Dave does some more quick basic testing of the La Gard Basic digital safe lock, for any obvious power line exploits.
Part 1 is here: https://www.youtube.com/watch?v=HxQUKAjq-7w
Forum: http://www.eevblog.com/forum/blog/eevblog-762-how-secure-are-electronic-safe-locks/
EEVblog Main Web Site: http://www.eevblog.com
The 2nd EEVblog Channel: http://www.youtube.com/EEVblog2
Support the EEVblog through Patreon!
http://www.patreon.com/eevblog
EEVblog Amazon Store (Dave gets a cut):
http://astore.amazon.com/eevblogstore-20
T-Shirts: http://teespring.com/stores/eevblog
Donations:
http://www.eevblog.com/donations/
Projects:
http://www.eevblog.com/projects/
Electronics Info Wiki:
http://www.eevblog.com/wiki/
Hi. This is just going to be a quick follow-up video to the previous one. I've been doing some basic power line analysis attacks on one of these La Gard digital safe locks. This is a semi-basic safe made in Australia, and click here if you haven't seen the previous video, because it's got lots of detail on various things.
So I thought we'd do just a quick follow-up video, looking in a little bit more detail at exactly what's happening here on the power line for this particular lock. Let's go now. As per the previous video, we're doing nothing fancy here at all. We've just got a 10 ohm resistor in series with the 9-volt battery on this La Gard digital lock.
Here we've just got a standard times-one scope probe. You don't want to use a times-ten; you can, but you'd just attenuate an already very low-level signal. Our signal doesn't really need the bandwidth, you know; to get 5 or 10 MHz bandwidth on a times-one probe is certainly adequate. And on the scope here, we actually want to set this up for you.
Notice all the noise and stuff and crap, all sorts of things we're picking up. So we want to put on high-res mode there, just so we clean up that signal. Now, the first thing I want to check: we were doing single-shot capture before with the first button press, so we were checking for any vulnerability on the first button press, to see if it was good or bad, to see if we could see any differences on the power line in how the processor inside here, inside the safe, actually detects the first key press, and we really couldn't find any vulnerability on that first key press.
So we're going to do subsequent key presses now and see what it does, and see what it does at the end of entering in all six digits. Now the first thing I want to check: instead of a regular single-shot capture mode, what I want to do is change the time base. I want to go into roll mode here, so that the thing rolls across like that, and we'll be able to see, if I press the button, the transitions happening in real time. Now this is the interesting thing.
Let's take a look at this now. When we press the button here, as you saw, we were getting signal excursions which actually went off our scale here, and that's fine, because we want to look at more of the fine detail in here. So we're at 1 millivolt per division at the moment. Sorry, it's a bit difficult to get this shot; I'm trying to get the lock and the scope in the same shot. I've had to turn my lights down here so that they didn't wash out the screen, because we've got the white here.
It's actually reasonably difficult to shoot this thing cleanly, but anyway, we've got roll mode, so we can continuously see it. So what do we want to do now? You can see that there's basically nothing there. Okay, 1 millivolt per division.
We're getting no noise. The processor inside the lock (it's on the inside, not on the outside here, as we saw in the previous video) is shut down. It's sleeping. It's just waiting, doing nothing, waiting for that key press to interrupt it, wake it up from its sleep mode and start up. Now, watch this. OK, if we press a button, it doesn't matter what button it is. OK, so it could be 7.
The code for this one, by the way, is 1, 2, 3, 4, 5, 6. It's a six-digit code, and if we enter the code incorrectly, as I said last time, more than I think three or four times, it'll actually lock us out for like five or ten minutes. So that's a very useful security feature that these locks use, so you can't just brute-force them.
Even if you know which six numbers are in the combination, you can't just start brute-forcing. So let's push it and watch what happens. Okay, now you see it was clean there, but look, boo, we're getting some ripple on there now. That is...
Obviously the processor has not shut back down. The processor is still going. Boom. Look at that, you can see that it's shut down.
So I can actually time that, so let's actually do that again. Here we go, and let's time that and see how long it waits for the next key press, if that key press doesn't come along. Seven, eight, nine, ten. There we go.
Ten seconds. So if you don't press a second key within 10 seconds, it'll shut back down and reset that key sequence. So there's a potential for an attack sequence there, if we could detect individual key presses. As I said, it has that lockout mode, but only if you go through all six digits.
So if I go one, two, three, four, five, seven incorrectly, okay, that's one incorrect key press. If I do that another couple of times, then it will lock us out permanently, and that count resets if I do the correct key sequence here.
Okay, so in theory, if there was a way to exploit and detect the correct keys in that sequence, you would actually have an infinite number of shots at it. Provided that you waited for that 10 seconds to exit that key sequence and reset that timer, you wouldn't get hit by that entry delay thing that they've built into the lock. So that's a potential way in. It doesn't mean we're going to find anything, and I've actually verified that by doing that like 10 times in a row now, and it does not lock me out.
So I effectively get unlimited attempts at doing not only the single digit, but also up to 5 digits. As long as I don't go to that sixth digit within the 10 seconds between each period, then it'll time out and I get an infinite number of shots at it. So yeah, that's a potential way in, perhaps, if there is any power-up or power line vulnerability on this thing. OK, so what we want to do now is compare the first and second key presses to see if they're different.
So here we go. Waited the 10 seconds, so this will be a first key press. I'm going to trigger. I've changed it back to single-shot capture mode, YT mode; it's not rolling anymore, and I've set the negative trigger level down here so that we're capturing this, the beep pulse, which we established in the previous video. That's the physical beep in there. It does all the processing before that. Now that's what happens if you press the first button. Now we can actually store that waveform as a reference, just like we did last time. So I can go into my reference menu here and I can go save. We can change that. Save that.
Bingo. There we go. So now we can recapture that and make sure that's exactly the same again. So let's do it.
I don't know, I don't remember which button I pressed last time, but look, it's identical. We get this: wake up. The processor seems to wake up here, seems to shut down, maybe do something. Well, they're the pro...
I think they're the processor ticks that we saw last time, that noise. You see how we had the consistent ticks like that. Anyway, so it's powered up, it's doing something, it's processing, and then it's going into that beep.
So it's exactly the same regardless of which button we press. I think this is more detail than what we got last time. So I can repeat that again with the number 0, for example. And now this is rather interesting.
I pressed 0 there and that's what I got. 0 seems to be different to all the other numbers. If I wait the 10 seconds, which I've waited, and I press any number here, I don't know, 5, right? Then we get exactly what we got before, and I can do that. I've gone through off-camera here and checked them all over, and they all do exactly the same thing except zero.
So we can do number nine, for example. Okay, I think we've waited our 10 seconds. Bingo. We get exactly the same waveform.
But if we wait that 10 seconds again and do 0... 0 seems to be special. So I'm not sure, because for the program mode on this you normally have to press star and then the sequence and stuff like that. So I'm not sure why 0 first is producing a different result. Not sure what the deal is there at all.
So I just slowed the time base down by one notch, and let's try zero again. It's... no, it's exactly the same, but for some reason it doesn't trigger on it properly. Yeah, it doesn't.
Even though my trigger level lines are right down here, it shouldn't trigger. Maybe there's some extra noise in there from number zero? I don't know, but it seems very consistent, so it could just... I might just put that down to some sort of triggering type thing. Anyway, it's exactly the same waveform shape.
I mean, if I go like that and shift that over like that, bingo, it's exactly the same. Now here's the interesting one that we want to get. Okay, if we do number four like that, okay, that's our first key press. Doesn't matter what key it is, it's no different. So there's no vulnerability on the first key press. We do the second one within 10 seconds. Bingo.
Look what we get: this pro... and that, sort of like our processor, the regular processor noise that we saw before. Okay, but it's different.
We don't get this pulse here before, and I've actually expanded this time base right out. And as we saw in the roll mode before, these ticks just go on forever and they're exactly the same. They keep going for 10 seconds because it's powered up. So there's only something different here and here, like that.
So I can save that waveform as well. Actually, what I'm going to do is I'm going to do the correct sequence here, and I'm going to store the correct sequence for the second digit. So I'm going to go one, retrigger the scope, two. Okay, so that is the correct digit? Uh-huh.
Okay, so we now have our white reference waveform there. That was the first digit, and then the second digit, which was the correct digit, is now this green waveform. So now I'm going to do the same. I'll go one and then I'll go three, which is an incorrect sequence, and see if there's any difference.
So let's give that a go: one, and then single-shot capture again, and three. Bingo, it's different. That's interesting. So now we can save that one again.
We can enable Reference 3 here and let's give it a different color. Let's give it a light blue here, and we can actually save that as reference channel three. So now we have three waveforms saved there. The white one is the first key press, the green one was the second correct-sequence key press, and the light blue one,
which is different to the light green one, and that's interesting, is the incorrect sequence. So I'm going to see if that's exactly repeatable, with the correct one but, instead of one and three, I'll go like one and eight or something like that, and see if it matches that new light blue waveform. So here we go: one, single shot, and like seven, lucky seven, shall we? Bingo, it matched the blue waveform for the incorrect sequence.
That's fascinating. We might be getting somewhere. So now what I want to do is capture a correct sequence again, but instead of having one and two, for example, I'll get it further on in the sequence.
So I might get, say, three and four in the correct sequence, and it should... You know, if the theory is right about there being a vulnerability on the power line here, in the way it actually processes the sequence of numbers, correct and incorrect, then it should match the green one and not the light blue one.
So let's give that a go. So one is the correct number. Okay, so I'll just go like one, two, three, single-shot capture, four. Why, it's not quite following the green, is it? It's not quite following it. Look, it's different.
Again, that's a bit of a... I was hoping for that to be the same, but you can see it's lower amplitude here. It's higher amplitude on this one. Yeah. Okay, let's try. Yeah, that one's higher amplitude, that one's lower, so that's fascinating. So let's try that again for a different sequence further on. It could be because it's got more numbers to process and that sort of jazz.
So let's try the next one up. Let's try... well, we know, let's try four and five, for example.
So one, two, three, four, single-shot capture, five. Ah, bingo, that one matches the green. That might have been some anomaly or something like that.
I can try the other ones, but it matches, so that yellow one... As you can see, that yellow one matched the green one. So if it's a correct sequence, it's one waveform. If it's an incorrect sequence, it's another waveform.
Ah, that's good. That's got power line vulnerability written all over it. Just try that sequence, three and four, again.
Three, single-shot capture, four. Yeah, it's definitely different. That is fascinating. Hmm, let's try two and three. So one, two, single-shot capture, three.
It matches the green one. So what's different about three and four? Off the top of my head it doesn't seem to have any real significance, but I could be wrong. Now, I just wanted to re-verify that the correct digit sequence was repeated.
We know how I captured the green waveform before with one, two. Well, it doesn't seem completely repeatable. Now it seems to be like one of two types. You can see the yellow waveform I just captured now.
I'll do it again. Okay, so here we go: do one, single-shot capture, two, and occasionally it'll match the green one, but often it doesn't. So it's not repeatable; like, sometimes it's repeatable, I get it three times in a row, other times it's not. It's not like there's some sort of random function in there or, you know, some sort of randomness in the software, because it seems to be like one of two different scenarios.
So let's see if I can get it again. There we go. Got it, right? But we can actually try that again. Let's wait out ten seconds. I'll just jabber on for another little bit, and that's got to be 10 seconds, surely.
So let's try it again. One, two. Hey, it matched it. No, mate. Not down here.
It didn't. So it's really not a hundred percent reliable, but there is definitely something there, at least. So let's put aside that randomness there and say that we have found a vulnerability here where we can find two correct digits in the sequence like this, i.e. we can identify which is a good two digits in the correct sequence and which is two digits in an incorrect sequence.
Well, to find just the two digits, we have to try all the combinations. So we've got to go 1, 1; 1, 2; 1, 3; 1, 4; all the way up to 1, 9 and then 1, 0. Of course, because it can be the same number in the same sequence, you've got to try 1, 1. And of course you can't do more than 5 at once, so you'd have to do 4 and then stop. You'd have to wait the 10 seconds for the timeout and do the next one. And then if you haven't found it, well, you've got to go through all the sequences. You've got to go 2, 1 and bring you all the way through to 2, 0, and then once again, after you've entered...
After you've tried two of those, you've got to wait the 10 seconds. Then you'd have to go 3, 1; 3, 2; blah blah blah, all the way. You'd have to try every single sequence just to get 2 digits in sequence like that, and you might think, OK, well, you can calculate how much time that's going to take you, but which two digits is that? It could be these two.
It could be these two. It could be these two, these two, or these two up here. You don't know. So really, even if there is a genuine vulnerability there, it's pointless to try and exploit that via a brute-force attack like this. It's just...
You'd be there forever. You're better off just bloody drilling into the safe, and those math nerds can go through and work out, you know, how much time it will take you if you've only got two attempts like this.
And it can be any two digits in the six-digit sequence. And the average amount of time it's going to take you. So you know, you could have rotten luck, could be having a real bad day, Murphy could be right on your ass, you know, and it might take till the last digit to get the bloody thing, so you know.
Ah man, it's just horrible. But any math nerds who want to do the math on that, go for it, right? So there may or may not be something there. I think we may have actually found something. But anyway, let's go on and see what happens, see if there's any extra processing at the end of the six-digit sequence like that. Let's see if we can find anything there. All right, let's do the correct sequence: one, two, three, four, five, single-shot, six. And you heard the double beep there? That means the correct sequence, so we can store that as our correct-sequence waveform.
Here's just a little annoying thing with the Rigol when you save reference waveforms like this: look, you can enable all of these reference channels, right up to ten reference channels. How many colors have you got to choose from? That's it. You've only got five colors. Wow. And the other annoying thing is it doesn't tell you your currently selected color there either. It tells you the currently selected reference waveform there,
but you don't know about your current color. Geez. Anyway, saved, all right. So that's our stored correct six-digit sequence that opened the lock. Now we'll do an incorrect sequence: one, two, three, four, five, single-shot, seven. Hey, look at that. Whoa, that's interesting. So once again, I think we've been duped by the time base there, so let's actually try that again.
I'll just do the correct sequence, just so I don't accidentally lock myself out or anything dumb like that. Okay, so now we'll do the incorrect sequence again: five, and single-shot capture, and seven. So we're at a slower time base now, so we can scroll. We can now move that back, because we've got the detail to do that now, and that's where it starts.
So it's good. Yeah, look, it's got a funny little jaggy there and it doesn't line up in time. Well, actually, I'm not going to say it doesn't line up in time sequence, because it does. If you align the start there, that certainly lines up.
But look, that's different. Okay, that is definitely different. Now I'm going to enter a completely incorrect sequence. Okay, so I'll actually store that one as reference five.
The other annoying thing about the Rigol: this selection control here is incredibly touchy. Like, you only have to breathe on it from halfway across the room and the thing moves. And also, when you go to press the button like this, you can often cause it to move just before you press it.
It's really... yeah, it's very touchy. They need to do something about that. Oh, bloody hell, it selected the wrong color. I wanted orange and it didn't do it.
Oh, that's what it's done. Oh, all right, so our orange waveform in there is the correct one, okay, the correct sequence, and that white/gray one there is our incorrect sequence. Let's verify that incorrect sequence again.
So I'm going to go just, I don't know, like eight, two, three, four, five, single shot, and two, I don't know, something like that. There we go.
Yep, hang on. No, this has gone back up here instead of going back down there like the other one. So something, once again...
That's changed. I've got this huge spike there, which we didn't... It didn't go all the way back up before; it sort of started going down there. So it looks like there's some sort of difference between, you know, like a close number and one that's not,
perhaps? All right. So let's do one, let's say halfway in between: one, two, three, six, five, four. Ah, that one's identical.
See, this is like the non-repeatability I've seen before on the other one, when we were checking for two-digit sequences. Seems to be something happening there again. Perhaps, because look, it's matched that gray, that white one we had before, when we did one, two, three, four, five and then seven, and now we did one, two...
What did we just do? One, two, three, six, five, four or something? And it's an identical waveform, but there is a difference. So let's do the repeatability again. One, two, three, four, five, seven. Let's try that again and it should match the orange waveform. So, oh, I don't need to single-shot capture that: one, two, three, four, five, single-shot, seven. So there you go, it's exactly the same again. So let's keep going.
Let's just run another sequence, shall we? I'd better do... Actually, damn it. Oh, I locked myself out. Oh ah, people were probably screaming at me there.
Yep. I did three in a row and locked myself out. Okay, let's do the repeatable correct sequence again. I've waited my ten minutes or whatever,
waited for the timeout. God, that was embarrassing. One, two, three, four, five, single-shot, six. Boom.
Yeah, that's good. It matches. So I'll just shuffle that across. The Rigol's a bit... not hugely responsive to the vertical, the horizontal position control.
It's once again a bit touchy. You get some overshoot there. It's really annoying. But yeah, it matched that orange waveform that we had before.
So bingo, let's do it one more time just for kicks, shall we? Five, single-shot, six, and the safe opens. And, why, no, see, look, it shuffled that. Look, that's low amplitude, this is high amplitude. So it seems to randomize, perhaps, like not completely random, but it seems, like I saw before, it does seem to change. It's not entirely repeatable, and I'm not sure what the deal is, whether that's a deliberate decoy in the firmware, because on a well-designed product like this, they'd be aware of power line attacks and you'd expect them to possibly build in some randomness,
or, you know, to do some tricks in firmware to actually, uh, you know, mask that sort of thing. So yeah, perhaps that's what they're doing. So even if there is a vulnerability there, it, you know, once again, like the two-digit sequence before, what is that? How does that help us? Not much at all. So really, that's all I wanted to check for today.
Just once again, a very basic power line analysis, you know, as simple as you can get, with a 10 ohm dropper resistor in series like that and just a scope probe and just a scope doing that. You know, yeah, you can get better tools for the job, like the ChipWhisperer, which I had, and things like that can really gain it up and see the noise and get averages and, you know, get the data out of the noise and all sorts of things. So I just wonder, once again...
I'll probably still get complaints from people that I didn't go far enough, but anyway, that's all I've got time for now. I've got to head off and finish assembling my X-Carve live. Now, by the way, we're about to switch that on live, but you won't know this, because this video is not going live. So yeah, do that.
So yeah, we found a couple of interesting things there, and there might be some sort of vulnerability there, but, you know, it doesn't seem consistent, which is really annoying. And as I said, even if there was a vulnerability there, once again, go through the math of how many, if you had to do the whole six digits, even if there was a vulnerability there, with the three-attempt ten-minute lockout, it's just, you know... So you'd have to do it some other way. So I think, just the way I've been doing it, the simplistic approach, it seems reasonably, you know, reasonably safe, pun intended. But no, it doesn't mean this thing is not vulnerable. I mean, if you use much more advanced power line attacks and things like that, people have talked about, like, seeing the, oh, maybe the I²C bus for the keypad side, if it's like an I²C bus that might be in parallel with the one at the back. Nah, I pretty much don't even have to test that.
This is one of the best locks on the market, this La Gard one, as I said before, and if it was that vulnerable that you could read the code out of the EEPROM, which is hooked on to the same bus as the keypad, then yeah, that would be a well-known exploit. So you know, I don't think they're that stupid. Anyway, that's all I've got time for today. I'd love to do some...
Maybe I might do a video with the ChipWhisperer and more advanced stuff and things like that. So this is just very simple, so please don't complain that I haven't gone far enough. I know I haven't gone far enough. It's just, once again, I just wanted to do some simple tests, and we did actually see some differences there, so I'm actually quite impressed by that.
We did actually make a bit of progress, even if it's a pointless one, but I hope you found that an interesting video. Anyway, if you liked it, please give it a big thumbs up. If you want, ask us at EEVblog via the YouTube comments. I'll try and read them all. Catch you next time.
If you have a little think and make a reasonable guess as to why 0 gives a different result, then you'll come close to the answer. If you think of what the button presses do and what they're compared against, then you'll figure it out.
It's 7 years since the video was posted. Has anyone managed to hack the safe yet? I've got the same lock on a fairly heavy safe which is locked closed. From what I can gather there are some clever tools available (little black box & phoenix) which can hack the code. But I can't find anyone in the UK with one, and buying one for £4000 would be ridiculous. I'm guessing if these tools really exist and work, then this lock is hackable. Anyone managed to do it yet with an oscilloscope and care to share the secrets?
The zero flutters because 6x zero is the first code in the code change sequence...
So basically it puts every number in memory and only challenges them when you press the last one?
The second valley from power off only seems to go as deep for correct numbers even though it doesn't always. That could still be useful for cracking, but yeah, annoying.
Maybe worth checking if power waveforms rotate through a set or are completely random by repeating the same code several times in a row.
"So they're away for the weekend, I have my scope, I have my tablet and pen... Never mind, hand me the grinder..."
Make sure the homeowner is on vacation for a month? Hey, let's spend thousands on equipment to not be able to open a safe.
There was a lot of talking but it didn't really say much.
I'm thinking the processor just waits for 6 digits to be put into a buffer, then runs them against the proper code, rather than checking them as it goes. Honestly would be the smarter way. Thus, no power line vulnerability.
So, I know this is unpopular based on the comments, but it's possible each button is compared in order, as it would be very efficient using bitwise operators like XOR, assuming key 1 is 1000, key 2 is 0100, key 3 is 0010 and so on. You could map it in a table so the correct code is always 1111 or whatever, and if a wrong key is pressed, exit the sequence immediately to save processing power. Without firmware analysis it's impossible to really know. I'd like to see a firmware dump; if it's a MIPS processor or something, it should have serial Rx and Tx for flashing to connect to. Could actually lead to a viable vulnerability if we could see the assembly.
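The two keypad designs argued about in the comments above (buffer all six digits and compare once, versus check each key and bail out early) are modelled here together with the 10-second entry timeout and the full-entry lockout counting Dave measured in the video. This is added example code, not the La Gard firmware: the lockout threshold and duration are assumptions taken from Dave's "three or four times" and "five or ten minutes", and the `work` counter is a stand-in for the amount of processing a power line probe would see.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define CODE_LEN          6
#define ENTRY_TIMEOUT_MS  10000UL   /* Dave timed roughly 10 s between key presses */
#define LOCKOUT_AFTER     3         /* assumption: "three or four" wrong full codes */
#define LOCKOUT_MS        600000UL  /* assumption: "five or ten minutes" lockout */

/* Constructed sample value: the code Dave uses in the video is 1,2,3,4,5,6. */
static const uint8_t SECRET[CODE_LEN] = {1, 2, 3, 4, 5, 6};

/* "Check as you go" design hypothesised in the comment above: stop at the
 * first wrong digit. 'work' receives the number of digits examined, so the
 * processing done depends on how many leading digits were correct. */
int compare_early_exit(const uint8_t *entered, const uint8_t *secret,
                       size_t len, int *work)
{
    *work = 0;
    for (size_t i = 0; i < len; i++) {
        (*work)++;
        if (entered[i] != secret[i])
            return 0;                  /* data-dependent early return */
    }
    return 1;
}

/* Hardened design: compare all digits in one pass with no data-dependent
 * branch; mismatches are OR-folded into 'diff'. 'work' is always len. */
int compare_constant_time(const uint8_t *entered, const uint8_t *secret,
                          size_t len, int *work)
{
    uint8_t diff = 0;
    *work = 0;
    for (size_t i = 0; i < len; i++) {
        (*work)++;
        diff |= (uint8_t)(entered[i] ^ secret[i]);
    }
    return diff == 0;
}

typedef struct {
    uint8_t  buf[CODE_LEN];   /* digits buffered so far */
    int      n;
    int      failed;          /* consecutive wrong full entries */
    uint32_t last_key_ms;
    uint32_t locked_until_ms;
} lock_t;

enum { LOCK_PENDING = 0, LOCK_OPEN = 1, LOCK_WRONG = -1, LOCK_LOCKED_OUT = -2 };

/* Feed one key press at time now_ms. Mirrors what Dave observed: a partial
 * entry that times out is discarded without counting toward the lockout, and
 * the comparison only happens once the sixth digit is in the buffer. */
int lock_feed_key(lock_t *l, uint8_t key, uint32_t now_ms)
{
    int work;
    if (l->locked_until_ms && now_ms < l->locked_until_ms)
        return LOCK_LOCKED_OUT;
    if (l->n > 0 && now_ms - l->last_key_ms > ENTRY_TIMEOUT_MS)
        l->n = 0;                      /* 10 s silence: entry discarded */
    l->last_key_ms = now_ms;
    l->buf[l->n++] = key;
    if (l->n < CODE_LEN)
        return LOCK_PENDING;
    l->n = 0;
    if (compare_constant_time(l->buf, SECRET, CODE_LEN, &work)) {
        l->failed = 0;                 /* correct code resets the counter */
        return LOCK_OPEN;
    }
    if (++l->failed >= LOCKOUT_AFTER) {
        l->failed = 0;
        l->locked_until_ms = now_ms + LOCKOUT_MS;
        return LOCK_LOCKED_OUT;
    }
    return LOCK_WRONG;
}

int main(void)
{
    const uint8_t guess[CODE_LEN] = {1, 2, 3, 9, 9, 9};  /* constructed */
    int w_early, w_ct;
    compare_early_exit(guess, SECRET, CODE_LEN, &w_early);
    compare_constant_time(guess, SECRET, CODE_LEN, &w_ct);
    printf("early-exit examined %d digits, constant-time examined %d\n",
           w_early, w_ct);
    return 0;
}
```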
At a guess, the variability is due to the quirks of flash memory/the ROM.
Can't remember which direction, but changing ones to zeros/zeros to ones is not symmetric; one takes substantially longer/more current than the other, leading to any timings getting messed up by what was in the cell previously, hence why 0 looks different to the rest: all 0s in binary, whereas all the others have at least one 1 in them.
To make it consistent you'd have to enter the correct code after every attempt.
This still leaves the possibility of a power line attack if it's being naughty like this and not clearing the code memory after every attempt, but it'd be more difficult to pull off, needing access to the safe up to 4 separate times. Say if 0->1 is the expensive one, then the first time you enter all 1s, second time all twos, third time fours, fourth time eights,
and see which positions took a different amount of time. Those have a 0 in that position, and you have the code, by comparing the bit values of the previously entered code, which is presumably the correct one, as most don't input an incorrect code after they unlock it.
You could probably reduce it to less if you could discriminate between different numbers of expensive transitions.
Did you ever verify if removing the 9 Volt battery reset the "failed attempt lockout"?
It would be quicker to grind it open and you wouldn't need all the equipment, but then that is not what it is about, is it? So it is going to be not opened. OK, I'll get the money from under the bed and put it inside the safe. Drats, the battery is flat!
You could have some software run the brute-force attack and record the differences in processing responses. But it would still take a very, very long time due to the 10 second rule.
Next video: fill the safe with water and add a small explosive inside as well. Do it now.
Could you at least in theory overload whatever stops the electricity from going to the solenoid?
Does the lockout timer reset when power is disconnected, and what about power glitching?
I know this is an old video, but I wonder if there are any RF or H-field vulnerabilities?
Does the reset drop timing change when you get the right or wrong sequence? I.e. you have 10 seconds if entering the right digits, but what if you enter the wrong ones, does it reset earlier than the 10 seconds?