Automatic enumeration of combinations in mechanical safe locks
At the Ruxcon conference in Melbourne, two Australian hackers showed off a homemade Arduino-based device that brute-forces combinations on the mechanical locks of some safes.
Pentesters Jay Davis and Luke Jahnke explain that cracking equipment is expensive and not available for sale. Using 3D printing and an Arduino, they made an “auto-dialer” from very cheap parts with a total cost of only $150. The device can find the combination of a mechanical lock of the UL Group 2 standard, where the combination consists of three numbers from 0 to 99, with an error tolerance of ±1 in each number.
The design uses a stepper motor that connects to the Arduino board through an expansion module.
First, three problems had to be solved: 1) attaching the stepper motor to the lock; 2) verifying the accuracy of the rotor's rotation; 3) testing the device.
To solve the third problem, they took a simple lock, solely to verify the concept.
The first problem was solved by printing a homemade adapter. They did not have to buy a 3D printer or use complex editors like AutoCAD. On the Internet, they found a simple but suitable 3D design program, Tinkercad.
The adapter from the stepper drive to the lock is ready! It was printed by acquaintances, although you can use one of the commercial services; it will still be inexpensive.
For control, they wrote code that moves the rotor to a desired angle. The program even supports cool features like acceleration. Now you can give the Arduino a numerical combination, and the rotor rotates to the desired position.
After the initial testing of the drive, it was decided to buy a real safe lock. The choice fell on the La Gard 3330 model. For it, the same procedure of printing an adapter was repeated.
It was still necessary to come up with a way to determine that the lock was open. For this, the developers used Hall effect magnetic sensors.
The design for attaching to the safe was borrowed from the game Payday 2.
This could not be done in Tinkercad, so they had to use SketchUp.
Here is the result.
The rest is straightforward: the device dials a combination, checks whether the lock is open, and then repeats the cycle. Checking one combination takes 4 seconds, so a single session is unlikely to be enough. Therefore, the library supports loading combinations from an SD card and working across several sessions, remembering the combinations already tested. You can create a pre-generated list of the most commonly used combinations, such as birth dates. The maximum possible number of combinations is 100,000 (taking into account a peculiarity of the UL Group 2 specification: a ban on the use of numbers from 0 to 20 in the last position), which gives 4.6 days of pure brute force.
The authors will soon publish the device design files and the source code for controlling the drive in the public domain. At least, that is what they promise.