Hacker News new | past | comments | ask | show | jobs | submit login
Robot cracks open safe live on Def Con's stage (bbc.com)
325 points by SirLJ on July 29, 2017 | hide | past | web | favorite | 112 comments

Last month I had the disappointing surprise of finding a lock on my bike. I forgot I put it (it's been years since I last used it). And it's not a key lock.. so I'm screwed. Not willing to cut the cable.. I decided to brute force it. 999 space is fun. Luckily you quickly find similar tips than the alignment one to speed up the process. And since it's not a full rotary lock, I could also "DDR" the tests by testing when going from 0 to 9 then from 9 to 0. 5 minutes later and 800 attempts I was lifting my bike like a king. Until I realize the rear tire was dead. TL;DR; do not succomb to the seductive power of cryptanalysis.. check rubber first !

It probably would have been faster to apply tension to the lock, and then rotate the rows of digits until you find the "binder" (the one that the lock is resting on under tension).

Once you have found the binder, rotate it until you feel the lock open slightly and the digit ring falls into the gate. The digit ring will move freely for about 1.5 digits until it starts to seize again.

Repeat until you've found all the digits. I've done this one a number of occasions to help friends unlock their bikes, or to troll them by changing the combination on their bike.

tl;dr: combination locks suck. Don't use them, ever.

Case in point: https://youtu.be/uMvx0GtfEOk

That's exactly what I did.

Then it should not have taken you 800 attempts?

In reality there are other issues:

- mechanism is rusty

- has backlash/play

you're never sure you isolated the empty slot, so you assume so, go deeper, then backtrack when you reached the leaf of that exploration tree. Also, the double scan thing made it quick enough to avoid trying to probe too long for the right slot, hence the hybrid solution.

800/999 is worse than brute force at that point…

How so ?

On average it would take around 500 guesses. One would have expected that with your "method" you could have reduced this by an order of magnitude (i.e. not 800) at least. Otherwise you're really just wasting time with additional steps for each trial.

By bruteforcing randomly, you'll find the combination in 500 attempts on average.

To have to make 800 guesses, you need to have pretty bad luck, or a strategy worse than bruteforce.

Average says nothing about how often you'd expect to take more than 800 attempts or more unlock, which I guess is 199/999 or one in five times

bruh... you think I can remember all the random attempts in my head ?

Without hyperbole stories are not as fun.

When I was 10, I found a rotary bicycle lock + connected chain, locked alone to a post in a park. Having read up on locks even then (god knows how), I tried the method of "pull on it and spin the dials".

About 30 seconds later, it was unlocked.

I used that lock for about 10 years, until I went to University, where the thieves were a bit smarter.

Just a note that the lock you found may have not been abandoned.

Many bike posts in my university's undercover bike shed often had several locks without a bike in sight. It turned out many people leaving bike locks on posts they often use (it doesn't take up much space or prevent someone from using the post).

It saves those cyclists the hassle of carrying the the lock with them (only the key), which is particularly an issue with those very heavy bike U-locks and D-locks.

Agreed. I have a lock on the work bike lockers I use. Everyone seems to do this. Means you can have a very hefty lock but not carry it. Speaking of we moved buildings I need to snag it.

At university, I had someone accidentally lock their bike to mine with one of those. So I just unlocked and relocked it, using a similar process. (There was a lot of play in the wheels - it was a fairly cheap one.)

hehe nice story.

My cherished (and uber low grade) bike was stolen in Paris. The robber didn't bother to find the code, they ripped that tiny cable apart. They were nice enough to leave the bits in a McDonald's bag where the bike was attached (and of course, the McDonald's was just in front of me). Anyway I know have a 2kg keylock chain on my new bike.

In a bike workshop you frequently remove locks. It always takes seconds.

It is a bit like taking on a project and not knowing the admin password, it takes seconds if you know the codebase to fix it.

After taking assembler my freshman year (1970's) i wrote the combination lock code in the octal representation of 1-9. I wrote it on the bottom if the storage unit rented to?store furniture between terms..

When i returned to unlock it, the numbers were faded and unreadbale.

Got lock pliers from the office

lol. Funny someone suggested to engrave similar encoding into the frame.

And since I was eyeing on CNC milling machines .. that might be a nice project. I am thinking about stealing the correction scheme used on CD to be scratch resistant.

For 1000 possible combinations, wouldn't you expect to have to try ~500 combinations on average to find solutions? Since you found it in 800 attempts, this suggests that whatever method you used may have actually made your odds of success worst.

> on average

You can "expect" but if you only have one lock to unlock, it can be anything from 1 to 1000 attempts.

If you had 1000 locks, you can expect that the average would be 500 (if the numbers were truly random), but it still means that you might need one try for some locks, and 999 tries for some other lock.

Well if you enumerate in order and your code is 800 then you have to try 800 cases.

I'm not sure how you make that inference. Could you explain your logic?

It's a cool robot, but auto-dialers are a known tool in safecracking.

Additionally, the safe in question seems to be a SentrySafe SF082CS, which caries NO security rating from UL. The lowest test rating, RSC, only requires the safe survive a 5 minute attack with hand tools.

there's a little more to this than autodialing; dialing the entire keyspace would have taken several days. presenter used some manufacturing defects to narrow the keyspace into something that could be cracked in 45 minutes.

How do I find a UL-security-rated safe? Does it matter if I don't bolt it to the floor?

Depends on where you are. UL ratings are used in north america. There are similar EU ratings that I dont recall of hand. TL ratings are for theft/entry resistance. There are other modifiers for fire, water, chemical, etc resistance. Unrated "safes", and even some that are said to be rated, are junk. In NA you want to get in touch with a local safe dealer/specialist. Most of their business is commercial, and they are not the same as a locks ith or "security" company. Moving and installing a safe is a specialist job by itself.

As a sibling commented RSCs are the lowest level and appropriate for home use of low level valuables. Expect $500-1000 and up. TL rated products are almoat always geared towards commercial use. When I was looking a local safe company had a korean made TL-15 with 1 hr fire resistance for about $2500. This was a very bare bones commercial demo/returned unit about 2'x3'x5' interior.

All safes and RSCs must be anchored to the structure on 2 or more sides to be effective. RSCs or "gun safes" will simply be pulled/cut out of the structure if not anchored. TL safes will be knocked over and attacked at the door or floor.

Heres UL testing a safe that probably costs $10,000+ today. https://m.youtube.com/watch?v=OtbGUbeM860

That video was much dirtier and louder than I expected. Lots of brute force still involved. Not quite the domain of out of shape hackers. But I guess that's why we build robots.

For anyone who wants a good safe cracking story, this book is excellent: https://www.amazon.com/Flawless-Inside-Largest-Diamond-Histo...

A group of Italians went to Belgium's diamond district and bypassed an very expensive vault door. The best part was using an aerosol can of hair spray attached to a broom to defeat the top of the line motion sensors.

Edit: Can anyone explain why it's a 30 minute test for UL 30x6?

30x6 means 30 min on all 6 sides. Normally safes are installed bolted to concrete and sometimes positioned in a building so only the front or possibly sides are easily accessible to attack, so often the door is far more attack resistant than the rest of the safe. This saves money and mass.

For contrast here's two guys with crowbars opening a non-UL-rated but serious-looking safe in less than 3 minutes.

This leads me to believe that if I am renting an apartment, I am SOL.

> if I am renting an apartment, I am SOL

Not at all! If you're renting in a high-rise building, the floors will be concrete below the laminate or hardwood. A good safe will have either 4 holes or 1 center hole in the base to allow you to anchor it to the floor. Use a concrete drill bit to drill a hole in your apartment floor in a discreet area, like in a closet or laundry room. If you can borrow a hammer drill it'll be faster, but even an ordinary drill will work, though slower. Make sure you buy a concrete drill bit.

Then attach the safe using concrete screws and anchors. You can use either a self-tapping concrete screw or, better, put the correct size expanding sleeve into the hole first[1]. Even with a single concrete anchor/screw, the safe will be 100 times more difficult to steal. I've seen expensive TL-15 safes ($5000+) with only one center hole in the base, so I assume the manufacturer thought that was sufficient (if properly anchored).

Before you place the safe, put down a sheet of plastic or a very thin patch of carpet to protect the laminate or hardwood floor. Cut holes in the plastic sheet or carpet for the concrete screws.

When you move out of your rented apartment, fill the holes with putty matching the color of the laminate or hardwood floor. If you make a small effort at patching up, the holes will be invisible.

One more piece of advice: The drilling won't take long, but it'll be very loud. If you have a nosy landlord or superintendent, do the drilling when he's not around. A superintendent, for example, is unlikely to work on a Saturday or Sunday.

Also, cover the safe with a sheet or blanket, so if someone casually looks in your closet or laundry room, the safe won't be noticed.


Just be very sure there is no cables or pipes where you drill (electrical, central heating, water etc).

You're advocating damaging someone's property without their permission. Don't do that.

Found the landlord!

Or the person who had their basement apartment flooded.

As sibling point out all is not lost. In a wood framed structure put lag bolts in to studs or beams. It doesnt have to be perfect. Your primary goal is to prevent a strong man, or someone with straps/handtruck, from literally walking off with the goods. The goal of a safe is to simply delay the attacker until an active response arrives.

Edit: in an appartment building check your floor loading. A little jewelry/document safe is probably fine. Big get very heavy very quick on a relatively small surface area.

You think that people are going to be able to steal a safe from an apartment without anyone noticing?

I have a friend who had a 40+ inch rear projection TV(not a modern LCD/plasma but one of those much larger ones), a couple of very large wood cabinet speakers(probably at least 3.5-4x1x1 feet) and a small mini fridge(still filled with food) all stolen, during daytime hours, from a 20-25 unit multi-story apartment.

Anecdotal I know, but I wouldn't assume most people are terribly attentive.

Wear a high-vis vest with "removals, inc." on and you can probably do it and get people to hold doors and things for you.

Funny you say that since it turned out from surveillance footage from another building that the burglars where dressed as movers and loaded all the items into a small moving van that was double parked.

Forget about stealing safes from apartments, I wouldn't be shocked if you could rob an actual bank vault by dressing as a construction crew.

University I went to had this happen in the summer. Showed up in coveralls and had a paper for the RA to sign. Cleared out all the furniture and appliances. Told the RA that the new stuff was a bit late but would be there in an hour. They were not caught but I question the target’s value.

Would fast and heavy internal gyros be a feasible alternative to bolting? I'm thinking that if the safe cannot be reoriented across all three axis, it'll be very hard to move.

Serious safes are in the neighborhood of $5-10,000 and weigh 2-4,000+ lbs. proper concrete anchors are maybe $100 and another 1-2hrs of installation time. Thats a hard roi to beat.

And then I just cut the power to the building.

Police response is what, 6 minutes? Can you open the safe in 6 minutes after cutting the power? Probably not.

Cut communications hardlines to the building, and also use a cell scrambler.

If a building has that level of protection, I'd hope its fail closed not open.

That, and the overall physical security standards require the communication lines to be buried in concrete.

Ross Anderson's Security Engineering has a fun chapter on this topic.

deadman switch?

> Does it matter if I don't bolt it to the floor?

It depends on the type of safe. I'm not a locksmith, but I have researched this, and this is how I understand it.

There are "security" safes (aka "burglar" safes), and "fireproof" safes. A security safe should be bolted to the floor, to stop the bad guys ripping it out. It comes with pre-drilled holes for that purpose. However, a fireproof safe should not have any thru-wall holes, since a fireproof safe must protect against the deluge of water that will occur when the fire is put out. Thus, fireproof safes are often glued instead of bolted.

Some time ago, a relative showed me his new safe. It didn't have any pre-drilled holes, so he drilled some in, so he could bolt it to the floor. I chose not to tell him the following: (1) The fact that he could drill any holes in the safe, using his trusty Black & Decker drill, showed that it was a fireproof safe - not a security safe; and (2), drilling those holes destroyed its value as a fireproof safe!

In summary, you need to decide what's most important - theft protection, or fire protection. Those are different types of safes. The problem is they look identical to the untrained eye.

[edit: sp]

But for his own sake wouldn't it be better you told him so that he can either get a burglar proof safe if that's what he wants or get a new fireproof safe that he then doesn't destroy by drilling through it?

I know that a lot of people don't appreciate advice though, but still if this relative respects you they should listen.

> wouldn't it be better you told [your relative] so that he can either get a burglar proof safe if that's what he wants or get a new fireproof safe that he then doesn't destroy by drilling through it?

Fair comment. But I guessed that all he wanted was something that would stop a burglar from bashing it open in 5 minutes. It's probably fine for that purpose. But I might say something to him next time.

Out of interest, is the typo in your username deliberate?

Nope, accidental.

I'm far from an expert, but the common ratings to look for are UL RSC, TL-15, or TL-30 depending on what level of protection you want. The ratings are expensive, so generally vendors show them off prominently.

Not bolting it down does make it much easier to steal. A small safe like this can be carried off pretty easily. Even with a large safe, being able to move it can make it easier to use a pry-bar or to cut through a side-panel.

I have a friend who cleans up around the Bay. It's fairly common for him to find a safe that's been opened and then discarded as trash. (You'd be surprised at what floats).

So yeah, if your safe isn't bolted down, a burglar will probably just take it with them.

I have seen safes which you put a number of weights in the bottom, then you move the safe and door separate which both weigh a lot each. The hope is that once assembled and weighted it can't be moved easily. But...clever fools and all...so nothing is perfect and more layers of protection cost more money.

> The hope is that once assembled and weighted it can't be moved easily.

It's amazing how heavy a burglar safe is - even a small one. I have one just big enough to store some documents, spare phone, keys, and some cash. But it took two guys and a trolley to get it up the stairs to my apartment. Even if a burglar could rip it out of the floor, and push it down the stairs, I doubt that they could lift it up into their car or whatever.

Defcon is always raising the bar.

I love this frank response from the safe manufacturer:

'... speaking to Wired magazine earlier this month, when the team demonstrated its method on a smaller safe, a spokeswoman for the safe maker said: "In this environment, the product accomplished what it was designed to do."'

It is designed to trick people into building robots to open it? :-)

More seriously though, I consulted a friend and neighbor when buying a safe for my home. This person who owns a locksmith shop and is a registered locksmith (and has been for > 20 years) asked me to look up the median response time of the police to my address. Since I live near the police station it was fairly small. He said you only need a safe that can last 15 - 20 minutes and you will need to anchor it so that it can't be easily yanked out of your house. Any professional thief will skip it and it may keep an amateur working on it long enough for the police to arrive and arrest them in the act.

That made a lot of sense to me.

You bought a TL-15 safe for your home? Where did you place it? Even the smaller TL-15 safes weigh hundreds of pounds and require some logistics to place. They are very impractical for most apartment dweller types, or even some high-density, old-construction flats because of their weight.

> Even the smaller TL-15 safes weigh hundreds of pounds

I've seen a TL-15 safe that came as 6 separate modular pieces (i.e., 5 walls and the door each weighing about 100-150 pounds) that you bolted together, internally, with about 50-60 heavy bolts. It was specifically intended for condos, high rise offices, etc., so you could easily transport each piece on a hand cart or dolly, then assemble in place. It was a beautiful design, but no longer manufactured as far as I can tell.

   > You bought a TL-15 safe for your home?
Yes I did. It did not weigh hundreds of pounds. Its location was constrained a bit by where it could be secured to the structure but not unreasonably so. And it wasn't like I've got paintings or something in it, just stuff that if the house burned down I'd want to have survive and a few things I'd rather other folks not have (like passports).

From this thread I've learned that a people-resistant safe might not be fire-resistant.

Please check if your safe can actually handle heat and water.

That is correct, and something to specify when buying a safe. In our case I was actually replacing a fire safe that my wife had bought at CostCo so fire resistance was a 'must have' feature. It has has our critical documents in it and a key to the safe deposit box where actually valuable but not something you might need to get out at home stuff is kept.

I'm honestly a little disappointed it's "just" an automated safe cracker.

I wanted to see a hulking brute of a robot peel the safe like an apple with its powerful metal claws.

Here's a commercial version. [1]

This seems to be an exhaustive-search combination lock solver. Someone else has built one that not only manipulates the lock, but uses a contact microphone to listen to it. But I can't find the reference.

[1] https://www.youtube.com/watch?v=fIavLorioys

A key element of this is it's ability to limit the amount of possible combinations from 1 million to about 1000 due to small flaws in the dials. A contact microphone might be able to even further reduce this search space in combination with the existing exploits.

There are Sergeant and Greenleaf locks with a half-digit tolerance, so you have to get the number exactly right. They're not popular, because they're such a pain to use.

  >> half-digit tolerance
I assume you mean <0.5digit tolerance.

There is a big difference between 0.55digit tolerance (might be able to try two numbers at once with enough mechanical precision to the solver) and 0.45digit tolerance.

> Some SentrySafe models come with an additional lock and key, but the team was able to unlock it by using a Bic pen.

Um.. that also seems like an important problem?

It's a well-known attack on tubular locks.

SparkFun posted a full tutorial on their machine few months ago.


Aren't there a whole bunch of videos on YouTube of kids opening these with not much more than a length of steel wire and primitive hand tools? You decidedly do not want a safe that's not UL listed.

Think of this as version 1.0 of the robot, though.

Unlike hand tools, the improvement curve of such robots will be interesting to watch over time. [Edit: especially to the extent that the improvement is partly in the innovative hands of the hacker / maker community as opposed to just a few commercial companies as with existing "speed dialers."]

The point is that this approach is general and scales to tougher safes, since they too must open to the correct combination, whereas the hand tools and steel wire approach doesn't scale up.

So many people in SF leave their house keys in those 3 digit combination locks for Wag dog walkers. Something like this could crack that in seconds.

A typical front door lock is considerably easier to defeat than the mechanism on one of these safes. Many can be opened in seconds with a bump key or other pick tools.

No kidding! I recently picked up lock picking as a hobby, and it really makes me realize just how insecure most locks really are. I'm a total beginner and I'm able to pick some locks in seconds.

Most regular houses I've lived in (in Australia) could be trivially and discretely broken in to with a jemmy bar (crowbar).

My neighbour had his two jet skis stolen from his carport on a weekday, they were chained to a post.

The auto shop across from my work had their delivery ute stolen from inside the building while six staff were an open door way away.

I caught someone sitting in my car trying to start it with a screwdriver. I nearly asked him if he wanted me to show him how it's done.

I keep telling my partner not to leave her laptops and cashbox visible from the windows and to lock the front door when she's in the bathroom or backyard.

People I thought were my friends have stolen from me.

Unless you have something worth protecting and the budget to protect it... Security is a hopeless mess.

Is Tasmania that bad? This sounds like Detroit

That encouraged me to take a peek, turns out Launceston was the the worst place in Tasmania for home burglary in 2014/15[1], but still not as bad as other areas around the country.

1. https://www.canstar.com.au/home-insurance/state-hotspots-for...

I forgot who it was, but someone once said: "Door locks are not a protection against burglars - they are there to keep decent people decent".

I've heard "Locks only keep honest people out"

Those framing pieces of aluminum or steel look awesome. They look great for quick mechanical structural work.

Anyone have any idea where to buy them from ?

The people that presented this on stage are from SparkFun, you can likely buy all the bit from them. Most of the robot parts look like it is from the Acrobatics line that they cary:


Somebody dumb enough to leave a key to their house right next to their house in a city like SF deserves to get burglarized.

We detached this subthread from https://news.ycombinator.com/item?id=14879325 and marked it off-topic.

Gotta love this attitude, which is widely shared by Bay Area media and law enforcement.

- "You shouldn't have parked there. "

- "You shouldn't have left anything visible in your vehicle."

- "You shouldn't have left anything invisible in the trunk, either."

As for "key right next to house" how else do you propose letting agents show your property to prospective buyers or tenants?

In SF, property crimes don't matter. I once had a road rager shoot at me and blow a window out in my car. SFPD response? "We can't find the round (bullet), so we'll just give you a case number (and no further investigation)."

Edit: typo

> As for "key right next to house" how else do you propose letting agents show your property to prospective buyers or tenants?

Give the letting agent a key to hold on to? Use an electronic keypad lock? Perhaps in your specific situation those are not feasible, but it’s not like there aren’t alternatives.

- "You shouldn't have been driving a car without bullet proof glass"

Yeah, this attitude in the Bay Area has also befuddled me too. Its the victims fault.

Bear in mind that local governments view property crime as a form of economic stimulus.

You'll be spending money to replace the stolen items, presumably some of that locally, and on repairs, presumably all locally. Meanwhile, whatever money the criminals get back in selling the stolen items (and subsequent profits by their fences) will also presumably be spent locally.

I mildly subscribe to this believe too, however it's more likely the police in (highly populated?) areas don't have the time / budget to thoroughly investigate everything.

Properly crime + little evidence = contact you're insurer thanks have a nice day.

  little evidence
No evidence collected != little evidence present.

I bet pretty much every thief leaves fingerprints now; police haven't taken prints for pure property crimes in years. (In contrast, SJPD did take prints for a car break-in in 1986).

Every week, you hear of a neighborhood getting hit by a gang, with 30+ vehicles affected -- total losses well into the felony range.

A gang could be shut down in a month if bait cars with GPS-tracked bags were used. Same with front-porch package thefts (always rampant).

A literal broken window fallacy example. Amazing.

It's not quite as fallacious. The negligent window breaker does not profit from the broken window.

It is the policy of San Francisco to annoy and harass car owners into switching to bicycling and public transit. Why would the city undermine its own policy goals by going after people who help deter driving and car ownership? It would make more sense to pay the people who smash car windows than it would to lock them up.

What do you expect them to do? It wasn't someone you know, it wasn't someone who has a personal motive to kill you, and they don't have any way of determining the owner of the gun.

Would you want to bother investing the case where someone in SF shot at a car and no-one was injured.

Also, give the agent a key and/or get a key box with a pass code and give that to the agent. There really is no excuse to hide a key on the property these days.

That's a serious pain. :/ Glad you weren't shot, though.

(Is "road eager" auto-correct for something?)

"road-rager", I'd guess.

road rager, sorry. Specifically, Dodger fans leaving the Giants game.

What about all the houses with doors that won't stand up to a sledgehammer?

Or unbarred windows.

There's a big difference between forced and unforced entry.

I wonder, what would be the charge in this situation ?

Brute forced entry

Beyond the "un", what's the difference in San Francisco?

Quite a few burglars only do unforced entries.

Unforced entry and taking a small number of objects from cupboards / filing cabinets / draws / jewellery boxes could go unnoticed for days or weeks.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact