failed = 0;
for (int i=0; i<6; ++i)
  failed += (input[i]-secret[i]);
if (failed != 0)
  turnOnSolenoid();

I went back to the C code to make it more like the ASM, but decided it was less clear and changed it back... messing it up in the process  :-X
 

Offline RenThraysk

  • Regular Contributor
  • *
  • Posts: 77
  • Country: gb
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #197 on: September 14, 2020, 11:37:32 am »
Ah I see, there's a bug in my code. success should start out as 1, not 0. Then it works fine.

I wrote the C code correctly first, but then wrote the assembly version and, due to the limited instruction set, it turned out to be easier to write essentially this code (well, the unrolled version of this):

Code: [Select]
int failed = 0;
for (int i=0; i<6; ++i)
  failed += (input[i]-secret[i]);
if (failed != 0)
  turnOnSolenoid();

I went back to the C code to make it more like the ASM, but decided it was less clear and changed it back... messing it up in the process  :-X

Try this with an input of "ababab" and a secret of "bababa", and you'll see why xor and or are used. 

« Last Edit: September 14, 2020, 12:26:28 pm by RenThraysk »
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf