Hacking electronic safes

The article mentions that Plore's best-case scenario is to get the attack time down to about 15 minutes.

How many consumer safes are even UL rated at TL-15?


I wonder if he was inspired by Dave Jones' 2015 "powerline attack" EEVblog video?


Not sure that a burglar would bother with this for commodity guns that could be punted to the burglar's criminal associates for a few bucks.
I agree -- the average crackhead is looking for a smash-and-grab opportunity, and is not going to spend even 5 minutes inside playing around with something like this.

The real exposure, just like with the SimpliSafe vulnerabilities, is that the attack can eventually be coalesced down into a simple "black box", and then rented out to B&E guys from Southie who have already scoped out their target and know how long they can be inside and what kind of lock they are up against.
 
no, the average crackhead would use a crowbar and pop that door open in less than a minute! [rofl]

but still, what friggin' idiot electrical engineer makes it so you can figure out a code from outside the safe????

Sounds like if you owned one... you would have a big honking series inductor, and a shunt supercapacitor in parallel with a couple of big ceramic capacitors, to filter out any digital current glitches by maybe 50 dB or so. That would stop the oscilloscope from seeing anything.
 
Take a closer look at the safe in the video I posted -- it's a $500+ CMI H2D, weighs about 80 pounds!

The only way a crowbar is going to do anything is if the owner didn't use long enough bolts, somebody might eventually crowbar it out of the wall.
 
Why not just rip the keypad off and use the key? I'm sure it's around somewhere. Or just cut a hole in the side?
 
> no, the average crackhead would use a crowbar and pop that door open in less than a minute! [rofl]
>
> but still, what friggin' idiot electrical engineer makes it so you can figure out a code from outside the safe????
>
> Sounds like if you owned one... you would have a big honking series inductor, and a shunt supercapacitor in parallel with a couple of big ceramic capacitors, to filter out any digital current glitches by maybe 50 dB or so. That would stop the oscilloscope from seeing anything.

As an electrical engineer I can confidently say keep your day job.

The equipment needed to exploit the side channels is large and expensive in comparison to the expected take from a cheap safe.
Adding supercapacitors and large inductors is a very large recurring cost, where a software obfuscation is NRE only.
At the end of the day it was designed to a price point that did not include the ability to resist electronic surveillance.
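The post above makes the point that the cheap fix is in software, not in filter components. The following is an added example, not code from this thread, from the lock's vendor, or from Plore's talk: it models a keypad code check whose early exit leaks through some observable an attacker can measure from outside the safe, and the constant-time version that does not. The combination, the "step count" observable (standing in for current draw or response timing) and the attacker loop are all assumptions constructed for the demo.

```python
"""Constructed illustration of a leaky code check versus a constant-time one.

Added example; not the firmware of any real lock.  The lock's 'step count'
is a stand-in for whatever an attacker really measures from outside the
safe (power-line current glitches, keypad response timing, ...).
"""

SECRET = "493217"          # constructed six-digit combination, no real lock involved
DIGITS = "0123456789"


def naive_check(entered, secret=SECRET):
    """Early-exit comparison.

    Returns (accepted, steps).  'steps' is the leaked observable: it grows by
    one for every leading digit the attacker got right, because the loop runs
    one iteration further before bailing out.
    """
    steps = 0
    for e, s in zip(entered, secret):
        steps += 1
        if e != s:
            return False, steps
    return len(entered) == len(secret), steps


def constant_time_check(entered, secret=SECRET):
    """Same decision, but every digit is visited and mismatches are accumulated
    with XOR/OR, so neither the step count nor the control flow depends on
    where the first wrong digit is.  The entry length is not secret, so a
    wrong-length entry may be rejected up front."""
    if len(entered) != len(secret):
        return False, len(secret)
    diff = 0
    steps = 0
    for e, s in zip(entered, secret):
        steps += 1
        diff |= ord(e) ^ ord(s)
    return diff == 0, steps


def recover_code(check, length=len(SECRET)):
    """Attacker loop (assumed model): keep the known prefix, try the ten
    candidates for the next position, and keep the one whose observable is
    larger (the lock got one digit further before rejecting).

    Returns (candidate, guesses_used, success).
    """
    known = ""
    guesses = 0
    for _ in range(length):
        best_digit, best_steps = None, -1
        for d in DIGITS:
            trial = (known + d).ljust(length, "0")   # pad the still-unknown tail
            accepted, steps = check(trial)
            guesses += 1
            if accepted:
                return trial, guesses, True
            if steps > best_steps:
                best_digit, best_steps = d, steps
        known += best_digit
    accepted, _ = check(known)
    return known, guesses, accepted


def demo():
    """Run the same attacker against both checks and report the cost."""
    return {
        "leaky": recover_code(naive_check),
        "hardened": recover_code(constant_time_check),
        "brute_force_space": 10 ** len(SECRET),
    }


if __name__ == "__main__":
    result = demo()
    code, guesses, ok = result["leaky"]
    print(f"leaky check:    recovered {code!r} in {guesses} guesses (success={ok})")
    code, guesses, ok = result["hardened"]
    print(f"hardened check: candidate {code!r} after {guesses} guesses (success={ok})")
    print(f"blind brute force would need up to {result['brute_force_space']} guesses")
```

Against the early-exit check the attacker needs at most 10 tries per digit, so a six-digit code falls in under 60 attempts instead of up to a million; against the constant-time check the observable is identical for every wrong code and the same loop learns nothing. The real-world caveat is that a constant-time compare only closes the leak the comparison itself creates; a lock that, say, drives the solenoid or the display differently depending on the result still has to be examined on the bench.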
 
> As an electrical engineer I can confidently say keep your day job.
>
> The equipment needed to exploit the side channels is large and expensive in comparison to the expected take from a cheap safe.
> Adding supercapacitors and large inductors is a very large recurring cost, where a software obfuscation is NRE only.
> At the end of the day it was designed to a price point that did not include the ability to resist electronic surveillance.

I can appreciate the insight, but dude, could you be a little less douchebaggery about it? You don't need to insult a fellow member's intelligence for offering an opinion.
 
> The equipment needed to exploit the side channels is large and expensive in comparison to the expected take from a cheap safe. At the end of the day it was designed to a price point that did not include the ability to resist electronic surveillance.

> I can appreciate the insight, but dude, could you be a little less douchebaggery about it? You don't need to insult a fellow member's intelligence for offering an opinion.

The S&G lock was designed in the 1990s to resist attacks in common use 25 years ago. The equipment needed to design an exploit is still somewhat large and expensive. The equipment needed to implement the exploit in a "black box" after you've worked out the timing is relatively inexpensive, reusable, and getting cheaper every day.

Oh, and please stop quoting DBs, it makes my ignore list less effective.
 
> I can appreciate the insight, but dude, could you be a little less douchebaggery about it? You don't need to insult a fellow member's intelligence for offering an opinion.

Sorry, too tightly wound from dealing with idiots who ask for conflicting requirements and then get pissed that engineering won't break the laws of physics for a cut-rate price so they can get an award for making you have a heart attack.

Only so many times you can be asked as the "subject matter expert" and then ignored because engineers are all idiots. The best part is getting asked to fix the Charlie Fox AND keep budget.
 
As a professional safe and vault technician who regularly services, installs and opens these locks, I found this video amusing. I'm glad he did not reveal anything too critical, for the sake of people who own these locks (they're one of the top two most common). That being said, if an Australian tweaker with a few hours of free time and thousands of dollars of equipment plus the expertise to use it, or a .gov locksmith, wants a surreptitious entry to your safe, it will happen. That being fairly unlikely, the largest vulnerability is a drill attack. As he said in the first few minutes: invest in a safe with hard plate and glass-fired relockers and firmly bolt it to the ground and you've mitigated a good deal of vulnerability. Add a GPS tracker, an alarm system and a remotely uploaded DVR and you're (almost) all set.
 
> The article mentions that Plore's best-case scenario is to get the attack time down to about 15 minutes.
>
> How many consumer safes are even UL rated at TL-15?

TL-15 requires a Group IIm or better lock.

I wonder if UL will re-think the Group I ratings for these locks.

I'll bet the Kaba-Mas X-10 doesn't have this problem.
 
As technology improves, price as a barrier to entry is not a long-term protection. For example, the ITL-1000 automatic safe dialer that cost $2,500 in the 1980s now goes for $300 on eBay, or a slower open-source dialer can be 3D-printed for half that.

Yes, the first guy to document the procedure and determine the necessary timing might need thousands of dollars of equipment and significant expertise. The next guy needs a summer coding class and hundreds of dollars of equipment to write the software to implement the process, then your hypothetical tweaker needs just a few bills (mostly for the deposit) to rent the resulting locksmith-in-a-box. No expertise required.
 