How secure are electronic locks used on safes?
Part 3 is where I show 5 ways to crack into a cheap safe! https://www.youtube.com/watch?v=Y6cZrieFw-k
Dave tries a basic first attempt power line analysis attack on a standard La Gard (LG) 3740/3750 Basic electronic digital lock on a CMI home safe.
Can you crack an electronic digital safe lock with just a resistor and an oscilloscope?
All sorts of safe cracking techniques are discussed - thermal camera imaging, bumping, drilling, and spiking the solenoid.
And naturally there is a complete teardown of the La Gard lock and a demonstration on how it works.
And then Dave does something incredibly dumb, and has to fix it the old fashioned way, Hollywood style.
It's a tale of epic fails and stunning wins.
Part 2 is here: https://www.youtube.com/watch?v=mdnHHNeesPE
Forum: http://www.eevblog.com/forum/blog/eevblog-762-how-secure-are-electronic-safe-locks/
http://www.kaba-mas.com/media/654586/v4/File/basic-basic-plus-series-brochure.pdf
ST ST62T25 OTP Microcontroller
http://www.alldatasheet.com/datasheet-pdf/pdf/23746/STMICROELECTRONICS/ST62T25.html
AT93C46 http://www.atmel.com/Images/doc5140.pdf
EEVblog Main Web Site: http://www.eevblog.com
The 2nd EEVblog Channel: http://www.youtube.com/EEVblog2
Support the EEVblog through Patreon!
http://www.patreon.com/eevblog
EEVblog Amazon Store (Dave gets a cut):
http://astore.amazon.com/eevblogstore-20
T-Shirts: http://teespring.com/stores/eevblog
Donations:
http://www.eevblog.com/donations/
Projects:
http://www.eevblog.com/projects/
Electronics Info Wiki:
http://www.eevblog.com/wiki/

Hi, this one's going to be a bit of an unusual one. I came across this CMI home safe, it's made in Australia, you bloody beauty, and it's got one of these La Gard digital locks on it, and I thought, hmm, I wonder if there's any way that we can sort of, you know, have a look to see if we can hack into this lock and actually open the thing, rather than, you know, trying to physically crack into the safe. I wonder how easy these things are, if there's any vulnerabilities in these locks? So I thought we'd do a video just seeing if we can do what's called a power line analysis, a power line attack, on one of these things, and you'll see what I'm talking about in a few minutes. Now, this is a CMI branded safe. They make really top-quality safes here in Australia, not in Sydney I believe actually, and this is one of their home...

You know, one of their basic home models, and it's the H2 (I'll link the datasheet down below), and it's a pretty, you know, entry-level home safe. It's probably the absolute minimum you'd want to actually protect anything, as opposed to those cheap things that you get at Bunnings, just like at the Home Depot or whatever in your country, those, you know, fifty, hundred dollar, couple of hundred dollar safes. This is like a, you know, seven, eight hundred dollar safe.

It's about the minimum you can get. If we have a look inside this thing, we'll see that it's got a twelve millimetre thick front steel plate. That's not too bad. It's got a deadbolt on the thing.

Looks like maybe it has an anti-drill plate there. I'm not entirely sure. I don't think it's like a proper manganese steel or some other type of anti-drill plate, but it's not too bad at all. It's got some reinforcement around the front here, and it's got mounting holes down the bottom and at the back as well, and six millimetre steel all around.

So it's just a basic safe that would probably protect you against just a casual opportunistic thief with their crowbar. They probably couldn't get into this in a hurry, but of course any professional thief would just, you know, rip through this with their power tools and things, no problems. But if you securely mount this to the back wall and the floor, on concrete for example, it's going to stop your basic thief. So it's pretty much the minimum that you'd want for a home safe.

But I thought, yeah, are there any vulnerabilities in these electronic locks? Hmm. Now this is actually an LG brand, not to be confused with LG the electronics company. This is a La Gard, and these are pretty much the industry standard basic electronic lock. La Gard are one of less than a handful of top companies in the world who make these electronic locks, you know, as other brands like S&G, Sargent and Greenleaf for example, are some of the world leaders in this thing.

And I believe this is the 3750 model. It's their basic model, so this is used on safes up to a couple of thousand dollars worth. This CMI home model, by the way, has a recommended cash rating, an insurance cash rating, of about $5,000, so it's not, you know, it's not a real super-duper safe, but as I said, probably good enough really. If you're interested in what are actually good safes, if you want a real proper one, you need what's called a TDR safe. They're called different things in different countries but that's what they're called here, and TDR stands for torch and drill resistant. So as I said, it's got like manganese drill plates.

It's got a glass relocker in there, so it has a glass plate, so if you try and drill through to access the solenoid mechanism and stuff like that, it shatters the glass plate and the relockers come into place and things like that. This one, as I showed, only has the one deadbolt here; others have, you know, multiple deadbolts, and they'll have, you know, anti-cut and anti-grind materials built into the steel walls and, you know, things like that. So yeah, pretty much now,

if you want a "real" safe in quote marks, you need a TDR class safe. So to open one of these it's a six digit combination. It must be six digits and you can program it to be any six digits. This one happens to have, I believe, like the original factory code,

so it's just one, two, three, four, five. If we actually do it incorrectly, it beeped at us and flashed the LED. And this is actually the handle to turn the thing; some actually have a separate handle to turn the bolts in the thing, but this one is like that. So if we go one, two, three, four, five, six, bingo, you might have heard the solenoid click into place, and we're in. Now, there's a few attack methods for these electronic locks, one which I will just mention because, well, everyone will want me to mention it, is to use a thermal imaging camera, and if somebody has just operated the lock like, you know, seconds or minutes maybe before, then it'll show up as a thermal signature.

So if I go in there and touch those like that, you can see that my thermal signature shows up there on the buttons, and you can actually determine the order they were pressed in based on how quickly they fade out. You can see that's faded out pretty quickly, so that's not really a valid attack.

And by the way, if you do that, you can just go like that afterwards, you know, and nobody's going to be able to see a thing. And this is how people can steal your PIN numbers at checkouts and things like that. They can just have one of those phone thermal imaging cameras and they can steal your PIN number, if you're that paranoid.

The second method is what's called the bump method, where you actually just pick up the safe and drop it down on the floor, I kid you not, or just bang it on the top like that. Now this is a valid method for like those real cheap safes that you buy at the hardware store that I mentioned, you know, the fifty, hundred dollar, real basic safes, or the ones that you get in hotel rooms and things like that. They're susceptible to this bump method. So you can just like bang on the top of these cheap safes and you can open it. But hey, no, this is actually at least a, you know, a decent basic safe. This one is not susceptible to any sort of bump method. It basically means just this: the spring loaded solenoid inside,

just by bumping it, you can actually operate the solenoid. You don't actually have to defeat it electronically. So anyway, I might do a video, might get one of those cheap fifty dollar safes from Bunnings and actually demonstrate that. But yeah, those things are useless.

Just do not buy hardware store safes. They're ridiculous. Now the third method, which was actually quite a valid method and might still be on some really old safes, I'm talking like, you know, 20 years old, early 90s, when I believe La Gard were the first to introduce a commercial digital lock.

Anyway, the early digital locks were apparently susceptible to what's known in the industry as spiking, and what that means is you could actually remove this front and you could actually get access inside this front electronic lock mechanism to the pins which go to the solenoid. And of course if you got that, you could just come along with, you know, like a battery and you could, what's called, spike the pins and operate the solenoid, and bingo, open the thing. But no, they pretty much fixed that, you know, a long, long time ago. So I don't believe there's a single electronic lock, at least not a quality one, on the market these days that would be susceptible to that sort of spiking.

And of course the fourth method would of course be to, like, you know, drill through and things like that, but, you know, they're like physical attacks, I don't, you know, I'm not interested in that sort of thing. But what I am interested in is, ta-da, the 9-volt battery that comes down. These are now the only wires that we have available, and I'm wondering: can we subject this thing to a power line analysis attack, i.e.

be able to tap into here, measure the current going through, and see if we can actually detect any process, any changes on the power line, any spikes on the power line based on the internal processor, when it changes when you enter either a correct digit or an incorrect digit, for example. So I'm thinking that maybe, like, you know, if you press the correct digit it goes into one subroutine, if you press an incorrect digit it goes into another subroutine, and that could manifest itself as different variations in timing on current pulses taken from here. And, well, this is all...

I don't know if it's valid, if we're going to be able to measure anything at all; it depends on how much decoupling they've actually designed into this thing and stuff like that, but because it's available I thought we'd give it a go. Now before we do that, let's just take a look at the deadbolt lock mechanism. This one actually comes in two types: a deadbolt like this, or a swing bolt mechanism. Let's just take this plate off and see what sort of wiring we've got coming through from the front. Now, if you see inside that battery holder there, there's really nothing else inside there apart from the wires going up into the mechanism and through the hole in the front door. Here's the deadbolt lock itself. It's got all the requisite standards. It's UL listed,

it's VdS, it's EN 1300 rated and all that sort of jazz, so you know it really is a proper electronic lock, and they've actually conveniently tied up... Can I get that out? Oh, there we go. I just push that in.

That's nice, and that connector comes out. We've got ourselves a four pin connector. That's not surprising at all. So the solenoid, the circuit for the solenoid, is inside this, so it does not penetrate to the outside.

So that's why I said you can't actually spike these things and operate the solenoid from the outside. It's pretty much impossible. So all we've got is the power. Of course, these four pins, you'd have the 9 volt battery power and the two data pins coming from the keypad.

That's it. So, you know, pretty much you can't attack this thing in any other way apart from the power line analysis attack, that's it. That's pretty much the only thing you could do.

Now, we might see if we can open up this thing later and have a squiz. If it's easy enough, it looks like that top plate there might actually come off. But for now, let's try the power line analysis attack.

I do actually have a dedicated tool for this job. This is the ChipWhisperer-Lite, which was a Kickstarter and was in the Hackaday Prize. You've seen this a little bit before, and this is designed for power line analysis attacks exactly like this, but not everyone's got one of these,

or, you know, can take this out in the field to crack locks like this. So I thought that we'd just try it with the most basic tool available: a resistor for power line current sensing and an oscilloscope. Let's see what we can get from that first.

Well, this is embarrassing. I got my 10 ohm resistor I was going to whack in series with the battery here, hooked my scope up and, umm, yeah, hang on, it no longer beeps at all. Can you guess what I've done? Well, in case you haven't figured it out yet, no, I cannot get back into this safe. I have locked myself out. Oh, well, a lot of people were probably screaming at me. I forgot to reconnect the cable back in there that goes from the keypad to the solenoid, and I was like playing around with it, and I thought I'd plugged it back in, relocked the thing in the closed position, and no, because, you know, I was going to go, yeah, I want to do the shot where I, you know, do the power line attack and try and open it, blah blah blah, and no, the solenoid is disconnected inside from the keypad and the battery.
There's nothing I can do. To fix this I have to crack into this safe the old-fashioned way, to reach through and reconnect the bloody connector. Oh, hi, welcome to the EEVblog! Yes, I'm back in the old lab at the garage here and I brought it here to see if we can drill through the sucker and try and fix it. Oh, let's go. Considering that we've already got the holes in the bottom and we've also got holes in the back as well, these are the mounting holes.

You can mount it to the wall and/or floor, so why not? I'll drill a couple more holes in the bottom, and that shouldn't actually affect the safe or door really. In fact, it provides a couple more convenient bolt-down points. Got six mill steel. I'm not sure if it's like hardened steel or mild steel or whatever it is, but yeah, we'll give it a go. Shouldn't be that hard.

Unfortunately I've actually lent out my power drill, so I'm gonna have to use my cordless drill. And I'm through. But of course I'm gonna need a much bigger hole for the fist to manipulate it. But when I have a look and shine a torch in there, I can see the pesky plug, so I want to be a bit above it; it's down like here or something like that.

And of course I could use like the angle grinder and I'd probably cut through this thing pretty quick, and, you know, if you're a pro thief and you don't care about noise, you know, this is what you'd be using to crack into, you know, a safe, unless it's a TDR safe as I mentioned, torch and drill resistant, and then it just blunts these, like, you know, blunted drill bits, just getting a couple of millimetres into the thing, let alone through all the material. Because this safe is only just six millimetres of steel, or my 12 millimetre plate up front for example, but your good ones actually have steel plate outside, then they have inner material which actually contains all sorts of particles which actually blunt all your drill bits and blunt all your grinding bits and things like that,

and then they have another inner steel plate. So that's what the TDR safes have got. Now the thing with this of course is that you've got to go real slow, because if you accidentally push through, you can easily cut the cable inside, so definitely don't want to do that. I drilled another one which is basically bang on to what I want, and even with these clamp scissor forcep things, it's just short. I can't reach it. Bloody Murphy, every time.

The second hole is really handy for being able to actually see through and see what you're actually doing while shining a torch through the hole in the back here to light it all up. But I think I might ultimately, you know, you could use like a borescope, one of these little, you know, microscopes. This is actually a microscope like this, but it can be set to infinity focal distance, and it's got a little light on the front and it can work as a webcam, so I can hook that up to the PC, it's a USB thing, and have my notebook next to it, and I can actually use that as a borescope to see inside exactly what I'm doing. You can see the cable just flapping around in the breeze there, and you could use a view like this to manipulate it as you come in from the side, well, from the bottom holes. There we go.

You can see the hole drilled in the bottom there and the two holes, but I can put this cam in the top. Oh, let's have a look at that. Well, I knew I was going to try and break into a safe, but I didn't think I'd have to do it this way.

Geez. I haven't got long enough scissor clamp forcep things, never tried to get in there with some metal skewers and get the thing. Anyway, I've got my camera set up here with some Blu Tack.

I've got a little screen to look at and manipulate, but jeez, it's not gonna be easy, and it's important to tug at the right angle. So let's see if we can actually get in here and use a metal skewer to lift it a bit higher. Yes, yes, yes.

And a screwdriver now. I remember that I had to push this in; it's almost like I've got to do maybe two things. I might have to push, I'm hoping that the tension of the cable is enough to push it in because the cable is all tied at the top there. See, it's almost falling in of its own accord. It's almost like it's there.

There we go. Hang on now. All I've got to do, I think, is push that. You get two screwdrivers in there and I think Bob's your uncle. Almost have it. Come on. Got it? Got it? Got it? Yeah! I think I got it. Bloody ripper! Whoa, Bobby Dazzler! No worries. Alright, the moment of truth, let's plug in a battery.

Hope it's good, and let's see, we can't go back. Will it be for naught? Two, three, four, five, six... haha! No, bloody ripper, look at that beauty.

Don't think I'll give up my day job though. And that actually went in like a treat. It's perfect with that matching connector, and once it's in, it then slips over and the latch pulls back, and Bob's your uncle. We're in, in like Flynn, too easy, haha.

And the good part about going in the bottom is, as I said, we really haven't damaged this thing. I could still resell this, no problems at all, and we've just got an extra two bolt holes on the bottom. No big deal at all, because these things are traditionally bolted down to the floor, and this one's got holes on the back as well. But yeah, no big deal. Beauty.

Okay, after that little fun detour, sorry about that, but hey, it was kind of fun. Very Hollywood style, break into the safe, I love it. Beauty. Anyway, we've got a resistor in series with the battery here. Just chosen a nominal value: 10 ohms. You want it to be a high enough value so that you get sufficient voltage drop across it based on the current pulses, any current pulses from the CPU, so that you can actually see it on the scope. So you don't want, you know, microvolts, hundreds of microvolts; you want, you know, tens, hundreds of millivolts, something like that. But you don't want it to be too high so that the voltage drops out; it's got to be able to operate the solenoid too as well.

So anyway, I've got a 10 ohm in there and I've got single shot capture on my scope. Let's press a button. Ta-da, look at that.

That's pretty good. That's 100 millivolts per division. So we've got like about 250 millivolts or thereabouts, so we can actually go in there and look at the data packets. Look at that.

I'm actually quite surprised we're actually getting significant data detail on that. So we've got some sort of packet. We'll see how long it lasts, but we're obviously getting some sort of regular oscillation there. Very interesting.

We'll go look at the frequency and the detail of that. But really, what I'm after for a power line analysis attack like this is, as I said, any difference between when you press the correct button in sequence and an incorrect button. Maybe the timing changes or some other data inside here changes. And of course this is where you want a deep memory scope, because you've got a long packet like this and you want to go in and see all the details. So you want the deepest memory possible.

So you go into the acquire menu and we're at 14 Meg points at the moment. Heck, you know, we can go like the full 56 Meg points on this scope if we want. That's a phenomenal amount of data, and so we can single-shot capture that again. And bingo, that's actually an incorrect one. Oops! I set the wrong time base there.

So you set that, and you don't want to waste all your memory, so you want to set it to maximize the memory. So you want as much of a single data packet on there as possible. You want to make sure it's one packet too.

So you turn the time base down to 200 milliseconds per division. Reasonable. It looks like we've only got the one packet there.

So as I said, you want the maximum amount of that packet on the screen like that, and then bingo! You can capture that and get the absolute maximum detail based on the sample memory of the scope. Doing something like this, you know, you're going to want like a Meg or two of memory at least. And just remember, when playing around with these locks, you can't just, you know, have unlimited attempts at this, because these have lockout features to prevent people just going in and trying to hack the numbers. For example, if you came along and tried to detect somebody's fingerprints in there by dusting it or something like that, okay, you might get your six digits, but you don't know in what order or combination they are, especially if they've used a number multiple times or something. And if you enter the incorrect combination four times, I think this locks out after four times in a row, then it'll lock you out for five or ten minutes or something like that before you can actually try again. So that just limits the brute force code attack.

Now the first thing we want to do is go in and see if there's any time difference in this packet based on entering the correct number, first the correct number in sequence, and then an incorrect number in sequence. You'll be able to re-trigger it. So we're at forty-nine point two milliseconds here, so if we single shot capture that again, we enter the correct digit, number one.

Bingo. That's what we get. Now if we go in there, single-shot capture that again, and we enter, say, the number eight. Nope. Looks like we're getting exactly the same time period.

I mean, you can go in there and check for, like, count the number of, you know, pulses and things like that, but generally, um, that looks like it's exactly the same. Hmm, scrub that one. Now I'm actually curious to know the frequency of this signal that we're getting there, because it looks like it's just repeating like that.

So I suspect it might not be the processor. It could be that buzzer that we're actually hearing, that beep every time. You would have to actually know how long the beep goes for, and that could be the data packet, but the frequency could be the frequency of the beep.

So we have to actually sample that audio and see what frequency that buzzer's beeping at and compare it to this. In this case, it looks like, there we go, four point zero seven two kilohertz. So let's see if we can measure the buzzer frequency now.

I just downloaded one of these little spectrum analyzer apps for my phone. I don't know, it was the first one that pops up. And let's have a look, there we go.

It is around about, you saw that, around about that four kilohertz mark. And here's another one called SpecScope that will actually hold and freeze the display. So let's try that. So I think that's a bit too coincidental,

all that, this is so repetitive like this, it happens to be practically exactly the same frequency, just over the four kilohertz mark. I think it's a pretty safe bet to think that the maximum time period here will actually equal the amount of time that that sound buzzes for.

Let's round that to, say, 50 milliseconds or so for that packet. Let's actually do it a bit better than that. I can actually capture the audio with my Zoom H1 here and then load it into Audacity, and then we can check it out that way. Much better, much more accurate. And here it is here in Audacity. I didn't get the amplitude right, but it's going to be good enough. We can actually, yeah, well, we can get the length of that.

But let's actually go in and have a good look at the spectrum, and what do we get? Here's our peak here. What is it? Ta-da: four point zero seven seven. We measured four point oh seven five. Bingo. My hunch was correct that this is just the PWM signal driving the piezo transducer in the thing.

And I'm getting about 54 milliseconds there for that packet. And, well, yeah, because it's such low amplitude, not quite sure where to stop it. Yep, it's near enough. It's an absolute certainty that this signal that we're seeing is just the piezo transducer.

So because we've got that massive amplitude there, you know, a couple of hundred millivolts, well, we're not going to be able to see anything down on that. So that was DC coupled. What I'm going to do now is go into AC coupled mode and wind the wick down to 20 millivolts per division.

And so, you know, if we run that, like, it's just going to sit there, right, like that. So we just get, like, nothing, right? The micro's in sleep mode; it's, you know, it's going to do absolutely nothing till it gets a button press and wakes up. So I'm going to set my trigger level, you know, just down below it.

You know, somewhere below that, get as close as you can so it's not triggering, and then bingo, like that. So, well, got a couple of spikes in there. I'm sure something's going on there, but it's gone down and back up. That's interesting.

And bingo, there's our packet. Don't worry about this overshoot here; that's just because of the AC coupling. This is what I'm interested in here.

So there's our packet that we saw before, that's the buzzer, but this could be the processor starting up, waking up and doing something. So, uh-huh, now we're getting somewhere.

Hmm, so ignore all that, that's just the packet that we saw before, and because it's 20 milliseconds per division, there it is, 20, 40. That's our 50 millisecond packet.

Mmm. The processor is doing something in here, and that's what you'd expect. You expect the processor, when you push the key, you expect the processor to wake up, do some processing, figure out if it's the correct key or whatever, and then do the buzzer, and that's exactly what we're seeing.

Set your time base back like that. Maybe, you know, set it back here or something, right to that point. So then we can start actually measuring that period there, because maybe that time period will vary.

So we should be able to re-trigger that one now and have a look. Let's try it again. Single shot? No, no, we've got another... no, that just could be some other RF or garbage or something like that. So I'm not sure what the deal is there.

There we go. That's better. That's better. And damn it, I've put myself in lockout mode. It just won't respond to any more presses. It'll just flash that light every like 10 seconds or something. There we go.

And damn, I'm going to have to wait like 5 or 10 minutes. And as I showed in a previous video, you've got to be careful with stuff like this. You can pick up crap and all sorts of things.

In this case, all this crap here is coming from my LED lights up there, so switch those off. Bingo. Look at that.

Now this is the data I captured here for the correct number. I've turned high-res mode on just to get rid of some of that noise and crap, and we can see that we've got a nice little current draw there, then another little blip, and maybe another little blip, and then we've got the packet which we've seen before. So anyway, I could actually save this as a reference waveform, for example, and then we can try and capture it again. So there we go.

We can store that as a reference waveform, and now we can capture it again and we can just see the difference visually on screen. Of course, I can export this data to a file and then I can go analyze it on a PC or something like that if I really want. So here we go. Got my reference waveform there in white.

Now let me press an incorrect button, say number 8. Whoa. Look at that.

It looks pretty darn identical to me. Well, there's nothing in that, it just comes down to noise, so there's no difference in the pulse width there. That's got to be the processor starting up, doing something.

We even get that little blip there, and we kind of even get that little blip there. So yeah, hmm. So unless there's some more data out here, I'll check,

but I don't believe there is. We've pretty much come a gutser here and, well, a no result, which is kind of what I expected. I didn't expect to find a power line vulnerability in this thing. Like, I actually didn't expect to get, well, anything useful out of this.

But we've actually gotten and analyzed some useful data here, and, well, we just can't pick it. So they've obviously designed this thing really well. Of course, you know, to get around all this sort of stuff, all they've got to do is design decent decoupling into this thing, and, well, you know, you can't do any power line attacks if there's all that local, you know, a massive amount of local decoupling near the processor.

You just won't be able to see it from right back at the battery terminals. Just a quick explanation on that in Dave CAD. If this is inside the safe, as we'll see in a second, it is like literally inside the safe, it's not outside in the keypad, so we only have access to the current out here. Now, if this is the CPU inside that's drawing little gulps of current when it powers up and does that sort of stuff, if you've got sufficient bulk decoupling inside the safe like this, then it's going to get all those high frequency current spikes from the decoupling, and then the capacitor is going to charge up at a much slower rate like this, and it's all going to be hidden inside. So all the detail is going to be hidden inside here, which you can't actually probe. It's not going to be visible outside here when you actually measure the current going into the thing. So yep, if you try and design a safe like this and one of these electronic locks, and you don't want it to be susceptible to power line attacks, well, you just filter the crap out of this line. You know, you could put in big LC filters and all sorts of, you know, massive amounts of decoupling in there. And they haven't actually done that by a huge amount, because we were actually able to measure some things on there.

But hey, I think they've taken things into account in the software, so a smart programmer would ensure that the length of the software loops, regardless of whether or not you press a good or a bad button, will be exactly the same so that you can't do any power line analysis attack. You know, we could probably get in there and, like, try and maybe get some minor differences and things, but geez. Edit: yeah, it's looking completely shot at this point, and if I make that time base a bit slower, you can see that there's just nothing out here, so that reference waveform stays the same period. So there's our buzzer, and that's the AC coupling recovery.

But yeah, we've got like near nothing and of course it goes without saying that the main processor is in here and also the flashy squared prom storage whatever it is for, the pin code is all inside this thing which is sealed inside the Se. So when these things wear out, in particular, this one because it rotates like this is not the world's most reliable design because, well, you know cables have to rotate and things like that, So the ones with the levers on them are a much much more reliable design than this one. But hey, this is only on a relatively cheap save, so it's okay. But yet, you might have to replace this thing.

The buttons wear out, for example, or the wires inside break, and then it's screwed, as I mentioned. But you can actually physically take this off and replace these things without losing your passcode. So if those things break, it doesn't matter.

You just replace the keypad on the front and the passcode is still stored in there, so you can still get back into your safe, no problems at all. Now if you look right down in there, you can actually see the cable there. And if I rotate this, you can see that cable inside move.

And you know, if you do this too many times, then yeah, you might eventually get a break in the cable. But I'm sure they've used, you know, top quality multi-strand cable in there, so it's designed to be rotated like that. But still, yeah, it eventually could wear out if you open and shut this thing too many times.
So let's see if we can actually see anything useful inside here. I hope it can come apart. Okay, that came out, no problems at all.

And by the way, this is the older model, the 3740; the newer one, the 3750, looks identical, but no surprises that this thing's over ten years old. And there's version 1.00, is that the firmware? Huh? That's a worry. And we're in like Flynn. Check it out. There's the cable going off to the solenoid in there.

There's some decoupling action happening there, that's a decent amount of tantalum, so that's all right. But obviously it wasn't enough for us to see some sort of stuff. Surprise, surprise, I expected, like, a Microchip PIC in there, perhaps. But no, we've got an ST Micro ST62T25, and this is a one-time programmable, OTP, microcontroller.

None of this modern flash rubbish. Heck, it's not even EEPROM. It is an OTP micro.

Very, you know, like, discontinued these days, they don't use these anymore. So there's no internal EEPROM in that to actually store the code. So, tada, that's why you can just see it in there: a 93C46.

So there you go, once again, that's ST. So they've got an external 1k serial EEPROM, and that's what stores your pin code in there. But this is, yeah, very old school. But considering that this design no doubt dates back to La Gard's, you know, very early design.

Maybe like back in 1990 or the very early nineties? Then yeah, I guess it's not that surprising, and the legacy micro still continued over. Hey, they got the code, it's all been verified and proven, so you know you don't want to go messing with it when you've got a winning product and market leading product like that.

And there's nothing too exciting happening in there: an external 4 MHz crystal, here we've got the decoupling, as I said, we're going to have some regulation, and we've got a PNP drive transistor up here for our solenoid.

No problems whatsoever. And yeah, it looks like we've got a big-ass polyswitch in there for protection, and Bob's your uncle. Now if we have a look to see how this thing works from the inside, sorry I haven't screwed it back in, but you can see that the only thing stopping pulling that back is that little plate which drops down there, which actually has a taper on it like that. And well, let's punch in the right code and see what we get, and bingo! It allows that to go through in there, so there's something in there that actually releases that pin, and then once it goes back, of course, boom, it just drops back into place and locks like that.

Nothing you can do. There's the back of the mainboard. Actually got lots of test pads on here, all numbered, so obviously some sort of decent amount of bed-of-nails production testing in there. If we take this all apart, we get our solenoid out there.
Here we go, we can have a look at... there is our little plate that has this spring on it, so it keeps it sprung down in there. That's what keeps it sprung to the solenoid, and that just sits in there. So let me see if I can now power this thing up with this backing plate off and you can have a look in there.

And if you want to have a look, just there, this is the rotating plate in the bottom there, which then, when you rotate it, just pulls this thing back. Then we've just got this little metal rod in there, and obviously when the solenoid kicks in, it's going to suck that all the way in there. And then of course this thing is free to move up and this whole thing pushes back, too easy. So if we try that again... oh, you can see that, hopefully you saw that, but it fell out. Oops, and gravity as well. For a minute there,

I thought I found a massive vulnerability in this thing. Like, if you hold it up like that, no problems at all. But if you hold it up like that, boom, it opens, and I thought, what the hell? Surely if you just tip the safe on its side... there's no way that vulnerability wouldn't have been found.

It's because the pin was able to slip via gravity all the way back into the solenoid without having it actually on. Well, but no, as it turns out, there's nothing wrong with it at all, because look what I found. I realized that they must have something else in the shaft. Why? I found a little spring on the floor which must have fallen out, and that's what keeps the pin pushed out of that thing. So maybe, technically, you know, some bump vulnerability there.

But the pin... there's not enough mass in that pin, though. It's all to do with the mass of the pin in that solenoid and the spring behind it which normally keeps it out. Oops.

I gotta disassemble it and reassemble it with the right part. Hmm, so maybe you can see what I mean by bumping. I've put the spring in there now, which keeps it out, and that's fine and dandy. But if you, boom, you know, if you bump the safe like that, boom, the spring could technically go back into there, but it has to go all the way back in and you've got to turn it at the right time. So I'm sure La Gard have done their homework on that anyway.

Like, yeah, trying to bump a forty kilo safe like this. Hmm. Nope, that seems pretty good, I can't do anything to that at all, can't get it to release.

So no, you can't bump these locks. And what about a drilling attack, like through the front for example, to try and, you know, get that solenoid pin to operate and stuff like that? Well, I think good luck with that. I mean, maybe in theory, but jeez, in practice that's just, yeah.

Like, you're better off just, you know, cutting into it some other way, I think. So yeah, that wouldn't be terribly easy. I don't think these are particularly easy to defeat in this particular scenario. I mean, you know, there's no easy sort of cracking there from outside to get access to the EEPROM and read the code out.
You can't do a power line analysis attack. You can't bump the things, so they're pretty darn secure electronic locks. No wonder this is, like, you know, the industry-leading, almost de facto standard electronic lock on even,

you know, quite decent medium to high range safes. So there you go, I hope you liked that video. Even though we didn't successfully defeat this electronic lock, we did, actually, well, kinda sorta crack into it Hollywood style via the drilling and the camera and all those sorts of things. I thought it was great fun, and it's an interesting engineering exercise to see how these things are designed and built to be secure. And even though we didn't find a vulnerability in these things, that's actually good to know, and well, we don't want any,

you know, publication bias here, so it's always good to publish even negative results like this, 'cause even though it's negative, it proves that these things are pretty darn secure. I like it. But one of the issues is, even if we were successful in our power line attack and we could figure out what the combination was, well, what the numbers are, and that's the key point: you can only figure out what digits are actually used in the combination, but you've still got a six digit combination. So when you have the lockout feature of these electronic locks for unsuccessful attempts, it locks you out for five minutes.

Well, how the hell are you going to do it in any reasonable amount of time? You can't. You're going to be screwed. So if you're a thief getting in there, even if you had a little automated jig, you know, a micro to plug up to it, and it told you what the six digits are, you don't have hours to sit there and try and hopefully guess the combination. You know, you want to be bam, in and out.

So yeah, these things are still secure even if we were able to do something here. So I hope you enjoyed that. If you want to discuss it, jump on over to eevblog.com. I'll probably have some high res photos of the lock and inside the thing up on eevblog.com as well.

There'll be a link to the forum down below, and follow me on Twitter and all that sort of jazz, and subscribe and, you know, give it a thumbs up if you liked it. Catch you next time.
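The point made earlier about making the software loops take the same time whether the pressed button was right or wrong is the classic constant-time comparison. As an added example that is not code from the video or from La Gard's firmware, this C snippet contrasts a naive PIN check that returns at the first wrong digit with one that does the same work for every input; the loop counter is a constructed stand-in for the burst of CPU activity an oscilloscope on the supply line would see, and the six-digit code and guesses are constructed samples.

```c
#include <stddef.h>
#include <stdint.h>

#define PIN_LEN 6

/* Constructed sample code, standing in for the code held in the lock's
   external serial EEPROM. Not a real default or factory code. */
static const uint8_t STORED_PIN[PIN_LEN] = {1, 4, 2, 7, 3, 9};

/* Constructed guesses used to exercise both checks below. */
const uint8_t GUESS_CORRECT[PIN_LEN]      = {1, 4, 2, 7, 3, 9};
const uint8_t GUESS_WRONG_FOURTH[PIN_LEN] = {1, 4, 2, 0, 0, 0};
const uint8_t GUESS_ALL_WRONG[PIN_LEN]    = {0, 0, 0, 0, 0, 0};

/* Naive check: bails out at the first mismatch. The number of loop passes
   (our proxy for how long the CPU stays busy, and so for the length of the
   current burst on the supply line) grows with each correct leading digit. */
int check_pin_naive(const uint8_t *entered, unsigned *work) {
    *work = 0;
    for (size_t i = 0; i < PIN_LEN; i++) {
        (*work)++;
        if (entered[i] != STORED_PIN[i])
            return 0;           /* early exit leaks how long the prefix was */
    }
    return 1;
}

/* Constant-work check: always visits every digit and folds the mismatches
   together with OR, so the loop count is identical for any input and the
   supply current tells an observer nothing about which digits matched. */
int check_pin_constant(const uint8_t *entered, unsigned *work) {
    uint8_t diff = 0;
    *work = 0;
    for (size_t i = 0; i < PIN_LEN; i++) {
        (*work)++;
        diff |= (uint8_t)(entered[i] ^ STORED_PIN[i]);
    }
    return diff == 0;
}

/* Wrappers returning just the verdict or just the work count for a guess. */
unsigned naive_work(const uint8_t *g)    { unsigned w; check_pin_naive(g, &w);    return w; }
unsigned constant_work(const uint8_t *g) { unsigned w; check_pin_constant(g, &w); return w; }
int naive_ok(const uint8_t *g)           { unsigned w; return check_pin_naive(g, &w); }
int constant_ok(const uint8_t *g)        { unsigned w; return check_pin_constant(g, &w); }
```

On a real micro the compiler output and instruction timings, not a counter, decide what the supply current shows, so even the constant-work version still has to be verified on the hardware with the scope.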


By YTB

25 thoughts on “Eevblog #762 – how secure are electronic safe locks?”
  1. Jim Locke says:

    You could replace the battery with a power supply with adjustable voltage. If you set a low enough voltage, the circuitry will function but not in the way it is designed to function. The internal logic circuits may get into a state where they power the solenoid when the voltage is suddenly increased to normal, even though the code has not been entered. This hack would require providing varying voltages, both up and down, below the normal operating voltage and then bringing the voltage up to normal. The circuit's behavior is probably not predictable and may vary from safe to safe.

  2. P A says:

    I see a person that puts a personal fail online, I respect it and I like it. Few can do that.

  3. BobWa43 says:

    How about using a magnet to retract the solenoid pin?

  4. Duane Ross says:

    They should just put some flash powder in the sides of the safe. That would wake ya up.

  5. LegoTekFan486 says:

    Actually, this makes me want to experiment with writing a keypad lock program for a microcontroller, and doing it different ways to see which ones are more vulnerable to a power line analysis attack.

  6. Neil Fraser-Smith says:

    CMI Safes are now made in China.

  7. 309Electronics says:

    Funny that everyone wants to kill the MCU to open the lock, but it's a good method 'cause semiconductors mostly always fail short circuit.

  8. Steve Banks says:

    If there are holes in the back, can't you get in with a very long screwdriver, remove the lock backplates and inject power direct to the solenoid? Then re-assemble once open for the perfect crime.

  9. flobbie says:

    In like Flynn.

  10. Josh Ruiz says:

    You talk way too much.

  11. Mikko Rantalainen says:

    Would it be possible to use a strong magnet (permanent or electronic) to either move the pin inside the solenoid or to create a suitable magnetic field for the solenoid to activate?

  12. model rogers says:

    Thank you Dave. That was great fun.

  13. Ian Montgomery says:

    I did QC checks on some of the cheaper units in China prior to our acceptance of them. I found that you could open them with a bump on the top before they were installed, but once bolted down you couldn't. I couldn't work out why that was so. I also had my laptop in a hotel safe and it would not open with the code I set. I asked the girl in charge if she could open it for me using the master code. She did not know whether it had one, so I took a guess and used the factory code. Yep, it opened, so then I had her get the manager and I showed her how to reset all her safes with a new code. She was really grateful, especially as I hadn't just kept quiet and opened the other safes!

  14. kpn5000 says:

    Please, sir, Bob is not my uncle.

  15. Curtis LEE says:

    That reminds me of when I left my car, but the key was inside the car, and the car locked by itself. 😢

  16. Dermot Fixter says:

    Next idea: overclock the Safe??

  17. Terry Stephens says:

    Wasting your time – these locks are used on many different brands of quality safes.

  18. DDDSSDDDSSDDDSS says:

    Drill to the solenoid wire and power it.

  19. Vega says:

    Take it from someone who knows, they aren't secure, but really aren't designed to be impenetrable but to provide resistance to certain types of attacks for a certain period of time. If you need security, you can swap your lock for a group 1 lock, or something more serious like a Kaba X- series lock (if you can find one) but be prepared to pay.

  20. Maks F. says:

    So… You should always use a secondary power supply unit in this kind of device.

  21. Robert Mitchum says:

    You quickly drilled a hole in this safe to plug the solenoid cable back in… I say drill a hole in the safe and pull the solenoid cable OUT! Apply power to the solenoid, and you're in like Flynn… Drill right next to that convenient loop of extra cable right there on the door!

  22. Ding sens says:

    That is the reason why I don't like safe designs that you can lock without power. Mine has a motor to drive the bolt, so it cannot lock itself without being operational…

  23. Rasheed says:

    What about using a powerful magnet to push up the spring… is it feasible?

  24. Whisky Guzzler says:

    Super interesting failure. Thanks for sharing.

  25. aussiegruber86 says:

    Lock picking lawyer will teach you some tricks.
