

Safecracking for the computer scientist (2004) [pdf] - deutronium
http://www.crypto.com/papers/safelocks.pdf

======
deutronium
I'm very curious about how some auto-dialers (devices which automatically
brute-force the safe's rotary code-entering mechanism) make use of audio to
apparently look for specific sounds relating to the locking mechanism.

For instance:

[http://blockyourid.com/~gbpprorg/mil/lock/softdrill/](http://blockyourid.com/~gbpprorg/mil/lock/softdrill/)

[http://blockyourid.com/~gbpprorg/mil/lock/softdrill/SOFTCAP1...](http://blockyourid.com/~gbpprorg/mil/lock/softdrill/SOFTCAP1.htm)

You can apparently get microphones specifically designed for safe cracking
too:

[http://www.keyprint.co.uk/store_detail.asp?stkcode=LS-LKM103...](http://www.keyprint.co.uk/store_detail.asp?stkcode=LS-LKM1036AMP)

~~~
yuubi
The device shown isn't quite a brute-force attack; it exploits a side channel.
Back in the 1980s there was a device called the ITL-1000 that took a couple of
days to dial combinations in sequence, with the only feedback it received
being whether the lock opened.

Refer to the picture at
[http://www.sargentandgreenleaf.com/MC-6730.php](http://www.sargentandgreenleaf.com/MC-6730.php),
which shows a typical combination lock with the combination dialed (as you
can tell by the position of the lever; if the correct combination weren't
dialed, the lever would be held up by one or more of the aluminum wheels).
When the lever is held up, the drive cam (brass thing closest to the camera
that's normally attached to the dial) can rotate freely, with the nose of the
lever dipping just slightly into the notch in the edge of the drive cam.

When the lever is so held up, one of the wheels does the holding because
manufactured things are never quite straight. If that wheel gets set to the
correct position, another wheel holds the lever up slightly less, and the nose
of the lever hits the sloping edge of the notch in the brass drive cam at a
slightly different position. One can graph the location of the "contact point"
as each wheel is turned and work out the combination.

~~~
StavrosK
Don't the wheels spin in a sequence, from the outermost to the innermost? In
that case, couldn't you vary their widths, so the lever is only held up by the
widest (and last) wheel?

------
dbarlett
Exploiting mechanical weaknesses in Master dial padlocks to reduce the search
space from 64,000 to 100:
[http://www.markedwardcampos.com/files/gimgs/13_mcamposfinal....](http://www.markedwardcampos.com/files/gimgs/13_mcamposfinal.png)

