
Automated combination search on mechanical safe locks



At the Ruxcon conference in Melbourne, two Australian hackers showed an improvised Arduino-based device that tries combinations on the mechanical locks of some safes.

Pentesters Jay Davis and Luke Jahnke explain that equipment for breaking such locks is expensive and not commercially available. Using 3D printing and an Arduino, they built an "autodialer" from very cheap parts with a total cost of only $150. The device can find the code for a mechanical lock of the UL Group 2 standard, where the combination consists of three numbers from 0 to 99, with an error tolerance of ±1 in each number.

The design uses a stepper motor that connects to the Arduino board via an expansion module.
To begin with, three problems had to be solved: 1) attaching the stepper motor to the lock; 2) checking the accuracy of the rotor's rotation; 3) testing the device.

To solve the third problem, they took a simple lock, used solely to test the concept.

The first problem was solved by printing a homemade adapter. They avoided buying a 3D printer and using complex editors like AutoCAD. On the Internet they found Tinkercad, a simple but suitable 3D design program.



The adapter from the stepper motor to the lock is ready! It was printed with the help of friends, although any commercial service would do and would still be inexpensive.



For control, they wrote code that moves the rotor to a desired angle. The program even supports nice features such as acceleration. A numerical combination can now be specified on the Arduino, and the rotor turns to the desired position.

After initial testing of the drive, they decided to buy a real safe lock. They chose the La Gard 3330. The same procedure, including printing an adapter, was repeated for it.




They needed a way to determine that the lock is open. For this, the developers used magnetic Hall-effect sensors.

The design of the mount for attaching the device to the safe was borrowed from the game Payday 2.



It could not be designed in Tinkercad, so they had to use SketchUp.



This is the end result.



From there it is straightforward: the device sets a combination, checks whether the lock is open, and repeats the cycle. Testing a single combination takes 4 seconds, so the search is unlikely to finish in one session. The library therefore supports loading combinations from an SD card and working across several sessions while remembering the combinations already tried. You can create a pre-generated list of commonly used combinations, such as dates of birth. The maximum possible number of combinations is 100,000 (taking into account the specifics of the UL Group 2 specification: numbers from 0 to 20 are not allowed in the last position), which gives 4.6 days of pure brute force.

The authors will soon publish open source files with the device design and the source code for drive control. At least, that is what they promise.

Source: https://habr.com/ru/post/240607/

