Author Topic: EEVblog #762 - How Secure Are Electronic Safe Locks?  (Read 85860 times)


Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37717
  • Country: au
    • EEVblog
EEVblog #762 - How Secure Are Electronic Safe Locks?
« on: July 06, 2015, 06:51:13 am »
How secure are electronic locks used on safes?
Dave tries a power line analysis attack on a standard La Gard (LG) 3740/3750 Basic electronic digital lock.
Can you crack an electronic digital safe lock with just a resistor and an oscilloscope?
All sorts of safe cracking techniques are discussed - thermal camera imaging, bumping, drilling, and spiking the solenoid.
And naturally there is a complete teardown of the La Gard lock and a demonstration on how it works.
And then Dave does something incredibly dumb, and has to fix it the old fashioned way, Hollywood style.
It's a tale of epic fails and stunning wins.

http://www.kaba-mas.com/media/654586/v4/File/basic-basic-plus-series-brochure.pdf

ST ST62T25 OTP Microcontroller
http://www.alldatasheet.com/datasheet-pdf/pdf/23746/STMICROELECTRONICS/ST62T25.html

AT93C46 http://www.atmel.com/Images/doc5140.pdf


 

Offline G7PSK

  • Super Contributor
  • ***
  • Posts: 3859
  • Country: gb
  • It is hot until proved not.
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #1 on: July 06, 2015, 07:54:24 am »
A professional locksmith would attack the hinge on a safe like that. My father had a similar safe that just refused to open one day so he called a locksmith who just punched the hinge pin out, took less than ten minutes in all.
 

Offline mauroh

  • Frequent Contributor
  • **
  • Posts: 292
  • Country: it
    • Mauro Pintus
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #2 on: July 06, 2015, 08:01:38 am »
I think it could be interesting to perform the same analysis on the 6th digit, when the CPU actually verifies the code against all the digits pressed.
Mauro

Offline firewalker

  • Super Contributor
  • ***
  • Posts: 2450
  • Country: gr
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #3 on: July 06, 2015, 08:19:04 am »
You should also try to lower the voltage to test brown out detection.

Alexander.
Become a realist, stay a dreamer.

 

Offline Gecko

  • Contributor
  • Posts: 16
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #4 on: July 06, 2015, 08:19:58 am »
First of all: Very interesting video! And the fail was just hilarious  :-DD :-DD But could've happened to me as well  |O

Some comments: My assumption is that the first longer "dip" in the trace (for example at 27:01 in the video) is just the keypress and some current flow through a pull up/down resistor. Did you check that maybe by holding the button a bit longer?

Then to the end you say: "Even if we could find the 6 right digits, we don't know the order"
I'd say that depends on how good/poorly they have programmed the software: Say it is kind of an if/else hierarchical thing:

Code:
If 1st digit correct
  If 2nd digit correct
    If 3rd digit correct
      If 4th digit correct
        If 5th digit correct
          If 6th digit correct
            activate_solenoid();
          Else
            Do_nothing();
        Else
          Wait_for_1_more_keypress();
          Do_nothing();
      Else
        Wait_for_2_more_keypress();
        Do_nothing();
    Else
      Wait_for_3_more_keypress();
      Do_nothing();
  Else
    Wait_for_4_more_keypress();
    Do_nothing();
Else
  Wait_for_5_more_keypress();
  Do_nothing();

Then one could find out from the power lines whether the uC takes the IF or the ELSE branch, and hence step by step find out the right combination: First try all digits for the first one, see which triggers the If branch. That gets you the first digit, e.g. "5". Then knowing the first digit, try all combinations of "5" and any possible digit for the second digit, and see which causes it to take the IF branch and so on..


However you're right that decoupling makes that sort of thing more difficult. But that's why the Chipwhisperer sort of automates this task: It does the same thing, with slight variations over and over and over tens and thousands of times. Because, although the information we were looking for is not visible in a single shot trace because of the decoupling, it is still there, buried in noise. If you repeat the same thing long enough, the information will become visible.
However this is of course limited by the "maximum 4 attempts before you have to wait" that you mentioned.

But an interesting thing to do would be to automate the whole thing and do something like this:
Take another uC, and write some simple code that sends the right combination, and after that sends a combination which differs on the last digit. And doing this over and over, so that you don't encounter the maximum 4 attempts limit, because it's reset every time.
And of that you record the powerline traces, a couple of thousand times (that's why you want to automate this whole thing ;) )
And then group the traces into "the ones with the correct combination" and "the ones with the last digit wrong", average each of these groups, and compare the averaged traces.
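The averaging idea in the post above, as an added simulation that is not part of the original post or the video: two groups of noisy traces differ by a small amount at one sample, and the difference only rises above the noise once enough traces are averaged. Trace length, leak position, amplitudes and the noise generator are all constructed assumptions, not measurements from the La Gard lock.

```c
#include <stdint.h>
#include <stdio.h>

#define TRACE_LEN 64     /* samples per simulated trace (constructed) */
#define LEAK_AT   40     /* sample where the two code paths differ (constructed) */
#define LEAK_AMP  1.0    /* size of the data-dependent difference (constructed) */
#define NOISE_PP  40.0   /* peak-to-peak noise, 40x the leak (constructed) */

static uint32_t rng_state = 0x2545F491u;   /* fixed seed: results are repeatable */

/* xorshift32 generator mapped to uniform noise in [-NOISE_PP/2, +NOISE_PP/2) */
static double noise(void)
{
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    rng_state = x;
    return ((double)(x >> 8) / 16777216.0 - 0.5) * NOISE_PP;
}

/* One simulated supply-current trace for a code entry. */
static void simulate_trace(int last_digit_correct, double *trace)
{
    for (int i = 0; i < TRACE_LEN; i++) {
        /* key-press dip, identical in both groups */
        double base = (i >= 8 && i < 24) ? -5.0 : 0.0;
        trace[i] = base + noise();
    }
    if (last_digit_correct)
        trace[LEAK_AT] += LEAK_AMP;   /* the only data-dependent part */
}

/* Record n traces per group, average each group, store mean(ok) - mean(bad). */
static void difference_of_means(int n, double *diff)
{
    double sum_ok[TRACE_LEN] = {0}, sum_bad[TRACE_LEN] = {0}, t[TRACE_LEN];
    for (int k = 0; k < n; k++) {
        simulate_trace(1, t);
        for (int i = 0; i < TRACE_LEN; i++) sum_ok[i] += t[i];
        simulate_trace(0, t);
        for (int i = 0; i < TRACE_LEN; i++) sum_bad[i] += t[i];
    }
    for (int i = 0; i < TRACE_LEN; i++)
        diff[i] = (sum_ok[i] - sum_bad[i]) / n;
}

static double magnitude(double v) { return v < 0 ? -v : v; }

/* Sample index with the largest absolute difference. */
static int peak_index(const double *diff)
{
    int best = 0;
    for (int i = 1; i < TRACE_LEN; i++)
        if (magnitude(diff[i]) > magnitude(diff[best])) best = i;
    return best;
}

/* Largest absolute difference anywhere except the leak sample. */
static double noise_floor(const double *diff)
{
    double worst = 0.0;
    for (int i = 0; i < TRACE_LEN; i++)
        if (i != LEAK_AT && magnitude(diff[i]) > worst) worst = magnitude(diff[i]);
    return worst;
}

int main(void)
{
    double diff[TRACE_LEN];
    int counts[] = {4, 100, 50000};
    for (int c = 0; c < 3; c++) {
        difference_of_means(counts[c], diff);
        printf("n=%5d  diff at leak=%+.3f  noise floor=%.3f  peak at %d\n",
               counts[c], diff[LEAK_AT], noise_floor(diff), peak_index(diff));
    }
    return 0;
}
```

With only a handful of traces per group, which is what an attempt limit enforces, the residual noise is larger than the leak; the leak stands out only when the trace count is not bounded.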
 

Offline boffin

  • Supporter
  • ****
  • Posts: 1027
  • Country: ca
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #5 on: July 06, 2015, 08:20:34 am »
You could have just plugged a microphone into channel 2 of the scope and compared the waveforms to see if it was the beep.... (yes, I admit to screaming at the screen at that point)
 

Offline f4eru

  • Super Contributor
  • ***
  • Posts: 1093
  • Country: 00
    • Chargehanger
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #6 on: July 06, 2015, 08:24:01 am »
Yep, as Mauro said, the last digit press would be more interesting.
if it does a strncmp or similar, the length would vary very slightly depending on the first wrong digit -> game over.

You could try a destructive approach :

if you have a solenoid driver with a mosfet, like: http://home.comcast.net/~wahconah98/circuits/flyback.png
you could theoretically give on the supply a massive pulse to break the mosfet, and then power the solenoid directly through the shorted mos. You'll have to "override" the zener fast enough so the polyswitch does not yet react. perhaps possible with a few hundred volts in a short pulse...

You mention a PNP transistor. Not sure if those fail short when overvolting. Also, PNP ? I would expect a NPN...
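The if/else hierarchy in Reply #4 and the strncmp remark in Reply #6 describe the same weakness: a comparison that stops at the first wrong digit. As an added example (not code from the thread or from the lock's firmware), here is that early-exit check beside a comparison that always touches all six digits; the step counter stands in for execution time, and the stored code and guesses are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CODE_LEN 6

typedef int (*check_fn)(const uint8_t *, const uint8_t *, unsigned *);

/* Early-exit check: the number of loop iterations depends on where the
 * first wrong digit is, so timing reveals how many leading digits match. */
static int check_early_exit(const uint8_t *entered, const uint8_t *stored,
                            unsigned *steps)
{
    *steps = 0;
    for (size_t i = 0; i < CODE_LEN; i++) {
        (*steps)++;
        if (entered[i] != stored[i])
            return 0;
    }
    return 1;
}

/* Hardened check: every digit is processed on every attempt and the
 * differences are accumulated, so the iteration count is fixed. */
static int check_constant_time(const uint8_t *entered, const uint8_t *stored,
                               unsigned *steps)
{
    uint8_t diff = 0;
    *steps = 0;
    for (size_t i = 0; i < CODE_LEN; i++) {
        (*steps)++;
        diff |= (uint8_t)(entered[i] ^ stored[i]);
    }
    return diff == 0;
}

/* Leak metric: feed guesses with 0..5 correct leading digits and count how
 * many different step counts the check produces. 1 means nothing about the
 * position of the first wrong digit is visible in the step count. */
static int distinct_step_counts(check_fn check)
{
    const uint8_t stored[CODE_LEN] = {1, 2, 3, 4, 5, 6};   /* constructed */
    unsigned seen = 0;                                      /* bitmask of step counts */
    int count = 0;

    for (int prefix = 0; prefix < CODE_LEN; prefix++) {
        uint8_t guess[CODE_LEN];
        unsigned steps;
        for (int i = 0; i < CODE_LEN; i++)
            guess[i] = (i < prefix) ? stored[i] : 0;        /* 0 is never a stored digit here */
        check(guess, stored, &steps);
        seen |= 1u << steps;
    }
    for (; seen; seen >>= 1)
        count += (int)(seen & 1u);
    return count;
}

int main(void)
{
    printf("early exit:    %d distinct step counts\n",
           distinct_step_counts(check_early_exit));
    printf("constant time: %d distinct step counts\n",
           distinct_step_counts(check_constant_time));
    return 0;
}
```

A fixed iteration count removes the timing difference only; it says nothing about whether the values being processed still show up in the power trace.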

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16627
  • Country: 00
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #7 on: July 06, 2015, 08:36:34 am »
Love the sticker on the inside - "Inspected by: Clint".

Perfect name for a safe inspector.
 

Offline BillyD

  • Regular Contributor
  • *
  • Posts: 218
  • Country: ie
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #8 on: July 06, 2015, 08:40:29 am »
Very interesting + entertaining!
But how does it lock without power anyway? Is that a spring loaded latch?

 

Online Psi

  • Super Contributor
  • ***
  • Posts: 9925
  • Country: nz
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #9 on: July 06, 2015, 08:46:53 am »
Try the "Lift-up-and-drop" attack.

Seriously, quite a few cheap safes can be opened in seconds by lifting the front up to ~30 degrees and dropping it.
(rotate front 90deg and repeat on 4 front sides)

The locking arm jumps from the impact and the door often pops open.
Greek letter 'Psi' (not Pounds per Square Inch)
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37717
  • Country: au
    • EEVblog
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #10 on: July 06, 2015, 08:54:39 am »
You could try a destructive approach :
if you have a solenoid driver with a mosfet, like: http://home.comcast.net/~wahconah98/circuits/flyback.png
you could theoretically give on the supply a massive pulse to break the mosfet, and then power the solenoid directly through the shorted mos. You'll have to "override" the zener fast enough so the polyswitch does not yet react. perhaps possible with a few hundred volts in a short pulse...

I thought about that, but of course you'd need quite a few of these to experiment, unless you got very lucky.
I'd be surprised if La Gard would have this vulnerability.
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37717
  • Country: au
    • EEVblog
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #11 on: July 06, 2015, 08:55:35 am »
Very interesting + entertaining!
But how does it lock without power anyway? Is that a spring loaded latch?

Yes, it's all spring loaded, no need for power when you close it.
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37717
  • Country: au
    • EEVblog
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #12 on: July 06, 2015, 08:56:25 am »
Try the "Lift-up-and-drop" attack.
Seriously, quite a few cheap safes can be opened in seconds by lifting the front up to ~30 degrees and dropping it.
(rotate front 90deg and repeat on 4 front sides)
The locking arm jumps from the impact and the door often pops open.

I mentioned that, it's called bumping, and tried that later in the video, it doesn't work on this quality lock.
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37717
  • Country: au
    • EEVblog
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #13 on: July 06, 2015, 09:05:29 am »
Some comments: My assumption is that the first longer "dip" in the trace (for example at 27:01 in the video) is just the keypress and some current flow through a pull up/down resistor. Did you check that maybe by holding the button a bit longer?

Yes, button press length makes no difference.
 

Offline Pentium100

  • Frequent Contributor
  • **
  • Posts: 258
  • Country: lt
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #14 on: July 06, 2015, 09:06:07 am »
I did not see a big capacitor inside. It may be possible to override the lockout by disconnecting and reconnecting power, unless the safe does not open for 10 minutes after "replacing the battery".

The software most likely compares the last 6 digits entered with the passcode, so 248123456 would unlock it, otherwise the owner may have to enter the passcode more than once. It also makes it impossible to do the power line attack, since all that is happening is
Code:
Read_digit;
if_last_6_correct then open_safe;

you could theoretically give on the supply a massive pulse to break the mosfet, and then power the solenoid directly through the shorted mos.
I have never seen a mosfet that's shorted from drain to source - all blown up mosfets that I have seen are always shorted from drain to gate. Also, IIRC I have seen a blown up bipolar transistor that was shorted, but it was probably due to overheating or too high current, not overvoltage.
 

Offline TheAmmoniacal

  • Supporter
  • ****
  • Posts: 1188
  • Country: no
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #15 on: July 06, 2015, 09:22:20 am »
If you're planning to do anything more with this safe, I'd love to see the difference without the decoupling capacitors. You could simply (temporarily) desolder them and check if it makes much of a difference on the trace.
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16627
  • Country: 00
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #16 on: July 06, 2015, 09:33:23 am »
Interesting video. I'm surprised how easy it was to drill holes in it. I'd have expected it to be a lot more work with a hand drill. Must be made of a fairly soft steel, the angle grinder would have probably opened it in no time. Angle grinders make a lot of sparks though and can burn the contents (does Aussie plastic cash catch fire easily?) I wonder what a power saw would do to it (one of those "sawzall" things).

I'd like to have seen more sample waveforms of keypresses.  To me it looked like the second, smaller dip in the power was a slightly different shape on "correct" vs. "incorrect" ("Correct" was more rounded, "incorrect" was more triangular).

ie. The timing of the pulses was the same but the power consumption was slightly different.

It's hard to say if that's significant with a sample size of one though.
« Last Edit: July 06, 2015, 09:38:02 am by Fungus »
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16627
  • Country: 00
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #17 on: July 06, 2015, 09:42:34 am »
If you're planning to do anything more with this safe, I'd love to see the difference without the decoupling capacitors. You could simply (temporarily) desolder them and check if it makes much of a difference on the trace.

You could maybe also automate things with an Arduino to press a key right after power-on. Control the power supply with a MOSFET and don't give the caps time to charge fully. That would mean dismantling the keypad though, probably not what we're after - if you're going to start breaking things then you might as well just saw the thing open. It's not hardened steel.
 

Offline Muttley Snickers

  • Supporter
  • ****
  • Posts: 2339
  • Country: au
  • Cursed: 679 times
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #18 on: July 06, 2015, 09:46:52 am »
Anyone that is serious about securing cash, jewellery or documents first of all would have a fire rated concrete filled beast with a seismic sensor fitted to the door and interfaced to the security system. Your average Joe wouldn't bother but in cash rooms, jewellers and diamond cutters it is the norm and sometimes even a requirement for insurance purposes, an electronic shock sensor on steroids.

Not a fan of membrane codepads at all as they don't last long in a fire but surprisingly as dodgy Dave found out there are many ways to skin a cat, I didn't get a good look but a borescope and long handled screwdriver to simply loosen the lock through the holes may have worked but again we didn't see what he did so back on the angle grinder we go.

Being electronic I wonder how prone to a RF attack they would be although yours looked like they had thought of that with the shielding around the mechanism, you may have to be careful how much you disclose as we do have rules about hacking stuff, boundary yet unknown.

Some manufacturers have a back door in and this I have witnessed, but they won't tell.


Muttley
« Last Edit: February 13, 2016, 01:22:51 am by Muttley Snickers »
 

Offline george graves

  • Super Contributor
  • ***
  • Posts: 1257
  • Country: us
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #19 on: July 06, 2015, 10:07:23 am »
Some manufacturers have a back door in and this I have witnessed, but they won't tell.
Muttley

I'm not a tin-foil hat kinda of guy, but I wouldn't be surprised if there was.

Reminds me of the "you can't print money with your color inkjet/laser printer, cause there is a chip inside there that will stop you."  Anyone ever tried it?  There's another myth for Dave to bust!





Online Psi

  • Super Contributor
  • ***
  • Posts: 9925
  • Country: nz
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #20 on: July 06, 2015, 10:17:33 am »
Try the "Lift-up-and-drop" attack.
Seriously, quite a few cheap safes can be opened in seconds by lifting the front up to ~30 degrees and dropping it.
(rotate front 90deg and repeat on 4 front sides)
The locking arm jumps from the impact and the door often pops open.

I mentioned that, it's called bumping, and tried that later in the video, it doesn't work on this quality lock.

Yeah, i was bad and posted before i'd finished watching the video  ;D
Greek letter 'Psi' (not Pounds per Square Inch)
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37717
  • Country: au
    • EEVblog
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #21 on: July 06, 2015, 10:32:10 am »
I did not see a big capacitor inside. It may be possible to override the lockout by disconnecting and reconnecting power, unless the safe does not open for 10 minutes after "replacing the battery".

It doesn't reset, I tried that.
It can't write the timer value to the EEPROM because that would kill it, and can't use SRAM obviously, so it must write one bit to the EEPROM saying it's in lockout mode. Upon power up if that bit is set it waits 5 minutes, otherwise it starts working right away.
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37717
  • Country: au
    • EEVblog
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #22 on: July 06, 2015, 10:36:11 am »
I didn't get a good look but a borescope and long handled screwdriver to
simply loosen the lock through the holes may have worked but again we
didn't see what he did so back on the angle grinder we go.

No chance of that.
And you'd have to drill the holes anyway because if the safe is installed properly then it's bolted to a concrete floor and/or butted up against a wall so you'd have no holes available. If you are drilling, well, you might as well angle grind.
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37717
  • Country: au
    • EEVblog
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #23 on: July 06, 2015, 10:42:38 am »
Some manufacturers have a back door in and this I have witnessed, but they won't tell.
Muttley
I'm not a tin-foil hat kinda of guy, but I wouldn't be surprised if there was.

I would be very surprised in this case, because:
a) it would leak
b) it's been the world's most popular lock for decades, and it would be well known if that was the case. La Gard would lose their rep.
c) it wouldn't get the independent ratings it does if it had such a backdoor

Safe manufacturers do publish secret drill details for attacking various model safes, and they are closely guarded. But even then they don't design it that way, and it's not easy to do with TDR safes, so pretty useless info to your average thief anyway.

Quote
Reminds me of the "you can't print money with your color inkjet/laser printer, cause there is a chip inside there that will stop you."  Anyone ever tried it?  There's another myth for Dave to bust!

Coincidentally that's been on the cards for months, and I have sample printouts and was just saying to David2 today I should do that video.
Was waiting for some hardware but that's not coming any time soon it seems, so will do it regardless.
And BTW, it's not as involved as you might think.
« Last Edit: July 06, 2015, 11:05:26 am by EEVblog »
 

Offline BillyD

  • Regular Contributor
  • *
  • Posts: 218
  • Country: ie
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #24 on: July 06, 2015, 10:45:20 am »
Some manufacturers have a back door in and this I have witnessed, but they won't tell.
Muttley

I'm not a tin-foil hat kinda of guy, but I wouldn't be surprised if there was.

Reminds me of the "you can't print money with your color inkjet/laser printer, cause there is a chip inside there that will stop you."  Anyone ever tried it?  There's another myth for Dave to bust!

Not wishing to derail this topic, but that's actually true and I verified it on my Lexmark scanner a couple of years ago. It got about one third of the way through a ten Euro note before packing it in. I can't remember exactly what error message it gave, although I think it did spell out that it had detected currency.

 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16627
  • Country: 00
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #25 on: July 06, 2015, 10:48:52 am »
I did not see a big capacitor inside. It may be possible to override the lockout by disconnecting and reconnecting power, unless the safe does not open for 10 minutes after "replacing the battery".
It doesn't reset, I tried that.
Yep, that's a very obvious attack. Not surprising that they thought of that.
 

Offline helius

  • Super Contributor
  • ***
  • Posts: 3639
  • Country: us
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #26 on: July 06, 2015, 10:56:53 am »
Reminds me of the "you can't print money with your color inkjet/laser printer, cause there is a chip inside there that will stop you."  Anyone ever tried it?  There's another myth for Dave to bust!
Not wishing to derail this topic, but that's actually true and I verified it on my Lexmark scanner a couple of years ago. It got about one third of the way through a ten Euro note before packing it in. I can't remember exactly what error message it gave, although I think it did spell out that it had detected currency.

https://en.wikipedia.org/wiki/EURion_constellation
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16627
  • Country: 00
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #27 on: July 06, 2015, 11:00:23 am »
Not a fan of membrane codepads at all as they don't last long in a fire
If it got hot enough to melt the keypad then all the internal cables and connectors have probably gone anyway.

And if your house has burnt down then having to angle-grind the safe is the least of your problems.

Some manufacturers have a back door in and this I have witnessed, but they won't tell.
No way. Not happening.

The entire company is at stake and no back door will remain secret forever. The last thing you want is for every single safe you ever manufactured to be worthless.

Hotel safes? That's a different story. Guests can easily forget their super-secret number so there has to be a way to open them. The safes usually have a hidden RS232 port so the staff can connect up a special unlocking gadget.

Manufacturers aren't stupid though, there has to be a system to stop people figuring out how to open any hotel safe in the world with just a smartphone and an FTDI adapter. Presumably each hotel has its own hardware dongle, etc.
« Last Edit: July 06, 2015, 11:06:23 am by Fungus »
 

Offline Deathwish

  • Supporter
  • ****
  • Posts: 1424
  • Country: wales
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #28 on: July 06, 2015, 11:02:13 am »
Reminds me of the "you can't print money with your color inkjet/laser printer, cause there is a chip inside there that will stop you."  Anyone ever tried it?  There's another myth for Dave to bust!

Long ago circa 1999 I recall a file / hack for photoshop that allowed this to happen. Can't recall the name of the file but it does work as far as I can remember .... :-DD
Electrons are typically male, always looking for any hole to get into.
trying to strangle someone who talks out of their rectal cavity will fail, they can still breath.
God hates North Wales, he has put my home address on the blacklist of all couriers with instructions to divert all parcels.
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16627
  • Country: 00
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #29 on: July 06, 2015, 11:03:06 am »
Reminds me of the "you can't print money with your color inkjet/laser printer, cause there is a chip inside there that will stop you."  Anyone ever tried it?
Yes.

There's another myth for Dave to bust!
It's not a myth.

If you want to do an experiment you can try erasing parts of the note in Photoshop until it decides to print it. See how much you have to remove.

 

Offline Deathwish

  • Supporter
  • ****
  • Posts: 1424
  • Country: wales
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #30 on: July 06, 2015, 11:05:11 am »


OR you can just get the following file.... http://forum.exetools.com/showthread.php?t=3301
« Last Edit: July 06, 2015, 11:11:24 am by Deathwish »
Electrons are typically male, always looking for any hole to get into.
trying to strangle someone who talks out of their rectal cavity will fail, they can still breath.
God hates North Wales, he has put my home address on the blacklist of all couriers with instructions to divert all parcels.
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37717
  • Country: au
    • EEVblog
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #31 on: July 06, 2015, 11:07:09 am »
Manufacturers aren't stupid though, there has to be a system to stop people figuring out how to open any hotel safe in the world with just a smartphone and an FTDI adapter. Presumably each hotel has its own hardware dongle, etc.

Simple, you buy a quality brand hotel safe. But they cost money, hundreds, not $50.
 

Offline george graves

  • Super Contributor
  • ***
  • Posts: 1257
  • Country: us
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #32 on: July 06, 2015, 11:17:12 am »
There's another myth for Dave to bust!

It's not a myth.

You and I may know that (actually never tried, but a quick Google search shows some 10M pixels scans of the US $100 bill)....but, it makes a good video for Dave.  It's all about the link bait! :)

Offline Hydrawerk

  • Super Contributor
  • ***
  • Posts: 2599
  • Country: 00
Amazing machines. https://www.youtube.com/user/denha (It is not me...)
 

Offline HighVoltage

  • Super Contributor
  • ***
  • Posts: 5468
  • Country: de
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #34 on: July 06, 2015, 11:50:29 am »
There is a "fix" for Adobe Photoshop, so you can scan banknotes directly in to the software.

 
There are 3 kinds of people in this world, those who can count and those who can not.
 

Offline David_AVD

  • Super Contributor
  • ***
  • Posts: 2806
  • Country: au
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #35 on: July 06, 2015, 12:16:22 pm »
you could theoretically give on the supply a massive pulse to break the mosfet, and then power the solenoid directly through the shorted mos.
I have never seen a mosfet that's shorted from drain to source - all blown up mosfets that I have seen are always shorted from drain to gate. Also, IIRC I have seen a blown up bipolar transistor that was shorted, but it was probably due to overheating or too high current, not overvoltage.

I haven't watched the video yet, but just a comment on the above.  If it did use a MOSFET, could you take advantage of its inbuilt protection diode with a reverse polarity supply?  This could not work if there was a diode in series with the supply of course.
 

Offline Hole

  • Contributor
  • Posts: 32
  • Country: de
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #36 on: July 06, 2015, 12:21:11 pm »
Hmmmm. It is clocked with 4 MHz. Datasheet shows that the majority of opcodes needs 4 clock cycles for execution.

At 30:00 in the video we see that the processing minimum is about 40 ms long, maybe take 5ms. Whatever.

With 40 ms and 4 cycles per opcode at 4 MHz I assume we have about 40.000 executions in that 2 cm of screen resolution.

Do we really expect to see something?
 

Offline Supercharged

  • Regular Contributor
  • *
  • Posts: 61
  • Country: ch
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #37 on: July 06, 2015, 12:23:58 pm »
How is the keypad connected to the processor? Maybe they screwed something up there and you could access some data thru there.
Science is about what is, engineering is about what can be.
-Neil Armstrong
 

Offline Howardlong

  • Super Contributor
  • ***
  • Posts: 5317
  • Country: gb
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #38 on: July 06, 2015, 12:38:30 pm »
Well, I embarrassed myself by laughing out loud on the tube this morning at the FAIL! Still chuckling about it now.

If only I had a dollar for every time I put something back together and missed something. There are those who have, and those who will.

Luckily my commute is temporary and only 20 odd minutes, so I'm looking forward to the second half this evening on my way home.
« Last Edit: July 06, 2015, 01:32:39 pm by Howardlong »
 

Offline eV1Te

  • Regular Contributor
  • *
  • Posts: 186
  • Country: se
  • Your trusted friend in science!
    • richardandersson.net
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #39 on: July 06, 2015, 12:42:28 pm »
Dave, what happens if you push the number sequence: 9123456, does it open when you press the last digit (6) or does it fail on (5)?


Sent from my SM-G900F using Tapatalk

 

Offline justanothercanuck

  • Frequent Contributor
  • **
  • Posts: 391
  • Country: ca
  • Doing retro repairs...
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #40 on: July 06, 2015, 12:55:43 pm »
Would a big electromagnet be enough to energize the solenoid and unlock the door?
Maintain your old electronics!  If you don't preserve it, it could be lost forever!
 

Offline TheAmmoniacal

  • Supporter
  • ****
  • Posts: 1188
  • Country: no
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #41 on: July 06, 2015, 01:00:35 pm »
Would a big electromagnet be enough to energize the solenoid and unlock the door?

The case would shield the insides completely.
 

Offline mikerj

  • Super Contributor
  • ***
  • Posts: 3237
  • Country: gb
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #42 on: July 06, 2015, 01:15:54 pm »
Love the sticker on the inside - "Inspected by: Clint".

Perfect name for a safe inspector.

What I did find interesting is that the label shows the model as an 'H2C' (C=combination lock) but it's clearly an H2D with a digital lock.
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37717
  • Country: au
    • EEVblog
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #43 on: July 06, 2015, 01:49:36 pm »
What I did find interesting is that the label shows the model as an 'H2C' (C=combination lock) but it's clearly an H2D with a digital lock.

Obviously retrofitted after manufacture. Not uncommon.
 

Offline Rasz

  • Super Contributor
  • ***
  • Posts: 2616
  • Country: 00
    • My random blog.
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #44 on: July 06, 2015, 01:55:06 pm »
Bumping works on very expensive safes and locks.


There is a pin = your safe can be bumped, but you need to practice to know when to rotate, it's a skill. Sure pin is small and needs a big bump, but it's doable. The secret to bumping is you don't need whole movement in one bump.

"you can't attack this in any other way" is pretty naive. They left hole for another plug in the lock, and three additional holes in front plate. You could jam a wire bent the exact way in front plate hole and poke inside the lock until you land on one of the solenoid pins, you already control ground over power cable, this will give you direct control of solenoid. It sounds impossible until you see guys from TOOOL doing it casually with coat hangers.

Lockout after 4 bad attempts - you had whole pcb outside and you didn't test it?!?!?!?!  By sniffing I2C while entering bad combinations you would learn if it writes to eprom every key press or every 24 key presses (4x6), or if it writes to eprom at all? You didn't even power cycle to see if that clears the lockout. HELL, you didn't even test if the lock part is responsible for decoding the pin at all by sniffing keypad connection :(

If it writes after 4 bad attempts (4x6 presses) it would allow for power cycling after fewer digits (23). And if it writes after every bad key press (stupid) it will be that much more visible in the power analysis.

"there is nothing in that, it comes down to noise" hehe no. 10ms per division is too long and you won't see anything at that scale, you are dealing with micro at 4MHz, data IS in there, you extract it with statistical methods. You didn't even capture and compare whole correct code+opening versus bad sequence.

"I didn't expect vuln, they designed it well" hahaha, nothing is uncrackable.


Some comments: My assumption is that the first longer "dip" in the trace (for example at 27:01 in the video) is just the keypress and some current flow through a pull up/down resistor. Did you check that maybe by holding the button a bit longer?

There are two micros in this safe. First one in the keypad, second one in the lock. You can get to the keypad easily, that means it can be bypassed cleaning up the trace further (at least the beep).


All in all interesting video, but without the climax (as always :P). Proper followup would make an even better one. Team up with Colin O'Flynn (or at least voicechat for advice), and use ChipWhisperer properly overcoming your laziness (c'mon, we all know you didn't use ChipWhisperer because it needed learning, setting up, programming, blablabla).

The software most likely compares the last 6 digits entered with the passcode, so 248123456 would unlock it, otherwise the owner may have to enter the passcode more than once. It also makes it impossible to do the power line attack, since all that is happening is

12 keys x 6 long = ~3 mil combinations. If it is testing last 6 digits it is susceptible to De Bruijn sequence attack. If it writes to eprom after 24 bad presses you can reset every 23 ones, that leaves ~130000 sequences to try. Few hours of bruteforcing?
Who logs in to gdm? Not I, said the duck.
My fireplace is on fire, but in all the wrong places.
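The ordering question raised in the post above (when the failed-attempt count reaches non-volatile memory relative to a power cycle), shown as an added example that is not from the thread or from the lock's firmware. It simulates a lock that counts failures in RAM and one that commits each attempt before comparing; the struct, function names, stored code and wrong entry are constructed, and only the threshold of 4 comes from the post.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define CODE_LEN  6
#define MAX_FAILS 4              /* lockout threshold quoted in the post */

/* Simulated lock state: nv_fails models EEPROM, ram_fails is lost on power loss. */
struct lock {
    char     code[CODE_LEN];
    unsigned nv_fails;
    unsigned ram_fails;
    bool     charge_first;       /* true: commit the attempt before comparing */
};

static void lock_init(struct lock *l, const char *code, bool charge_first)
{
    memset(l, 0, sizeof *l);
    memcpy(l->code, code, CODE_LEN);
    l->charge_first = charge_first;
}

/* Battery removed: RAM state is lost, EEPROM state survives. */
static void power_cycle(struct lock *l) { l->ram_fails = 0; }

static bool locked_out(const struct lock *l) { return l->nv_fails >= MAX_FAILS; }

/* Evaluate one complete 6-digit entry; returns true when the lock opens.
 * memcmp keeps the example short; it is not a constant-time compare. */
static bool try_code(struct lock *l, const char *entry)
{
    if (locked_out(l))
        return false;
    if (l->charge_first) {
        l->nv_fails++;                       /* persisted before the result is known */
        if (memcmp(entry, l->code, CODE_LEN) == 0) {
            l->nv_fails = 0;                 /* cleared only by a correct code */
            return true;
        }
        return false;
    }
    /* Weak ordering: count in RAM, touch EEPROM only when the threshold is hit. */
    if (memcmp(entry, l->code, CODE_LEN) == 0) {
        l->ram_fails = 0;
        return true;
    }
    if (++l->ram_fails >= MAX_FAILS)
        l->nv_fails = MAX_FAILS;
    return false;
}

/* Submit n wrong entries, removing power after every cycle_every entries
 * (0 = never). Returns how many entries the lock actually evaluated. */
static unsigned wrong_entries_evaluated(bool charge_first, unsigned n, unsigned cycle_every)
{
    struct lock l;
    unsigned evaluated = 0;
    lock_init(&l, "482913", charge_first);   /* constructed code */
    for (unsigned i = 1; i <= n && !locked_out(&l); i++) {
        try_code(&l, "000000");              /* constructed wrong entry */
        evaluated++;
        if (cycle_every && i % cycle_every == 0)
            power_cycle(&l);
    }
    return evaluated;
}

/* Three wrong entries followed by the right one must still open in both variants. */
static bool opens_after_three_wrong(bool charge_first)
{
    struct lock l;
    lock_init(&l, "482913", charge_first);
    for (int i = 0; i < 3; i++)
        try_code(&l, "000000");
    return try_code(&l, "482913") && l.nv_fails == 0;
}

int main(void)
{
    printf("weak, power removed every 3 entries:     %u of 100 evaluated\n",
           wrong_entries_evaluated(false, 100, 3));
    printf("hardened, power removed every 3 entries: %u of 100 evaluated\n",
           wrong_entries_evaluated(true, 100, 3));
    printf("legitimate user still gets in: weak=%d hardened=%d\n",
           opens_after_three_wrong(false), opens_after_three_wrong(true));
    return 0;
}
```

The commit-first variant costs one non-volatile write per entry, so write endurance of the storage has to be budgeted for.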
 

Offline max666

  • Frequent Contributor
  • **
  • Posts: 367
  • Country: at
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #45 on: July 06, 2015, 02:20:38 pm »
Bumping works on very expensive safes and locks.


There is a pin = your safe can be bumped, but you need to practice to know when to rotate, it's a skill. Sure pin is small and needs a big bump, but it's doable. The secret to bumping is you don't need whole movement in one bump.

The reason why bumping doesn't work on this lock is because of the mass loaded pin opposed to the solenoid pin:



Any acceleration that would move the solenoid pin out of the way would also move the other pin in the way. I'm not saying it's impossible, but this makes this very difficult I guess.

But I have a question, what's the strange cut-out in the latch for?
 

Offline kyndal

  • Regular Contributor
  • *
  • Posts: 54
  • Country: ca
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #46 on: July 06, 2015, 02:21:24 pm »
Loved the epic fail. And safe cracking part!

Looks to me like you can take the lock apart with a very long screwdriver from the back.

If you can get to the holes anyway
Just like you can't bump or tilt it. If it's bolted down.

Also..  I agree that if the software was poorly made.  And you could detect correct keys.  They would be in the right order.

But likely they store all 6 keypresses.
And THEN verify if it's "a" correct code.
Could have several..

so you might detect the "success" routine /solenoid...  Which defeats the purpose

/Kyndal
 

Offline gman4925

  • Regular Contributor
  • *
  • Posts: 51
  • Country: us
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #47 on: July 06, 2015, 02:28:06 pm »
It's simplified and theoretical but https://microcorruption.com is an online lock debugging/cracking programming challenge, good fun.
 

Offline Neddie

  • Contributor
  • Posts: 29
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #48 on: July 06, 2015, 02:42:15 pm »
Almost EVERY mosfet I've come across that is blown is short Drain to Source and Gate. Whole thing is one big short no matter where you measure.
In an offline power supply circuit, it's a real PITA, as everything connected to the mosfet gate gets 320Vdc and all the smoke comes out :0(
 

Offline ivan747

  • Super Contributor
  • ***
  • Posts: 2045
  • Country: us
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #49 on: July 06, 2015, 02:43:15 pm »
Come on Dave, you didn't try hard enough! It was a very interesting prospect.

 If you're still interested, you could use a lower value resistor, amplified, to shift up in frequency the -3dB point of the RC filter you're effectively creating. Also, I saw some pulses after the buzzer, maybe you could try analyzing and comparing that. Finally, you could try some digital notch filtering on the buzzer pulse and/or FFT analysis.

Higher vertical resolution and an amplifier would definitely help (I think you have some specialty probes for that, don't you? You also have the guys at Trio Smartcal).


 

Offline Gabor

  • Newbie
  • Posts: 1
  • Country: gb
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #50 on: July 06, 2015, 02:45:02 pm »
I use this Spectrum analyzer on my mobile: https://play.google.com/store/apps/details?id=radonsoft.net.spectralview. The rolling time axis and frequency intensity color coding is pretty cool. When running it next to a CNC or in fact next to any motor, shaft rpm exponential behaviour due to the PID controller is clearly visible. Check it out.

Gabor

PS. this was my first ever blogpost, I hope I wrote it in the appropriate field.
 

Offline zapta

  • Super Contributor
  • ***
  • Posts: 6190
  • Country: us
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #51 on: July 06, 2015, 02:50:52 pm »
Why is the solenoid cable so long?

Possibly it can be opened by drilling holes and pulling out the connector.
 

Offline ivan747

  • Super Contributor
  • ***
  • Posts: 2045
  • Country: us
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #52 on: July 06, 2015, 03:08:24 pm »
Some manufacturers have a back door in and this I have witnessed, but they won't tell.
Muttley

I'm not a tin-foil hat kinda of guy, but I wouldn't be surprised if there was.

Reminds me of the "you can't print money with your color inkjet/laser printer, cause there is a chip inside there that will stop you."  Anyone ever tried it?  There's another myth for Dave to bust!

That's easy to test.
 

Offline G7PSK

  • Super Contributor
  • ***
  • Posts: 3859
  • Country: gb
  • It is hot until proved not.
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #53 on: July 06, 2015, 03:24:36 pm »
There's another myth for Dave to bust!

It's not a myth.

You and I may know that (actually never tried, but a quick google search shows some 10M pixels scans of the US $100 bill)....but, it makes a good video for Dave.  It's all about the link bait! :)

I just tried scanning a £20 note with my Epson WF-2530 in greyscale it will scan the note and print it as well but if I try colour it brings up a notice saying that it has detected money and won't continue with the scan. If I photograph the note it will print it.
In the 1970's I worked for a company that had a large Chubb safe in the basement where the days takings were kept. One day we came in and found someone had broken into the premises pulled the safe from the wall and removed the back of it which was only held on by 4x quarter inch screws whoever did it knew their stuff. The company was a locksmiths by the way.
« Last Edit: July 06, 2015, 03:30:30 pm by G7PSK »
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16627
  • Country: 00
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #54 on: July 06, 2015, 03:27:14 pm »
I just tried scanning a £20 note with my Epson WF-2530 in greyscale it will scan the note and print it as well but if I try colour it brings up a notice saying that it has detected money and won't continue with the scan. If I photograph the note it will print it.
A fun experiment is to cover up parts of the note until it scans.

Try to figure out what it's seeing.
 

Offline HighVoltage

  • Super Contributor
  • ***
  • Posts: 5468
  • Country: de
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #55 on: July 06, 2015, 03:36:27 pm »
Try to figure out what it's seeing.
The yellow circular spots as shown in the picture are seen by the scanner / scanning software.
It is the triangular combination of three rings, which are repeated differently, depending on the bank notes.
There are 3 kinds of people in this world, those who can count and those who can not.
 

Offline ivan747

  • Super Contributor
  • ***
  • Posts: 2045
  • Country: us
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #56 on: July 06, 2015, 03:37:51 pm »
Some manufacturers have a back door in and this I have witnessed, but they won't tell.
Muttley

I'm not a tin-foil hat kinda of guy, but I wouldn't be surprised if there was.

Reminds me of the "you can't print money with your color inkjet/laser printer, cause there is a chip inside there that will stop you."  Anyone ever tried it?  There's another myth for Dave to bust!

That's easy to test.

I just scanned a $20 US dollar bill on an HP scanner/inkjet combo. It's low resolution, but the EURion constellation was visible on the scan. For the record, this was an HP Deskjet 3540.
« Last Edit: July 06, 2015, 03:47:15 pm by ivan747 »
 

Offline dexters_lab

  • Supporter
  • ****
  • Posts: 1890
  • Country: gb
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #57 on: July 06, 2015, 03:51:34 pm »

Interesting video Dave, I would have liked to see what happens after the 6th digit was entered as others have mentioned, but I would suspect you would have to get quite sophisticated to get something meaningful and then you have to think about glitching the power at the right point.

I would be interested to see the internals of the keypad and how the lock communicates with it

it's a fascinating subject, this is well worth a watch:




Offline f4eru

  • Super Contributor
  • ***
  • Posts: 1093
  • Country: 00
    • Chargehanger
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #58 on: July 06, 2015, 04:23:40 pm »
Quote
I have never seen a mosfet that's shorted from drain to source - all blown up mosfets that I have seen are always shorted from drain to gate. Also, IIRC I have seen a blown up bipolar transistor that was shorted, but it was probably due to overheating or too high current, not overvoltage.
You broke them wrong.
A G-S short is due to an overstress on gate voltage.
A thermal overstress or G-D overvoltage typically shorts all 3 pins.
Quote
I thought about that, but of course you'd need quite a few of these to experiment, unless you got very lucky.
Typically, you can rebuild the little part of the circuit that's relevant (zener, polyswitch, transistor, solenoid), and zap that one multiple times until you find the sweet spot in the time-voltage curve that breaks it the way you want, then test it on an original one...
Quote
I thought about that, but of course you'd need quite a few of these to experiment, unless you got very lucky.
I'd be surprised if La Gard would have this vulnerability.
I would not be surprised to find a pulse shape that could break the transistor without exploding the polyswitch...
« Last Edit: July 06, 2015, 04:29:40 pm by f4eru »
 

Offline MartinX

  • Regular Contributor
  • *
  • Posts: 111
  • Country: se
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #59 on: July 06, 2015, 05:10:15 pm »
Looking at the transistor markings, the solenoid is driven by an ON PZT751T1 PNP transistor; it is a 60V device. There is a large SMC transient suppressor on the supply line before the fuse, marking GEE. I think that is a 12V ON 1SMC5.0AT3G series type. Having a suppressor at 12V and a 60V transistor will probably make it difficult to send a pulse that will open the transistor before the zener clamps or shorts out from overload. Possibly you could aim to vaporize the zener completely, but I wonder if the PCB tracks will support that.
 

Offline SeanB

  • Super Contributor
  • ***
  • Posts: 16276
  • Country: za
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #60 on: July 06, 2015, 05:39:04 pm »
12mm front and rest 6mm is typical of safes, which are meant to be bolted to a floor and wall, then built in with brickwork. Dad had a safe he got from his work free, as it had been left as free standing, and the burglars had simply turned it over one Friday evening after breaking in, and then cut through the thin plate under it, then cut through the concrete fill and finally went through the inner skin. Front and the first 20cm of the sides were 20mm steel, but the rest was simply 2mm steel and 1mm underneath. He simply plated the holes with steel sheet and filled the space with gypsum, then used it as the house safe.

Safe at work ( rated for free standing use) is 15mm steel all round, over a tamper resistant core, and at nearly a ton it is not easy to move. Last move I got the pro safe movers in, as it had to move 10m. Took them 20 minutes with the right moving tools and trolleys, and six people to do the carry work. We use it to store backups and documents. The big walk in safe is used as a server room. The old bank next door ( now a shop) uses the 3 walk in safes under the floor as stock storage. I joke with Tony the door key costs more than the stock inside.
 

Offline SA007

  • Newbie
  • Posts: 9
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #61 on: July 06, 2015, 05:59:46 pm »
I've worked with similar locks (same brand, same form factor, different type) at a previous job and there is a major back-door I know of, although this lock would not be susceptible.

These locks were time-delay locks (enter code 1, wait x minutes, enter code 2, safe opens).
The time delays and other settings (such as use only one code, or require both codes to unlock) were programmed in with a special programming tool.
This tool was connected to the same connector as the keypad.

So you would open up the safe, remove the backplate, unplug the keypad, plug in the programmer, program and reverse the process.
The keypad and the programmer use the same connector and pins, and that is the problem.

I found a way to open up the keypad, made a (passive) adaptor to hook the programmer to the wiring attached to the keypad and managed to program the lock without opening the safe first.
I just programmed it 'disable time delay', 'disable code 2' and hooked the keypad back up and opened the safe.
This took about 1 minute, compared to the 10 minute time delay that was programmed in.

Programming does require 'code 1', but most customers left it as factory default (123456 indeed) and only changed code 2.
 

Offline Muxr

  • Super Contributor
  • ***
  • Posts: 1369
  • Country: us
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #62 on: July 06, 2015, 06:42:25 pm »
I laughed when you closed the door with the solenoid disconnected. That's totally something I would do. Good video Dave.  :-DD
 

Offline yym

  • Contributor
  • !
  • Posts: 23
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #63 on: July 06, 2015, 07:35:58 pm »
Hi Dave,

I'm one of those viewers who watches most of your videos but comment rarely and when they do, they usually have something negative to say.

This last video of yours is lacking any scientific information content, it has 0 teaching value.
I thought that the idea of eevblog was of learning about electronics, you know 'real world' electronics, but lately your videos are not about that anymore.

You set up to do some power line analysis, but in the end you did none of that, and your whole setup was so wrong, I don't even...
I knew from the beginning that it would be a fail, you just don't know enough (or it seems that barely anything) about the subject.
To me it seems like you are falling behind, you can not keep up with the modern stuff, you make more and more mistakes, stupid mistakes.
Also it is more and more visible that this blog is driven by making money than by enthusiasm/passion about electronics.
I can see a clear constant drop in the quality (and by that I mean teaching value, not image quality) of your videos, one of them was so boring (well.. to me) that I actually fell asleep.

To put it simply, your videos became the cat videos of electronics, simple stupid/fun stuff for the big majority, because ultimately that is what counts: subscribers and viewer count.

I could go on for pages but I feel you won't give much importance to my opinion anyway, so why should I bother.


If you take away anything from this, then take this: more science, less you

Regards,
Some random dude from the internets

P.S. I know, I know... you can't please everyone, don't get too upset




 

Offline jippie

  • Supporter
  • ****
  • Posts: 118
  • Country: nl
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #64 on: July 06, 2015, 08:07:43 pm »
The thread is getting too long to read as it is time for bed. Allow me to repeat my comment from the blog:

  • Why didn't you use your µCurrent? It may show more details in the current.
  • Another thought is to disconnect the beeper, which will suppress the major noise on the power line. I suspect the beeper uses one of the four wires in the cable and is placed in the front handle. Can the handle be opened?
  • With so much spare cable inside the vault, *if* the cable snaps, it might be possible to just remove the front disc, then pull out the cable for a couple centimeters and snip off the part that is most likely broken.
  • Last but not least: as others have mentioned, I expect the author of the software will have spent excessive time in making all loops and decisions etc take equal time. It is a well known attack nowadays (not entirely sure for 2004)
 

Offline MrMetthew

  • Regular Contributor
  • *
  • Posts: 57
  • Country: ca
  • Where it all comes down to : i = c (dv/dt)
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #65 on: July 06, 2015, 08:27:03 pm »
On a less serious note, after seeing this video, I wanna buy that cheap microscope again :p !
 

Offline apis

  • Super Contributor
  • ***
  • Posts: 1667
  • Country: se
  • Hobbyist
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #66 on: July 06, 2015, 08:54:55 pm »
As others mention the magic probably happens after pressing the last digit. At first, the uC stores the key presses in RAM then only after the last key is pressed it does a check of the whole sequence, if one can see something it would be then. In theory one might be able to see something at startup as well, but probably more difficult.

But the video is still interesting, it demonstrates the principle and shows you can see evidence of what's going on inside: the beeper, etc! :)

The reason why bumping doesn't work on this lock is because of the mass loaded pin opposed to the solenoid pin:



Any acceleration that would move the solenoid pin out of the way would also move the other pin in the way. I'm not saying it's impossible, but this makes this very difficult I guess.
I was going to suggest that one could simply put in a second solenoid facing in the opposite direction, or simpler still: a pin attached to a matching mass/spring that is normally out of the way. But you are right, it looks like they thought of that as well! It should make bumping impossible (in theory).

This lock actually seems pretty well designed.

As for keeping track of failed attempts, couldn't the capacitors just keep the microprocessor's internal RAM powered for long enough that it simply stores that in RAM?
« Last Edit: July 06, 2015, 09:11:59 pm by apis »
 

Offline Rick60

  • Contributor
  • Posts: 18
  • Country: gb
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #67 on: July 06, 2015, 09:02:31 pm »
I wonder if it would be possible to see the 400kHz I2C clock and data line as distinct levels, either during power up or after the sixth key, allowing you to decode the EEPROM contents?
 

Offline metalhead777

  • Newbie
  • Posts: 4
  • Country: de
  • Electrical Engineer, fresh from university
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #68 on: July 06, 2015, 11:07:34 pm »
Something I thought of, but didn't think through entirely, so there might be some errors (posted it under the video, too):
I noticed that decoupling was done with some large Tantalum caps. These are rather slow, what would happen, if we replace the Battery with some sort of DC-Powersource with a higher frequency ripple added? The tantalums shouldn't be able to block that out, would it be possible to see something happen to the RF ripple? Or were there some ceramic caps in parallel I didn't see?
I would expect RF signals to penetrate through the entire power section. With a correctly chosen frequency there might be a reaction due to changing the current flow.

Does anybody have any idea, if this might work?
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37717
  • Country: au
    • EEVblog
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #69 on: July 06, 2015, 11:22:19 pm »
I'm one of those viewers who watches most of your videos but comment rarely and when they do, they usually have something negative to say.
This last video of yours is lacking any scientific information content, it has 0 teaching value.
I thought that the idea of eevblog was of learning about electronics, you know 'real world' electronics, but lately your videos are not about that anymore.

There is an unsubscribe button.

Quote
You set up to do some power line analysis, but in the end you did none of that, and your whole setup was so wrong, I don't even...
I knew from the beginning that it would be a fail, you just don't know enough (or it seems that barely anything) about the subject.

It was a simple first test to see if there was anything obvious with the simplest approach possible. I expected it to be a fail too, but thought it would be interesting enough for a first video.

Quote
To me it seems like you are falling behind, you can not keep up with the modern stuff, you make more and more mistakes, stupid mistakes.
Also it is more and more visible that this blog is driven by making money than by enthusiasm/passion about electronics.
I can see a clear constant drop in the quality (and by that I mean teaching value, not image quality) of your videos, one of them was so boring (well.. to me) that I actually fell asleep.

Please unsubscribe then.

Quote
I could go on for pages but I feel you won't give much importance to my opinion anyway, so why should I bother.

Correct, because I can and have proved you are demonstrably wrong that my videos have changed in the quality of "teaching value".

Quote
P.S. I know, i know... you can't please everyone, don't get too upset

Correct. And a ton of people loved this video.
Of course I'm going to get a few who hated it or found fault with it, welcome to Youtube.
 

Offline VK5RC

  • Supporter
  • ****
  • Posts: 2672
  • Country: au
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #70 on: July 06, 2015, 11:47:37 pm »
I teach (post graduates,  non electronic field) and some of the best learning occurs when people are having fun and engaged.  I find EEVblog finds that balance well,  a true variety of topics,  bit of fun but backed by good theory in general.
Whoah! Watch where that landed we might need it later.
 

Offline coflynn

  • Regular Contributor
  • *
  • Posts: 50
  • Country: ca
    • Colin's Homepage
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #71 on: July 06, 2015, 11:49:53 pm »
Very interesting! I found one of the same electronic keypad lock portion on ebay and purchased to do some inspection myself, as I have wondered about these for a long time. Was good to see a bit of a teardown & initial test to get some ideas of what's involved.

Quote
Last but not least: as others have mentioned, I expect the author of the software will have spent excessive time in making all loops and decisions etc take equal time. It is a well known attack nowadays (not entirely sure for 2004)

It's been known for a long time... but it's easily done wrong or with enough difference between execution paths to still perform the analysis. So I wouldn't be too surprised to find out there is some attack vector. To really start the analysis it's easier to do it right on the chip itself (i.e. NOT something you can do in a practical scenario) and then work backwards to attacking from the front panel.

This gets rid of a ton of noise and eliminates issues w.r.t. decoupling capacitors. If you know the exact time-frame to look at it's often possible to still get very good results, even with decoupling present.
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37717
  • Country: au
    • EEVblog
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #72 on: July 06, 2015, 11:55:53 pm »
I teach (post graduates,  non electronic field) and some of the best learning occurs when people are having fun and engaged.  I find EEVblog finds that balance well,  a true variety of topics,  bit of fun but backed by good theory in general.

It should also be noted that the EEVblog was never conceived to be any sort of teaching channel. It's exactly as advertised, an "off the cuff video blog for electronics engineers and hobbyists."
People are too quick to criticise when I get something wrong, or miss something, or don't present something the way they expect, as if they are owed an absolutely first rate world class teaching channel  ::)
 

Offline boffin

  • Supporter
  • ****
  • Posts: 1027
  • Country: ca
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #73 on: July 07, 2015, 03:13:52 am »
Go Dave!

The EEVBLOG is whatever Dave wants to make of it.  If you don't like it, you don't have to watch. Loved the fact you fessed up to your fail-button moment, and the fact that what you were trying to do, didn't really come through as a possibility.
 

Offline Stonent

  • Super Contributor
  • ***
  • Posts: 3824
  • Country: us
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #74 on: July 07, 2015, 04:49:21 am »
Something I thought of, but didn't think through entirely, so there might be some errors (posted it under the video, too):
I noticed that decoupling was done with some large Tantalum caps. These are rather slow, what would happen, if we replace the Battery with some sort of DC-Powersource with a higher frequency ripple added? The tantalums shouldn't be able to block that out, would it be possible to see something happen to the RF ripple? Or were there some ceramic caps in parallel I didn't see?
I would expect RF signals to penetrate through the entire power section. With a correctly chosen frequency there might be a reaction due to changing the current flow.

Does anybody have any idea, if this might work?

I think it has a very good possibility of working.  As I was watching the video, I was thinking of electrical attack methods over the exposed battery line.  As was mentioned before trying to brown out the processor and see what happens. The other thought was feed a PWM signal into a mosfet that's connected to the battery to see if you could glitch the processor and get the needle to skip so to speak, causing it to jump to a different subroutine.  Maybe have the PWM have a random duty cycle and cycle through various frequencies and have the input voltage vary up and down.

And there's always the destructive method of trying an over-voltage attack on it.

If anyone's got a handful of cheap ATTiny chips or maybe some PIC10/12 chips you don't mind destroying, you could code up a simple program that runs in a loop with some unreachable code.

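Code:
#include <stdbool.h>

void StayLocked(void);  /* board-specific: keep the unlock output inactive */
void Unlock(void);      /* board-specific: must never run in a fault-free execution */

int main(void)
{
  /* volatile so the compiler cannot fold the test and delete the Unlock() branch */
  volatile int x = 0;
  while (true)
  {
    if (x == 0)
    {
      StayLocked();
    }
    else
    {
      Unlock();
    }
  }
}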

Then just go to town feeding all sorts of signals into the VCC line and see if you can ever get Unlock() to run.
« Last Edit: July 07, 2015, 04:52:12 am by Stonent »
The larger the government, the smaller the citizen.
 

Offline all_repair

  • Frequent Contributor
  • **
  • Posts: 716
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #75 on: July 07, 2015, 04:55:59 am »
This last video of yours is lacking any scientific information content, it has 0 teaching value.
I thought that the idea of eevblog was of learning about electronics, you know 'real world' electronics, but lately your videos are not about that anymore.
.....

This one exactly not so bad but I have skipped the last few.  For this, I watched from beginning to finish.  There is as much to learn from a failed experiment as from a successful one, if not more.   I kind of think the screw-up was deliberate to add sensation.  It is out of a seasoned engineer's habit to pull a cable out for no apparent reason and then not put it back IMMEDIATELY.
 

Offline miguelvp

  • Super Contributor
  • ***
  • Posts: 5550
  • Country: us
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #76 on: July 07, 2015, 05:09:49 am »
Yeah, glitching the supply might throw the MCU into a path not intended.

Disruption of the power fast enough but not enough to halt/reset the processor but fast enough and at the same 8MHz frequency with a bit of bias might make the MCU skip instructions until you reach the needed code.

Kind of forcing NOPs for n cycles at a time until you reach the unlock code. Once you know the delta (if you can make the MCU to glitch and force a NOP per pulse) then the combination doesn't matter. Or maybe you can glitch the part where it tries to get the code and you can force the MCU to miss the reads from the EEPROM so it gets all 0s.
 

Offline DrGeoff

  • Frequent Contributor
  • **
  • Posts: 793
  • Country: au
    • AXT Systems
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #77 on: July 07, 2015, 05:24:09 am »
Yeah, glitching the supply might throw the MCU into a path not intended.

One of the attack vectors on smart cards is to inject rubbish on the power supply to force something interesting to happen, at the same time as watching the power supply for current waveforms (smart cards don't have decoupling caps to speak of). Maybe some HF noise or browning the supply around the BOD thresholds to cause rapid resets to occur might show something interesting.
Was it really supposed to do that?
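On the firmware side of the glitching discussion in the posts above, an added example (not code from the thread or from the lock) that compares the `x == 0` decision from the test loop with a state encoding that fails closed when the stored value is corrupted. It models faults that corrupt the decision word only, not skipped instructions, and the constants and function names are assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Naive encoding, as in the test loop: 0 = stay locked, anything else = unlock. */
static bool naive_allows_unlock(uint32_t x)
{
    return x != 0;
}

/* Hardened encoding (assumed constants): the two valid states differ in all
 * 32 bits, and a complemented shadow copy is stored alongside the state. */
#define ST_LOCKED   0x3CA5965Au
#define ST_UNLOCKED 0xC35A69A5u   /* bitwise complement of ST_LOCKED */

static bool hardened_allows_unlock(uint32_t state, uint32_t shadow)
{
    volatile uint32_t s = state, c = shadow;   /* force real reads for each test */
    if (s != ST_UNLOCKED)
        return false;                          /* anything unexpected stays locked */
    if ((s ^ c) != 0xFFFFFFFFu)
        return false;                          /* copies disagree: treat as tamper */
    if (s != ST_UNLOCKED)
        return false;                          /* second read of the same condition */
    return true;
}

/* Flip each single bit of the locked value and count how many flips unlock. */
static unsigned naive_unlocks_after_single_bitflip(void)
{
    unsigned n = 0;
    for (unsigned bit = 0; bit < 32; bit++)
        if (naive_allows_unlock(0u ^ (UINT32_C(1) << bit)))
            n++;
    return n;
}

/* Same experiment over both stored words of the hardened encoding (64 flips). */
static unsigned hardened_unlocks_after_single_bitflip(void)
{
    unsigned n = 0;
    for (unsigned bit = 0; bit < 32; bit++) {
        uint32_t m = UINT32_C(1) << bit;
        if (hardened_allows_unlock(ST_LOCKED ^ m, ~ST_LOCKED))
            n++;
        if (hardened_allows_unlock(ST_LOCKED, ~ST_LOCKED ^ m))
            n++;
    }
    return n;
}

int main(void)
{
    printf("naive:    %u of 32 single-bit flips unlock\n",
           naive_unlocks_after_single_bitflip());
    printf("hardened: %u of 64 single-bit flips unlock\n",
           hardened_unlocks_after_single_bitflip());
    printf("all-ones word: naive=%d hardened=%d\n",
           naive_allows_unlock(0xFFFFFFFFu),
           hardened_allows_unlock(0xFFFFFFFFu, 0xFFFFFFFFu));
    return 0;
}
```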
 

Offline fvdpol

  • Newbie
  • Posts: 8
  • Country: nl
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #78 on: July 07, 2015, 07:16:43 am »
The 10 ohm resistor used for the current measurement actually reduces your resolution as the decoupling in the circuit will low-pass the cpu glitches. If you can have a much lower source impedance you should be able to see much more detail.

Would be interesting to see how much a micro current adapter (and maybe additionally a lower impedance power source than the 9v battery) would help here. Believe this type of measurement would be THE use-case for a uCurrent :-)
 

Offline BillyD

  • Regular Contributor
  • *
  • Posts: 218
  • Country: ie
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #79 on: July 07, 2015, 07:29:47 am »
The 10 ohm resistor used for the current measurement actually reduces your resolution as the decoupling in the circuit will low-pass the cpu glitches. If you can have a much lower source impedance you should be able to see much more detail.

Would be interesting to see how much a micro current adapter (and maybe additionally a lower impedance power source than the 9v battery) would help here. Believe this type of measurement would be THE use-case for a uCurrent :-)

Interesting idea. Would it be able to pass everything through or would you lose, say, the very high frequency current changes?

 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16627
  • Country: 00
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #80 on: July 07, 2015, 07:50:03 am »
Believe this type of measurement would be THE use-case for a uCurrent :-)
The maker of the uCurrent doesn't actually use it!  :-DD


(Seriously though, he was only looking at timing, not current usage...current usage would be attack #2)
 

Offline mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 13726
  • Country: gb
    • Mike's Electric Stuff
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #81 on: July 07, 2015, 07:52:30 am »
As there didn't seem to be an 'enter' key, I wonder if it is simply testing the last 6 digits entered on each keypress, possibly with a timeout.
If the code isn't written well, the length of time it stays awake after a keypress may be proportional to how many correct digits there are.
Youtube channel:Taking wierd stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 

Offline mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 13726
  • Country: gb
    • Mike's Electric Stuff
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #82 on: July 07, 2015, 07:54:26 am »
I wonder if the case is electrically bonded to the supply -ve, if not, then there may be scope for common-mode spike injection.
Youtube channel:Taking wierd stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 

Offline f4eru

  • Super Contributor
  • ***
  • Posts: 1093
  • Country: 00
    • Chargehanger
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #83 on: July 07, 2015, 09:23:25 am »
Quote
To put it simple, your videos became the cat videos of electronics
Hell No! These are the "cat" videos of electronics :




Offline ale500

  • Frequent Contributor
  • **
  • Posts: 415
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #84 on: July 07, 2015, 09:40:45 am »
"Always be careful with your tools"  :-DD :-DD :-DD :-DD :-DD :-DD :-DD :-DD That was great :)
 


Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37717
  • Country: au
    • EEVblog
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #86 on: July 07, 2015, 10:26:38 am »
I kind of think the screw-up was deliberate to add sensation.

You wouldn't think that if you heard my four letter expletives because:
a) I was so stupid
and
b) I wasn't going to get the video out on the Friday.
and
c) Had to ask the wife for work time on the weekend in order to fix the screw-up.
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37717
  • Country: au
    • EEVblog
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #87 on: July 07, 2015, 10:28:07 am »
One of the attack vectors on smart cards is to inject rubbish on the power supply to force something interesting to happen

Smart cards don't have a bunch of power supply rail stuff to screw things up.
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37717
  • Country: au
    • EEVblog
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #88 on: July 07, 2015, 10:28:51 am »
The maker of the uCurrent doesn't actually use it!  :-DD
(Seriously though, he was only looking at timing, not current usage...current usage would be attack #2)

Correct. Not everyone has a uCurrent, so I wanted to see what was visible with just a resistor first.
 

Offline rr100

  • Frequent Contributor
  • **
  • Posts: 339
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #89 on: July 07, 2015, 11:09:51 am »
Not wishing to derail this topic, but that's actually true and I verified it on my Lexmark scanner a couple of years ago. It got about one third of the way through a ten Euro note before packing it in. I can't remember exactly what error message it gave, although I think it did spell out that it had detected currency.

For printers most likely it is in the drivers, especially for cheap ones. Now for color copiers, that's another story.
Even way back (I think around 2001 or so) Paint Shop Pro (and probably some other programs) wouldn't even copy/paste from a picture of euros or dollars.
 

Offline rr100

  • Frequent Contributor
  • **
  • Posts: 339
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #90 on: July 07, 2015, 11:10:33 am »
Then to the end you say: "Even if we could find the 6 right digits, we don't know the order"
I'd say that depends on how good/poorly they have programmed the software: Say it is kind of an if/else hierarchical thing:

This is precisely what I was thinking as well.
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37717
  • Country: au
    • EEVblog
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #91 on: July 07, 2015, 11:17:39 am »
Then to the end you say: "Even if we could find the 6 right digits, we don't know the order"
I'd say that depends on how good/poorly they have programmed the software: Say it is kind of an if/else hierarchical thing:
This is precisely what I was thinking as well.

Well yeah, if there is some kind of vulnerability that lets you get at the actual correct sequence, of course. I wasn't testing for that exploit in this video.
 

Offline rr100

  • Frequent Contributor
  • **
  • Posts: 339
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #92 on: July 07, 2015, 11:33:18 am »
This was a fantastic video, I wasn't expecting at all to be able to do it "laparoscopically". I've done my fair share of "remote manipulations" with tweezers and screwdrivers but I was just sure this would end up in sparks (from some kind of saw).

Speaking about the old "studio" ... I watched video Nr 3 I think a few days ago and it looks now .... like Star Trek TOS! NOT like it's coming from the future but from the 60's! Not that there is any criticism, I watched many of the old ones when they were new and they were ok, going to the newer fancy ones again ok, now going back it is like AUCHOMFGWTF!?!
 

Offline 84GKSIG

  • Regular Contributor
  • *
  • Posts: 58
  • Country: au
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #93 on: July 07, 2015, 12:02:50 pm »
Yikes, why so much negativity? I've not been on here in a while and it seems like a bunch of you guys are in attack mode, why? What's happened?

I was thinking anyway, is the safe considered to be a massive RF shield? If not, could you in theory wrap a loop of copper wire around the safe to use as a pickup for microprocessor noise?

EDIT: is the safe magnetically shielded?

And also the solenoid pin is magnetic? Couldn't you use a cleverly placed high current electromagnet to pull the pin back? Or even induce a burst of current into the solenoid coil? Wouldn't expect any of this to work either but it's just for a laugh, if I had one I'd be trying hell basic stuff. Awesome work getting that connector back on through the holes you drilled in the bottom, I was cheering with you when you got em back on  :-DD
« Last Edit: July 07, 2015, 12:07:37 pm by 84GKSIG »
 

Offline tszaboo

  • Super Contributor
  • ***
  • Posts: 7358
  • Country: nl
  • Current job: ATEX product design
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #94 on: July 07, 2015, 12:17:02 pm »
Very entertaining episode! I wonder if the programmers thought of the power line attack. Because I believe it is quite easy to write code which would prevent this:
Wait for 6 keypresses
Read out EEPROM
Decrypt EEPROM data. Now this can be quite simple, for example XOR it with 0x55 to get the actual code in BCD. If you power line attack it, you would never guess.
If code is wrong, do stuff A (save timeout to eeprom or something)
If code is right, do stuff B (open door)

You need 6 keypresses for anything remotely important to happen, and even then, if you get the wrong code always, you don't know what to look for.
The meaning of safe codes is that nothing out of the ordinary happens if you press the wrong button. Why would the firmware be any different?
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16627
  • Country: 00
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #95 on: July 07, 2015, 01:08:40 pm »
EDIT: is the safe magnetically shielded ?
It's a big piece of steel, so.... "yes".

 

Offline Rasz

  • Super Contributor
  • ***
  • Posts: 2616
  • Country: 00
    • My random blog.
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #96 on: July 07, 2015, 01:44:40 pm »
Very entertaining episode! I wonder if the programmers thought of the power line attack. Because I believe it is quite easy to write code which would prevent this:

famous last words
Wait for 6 keypresses
Read out EEPROM
Decrypt EEPROM data. Now this can be quite simple, for example XOR it with 0x55 to get the actual code in BCD. If you power line attack it, you would never guess.

all of the above we skip

If code is wrong

this is where the attack is happening, how do you compare good code to bad code? you don't have vliw, simd, nor even 32bit alu to make the whole comparison in one instruction.

You need 6 keypresses for anything remotely important to happen, and even then, if you get the wrong code always, you don't know what to look for.

you don't, attackers do

Yikes why so much negativity

"Im gonna do power analysis" .... doesnt do power analysis(no, looking at the scope at 2 orders of magnitude wrong scale is not it), announces lock is secure
Who logs in to gdm? Not I, said the duck.
My fireplace is on fire, but in all the wrong places.
 

Offline eneuro

  • Super Contributor
  • ***
  • Posts: 1528
  • Country: 00
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #97 on: July 07, 2015, 02:43:07 pm »
i would be interested to see the internals of the keypad and how the lock communicates with it
I'm more concerned about such a thing, that this keypad lacks such a quite basic feature like.... displaying those digits 0..9 in random order in a 3 x 3 matrix, and making this display touchable. Then if someone tried to record the owner hitting those 6 numbers using thermal imaging or a classic video cam with huge zoom to remember the position where someone hits this keypad, then whatever they do, if next time those 10 digits 0..9 are displayed in another random order (TRNG can be used for this, no need to use PRNG on MCU), then the position where you press those numbers is worth nothing, since it changes every time someone attempts to enter this pin code  8)
I wonder why they didn't make it this way? Even on many web sites this is the preferred method to avoid mouse logging or keyboard dumping to take control over someone's account?  ???
Yeah, I don't like that this safe lock doesn't have such random number placement, but probably it is too cheap, or there are, as everywhere, patent issues which limit the flexibility of manufacturers who do not want to pay too much for patents, so end users get not the best possible solutions but something in between, and still a DIY solution can be in many cases better  :-\

Anyway, this hack with drilling the safe side and using thin USB microscope video to try to put this bloody connector inside again was really very creative  :-+


I need to dig at home through a 0.250m -0.500m concrete wall to see a closed space in my home under the stairs and probably this USB microscope is a must-have in my toolbox, especially as it can be perfect for my pick & place & reflow PCB machine too, so I'm considering buying something like this below (without the useless tripod) but quite cheap, so I think I'll give it a chance-things like this can save a lot of frustration one day and... feel like a Hollywood epic win compilation star  :-DD
http://microscopes.mobi/product/supereyes-b005-0-1x-200x-handheld-usb-digital-microscope-endoscope-loupe-otoscope-magnifier-with-11mm-tube-diameter-tripod-led/
They claim it works under Linux, too  :blah: We'll see soon...
« Last Edit: July 07, 2015, 02:46:31 pm by eneuro »
12oV4dWZCAia7vXBzQzBF9wAt1U3JWZkpk
“Let the future tell the truth, and evaluate each one according to his work and accomplishments. The present is theirs; the future, for which I have really worked, is mine”  - Nikola Tesla
-||-|-
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16627
  • Country: 00
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #98 on: July 07, 2015, 02:45:40 pm »
this is where attack is happening, how do you compare good code to bad code? you dont have vliw, simd, nor even 32bit alu to make whole comparison in one instruction.
You don't need any of that. All you need to do is reduce it to a single branch instruction.

eg. Subtract the secret number from the input using as many instructions as you like then there's a single branch-on-zero instruction.

The code path will be identical for all incoming keypresses. The only time there's any difference in the instructions executed is when there's a 'pass' and you're going to open the door.
 

Offline TheAmmoniacal

  • Supporter
  • ****
  • Posts: 1188
  • Country: no
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #99 on: July 07, 2015, 04:33:01 pm »
The easiest way to "crack" this safe must be to do exactly what Dave did when re-inserting the connector - but instead using some wires to power the solenoid directly. I see no reason why you can't just bypass the circuitry altogether and connect 9V on the solenoid? What about trying to power the solenoid from outside with resonant inductive coupling? Overpowered induction charger?
 

Offline HP-ILnerd

  • Frequent Contributor
  • **
  • Posts: 259
  • Country: us
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #100 on: July 07, 2015, 05:08:31 pm »
Dave,

That was one of the most entertaining episodes you've done.  I love it when you leave in your mistakes.  Nice "The Eagle Has Landed" moment when you got the plug back in.   ;D

It's the complete opposite of home improvement shows where they build something out of magical perfect framing timber that is miraculously clear and laser straight. 
 

Offline Rachie5272

  • Regular Contributor
  • *
  • Posts: 176
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #101 on: July 07, 2015, 05:35:04 pm »
It would be interesting to see an analysis of the keypad serial connector.  If it's I2C, maybe it shares the same bus as the EEPROM.

Also, it could very easily have a backdoor in the form of a second secret passcode.  It could be a unique code for every safe based on the serial number, programmed at the factory.  Any chance of an EEPROM dump?
 

Offline bktemp

  • Super Contributor
  • ***
  • Posts: 1616
  • Country: de
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #102 on: July 07, 2015, 06:13:08 pm »
It would be interesting to see an analysis of the keypad serial connector.  If it's I2C, maybe it shares the same bus as the EEPROM.
It is a 93C46 EEPROM: It uses Microwire, not I2C. I doubt they would make such a stupid mistake and share the wires between the code storage memory and the external keypad.
Maybe they have deliberately chosen a microwire EEPROM instead of an I2C EEPROM because the I2C data can be seen on the supply current because of the pullups drawing current only during low bits.
And maybe they use the buzzer to hide the current draw of the controller, checking the entered code while the buzzer is beeping?
 

Offline Rasz

  • Super Contributor
  • ***
  • Posts: 2616
  • Country: 00
    • My random blog.
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #103 on: July 07, 2015, 06:24:20 pm »
It is a 93C46 EEPROM: It uses Microwire, not I2C. I doubt they would make such a stupid mistake and share the wires between the code storage memory and the external keypad.
Maybe they have deliberately chosen a microwire EEPROM instead of an I2C EEPROM because the I2C data can be seen on the supply current because of the pullups drawing current only during low bits.
And maybe they use the buzzer to hide the current draw of the controller, checking the entered code while the buzzer is beeping?

all good points, if only someone did a power analysis of this loc......
Who logs in to gdm? Not I, said the duck.
My fireplace is on fire, but in all the wrong places.
 

Offline ivan747

  • Super Contributor
  • ***
  • Posts: 2045
  • Country: us
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #104 on: July 07, 2015, 06:33:51 pm »
It would be interesting to see an analysis of the keypad serial connector.  If it's I2C, maybe it shares the same bus as the EEPROM.
It is a 93C46 EEPROM: It uses Microwire, not I2C. I doubt they would make such a stupid mistake and share the wires between the code storage memory and the external keypad.
Maybe they have deliberately chosen a microwire EEPROM instead of an I2C EEPROM because the I2C data can be seen on the supply current because of the pullups drawing current only during low bits.
And maybe they use the buzzer to hide the current draw of the controller, checking the entered code while the buzzer is beeping?

Yes I believe this could be a thing. I'd like to see that signal filtered out.
 

Offline rotopenguin

  • Newbie
  • Posts: 3
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #105 on: July 07, 2015, 06:37:42 pm »
It would be interesting to see an analysis of the keypad serial connector.  If it's I2C, maybe it shares the same bus as the EEPROM.
It is a 93C46 EEPROM: It uses Microwire, not I2C. I doubt they would make such a stupid mistake and share the wires between the code storage memory and the external keypad.
Maybe they have deliberately chosen a microwire EEPROM instead of an I2C EEPROM because the I2C data can be seen on the supply current because of the pullups drawing current only during low bits.
And maybe they use the buzzer to hide the current draw of the controller, checking the entered code while the buzzer is beeping?

They don't have to literally store the digits of the password as an unsigned int in EE, could instead remap each digit to a RLL-like bit pattern. With the right pattern-per-symbol, you'd have a very even distribution of ones and zeroes and hopefully a bland enough square wave to hide.

I doubt they would use the buzzer like that, it's easy enough to drill the bugger dead to take it out of the loop. Also, tiny amounts of timing jitter in the PWM might leak info. It's easier to have the buzz happen far apart from the juicy bits of code than verify the exact behavior of the MCU to be sure. (OH DUH, that noise isn't coming from the important MCU, it's just a ^G being sent to the keypad's controller. DERP.)
« Last Edit: July 07, 2015, 07:16:36 pm by rotopenguin »
 

Offline eneuro

  • Super Contributor
  • ***
  • Posts: 1528
  • Country: 00
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #106 on: July 07, 2015, 07:50:14 pm »
And maybe they use the buzzer to hide the current draw of the controller, checking the entered code while the buzzer is beeping?
They can use a high frequency timer interrupt so often that the main code runs... step by step, and they can have random times it spends in this interrupt, so what you'll see on the power line will be... noise  :-DD
Come on, why do you think you could guess this password based on the power waveform? There are endless possibilities to make those readings useless, or only looking like they lead somewhere, but... it is a hopeless effort, probably not worth the amount of money kept in this safe lock  :palm:

They don't have to literally store the digits of the password as an unsigned int in EE, could instead remap each digit to a RLL-like bit pattern.
Of course they do not store any passwords, but probably a few times hashed and a few times encrypted version of what someone enters and... you have no chance to find it in the garbage with other random bits, which can be recreated each time someone sets a new password  >:D

Brute force solenoid wires or coil, something which could help open those doors, with the help of a really strong magnetic field, or eddy currents induced this way, designed to hit given parts and materials in the mechanical lock, maybe could do the trick ;)

I think, after a successful episode one, I hope Dave will try something much more powerful than an oscilloscope  ;D
Pure electro-magnetic power is needed, maybe at determined frequency.
I  suggest, this could do the job >:D

MagLab claims record with novel superconducting magnet

Wow  :-+
Quote
Built with both traditional and novel superconducting materials, the magnet reached a field of 27 teslas on June 5 in a test that exceeded designers' expectations.
« Last Edit: July 07, 2015, 07:59:39 pm by eneuro »
12oV4dWZCAia7vXBzQzBF9wAt1U3JWZkpk
“Let the future tell the truth, and evaluate each one according to his work and accomplishments. The present is theirs; the future, for which I have really worked, is mine”  - Nikola Tesla
-||-|-
 

Offline rotopenguin

  • Newbie
  • Posts: 3
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #107 on: July 07, 2015, 08:29:24 pm »
So, the attack vectors I see, especially once you pull the keypad face off and are talking directly to the 4 pin plug are:

1. How does it keep track of too many bad tries? How is a single bad try recorded? Here is one way not to do it. The obvious way is to record a bad attempt to flash after a password check, but there's a tiny window where an attacker might read your poker face and pull the plug before commit. Or a gigantic window where you never had enough voltage for flash writes to succeed at all. If I were writing the firmware, I would FIRST append a failed attempt to flash (and verify it!), then test the password, and then if we have a match we'll go back and erase that black mark. (By append, I mean don't erase a 2 and put a 3 down as the number of failed attempts, somebody's bound to split that transaction with a power outage.)

2. How does the 5 minute timeout work? How goes the last bad try before dropping the timeout hammer? If there's anything special about how the flash writes "uh oh, we're in lockdown mode now", we might be able to take a miss on that and get unlimited retries. If pulling power causes the controller to forget about the timeout, somebody is hankering for a firing.

3. Seriously, how well do you deal with brownouts? Flash is a fat little piggy for voltage requirements, while the processor would probably be okay running significantly leaner. Are they counting on the MCU's BOD to cover the flash chip's needs too?

4. When does the password match actually happen? Lots of folks here are saying "only once the 6th digit is entered" which I like. Some are saying that you are typing into a rolling window of 6 digits, which would give you FAR too many free swings at bat if that were true. The 7th digit you enter must be taken as a clean slate entry of the 1st digit of a new attempt.

5. Does the processor's eyebrow twitch as it matches a correct or incorrect digit? If Dave spent the weekend plugged into that pretty little 4 pin plug instead of leaning against a drill, we might have seen some movement on this front :-P Love the lemonade that Dave made out of the lemons anyway!

6. How well protected is that I2C(?) pin anyway? I've heard of AVRs getting messed up in the head with crazy-fast thwacks on a GPIO, perhaps an ST is as vulnerable.

7. Did a web programmer do the communication code? Those jerks make buffer overflows all the time, geez keep it together guys.

8. Can the CPU skip instructions until it finds itself in the unlock routine? Don't let a few missed instructions just let it fall into the unlock code, put a minefield in between main() and there. Hmm, If I were a 2 stage pipeline CPU being induced to glitch, I think I'd try interleaving the code with tons of small JMPs past very bad instructions. I believe that the pipeline normally starts chewing the next instruction, but has it inhibited by a later clockcycle of JMP. If the JMP gets glitched, the evil instruction may be executed and induce a soft fault, throwing code flow into a (hopefully) more jailable exception handler. And how bout this - wire the board such that only a certain pattern on GPIO will trigger the solenoid without also smacking your own RST line. What are the odds of a drunk processor (a) accidentally falling into the GPIO port write and (b) having the correct magic pattern sitting in a register in the first place?

9. Is there a bitchin' bass frequency where the solenoid pin will dance out of the way? The opposing-mass pin (which is awesome!) may hold shit together when the solenoid is bumped out of the way, but it won't groove to the same tune.


« Last Edit: July 07, 2015, 09:15:12 pm by rotopenguin »
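The ordering described in point 1 above (commit the failed-attempt mark before testing the code), the clean-slate rule in point 4, and the single-branch comparison from reply #98, put together in C as an added example. It is not the La Gard firmware or any poster's code; the simulated EEPROM, the lockout threshold of 4, the unary strike counter and the sample code 481516 are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PIN_LEN      6
#define MAX_ATTEMPTS 4   /* assumed lockout threshold, not the real lock's value */

typedef enum { NEED_MORE, UNLOCKED, REJECTED, LOCKED_OUT, NV_FAULT } result_t;

/* Simulated non-volatile storage; every value here is constructed. */
static const uint8_t nv_pin[PIN_LEN] = {4, 8, 1, 5, 1, 6};
static uint8_t nv_strikes = 0xFF; /* unary counter: one more 0 bit per failed try */
static int nv_write_fails = 0;    /* hook: simulate a supply too low to write */

static uint8_t entry[PIN_LEN];
static size_t  entered = 0;

/* Write, then read back: success only if the value actually landed. */
static int nv_write_verified(uint8_t *cell, uint8_t value)
{
    if (!nv_write_fails)
        *cell = value;
    return *cell == value;
}

/* Number of recorded failures = number of cleared bits. */
static unsigned strikes(void)
{
    unsigned n = 0;
    for (uint8_t v = (uint8_t)~nv_strikes; v; v >>= 1)
        n += v & 1u;
    return n;
}

/* Same instructions for every input: fold all differences into one byte.
 * This evens out timing and code path only; data-dependent current draw
 * is a separate problem that this does not address. */
static uint8_t ct_diff(const uint8_t *a, const uint8_t *b, size_t n)
{
    volatile uint8_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= (uint8_t)(a[i] ^ b[i]);
    return acc;
}

result_t on_keypress(uint8_t digit)
{
    entry[entered++] = digit;
    if (entered < PIN_LEN)
        return NEED_MORE;      /* nothing code-dependent runs before digit 6 */
    entered = 0;               /* next key starts a new attempt: no rolling window */

    result_t r = LOCKED_OUT;   /* the timed release of the lockout is not modelled */
    if (strikes() < MAX_ATTEMPTS) {
        /* Charge the attempt first. Shifting in a 0 only clears a bit, so
         * (assuming programming can only clear bits) a half-finished write
         * cannot lower the count. */
        uint8_t marked = (uint8_t)(nv_strikes << 1);
        if (!nv_write_verified(&nv_strikes, marked)) {
            r = NV_FAULT;      /* no committed strike, no comparison */
        } else if (ct_diff(entry, nv_pin, PIN_LEN) == 0) {  /* the single branch */
            nv_write_verified(&nv_strikes, 0xFF);  /* match: erase the marks */
            r = UNLOCKED;
        } else {
            r = REJECTED;
        }
    }
    memset(entry, 0, sizeof entry);
    return r;
}

/* Convenience wrapper: feed a sequence of digits, return the last result. */
result_t enter_code(const uint8_t *digits, size_t n)
{
    result_t r = NEED_MORE;
    for (size_t i = 0; i < n; i++)
        r = on_keypress(digits[i]);
    return r;
}

int main(void)
{
    const uint8_t wrong[PIN_LEN] = {4, 8, 1, 5, 1, 7};
    const uint8_t right[PIN_LEN] = {4, 8, 1, 5, 1, 6};
    result_t a = enter_code(wrong, PIN_LEN);
    printf("wrong code -> %d, strikes %u\n", (int)a, strikes());
    result_t b = enter_code(right, PIN_LEN);
    printf("right code -> %d, strikes %u\n", (int)b, strikes());
    return 0;
}
```

With `nv_write_fails` set, even the correct code returns `NV_FAULT`: an attempt that cannot be charged to the counter is never compared.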
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37717
  • Country: au
    • EEVblog
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #108 on: July 07, 2015, 11:50:57 pm »
Also, it could very easily have a backdoor in the form of a second secret passcode.  It could be a unique code for every safe based on the serial number, programmed at the factory.  Any chance of an EEPROM dump?

No, not possible. It would never have passed the type approvals if it had this.
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37717
  • Country: au
    • EEVblog
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #109 on: July 07, 2015, 11:54:41 pm »
"Im gonna do power analysis" .... doesnt do power analysis(no, looking at the scope at 2 orders of magnitude wrong scale is not it), announces lock is secure

Oh FFS people, get over it.
Yes I did the simplest check possible, it was a first simple check, of course there is a ton of more stuff I could do. It could easily be a 10 part video series.
I did mention that further testing would be needed, but that it didn't look promising at this stage.
Yeah, ok, I should have explained this better, but I didn't expect people to take this video to be the be-all end-all attack video on this lock :palm:
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37717
  • Country: au
    • EEVblog
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #110 on: July 07, 2015, 11:56:20 pm »
The easiest way to "crack" this safe must be to do exactly what Dave did when re-inserting the connector - but instead using some wires to power the solenoid directly.

You, you can't do this. The company has patent on preventing exactly that "spiking".
That of course does not mean it's not possible, but they have thought of it and have put design measures in place to prevent it.
 

Offline Rasz

  • Super Contributor
  • ***
  • Posts: 2616
  • Country: 00
    • My random blog.
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #111 on: July 08, 2015, 01:07:17 am »
The easiest way to "crack" this safe must be to do exactly what Dave did when re-inserting the connector - but instead using some wires to power the solenoid directly.

You, you can't do this.
have you tried? video clearly shows space for two sockets, but only one is used for the keypad/power cable, second one is unpopulated and leaves a lot of space for stiff wire to go inside and poke around

The company has patent on preventing exactly that "spiking".
oh, a patent, well that settles it  :phew:
Who logs in to gdm? Not I, said the duck.
My fireplace is on fire, but in all the wrong places.
 

Offline alien_douglas

  • Contributor
  • Posts: 11
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #112 on: July 08, 2015, 01:37:44 am »
I thought I might post a story on power line analysis. Nothing to do with safes!
Back in 1985 I was working for IBM NZ and IBM had just released their new Quietwriter electronic daisy wheel (Remember those?) typewriter to replace the totally mechanical Selectric golf ball machine.
I received a phone call from the NZ Secret Intelligence Service (Don't know why they rang me as I did not have anything to do with typewriters.) asking if there was an anti spying EC (IBM speak. Engineering Change) for the new electronic Quietwriters.
I thought that my leg was being pulled, but I went around to talk to the Office Product guys who told me that there was indeed such a device for the mechanical typewriters.
This is when I learnt about power line analysis.
So way back in 1985 the spies around the world had tiny devices that could be fitted into the back of a mains outlet to read the varying current that uniquely changed as the mechanical golfball typewriter typed different characters. And then transmit the data to a sneaky spy outside the building. Way cool!!

BTW. The anti spy device for the mechanical typewriter was the addition of a large flywheel on the motor. That smoothed out the current draw on the power line.
And the new Quietwriter, that was full of electronics and stepper motors, was almost totally quiet on the power line. Great quality IBM engineering!! 8)

Alien
 

Offline rotopenguin

  • Newbie
  • Posts: 3
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #113 on: July 08, 2015, 01:48:09 am »
You, you can't do this. The company has patent on preventing exactly that "spiking".

I sure hope that's a patent on "an integrated device to prevent spiking" rather than a patent on "the business method of injecting power spikes to maximize unauthorized ingress".
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37717
  • Country: au
    • EEVblog
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #114 on: July 08, 2015, 02:07:13 am »
have you tried? video clearly shows space for two sockets, but only one is used for the keypad/power cable, second one is unpopulated and leaves a lot of space for stiff wire to go inside and poke around

No I have not tried it, doing so could ruin the lock. A one-shot deal.
How about you send me say 20 identical locks and I'll give it a go.
Say what you want about patents, the fact is they have thought about this and implemented measures to protect against it. And it is well known that this lock is not susceptible to spiking any more, they fixed it a long time ago.
*see my previous disclaimer*

And there is no point going in through any side hole and poking around, it's of no consequence. If someone was to drill through the safe side case and try to manipulate through that tiny hole from outside the safe from 25cm away then they might as well just crack the safe open the old fashioned way. It's pointless to even consider.
« Last Edit: July 08, 2015, 02:11:28 am by EEVblog »
 

Offline apis

  • Super Contributor
  • ***
  • Posts: 1667
  • Country: se
  • Hobbyist
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #115 on: July 08, 2015, 11:44:56 am »
Oh FFS people, get over it.
Hacking security devices is just too much fun! People expected an epic hack but in the end were left hanging. ;)

But a negative result is also interesting as you said! If I had any valuables worth protecting I would look for an LG lock, looks like they knew what they were doing.

9. Is there a bitchin' bass frequency where the solenoid pin will dance out of the way? The opposing-mass pin (which is awesome!) may hold shit together when the solenoid is bumped out of the way, but it won't groove to the same tune.
I would expect that the spring-constant to mass ratio of the solenoid and the opposing system is matched. So they should move similarly. But things get complicated if you apply pressure and thus varying friction by twisting the handle while shaking/bumping it. Might be possible to bump, apply pressure and thus holding the solenoid pin in position, repeat until solenoid is free and hopefully you can get the opposing pin to return out of the way.
« Last Edit: July 08, 2015, 11:55:40 am by apis »
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37717
  • Country: au
    • EEVblog
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #116 on: July 08, 2015, 12:30:35 pm »
Oh FFS people, get over it.
Hacking security devices is just too much fun! People expected an epic hack but in the end were left hanging. ;)

Well that is the nature of the EEVblog. It's an "off-the-cuff" blog, publish and be damned, I shoot and upload, even if not finished, knowing I can always do another video. I don't spend weeks on a video, chipping away at it bit by bit until it's done and then upload some magical final product.
People seem to forget this all too often.
I don't think I've ever spent more than a full day on a video.

I would expect that the spring-constant to mass ratio of the solenoid and the opposing system is matched.

I would expect that as well.

Quote
So they should move similarly. But things get complicated if you apply pressure and thus varying friction by twisting the handle while shaking/bumping it. Might be possible to bump, apply pressure and thus holding the solenoid pin in position, repeat until solenoid is free and hopefully you can get the opposing pin to return out of the way.

Given that this lock has been the industry standard for about 20 years, I figure someone would have figured a way to beat it by now.
« Last Edit: July 08, 2015, 12:33:12 pm by EEVblog »
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16627
  • Country: 00
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #117 on: July 08, 2015, 02:26:31 pm »
Quote
But things get complicated if you apply pressure and thus varying friction by twisting the handle while shaking/bumping it. Might be possible to bump, apply pressure and thus holding the solenoid pin in position, repeat until solenoid is free and hopefully you can get the opposing pin to return out of the way.
How are you going to shake/bump something that's bolted to a wall/floor?

(And if it isn't bolted down then you've got some big holes in the back to poke things into. You could just unscrew the metal plate on the door lock and dismantle it from inside).

Given that this lock has been the industry standard for about 20 years, I figure someone would have figured a way to beat it by now.
If there was a way in early versions it would have been fixed by now.

It's not as if bumping or timing attacks are amazing secrets of the L33t HaXXors. Safe makers know them, too (probably before the L33t HaXXors).

 

Offline Rasz

  • Super Contributor
  • ***
  • Posts: 2616
  • Country: 00
    • My random blog.
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #118 on: July 08, 2015, 03:04:01 pm »
have you tried? video clearly shows space for two sockets, but only one is used for the keypad/power cable, second one is unpopulated and leaves a lot of space for stiff wire to go inside and poke around

No I have not tried it, doing so could ruin the lock. A one-shot deal.
How about you send me say 20 identical locks and I'll give it a go.
Say what you want about patents, the fact is they have thought about this and implemented measures to protect against it. And it is well known that this lock is not susceptible to spiking any more, they fixed it a long time ago.
*see my previous disclaimer*

And there is no point going in through any side hole and poking around, it's of no consequence. If someone was to drill through the safe side case and try to manipulate through that tiny hole from outside the safe from 25cm away then they might as well just crack the safe open the old fashioned way. It's pointless to even consider.

I am not talking about hole on the side of the safe  :palm:
I am talking about 3(4?) FACTORY holes in the front plate. At least the one used for the handle/power cable goes all the way through. Skilled people are able to use such holes to go in places they weren't supposed to with a stiff wire.
You don't risk burning anything if you unplug battery and just measure resistance between ground and your magic wand until you land on specific known one to be sure it landed on second magnet pole/transistor pad.
Who logs in to gdm? Not I, said the duck.
My fireplace is on fire, but in all the wrong places.
 

Offline Seekonk

  • Super Contributor
  • ***
  • Posts: 1938
  • Country: us
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #119 on: July 08, 2015, 06:38:05 pm »
I bought a famous name electronic safe at a garage sale with the door open.  Mfg would give you combination for $3.50.  I figured take off back plastic cover and look at electronics, maybe a combination sticker.  No electronics inside safe.  Just two wires leading from solenoid.  Removing battery cover from front of safe gave easy access to those.  So a wire connected to the battery and a pin to break through insulation is all someone needs to get in.   I don't really use it, just keep it in an obvious location.  If someone breaks in I want them to take all their time moving that heavy safe and leaving the other stuff alone.  That is real security.
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16627
  • Country: 00
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #120 on: July 08, 2015, 07:55:13 pm »
I am not talking about hole on the side of the safe  :palm:
I am talking about 3(4?) FACTORY holes in the front plate. At least the one used for the handle/power cable goes all the way through. Skilled people are able to use such holes to go in places they weren't supposed to with a stiff wire.
Do you think they didn't think of that?  :palm:
 

Offline apis

  • Super Contributor
  • ***
  • Posts: 1667
  • Country: se
  • Hobbyist
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #121 on: July 08, 2015, 08:22:16 pm »
How are you going to shake/bump something that's bolted to a wall/floor?
You can often just bang on things with a mallet or something, there are plenty of videos on youtube...

It's not as if bumping or timing attacks are amazing secrets of the L33t HaXXors. Safe makers know them, too (probably before the L33t HaXXors).
Surprisingly often that's not the case, and it's hard to tell which manufacturers know what they are doing and who are clueless, price isn't necessarily a good indicator. It's easy to make things that work when used as expected, much harder to correctly identify and counter all the corner cases, especially when someone clever is deliberately trying to break things. Some things are simply ridiculously bad even when not cheap and from well known brands.
 

Offline Rasz

  • Super Contributor
  • ***
  • Posts: 2616
  • Country: 00
    • My random blog.
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #122 on: July 08, 2015, 08:51:32 pm »
I am not talking about hole on the side of the safe  :palm:
I am talking about 3(4?) FACTORY holes in the front plate. At least the one used for the handle/power cable goes all the way through. Skilled people are able to use such holes to go in places they weren't supposed to with a stiff wire.
Do you think they didn't think of that?  :palm:

Do yourself a favour and click on YT clip I linked like 4 pages ago. Professional system (audit log, networked, rfid key) 300Euro electronic door locks are routinely cracked by nothing more than a coat hanger wire. I am talking systems that cost xxK euro to install in whole building.

BTW Dave, I learned today that you became a verb. to 'dave jones' something apparently means to fuk around with it for 2 minutes and toss it in the corner  :-DD another ee blogger I follow got X-Carve and people were afraid he would 'dave jones' it in the comments :-DD It was such a holy shit I'm not alone moment when I read that :D
 

Offline apis

  • Super Contributor
  • ***
  • Posts: 1667
  • Country: se
  • Hobbyist
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #123 on: July 08, 2015, 09:20:19 pm »
another ee blogger I follow got X-Carve and people were afraid he would 'dave jones' it in the comments :-DD It was such a holy shit I'm not alone moment when I read that :D
To be fair, you have to choose between how much time is spent on each gadget and quantity. You can't get several videos per week if each video takes several days to shoot and this format obviously works well for a lot of people. How many videos per week does the other blogger produce?

Although suppose I wish there was more of everything as well. :)
 

Offline eneuro

  • Super Contributor
  • ***
  • Posts: 1528
  • Country: 00
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #124 on: July 08, 2015, 10:41:53 pm »
To be fair, you have to choose between how much time is spent on each gadget and quantity.
There is something else too-how much money can someone invest into each of those videos  ;)

If someone uses safe from his house, probably never ever will publish its manufacturer in internet, since this opens serious security hole - someone knows what to expect and can be better prepared to attack it.

Mythbusters S02E03 Ancient Death Ray, Skunk Cleaning


So, now if Myth Busters saw this video, they of course wouldn't try any powerless oscilloscopes to hack this thing, but if they knew there is decent amount of gold inside, then they could see from this Dave video that... there is no good air insulation and it is not water proof too, so they rather... pumped a little bit of explosive gas inside, inserted two thin wires, added remote controlled ignition and... could easily open those damn doors  :-DD
Then, in the rush after detonation, dressed in first aid skirts take gold from already open safe and... there is also no walls in the building and... could live long and in happiness  :popcorn:
No need to monitor safe lock power lines, but simply open its doors from inside by means of mechanical forces ;D
12oV4dWZCAia7vXBzQzBF9wAt1U3JWZkpk
“Let the future tell the truth, and evaluate each one according to his work and accomplishments. The present is theirs; the future, for which I have really worked, is mine”  - Nikola Tesla
-||-|-
 

Offline ivan747

  • Super Contributor
  • ***
  • Posts: 2045
  • Country: us
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #125 on: July 09, 2015, 12:20:24 pm »
I bought a famous name electronic safe at a garage sale with the door open.  Mfg would give you combination for $3.50.  I figured take off back plastic cover and look at electronics, maybe a combination sticker.  No electronics inside safe.  Just two wires leading from solenoid.  Removing battery cover from front of safe gave easy access to those.  So a wire connected to the battery and a pin to break through insulation is all someone needs to get in.   I don't really use it, just keep it in an obvious location.  If someone breaks in I want them to take all their time moving that heavy safe and leaving the other stuff alone.  That is real security.

Fill it with fake jewelry and fake cash. That will do the trick  ;D
 

Offline VK5RC

  • Supporter
  • ****
  • Posts: 2672
  • Country: au
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #126 on: July 10, 2015, 05:07:00 am »
I use a couple of the four legged barking variety as our main security, as long as there are a couple of nice  looking houses down the street without a dog, you are OK. Has worked so far (crosses fingers, toes etc).
Whoah! Watch where that landed we might need it later.
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37717
  • Country: au
    • EEVblog
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #127 on: July 10, 2015, 05:17:12 am »
I am not talking about hole on the side of the safe  :palm:
I am talking about 3(4?) FACTORY holes in the front plate. At least the one used for the handle/power cable goes all the way through. Skilled people are able to use such holes to go in places they weren't supposed to with a stiff wire.
You don't risk burning anything if you unplug battery and just measure resistance between ground and your magic wand until you land on specific known one to be sure it landed on second magnet pole/transistor pad.

My answer to that is exactly the same as before!
Of course the safe has vulnerabilities if you drill it, practically every safe does! Drilling into safes and manipulating is how the pros get into safes without much damage (holes can be resealed).
So do you actually have a point?
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37717
  • Country: au
    • EEVblog
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #128 on: July 10, 2015, 05:18:33 am »
How are you going to shake/bump something that's bolted to a wall/floor?
You can often just bang on things with a mallet or something, there are plenty of videos on youtube...

In this case, as I demonstrated, and it is known in the industry, this particular La Gard lock is not vulnerable to bumping.
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37717
  • Country: au
    • EEVblog
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #129 on: July 10, 2015, 05:24:06 am »
BTW Dave, I learned today that you became a verb. to 'dave jones' something apparently means to fuk around with it for 2 minutes and toss it in the corner  :-DD another ee blogger I follow got X-Carve and people were afraid he would 'dave jones' it in the comments :-DD It was such a holy shit I'm not alone moment when I read that :D

Why don't you come here, take care of my kids for me, take care of all the other stuff I have to do, and then convince the wife I can have all the time I like to spend at the lab and I'll happily work on the X-Carve.
WTF is your problem anyway? It's clear you don't like me or the way I do things, and you seem to harass me every chance you get. Why?
You are not the least bit amusing, and it's getting rather tiresome.
 

Offline Marc M.

  • Regular Contributor
  • *
  • Posts: 132
  • Country: us
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #130 on: July 10, 2015, 08:20:59 am »
FFS people, it's an inexpensive electronic lock designed for inexpensive safes to keep your crap safe from street level criminals.  If there was any vulnerability to the design that could be relatively easily exploited it would be all over the internet. 

Anybody can talk - like bullshit, it's free and often worth as much especially on internet forums like this.  For all the arm chair quarterbacks telling Dave how he should have done things, especially Rasz who's really been busting his balls  :-//, I want to see YOU do a video demonstrating your techniques to exploit a design limitation of these locks.  That will remove any doubt as to your superior knowledge of the subject over Dave's (who of course never professed to be an expert in the field to begin with).
Don't replace the cap, just empty the filter!
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37717
  • Country: au
    • EEVblog
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #131 on: July 10, 2015, 08:33:09 am »
FFS people, it's an inexpensive electronic lock designed for inexpensive safes to keep your crap safe from street level criminals.  If there was any vulnerability to the design that could be relatively easily exploited it would be all over the internet. 

Actually it's a rather expensive top brand electronic lock (it costs 4 times what a cheap ebay safe costs) that (as mentioned in the video) is used on some very expensive and top class safes.

Quote
That will remove any doubt as to your superior knowledge of the subject over Dave's (who of course never professed to be an expert in the field to begin with).

It's not an issue of knowledge, it's one of time and inclination to actually do an extensive array of tests and attacks. I have that ChipWhisperer after all that is specifically designed for such attacks. This video was purposely limited to one very basic test and nothing more, just to see if there was anything detectable on the power line at all. The plan was a "quick" sub 10 minute video. But it doesn't matter how well I caveat my videos, some people will always not be happy with my effort.
« Last Edit: July 10, 2015, 08:35:11 am by EEVblog »
 

Offline apis

  • Super Contributor
  • ***
  • Posts: 1667
  • Country: se
  • Hobbyist
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #132 on: July 10, 2015, 12:59:33 pm »
How are you going to shake/bump something that's bolted to a wall/floor?
You can often just bang on things with a mallet or something, there are plenty of videos on youtube...

In this case, as I demonstrated, and it is known in the industry, this particular La Gard lock is not vulnerable to bumping.
Yes, I didn't mean to imply that it was, only that you don't need to be able to move around one that is vulnerable in order to bump it.
« Last Edit: July 10, 2015, 04:08:18 pm by apis »
 

Offline Rasz

  • Super Contributor
  • ***
  • Posts: 2616
  • Country: 00
    • My random blog.
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #133 on: July 10, 2015, 08:41:12 pm »
Of course the safe has vulnerabilities if you drill it, practically every safe does! Drilling into safes and manipulating is how the pros get into safes without much damage (holes can be resealed).

what drilling? there are FACTORY MADE HOLES in the front plate, or maybe front handle connects to the internal mechanism by magic? hmm I don't know, maybe that wire between internal lock and external keyboard is wireless ...I give up

especially Rasz who's really been busting his balls  :-//

just like Dave I don't like bullshit. Reading in video description Dave is going to do power analysis, and then watching him _not do it_ (or attempt without doing any research beforehand and going with his gut?) and pronounce lock safe and uncrackable really pissed me off :/

You know that feeling when you are watching Halt & Catch Fire IBM XT Bios reverse engineering scene and you realize screen writers  have ZERO clue about the subject matter but do it anyway? and you are presented with two grown men looking at a PCB for 30 minutes searching for EEPROM (one of the men is EE/CS with one computer design under his belt). Then they connect said EEPROM to some sort of computer interface driving address bus, and instead of reading data lines directly they display it on led array, read it out loud one byte at a time and write down on paper .... so they can later type it into another computer.

Now imagine that at the start of a scene one of them whips out eprom reader, explains what it does, and then they proceed anyway - this was Dave's power analysis :-[  :'(


Yeah, I over reacted.
« Last Edit: July 10, 2015, 08:57:10 pm by Rasz »
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37717
  • Country: au
    • EEVblog
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #134 on: July 10, 2015, 11:52:32 pm »
Yeah, I over reacted.

No kidding  ::)
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37717
  • Country: au
    • EEVblog
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #135 on: July 10, 2015, 11:57:52 pm »
just like Dave I don't like bullshit. Reading in video description Dave is going to do power analysis, and then watching him _not do it_ (or attempt without doing any research beforehand and going with his gut?)

 :palm:
"An off-the-cuff video blog"
I showed the proper tool for the job at the start of the video but I did not use it and said I was going to deliberately try a simple simple thing first. Yet you still complain.
This is not the first time you have complained about this sort of stuff, you keep harping on and on about what I didn't do in a video. Why do you even bother watching if it bothers you so much?
 

Offline Rasz

  • Super Contributor
  • ***
  • Posts: 2616
  • Country: 00
    • My random blog.
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #136 on: July 11, 2015, 01:30:20 am »
"An off-the-cuff video blog"
I showed the proper tool for the job at the start of the video but I did not use it and said I was going to deliberately try a simple simple thing first. Yet you still complain.
This is not the first time you have complained about this sort of stuff, you keep harping on and on about what I didn't do in a video.

>Dave tries a power line analysis attack
>How Secure Are Electronic Safe Locks

Yes, you didn't do it, instead you looked at the scope while claiming that was it, and announcing lock is secure because you (someone who I'm guessing never picked a lock, and has no infosec background nor interest. I certainly never met you at defcon, blackhat or shmoo) don't see any flaws. You promised 800% battery life and failed to deliver. Remember that guy from #708 free energy bullshit? This was basically you doing power/security analysis.
Video on its own is more than fine. Fail, drilling, laparoscopy and teardown all highly entertaining, 10/10 would bang.

Quote from: EEVblog
Why do you even bother watching if it bothers you so much?

Because I love you Dave  8)
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37717
  • Country: au
    • EEVblog
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #137 on: July 11, 2015, 04:20:41 am »
Because I love you Dave  8)

Just like those people who love me so much they thumbs down every one of my videos within minutes of uploading. It's good to be loved.
 

Offline SeanB

  • Super Contributor
  • ***
  • Posts: 16276
  • Country: za
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #138 on: July 11, 2015, 06:44:32 am »
Safe cracking can be hard or easy. Lock picking as well, you find a lot of smaller cheaper locks that can be picked with very simple tools, often stuff that you can carry around without anybody being the wiser. Small locks are easy, I have done them with no more than 2 wire paper clips, which are common things. Was easier than walking over to get the key in some cases to just pick them open, do the work in the cabinet then lock them again with that.
 

Offline HighVoltage

  • Super Contributor
  • ***
  • Posts: 5468
  • Country: de
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #139 on: July 11, 2015, 08:32:13 am »
Locks and Safes have gotten much more sophisticated over the years.

In my childhood, it was easy to pick almost every door lock in a short time. I cracked numerical bicycle locks within seconds, no matter what brand it was.  But these days, you have to have special tools to pick modern high quality locks, including modern high quality numerical bicycle locks.

The same is true for safes. There is no general rule that applies for all safes and you have to be specialized for a brand and model to open them successfully. I don't think that good quality safes have a back door.

Dave, your video was a good introduction to the security of safes and I enjoyed watching it.
There are 3 kinds of people in this world, those who can count and those who can not.
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37717
  • Country: au
    • EEVblog
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #140 on: July 11, 2015, 08:35:33 am »
I don't think that good quality safes have a back door.

They don't. They wouldn't be able to pass independent certification if this was the case.
And no company whose business is electronic locks / safes would sell product with such back doors. If the back door leaked out (and it would) the company would be out of business.
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16627
  • Country: 00
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #141 on: July 11, 2015, 09:19:09 am »
Just like those people who love me so much they thumbs down every one of my videos within minutes of uploading. It's good to be loved.
They subscribe to the videos just so they can give them thumbs down?  :-//

 

Offline helius

  • Super Contributor
  • ***
  • Posts: 3639
  • Country: us
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #142 on: July 11, 2015, 10:23:04 pm »
They don't. They wouldn't be able to pass independent certification if this was the case.
And no company whose business is electronic locks / safes would sell product with such back doors. If the back door leaked out (and it would) the company would be out of business.
There is little purpose to adding a "back door" with its attendant NRE and assembly cost when your lock can be bypassed with a soda straw or a paperclip. The ability to access the contents is exactly the same. And "independent certification" doesn't test for design insecurity, that is not a criterion that is a part of any testing standard. Hard to see how it could even be possible to standardize on not having bypasses, that's like proving a negative.

Many such vulnerabilities have been disclosed in national magazines, and the companies involved never went out of business. Sometimes the products are still being sold.

It's a basic blind spot for engineers, they only know how to make things work, not how to break things.
 

Online madires

  • Super Contributor
  • ***
  • Posts: 7743
  • Country: de
  • A qualified hobbyist ;)
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #143 on: July 11, 2015, 11:28:56 pm »
They don't. They wouldn't be able to pass independent certification if this was the case.
And no company whose business is electronic locks / safes would sell product with such back doors. If the back door leaked out (and it would) the company would be out of business.
There is little purpose to adding a "back door" with its attendant NRE and assembly cost when your lock can be bypassed with a soda straw or a paperclip. The ability to access the contents is exactly the same. And "independent certification" doesn't test for design insecurity, that is not a criterion that is a part of any testing standard. Hard to see how it could even be possible to standardize on not having bypasses, that's like proving a negative.

Many such vulnerabilities have been disclosed in national magazines, and the companies involved never went out of business. Sometimes the products are still being sold.

It's a basic blind spot for engineers, they only know how to make things work, not how to break things.

Yes, a lot can go wrong regarding security while developing a product. There are unintended backdoors which were added for debugging purposes originally, but were not removed when shipping the finished product. Things like fixed passwords, hidden users/IDs and so on. Watch some presentations from DefCon or BlackHat on youtube. Car key fobs, electronic locks for hotel rooms, security tokens, industrial controllers and what have you. Most times the producer tries to ignore the problem and soothes the customer. Or take the producers of SOHO internet routers for example. Security issues get fixed only after a major media coverage and just for current models. If your router is older than a year or so, you won't see any new firmware. The producer wants you to buy a new router. New routers are shipped with old software modules with known security issues, which are fixed in a later release. But the producer can't be bothered to update the software module. It's really that bad! Another nightmare is Android. When Google fixes a critical security issue in Android, you might never get the fixed version, because of the long tail with the smartphone producers and telcos. It's like someone else is putting your spare key under your door mat, while telling you that everything is secure. And you believe him. :palm:
 

Offline apis

  • Super Contributor
  • ***
  • Posts: 1667
  • Country: se
  • Hobbyist
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #144 on: July 12, 2015, 06:56:29 pm »
It's because the quickest way to develop things is usually by trial and error, once it appears to function the way you want you're done. Forgetting about special cases is the source of most bugs and when it comes to security you have to consider even the most extreme cases which are often difficult to spot unless you fully understand the whole system. Then there is the problem with companies not caring and consumers not knowing on top of that.
 

Offline ElGuapo

  • Newbie
  • Posts: 1
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #145 on: July 13, 2015, 04:31:47 am »
I deal with these types of locks every now and then. I work on safes all day every day.   These LaGards actually have high failure rates. I have often wondered if they are intentionally designed to fail after say, 10,000 uses.

To Dave, send me an email, and I will send you drill point and procedure for this lock.
 

Offline Mysion

  • Regular Contributor
  • *
  • Posts: 83
  • Country: us
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #146 on: July 13, 2015, 05:35:35 am »
Despite all those that seem to be hating on you Dave I am still a huge fan of your videos. I've learned most of what I know up to this point by absorbing information from your videos. What to look for when doing repairs and basic circuits do's and don'ts. Your rants are always extremely informative and I nearly always come away knowing more than before. Even my dad likes your videos. He can't understand how you're always so chipper, maybe the aussie air?

Your vids are what turned electronics from magic to something that sorta makes sense. The EEvblog made me certain of my choice to become an EE instead of another type of engineering.

Keep up the great vids and ignore those who needlessly attack you. If you need cheering up I have a broken AFG2020 tek function gen I could send you.  :-BROKE
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37717
  • Country: au
    • EEVblog
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #147 on: July 13, 2015, 06:17:19 am »
I deal with these types of locks every now and then. I work on safes all day every day.   These LaGards actually have high failure rates. I have often wondered if they are intentionally designed to fail after say, 10,000 uses.

What is the usual failure mode?
Are there any known exploits apart from drilling?
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37717
  • Country: au
    • EEVblog
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #148 on: July 13, 2015, 06:18:19 am »
Your vids are what turned electronics from magic to some thing that sorta makes sense. The EEvblog made me certain of my choice to become an EE instead of another type of engineering.

Great to hear, thanks.
 

Offline eilize

  • Contributor
  • Posts: 25
  • Country: be
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #149 on: July 21, 2015, 05:38:18 am »
"Are there any known exploits apart from drilling?"

from an electronic point of view, i see one.

you have a direct access to the opto-transistor from the 9v connector.
you don't have access to the driver, but perhaps you could fire it to force the current to pass


the goal is to open it, not to respect the limit to keep safe the components .
you have drilled the box anyway ^^
let's continue in this way :p

i don't know if it works , but if you can unlock it with 5$ spent in batteries of 9v ... >:D
« Last Edit: July 21, 2015, 06:01:30 am by eilize »
 

Offline GoneTomorrow

  • Regular Contributor
  • *
  • Posts: 125
  • Country: nz
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #150 on: July 23, 2015, 12:45:39 am »
Safe cracking can be hard or easy. Lock picking as well, you find a lot of smaller cheaper locks that can be picked with very simple tools, often stuff that you can carry around without anybody being the wiser. Small locks are easy, I have done them with no more than 2 wire paper clips, which are common things. Was easier than walking over to get the key in some cases to just pick them open, do the work in the cabinet then lock them again with that.

This lock would like a word with you  O0

 

Offline SeanB

  • Super Contributor
  • ***
  • Posts: 16276
  • Country: za
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #151 on: July 23, 2015, 06:43:01 pm »
Don't try the lock. just cut the hasp it is attached to. Otherwise I will introduce it to my little friend Mr Afrox.

Note the steel of many shackles suffers from cold embrittlement, so you can simply freeze them with LN2 and then shatter them.
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16627
  • Country: 00
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #152 on: July 23, 2015, 07:18:38 pm »
Don't try the lock. just cut the hasp it is attached to. Otherwise I will introduce it to my little friend Mr Afrox.

I think he was referring to picking it, not breaking it.

I did a web search and it seems like that lock has never been picked (on camera at least). Quite surprising given dedication of people like tool.

Note the steel of many shackles suffers from cold embrittlement, so you can simply freeze them with LN2 and then shatter them.

'Many' doesn't include that particular lock:

(Go to 3m28s for the liquid nitrogen test)

And Cutting? Good luck with that. That's some seriously hardened steel.

Still... they cost $265 each so they better be good.

PS: While I was looking up that stuff I also found this. A chain which they guarantee is impossible to bolt-cut.
http://securityforbikes.com/security-chains.php
« Last Edit: July 23, 2015, 07:23:12 pm by Fungus »
 

Offline SeanB

  • Super Contributor
  • ***
  • Posts: 16276
  • Country: za
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #153 on: July 23, 2015, 07:40:00 pm »
500g Semtex, 2 detonators, 100m of detcord and an initiator and whatever it is securing is guaranteed to be either open or spread all over the landscape.

200kg of HE, a half inch housing and an appropriate delivery method ( and aim it right) and you will never find that lock, level 10 rated or not.
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16627
  • Country: 00
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #154 on: July 23, 2015, 08:15:12 pm »
500g Semtex, 2 detonators, 100m of detcord and an initiator and whatever it is securing is guaranteed to be either open or spread all over the landscape.
Yep. Exactly the sort of things being carried around by the average thief.

PS: Keep your head down when that lock comes flying towards you.
 

Offline helius

  • Super Contributor
  • ***
  • Posts: 3639
  • Country: us
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #155 on: July 23, 2015, 08:18:00 pm »
He said cut the hasp. You know what a hasp is don't you?

This type of padlock looks very formidable but it does not protect the hasp from the front. Some padlocks do, like the S&G 833 or 951 or the cylindrical hidden shackle type.
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16627
  • Country: 00
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #156 on: July 24, 2015, 04:27:50 am »
This type of padlock looks very formidable but it does not protect the hasp from the front. Some padlocks do, like the S&G 833 or 951 or the cylindrical hidden shackle type.
The Abloy 362 isn't supposed to protect hasps - it's a chain lock.

If you really want to lock a door with a padlock then use something designed for the job, eg:



(Or use one of those hidden shackle types you mentioned ... or any of the other stuff that appears when you google "high security hasp")

PS: Speaking of "looks very formidable but...", here's the famous S&G 833 being picked in a couple of minutes with very basic tools (no semtex required!)



The Abloy has never been picked even by the guys at toool (who will happily take locks apart and manufacture whatever special tools/picks it takes to pick them).
« Last Edit: July 24, 2015, 10:26:36 am by Fungus »
 

Offline helius

  • Super Contributor
  • ***
  • Posts: 3639
  • Country: us
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #157 on: July 24, 2015, 05:32:19 am »
The video ends without showing the pins, meaning the sidebar could have been missing the whole time.  :palm: fail.
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16627
  • Country: 00
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #158 on: July 24, 2015, 06:12:22 am »
The video ends without showing the pins, meaning the sidebar could have been missing the whole time.  :palm: fail.
If it was the only video on Youtube you might have a point. But it isn't, there's loads of them.

eg. This video has more detail, including dismantling the cylinder at the end (with sidebar!):



Edit: And he didn't even use special Medeco picks, which would have made the job a lot easier...he even admits out loud that he "sucks at rotating pins" and just hacks away at it until it opens. They're also not bump-proof.


« Last Edit: July 24, 2015, 07:25:06 am by Fungus »
 

Offline Towger

  • Super Contributor
  • ***
  • Posts: 1645
  • Country: ie
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #159 on: July 24, 2015, 07:42:23 am »
500g Semtex, 2 detonators, 100m of detcord and

All readily available at a price from your local King?

Sounds expensive.  Over here a 30 euro grinder from the local Aldi/Lidl and a spare pack of disks would do the job. Semtex is of course available to the breaded brethren in the north of the country.
 

Offline vinicius.jlantunes

  • Regular Contributor
  • *
  • Posts: 225
  • Country: br
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #160 on: July 24, 2015, 06:56:12 pm »
Dave, do you plan on trying out the chip whisperer on this lock? Could make for an interesting video perhaps?

Offline SeanB

  • Super Contributor
  • ***
  • Posts: 16276
  • Country: za
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #161 on: July 24, 2015, 07:29:58 pm »
500g Semtex, 2 detonators, 100m of detcord and

All readily available at a price from your local King?

Sounds expensive.  Over here a 30 euro grinder from the local Aldi/Lidl and a spare pack of disks would do the job. Semtex is of course available to the breaded brethren in the north of the country.

There are still lots of hidden arms caches around, and some are still known of by living people, though most who knew of the locations are dead, either from old age or other causes. Most have been either destroyed or have degraded to nothing, though if you go north onto Mozambique there are still large areas with signs saying Perigo Minas, and a lot of people missing arms and legs.

At one time SA was the third largest producer of mines, after the USA and USSR. Now PRC is the only producer.
« Last Edit: July 24, 2015, 07:35:46 pm by SeanB »
 

Offline max666

  • Frequent Contributor
  • **
  • Posts: 367
  • Country: at
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #162 on: July 24, 2015, 08:24:23 pm »
Is there even a padlock that exhibits any resistance against something like this:


If I were a thief, this would be the first tool in my bag.
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16627
  • Country: 00
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #163 on: July 24, 2015, 09:16:46 pm »
Is there even a padlock that exhibits any resistance against something like this:

Yes. eg. The S&G 833 mentioned earlier has layers of blade-blunting ceramics inside it.

https://securitysnobs.com/Sargent-Greenleaf-S-amp-G-833-Padlock.html

Nobody's going to mark you "+1 Insightful" for that though. Obviously there's tools that can break anything if you go prepared, you're left undisturbed for long enough and have no problem making a lot of noise/sparks.


 

Offline max666

  • Frequent Contributor
  • **
  • Posts: 367
  • Country: at
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #164 on: July 25, 2015, 10:51:12 am »
Nobody's going to mark you "+1 Insightful" for that though. Obviously there's tools that can break anything if you go prepared, you're left undisturbed for long enough and have no problem making a lot of noise/sparks.

Yeah sure. It just feels to me that there aren't many demonstrations that show how things hold up against an angle grinder, but I'm not particularly seeking, so I may be biased here.
And they all love to show a huge ass sledgehammer pounding away, which isn't quiet as well, but looks good on video I presume.
 

Offline FrankBuss

  • Supporter
  • ****
  • Posts: 2365
  • Country: de
    • Frank Buss
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #165 on: July 25, 2015, 11:11:39 am »
Some electronic locks have backdoors, like a manufacturer or master code. Once I was in a hotel and forgot the safe number, and someone entered the master code to open it. Would be interesting to see the assembly code of the chip.

There is a company who claims they can read the code of the ST62T25 (I assume that the read protection bit is set, or the OTP device can't be read at all usually). They don't write how expensive it is (but "low cost"), but I've heard that such services are expensive.

Regarding the power analysis: Dave, you are using 20 ms resolution. The chip is probably running at 8 MHz. You might not see the interesting things. If you measure it after the voltage regulator at the Vcc pin of the CPU on the control board, it might be possible to measure more high frequency signals (I would like to see how the chip whisperer works for this). Then you could try to build a selective amplifier for interesting frequencies to try to detect it at the battery contacts as well.
« Last Edit: July 25, 2015, 11:14:53 am by FrankBuss »
So Long, and Thanks for All the Fish
Electronics, hiking, retro-computing, electronic music etc.: https://www.youtube.com/c/FrankBussProgrammer
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16627
  • Country: 00
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #166 on: July 25, 2015, 11:14:55 am »
It just feels to me that there aren't many demonstrations that show how things hold up against an angle grinder
Sure there are, you just haven't googled it.

eg. Angle grinder vs security chain:




Here's some people testing a safe. It's a "TL30" safe so they get 30 minutes to do whatever the hell they like to it:




PS: A cutting torch works better/quicker on padlocks than an angle grinder. Much quieter, too.




 

Offline apis

  • Super Contributor
  • ***
  • Posts: 1667
  • Country: se
  • Hobbyist
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #167 on: July 25, 2015, 11:32:49 am »


Not very practical though!  :D
 

Offline SeanB

  • Super Contributor
  • ***
  • Posts: 16276
  • Country: za
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #168 on: July 25, 2015, 11:50:55 am »
Pretty easy to make a thermal lance though, with only a modest budget for the right tools and common supplies. Will open almost all small non thermally isolated safes in a very short time with little noise. With a little finesse you can open the small safe without cooking the inside contents as well.

BTW, just how do you cut that grinder proof chain?
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16627
  • Country: 00
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #169 on: July 25, 2015, 11:53:22 am »
Not very practical though!  :D
Yeah, I saw that episode. The idea is good but I think they used a bit too much explosive there...

Here's a fun one I just saw (this thread has got me watching these sort of videos. There's thousands of them, this is a really imaginative attack on a particular brand of padlock)



 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16627
  • Country: 00
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #170 on: July 25, 2015, 12:00:02 pm »
BTW, just how do you cut that grinder proof chain?
Which one? There's plenty of bolt-cutter proof chains but I don't think there's a grinder-proof chain.

Bolt cutter proof, Rockwell hardness 63 chain:



Cutting it with an angle grinder:



It takes two minutes to cut (compared with a couple of seconds for an ordinary hardware store chain) but he manages it.
« Last Edit: July 25, 2015, 01:17:26 pm by Fungus »
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16627
  • Country: 00
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #171 on: July 25, 2015, 12:44:20 pm »
OK, just one more - the metal vapor torch - for when you absolutely need to get it open in two seconds:



 :o

« Last Edit: July 25, 2015, 12:47:17 pm by Fungus »
 

Offline VK5RC

  • Supporter
  • ****
  • Posts: 2672
  • Country: au
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #172 on: July 25, 2015, 12:46:28 pm »
Mr 'Cordless vs security chain' mustn't like his Mill or Lathe, grinding near one is REALLY bad for the bed, you can't get carborundum dust out of it.
Whoah! Watch where that landed we might need it later.
 

Offline max666

  • Frequent Contributor
  • **
  • Posts: 367
  • Country: at
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #173 on: July 25, 2015, 02:15:25 pm »
Thanks for the links Fungus.

And am I missing something or why is Mr 'Cordless vs security chain' pushing the grinder? He must not use it very often, otherwise he would have figured out that if he pulls it, he'd get on faster and it wouldn't seize that much.
 

Offline kcozens

  • Contributor
  • Posts: 44
  • Country: ca
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #174 on: August 06, 2015, 01:40:16 am »
Interesting video. Thanks for the reminder about the concept of power line analysis of electronic devices. I don't think it would yield any useful information in this situation. The simple way to write the program is to save the buttons being pressed. Once the 6th button is pressed then you would do a go/no-go check to see if the correct code was entered. It would make the lock immune to power line analysis.
 

Offline max666

  • Frequent Contributor
  • **
  • Posts: 367
  • Country: at
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #175 on: August 07, 2015, 03:11:15 pm »
... The simple way to write the program is to save the buttons being pressed. Once the 6th button is pressed then you would do a go/no-go check to see if the correct code was entered. It would make the lock immune to power line analysis.

Careful there. Saying it would make the lock immune is quite a strong statement. This has already been mentioned in this thread. How exactly do you do the "go/no-go check"? How do you compare an array? Do you maybe compare it bit by bit? Is there maybe a difference once a bit matches or not?
 

Offline Stonent

  • Super Contributor
  • ***
  • Posts: 3824
  • Country: us
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #176 on: August 08, 2015, 07:18:30 pm »
Don't try the lock. just cut the hasp it is attached to. Otherwise I will introduce it to my little friend Mr Afrox.

Note the steel of many shackles suffers from cold embrittlement, so you can simply freeze them with LN2 and then shatter them.

I'm a fan of BosnianBill's locklab channel where he picks locks and takes them apart. He is apparently some kind of federal agent but never specifically says what. 

He does also pick abloy, abus, and other high end locks, he even picked a 7 pin medeco over the course of a few weeks.

I had a recent need for a lock and found a fairly inexpensive lock by Brinks that had a boron steel shackle, ball bearing retainers, and security pins. The shackle has a pry resistance of 5 tons of force. So at least should be resistant against most petty criminals.
The larger the government, the smaller the citizen.
 

Offline SeanB

  • Super Contributor
  • ***
  • Posts: 16276
  • Country: za
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #177 on: August 08, 2015, 07:48:35 pm »
Another channel added, I have some of those locks, but here picking is not much in fashion.
 

Offline DanielS

  • Frequent Contributor
  • **
  • Posts: 798
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #178 on: August 09, 2015, 04:07:49 am »
The fastest way to crack a mechanical combination safe:


Seven times world-champion safe-cracker. Cracks almost any combination safe in about five minutes. All by finger touch alone.
 

Offline Rasz

  • Super Contributor
  • ***
  • Posts: 2616
  • Country: 00
    • My random blog.
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #179 on: August 09, 2015, 04:59:14 am »
Seven times world-champion safe-cracker. Cracks almost any combination safe in about five minutes. All by finger touch alone.

if human can do it machine would be able to do it even faster, it seems all you need is arduidiotino, bldc motor controller and strain gage :o
Who logs in to gdm? Not I, said the duck.
My fireplace is on fire, but in all the wrong places.
 

Offline John Coloccia

  • Super Contributor
  • ***
  • Posts: 1212
  • Country: us
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #180 on: August 10, 2015, 03:10:55 am »
Seven times world-champion safe-cracker. Cracks almost any combination safe in about five minutes. All by finger touch alone.

if human can do it machine would be able to do it even faster, it seems all you need is arduidiotino, bldc motor controller and strain gage :o

And there are such contraptions, actually.
 

Offline miguelvp

  • Super Contributor
  • ***
  • Posts: 5550
  • Country: us
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #181 on: August 10, 2015, 05:34:48 am »
His fingers won't help him much with a digital lock.
 

Offline DanielS

  • Frequent Contributor
  • **
  • Posts: 798
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #182 on: August 10, 2015, 08:06:35 pm »
His fingers won't help him much with a digital lock.
It might not but it is still impressive to see someone crack a four turns bank vault's combination lock just as easily as a three turns gun safe with nothing more than his feather-touch.

For digital safes that lack a mechanical deadlock mechanism (ex.: tempered glass pane) though, the simplest and fastest way to get inside (aside from either knowing the combination or some sort of master code) is to drill the locking pin that keeps the safe locked (a tiny solenoid-activated pin in this case) once you know its exact location.
 

Offline John Coloccia

  • Super Contributor
  • ***
  • Posts: 1212
  • Country: us
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #183 on: August 10, 2015, 10:01:20 pm »
The thing is that there's a style of combination lock that basically can't be cracked other than brute force trying every combination. The style of lock he's cracking has a fatal flaw, and one that wasn't appreciated for a long time...but anyone who studies locks knows what it is these days.  It's still very impressive because it's not easy to do, and it's dang near impossible to do it at his speed...it's just incredible. I do wonder why anyone with something important to lock up, like a bank, bothers with that style lock. 
 

Offline helius

  • Super Contributor
  • ***
  • Posts: 3639
  • Country: us
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #184 on: August 10, 2015, 11:46:43 pm »
I guess the inherent difficulty of manipulating disc locks made them seem highly secure, so that even better approaches had trouble getting adoption. Just by adding 3-5 false gates on each disc, it would already be incredibly difficult to manipulate.
But the whole problem of sensing resistance to movement, etc, would be moot if the sidebar was locked outward, out of contact with the discs, until after the knob was locked in place. It's such an obvious idea that I'm sure it was invented a long time ago.
 

Offline John Coloccia

  • Super Contributor
  • ***
  • Posts: 1212
  • Country: us
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #185 on: August 11, 2015, 01:40:48 am »
I guess the inherent difficulty of manipulating disc locks made them seem highly secure, so that even better approaches had trouble getting adoption. Just by adding 3-5 false gates on each disc, it would already be incredibly difficult to manipulate.
But the whole problem of sensing resistance to movement, etc, would be moot if the sidebar was locked outward, out of contact with the discs, until after the knob was locked in place. It's such an obvious idea that I'm sure it was invented a long time ago.

It was.  For example, the Sargent and Greenleaf 8500 series.  I don't know any manipulation technique other than brute force, and I doubt one exists.  Still, even with the less secure style of lock he's cracking, it is such a difficult technique to master. I've seen him work before, and I'm always amazed when I see him zip through a lock like that.
 

Offline max666

  • Frequent Contributor
  • **
  • Posts: 367
  • Country: at
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #186 on: January 01, 2016, 10:14:13 pm »
Totally agree with your statement , locksmith can open the hinge very easily as know to open or unlock the safe locks also.

Is that a shameless self-advertisement?
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16627
  • Country: 00
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #187 on: January 02, 2016, 09:09:02 am »
Totally agree with your statement , locksmith can open the hinge very easily as know to open or unlock the safe locks also.

Is that a shameless self-advertisement?

If so, it's one of the worst I've ever seen  :-DD

Clue: Safe hinges aren't part of the security mechanism. They're just there to let you swing the door open after you unlock it.
« Last Edit: January 02, 2016, 09:10:37 am by Fungus »
 

Offline hamdi.tn

  • Frequent Contributor
  • **
  • Posts: 623
  • Country: tn
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #188 on: June 13, 2016, 09:33:41 pm »
 :-DD :-DD :-DD :-DD :-DD
i just locked one (with door opened) in my hotel room when trying to program it xD i just passed 5 minutes in the damn room to start doing what i do best  :-DD
 

Offline zaidbakri

  • Newbie
  • Posts: 1
  • Country: il
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #189 on: July 25, 2018, 10:46:56 am »
Is it possible to reset the pin code from inside (ic)
 

Offline briangordon

  • Newbie
  • Posts: 8
  • Country: us
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #190 on: September 11, 2020, 09:10:09 am »
this is where attack is happening, how do you compare good code to bad code? you don't have vliw, simd, nor even 32bit alu to make whole comparison in one instruction.

... The simple way to write the program is to save the buttons being pressed. Once the 6th button is pressed then you would do a go/no-go check to see if the correct code was entered. It would make the lock immune to power line analysis.

Careful there. Saying it would make the lock immune is quite a strong statement. This has already been mentioned in this thread. How exactly do you do the "go/no-go check"? How do you compare an array? Do you maybe compare it bit by bit? Is there maybe a difference once a bit matches or not?

In C it would look like:

Code: [Select]
int success = 0;
for (int i=0; i<6; ++i)
  success &= input[i] == secret[i]
if (success)
  turnOnSolenoid();

Notice that the loop doesn't terminate early on an incorrect digit.

Looking at the datasheet for the MCU, it has an 8 bit word size so a decimal digit fits easily in a word. Comparing two words from memory is a single instruction, taking 4 clock cycles. The comparison itself takes place within a single clock cycle. Same goes for accumulating the success value. Unless you think you can detect differences in current draw based on the specific values on the data bus or in RAM or in the status flags or moving through logic gates, this code seems immune from power line analysis.

There's a fantastic little programming manual I found (attached below) which tells you everything you need to know to write assembly code for the ST62. I couldn't resist taking a crack at actually implementing this in assembly, optimized as best as I can manage:

Code: [Select]
; We assume that X starts out holding a pointer to the first byte of the keypad input sequence array
; We assume that Y starts out holding a pointer to the first byte of the secret code array

LDI W,0h

; Check digit 1
LD A,(X)
SUB A,(Y)
ADD A,W
LD W,A
INC X
INC Y

; Check digit 2
LD A,(X)
SUB A,(Y)
ADD A,W
LD W,A
INC X
INC Y

; Check digit 3
LD A,(X)
SUB A,(Y)
ADD A,W
LD W,A
INC X
INC Y

; Check digit 4
LD A,(X)
SUB A,(Y)
ADD A,W
LD W,A
INC X
INC Y

; Check digit 5
LD A,(X)
SUB A,(Y)
ADD A,W
LD W,A
INC X
INC Y

; Check digit 6
LD A,(X)
SUB A,(Y)
ADD A,W

; There is literally no conditional long jump instruction so we have to conditionally short jump over an unconditional long jump...
JRNZ +1
JP TurnOnSolenoid
 

Offline RenThraysk

  • Regular Contributor
  • *
  • Posts: 106
  • Country: gb
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #191 on: September 12, 2020, 05:17:50 pm »
this is where attack is happening, how do you compare good code to bad code? you don't have vliw, simd, nor even 32bit alu to make whole comparison in one instruction.

... The simple way to write the program is to save the buttons being pressed. Once the 6th button is pressed then you would do a go/no-go check to see if the correct code was entered. It would make the lock immune to power line analysis.

Careful there. Saying it would make the lock immune is quite a strong statement. This has already been mentioned in this thread. How exactly do you do the "go/no-go check"? How do you compare an array? Do you maybe compare it bit by bit? Is there maybe a difference once a bit matches or not?

In C it would look like:

Code: [Select]
int success = 0;
for (int i=0; i<6; ++i)
  success &= input[i] == secret[i]
if (success)
  turnOnSolenoid();

Notice that the loop doesn't terminate early on an incorrect digit.


With a decent compiler and optimisation level that loop is eliminated. success always equals zero, lock never opens. :)

Usual convention for constant time comparisons is using xor and or.

Code: [Select]
    int x = 0;
    for (int i = 0; i < 6; i++) {
        x |= input[i] ^ secret[i];
    }
    if (x == 0) {
       turnOnSolenoid();
    }


« Last Edit: September 12, 2020, 05:31:36 pm by RenThraysk »
 

Offline briangordon

  • Newbie
  • Posts: 8
  • Country: us
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #192 on: September 13, 2020, 12:59:38 am »
No, I don't think the loop would be optimized away. I'm not sure what you have in mind there.

xor works fine too. I'm not sure what you mean by that being the convention. In C you would always write == to communicate intent, and in assembly I've seen subtraction used where there's no explicit comparison instruction.
 

Offline CChin254

  • Regular Contributor
  • *
  • Posts: 57
  • Country: us
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #193 on: September 13, 2020, 05:24:52 am »
IC Identification for this device:
* La Gard LG 3740_3750 Basic Electronic Digital Lock.pdf (1567.2 kB - downloaded 59 times.)
Predicted Block Diagram:
1065796-1
 

Offline helius

  • Super Contributor
  • ***
  • Posts: 3639
  • Country: us
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #194 on: September 13, 2020, 06:08:50 am »
No, I don't think the loop would be optimized away. I'm not sure what you have in mind there.

0 & a & b & c & d & e & f is false for any values of a, b, c, d, e, f;
EEs tend to know this because the AND gate's output is zero whenever any of its inputs is zero. Put another way, the success condition in your code starts out false, and the AND operator can never become true when it has any false inputs. So the loop cannot, by construction, alter the value of success. The C compiler should therefore consider the entire loop as dead code, since it has no effect on the program and does not involve volatile variables.

There are also other problems in the code, such as the absence of blocks (compound statements) following for and if. This leads to "dangling if" problems where the scope of the if is not what it appears to be on the screen. That's the case in your code: the simple omission of a semicolon means that the if is actually inside the loop!

Code: [Select]
int success = 0;
for (int i=0; i<6; ++i)
  success &= input[i] == secret[i] if (success) turnOnSolenoid();

This will produce a syntax error at compile time, but there are other situations where it would pass unnoticed (comma...)
 

Offline RenThraysk

  • Regular Contributor
  • *
  • Posts: 106
  • Country: gb
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #195 on: September 13, 2020, 12:23:17 pm »
No, I don't think the loop would be optimized away. I'm not sure what you have in mind there.

0 & a & b & c & d & e & f is false for any values of a, b, c, d, e, f;
EEs tend to know this because the AND gate's output is zero whenever any of its inputs is zero. Put another way, the success condition in your code starts out false, and the AND operator can never become true when it has any false inputs. So the loop cannot, by construction, alter the value of success. The C compiler should therefore consider the entire loop as dead code, since it has no effect on the program and does not involve volatile variables.

Exactly. As seen here https://godbolt.org/z/7oqTj6
 

Offline briangordon

  • Newbie
  • Posts: 8
  • Country: us
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #196 on: September 14, 2020, 10:46:47 am »
Ah I see, there's a bug in my code. success should start out as 1, not 0. Then it works fine.

I wrote the C code correctly first, but then wrote the assembly version and, due to the limited instruction set, it turned out to be easier to write essentially this code (well, the unrolled version of this):

Code: [Select]
int failed = 0;
for (int i=0; i<6; ++i)
  failed += (input[i]-secret[i]);
if (failed == 0)  /* open only when the accumulated difference is zero, as the JRNZ in the assembly does */
  turnOnSolenoid();

I went back to the C code to make it more like the ASM, but decided it was less clear and changed it back... messing it up in the process  :-X
 

Offline RenThraysk

  • Regular Contributor
  • *
  • Posts: 106
  • Country: gb
Re: EEVblog #762 - How Secure Are Electronic Safe Locks?
« Reply #197 on: September 14, 2020, 11:37:32 am »
Ah I see, there's a bug in my code. success should start out as 1, not 0. Then it works fine.

I wrote the C code correctly first, but then wrote the assembly version and, due to the limited instruction set, it turned out to be easier to write essentially this code (well, the unrolled version of this):

Code: [Select]
int failed = 0;
for (int i=0; i<6; ++i)
  failed += (input[i]-secret[i]);
if (failed == 0)  /* open only when the accumulated difference is zero, as the JRNZ in the assembly does */
  turnOnSolenoid();

I went back to the C code to make it more like the ASM, but decided it was less clear and changed it back... messing it up in the process  :-X

Try this with an input of "ababab" and a secret of "bababa", and you'll see why xor and or are used. 

« Last Edit: September 14, 2020, 12:26:28 pm by RenThraysk »
 
The following users thanked this post: briangordon
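
The comparison variants debated in the last few replies, side by side, as an added example that is not any poster's code or the lock's firmware. The function names, the step counter and the sample codes are constructed for illustration, and the `volatile` accumulator is an assumption used to keep a compiler from shortening the loop.

```c
#include <stdint.h>
#include <stdio.h>

#define CODE_LEN 6

/* Constructed sample codes, not taken from any real lock. */
static const uint8_t SECRET[CODE_LEN]      = {'b','a','b','a','b','a'};
static const uint8_t SWAPPED[CODE_LEN]     = {'a','b','a','b','a','b'};
static const uint8_t WRONG_FIRST[CODE_LEN] = {'x','a','b','a','b','a'};

/* Early-exit compare. *steps counts the digits examined, which is the
 * data-dependent quantity a timing or power trace could expose. */
int check_early_exit(const uint8_t *in, const uint8_t *secret, int *steps)
{
    *steps = 0;
    for (int i = 0; i < CODE_LEN; i++) {
        (*steps)++;
        if (in[i] != secret[i])
            return 0;
    }
    return 1;
}

/* AND-accumulate. init is the starting value of the success flag:
 * with init == 0 the result is 0 for every input, so the lock never opens. */
int check_and(const uint8_t *in, const uint8_t *secret, int init)
{
    int success = init;
    for (int i = 0; i < CODE_LEN; i++)
        success &= (in[i] == secret[i]);
    return success;
}

/* Sum of differences in an 8-bit accumulator, mirroring SUB/ADD on an
 * 8-bit MCU. Differences of opposite sign cancel, so some wrong codes
 * are accepted. */
int check_sum(const uint8_t *in, const uint8_t *secret)
{
    uint8_t failed = 0;
    for (int i = 0; i < CODE_LEN; i++)
        failed = (uint8_t)(failed + (in[i] - secret[i]));
    return failed == 0;
}

/* XOR/OR accumulate: always CODE_LEN iterations, and a set bit in the
 * accumulator can never be cleared by a later digit. */
int check_xor_or(const uint8_t *in, const uint8_t *secret)
{
    volatile uint8_t diff = 0;
    for (int i = 0; i < CODE_LEN; i++)
        diff = (uint8_t)(diff | (in[i] ^ secret[i]));
    return diff == 0;
}

int main(void)
{
    int steps;

    check_early_exit(WRONG_FIRST, SECRET, &steps);
    printf("early exit, first digit wrong: %d digit(s) examined\n", steps);
    check_early_exit(SECRET, SECRET, &steps);
    printf("early exit, correct code:      %d digit(s) examined\n", steps);

    printf("AND, init 0, correct code:     %d\n", check_and(SECRET, SECRET, 0));
    printf("AND, init 1, correct code:     %d\n", check_and(SECRET, SECRET, 1));
    printf("sum,    swapped digits:        %d\n", check_sum(SWAPPED, SECRET));
    printf("XOR/OR, swapped digits:        %d\n", check_xor_or(SWAPPED, SECRET));
    return 0;
}
```

A fixed iteration count only removes the position-of-first-mismatch leak; it says nothing about whether current draw depends on the values being compared.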

