Sargent and Greenleaf 6120 lock (pictured)
Distributors of Sargent and Greenleaf locks may soon have to look for another line of work. Electronic safe locks they sell have just been broken at the Defcon hacker conference, and in a particularly humiliating way: by direct voltage measurement, with no damage to the mechanism and no sign that the combination has been compromised.
Now this supposedly "burglar-resistant" lock (Type I High Security) is simply a pretty toy to put on a shelf or give to a child.
Attacking locks of all kinds is a favorite hacker pastime, so at Defcon it is one of the regular topics of the talks. There is even a whole "Lockpicking Village" at the conference, where hackers test their skills with picks and other tools, and where you can learn the basic lock-picking techniques.
This is hardly surprising, because a metal lock is in a sense the physical counterpart of what information security deals with.
Every year new locks turn up for study, and every year weaknesses are found in some new model. But this year's talk by the hacker known as Plore is unique in a sense. First, he managed to crack "burglar-proof" electronic locks for high-security safes. Second, he did it with particular cynicism, that is, without any physical intrusion.
To do it, Plore used side-channel attacks, well known in cryptography, which exploit weaknesses in the practical implementation of a cryptosystem by using information about physical processes in the device. Simply put, the hacker measured the voltage (for one lock) or the response time (for the other) and from that worked out the correct combination.
The hacker's victims were two locks from the reputable firm Sargent and Greenleaf, which has been making locks for 150 years. Both of the fallen locks use a six-digit combination. They are quite popular in the USA, which is why Plore chose them for his research. It would not be surprising, however, if the technique he describes also works against electronic locks from other manufacturers.
The first to fall was the most popular "burglar-resistant" lock, the Sargent and Greenleaf 6120 (pictured above), in production since 1993 and still on sale. The hacker found that after entering any wrong combination, measuring the voltage lets you work out the correct one. A resistor placed in series with the lock's power source (the battery) drops a voltage proportional to the current the lock draws, and that current reveals the lock's internal state. While the entered combination is being checked against the one in the lock's memory, the voltage fluctuates with the value of each bit in memory. The attack turned out to be surprisingly simple.
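As an added illustration, not Plore's code or anything from the page, here is a simplified model of that shunt-resistor measurement. The current through a hypothetical sense resistor in series with the battery is assumed to rise by a fixed step for every '1' bit the controller handles while reading the stored code, one sample per bit; the attacker samples the voltage across the resistor, averages several traces to beat noise, and thresholds the result back into bits and digits. The resistor value, the current levels, the noise level and the one-sample-per-bit timing are all assumptions of the model.

```python
import random

# All values below are assumptions for the model, not measurements of the 6120.
SHUNT_OHMS = 10.0         # sense resistor in series with the battery
IDLE_CURRENT_A = 0.0020   # controller current while a '0' bit is handled
BIT_CURRENT_A = 0.0004    # extra current while a '1' bit is handled
NOISE_A = 0.0003          # standard deviation of measurement noise


def code_bits(code):
    """Stored code as 24 bits: each digit as a 4-bit BCD nibble, MSB first."""
    bits = []
    for ch in code:
        d = int(ch)
        bits.extend((d >> shift) & 1 for shift in (3, 2, 1, 0))
    return bits


def shunt_trace(code, rng):
    """One noisy trace of the shunt voltage, one sample per bit read (V = I * R)."""
    return [(IDLE_CURRENT_A + bit * BIT_CURRENT_A + rng.gauss(0.0, NOISE_A)) * SHUNT_OHMS
            for bit in code_bits(code)]


def average_traces(traces):
    """Point-wise mean: noise shrinks as 1/sqrt(n) while the leak stays put."""
    n = len(traces)
    return [sum(t[i] for t in traces) / n for i in range(len(traces[0]))]


def decode_code(avg_trace):
    """Threshold each sample halfway between the '0' and '1' levels, regroup into digits."""
    threshold = (IDLE_CURRENT_A + BIT_CURRENT_A / 2) * SHUNT_OHMS
    bits = [1 if v > threshold else 0 for v in avg_trace]
    digits = []
    for i in range(0, len(bits), 4):
        b3, b2, b1, b0 = bits[i:i + 4]
        digits.append(str(b3 * 8 + b2 * 4 + b1 * 2 + b0))
    return "".join(digits)


def power_attack(code, n_traces, seed=1):
    """Record n_traces wrong-entry traces, average them and read off the stored code."""
    rng = random.Random(seed)
    traces = [shunt_trace(code, rng) for _ in range(n_traces)]
    return decode_code(average_traces(traces))


if __name__ == "__main__":
    # Constructed sample code; the attacker never sees it, only the traces.
    print(power_attack("493817", 100))
```

With the noise level chosen here a single trace is unreliable (the noise is comparable to the per-bit step), which is why the attack averages a hundred traces before thresholding; that averaging step is the standard way simple power analysis copes with a noisy shunt.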
Quite another matter is the more advanced, newer model, the Sargent and Greenleaf Titan PivotBolt.
Sargent and Greenleaf Titan PivotBolt (pictured)
Its more advanced electronic design does not let you read out the whole combination at once by tracking the voltage. But Plore found a way in through another side channel: timing. It turned out that when the system compares the entered code with the value in memory, there is a 28-microsecond delay before the voltage jump if the entered code was correct, and the delay varies with the number of correct digits in the six-digit code. So a kind of brute force becomes possible: change only one digit of the code, leaving the rest unchanged, and measure the delay until it shows that this digit has been guessed. One by one, all six digits are recovered, which takes at most ten attempts per position, or sixty attempts in all. The only obstacle is the lock's security feature, which locks it out for 10 minutes after every five wrong attempts. Even with that, the new method takes far less time than the roughly 3.8 years it would take to try all 1,000,000 combinations the usual way at five attempts per 10-minute lockout.
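The digit-by-digit search, as an added example that is not Plore's code or the page's. The model assumes the lock's response delay grows by a fixed step for every digit that matches, regardless of position, which is one reading of the description above; the 28 µs step and the five-attempts-then-ten-minutes lockout rule are taken from the text, everything else (the lock classes, the attacker's starting guess, the attempt accounting) is assumed. A constant-time variant of the same check is included to show that the search then gets no signal.

```python
# Constants: the delay step and lockout rule as the article reports them; the
# way the delay depends on matching digits is an assumption of this model.
DELAY_PER_MATCH_US = 28      # extra delay per matching digit (page reports 28 us)
ATTEMPTS_PER_LOCKOUT = 5     # five wrong attempts ...
LOCKOUT_MINUTES = 10         # ... then a ten-minute lockout
DIGITS = "0123456789"


class LeakyLock:
    """Compares every digit; the delay is proportional to the number of matches."""

    def __init__(self, code):
        self._code = code
        self.attempts = 0

    def try_code(self, guess):
        self.attempts += 1
        matches = sum(a == b for a, b in zip(guess, self._code))
        return matches == len(self._code), matches * DELAY_PER_MATCH_US


class ConstantTimeLock(LeakyLock):
    """Same check, but the delay never depends on how many digits matched."""

    def try_code(self, guess):
        self.attempts += 1
        diff = 0
        for a, b in zip(guess, self._code):
            diff |= ord(a) ^ ord(b)
        return diff == 0, len(self._code) * DELAY_PER_MATCH_US


def timing_attack(lock, n_digits=6):
    """Vary one digit at a time: a longer delay means the new digit is right,
    a shorter one means the digit that was already in place was right."""
    current = ["0"] * n_digits
    opened, t_cur = lock.try_code("".join(current))
    if opened:
        return "".join(current), True
    for pos in range(n_digits):
        original = current[pos]
        for d in DIGITS:
            if d == original:
                continue
            current[pos] = d
            opened, t = lock.try_code("".join(current))
            if opened:
                return "".join(current), True
            if t > t_cur:              # this digit matched: keep it
                t_cur = t
                break
            if t < t_cur:              # we broke a match: original was right
                current[pos] = original
                break
            # t == t_cur: both digits wrong, try the next one
        else:
            current[pos] = original    # no digit changed the timing: no signal
    guess = "".join(current)
    opened, _ = lock.try_code(guess)
    return guess, opened


def lockout_minutes(wrong_attempts):
    """Total time spent locked out after the given number of wrong attempts."""
    return (wrong_attempts // ATTEMPTS_PER_LOCKOUT) * LOCKOUT_MINUTES


if __name__ == "__main__":
    lock = LeakyLock("493817")          # constructed sample code
    guess, opened = timing_attack(lock)
    print(guess, opened, lock.attempts, lockout_minutes(lock.attempts - 1), "min")
    ct = ConstantTimeLock("493817")
    print(timing_attack(ct), ct.attempts)
```

Against the leaky check the sample code falls in 33 attempts, about an hour of lockouts, against the 3.8 years that exhaustive search costs under the same lockout rule; against the constant-time check every attempt returns the same delay, the search never changes a digit, and the lockout rule alone decides how long an attacker needs.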
Plore says he has been trying to contact Sargent and Greenleaf since February 2016 to report the vulnerabilities, but has received no reply.
In principle, new attack methods like these are of interest not so much to thieves (who have cruder ways of opening safes) as to engineers and security specialists. Plore's work shows how the protections in electronic locks are designed and what techniques can bypass them. It also shows how effective side-channel attacks can be, since the attacker can open the system and leave no trace of having been there. Everything will look as if someone who knew the code simply entered the right combination.
It may take years before the safe's owner realizes he has been robbed.