Safe-cracking

(Redirected from Safecracking)

Safe-cracking is the process of opening a safe without either the combination or the key.

A safe with destroyed electronic components

Physical methods

edit

Safes have widely different designs, construction methods, and locking mechanisms. A safe cracker needs to know the specifics of whichever will come into play.

Lock manipulation

edit

Lock manipulation is a damage-free, combination-based method. A well known surreptitious bypass technique, it requires knowledge of the device and well developed touch, along with the senses of sight and possibly sound.

While manipulation of combination locks is usually performed on Group 2 locks, many Group 1 locks are also susceptible. The goal is to successfully obtain the combination one number at a time.[1] Manipulation procedures vary, but all rely on exploiting mechanical imperfections in the lock to open it, and, if desired, recover its combination for future use. Similar damage-free bypass can also be achieved by using a computerized auto-dialer or manipulation robot in a so-called brute-force attack. These auto-dialer machines may take 24 hours or more to reach the correct combination,[2] although modern devices with advanced software may do so faster.

Mechanical safe locks are manipulated primarily by feel and vision, with sound sometimes supplementing the process. To find the combination the operator uses the lock against itself by measuring internal movements with the dial numbers. More sophisticated locks use advanced mechanics to reduce any feedback available to a technician in identifying a combination. These group 1 [3] locks were developed in response to group 2[4] lock manipulation.[5] Wheels made from lightweight materials will reduce valuable sensory feedback, but are mainly used for improved resistance against radiographic attacks.[6] Manipulation is often the preferred choice in lost-combination lockouts, since it requires no repairs or damage, but can be time consuming for an operator, the specific difficulty depends on the unique wheel shapes and where the gates rest in relation to them. A novice's opening time will be governed by these random inconsistencies, while some leading champions of this art show consistency. There are also a number of tools on the market to assist safe engineers in manipulating a combination lock open in the field.

Nearly all combination locks allow some "slop", or deviation, while entering a combination on the dial. On average, 1% radial rotation in either direction from the center of the true combination number allows the fence to fall despite slight deviation, so that for a given safe, it may be necessary only to try a subset of possible combinations.[7] Such "slops" may allow for a margin of error of plus or minus two digits, which means that trying multiples of five would be sufficient in this case. This drastically reduces the time required to exhaust the number of meaningful combinations. A further reduction in solving time is obtained by trying all possible settings for the last wheel for a given setting of the first wheels before nudging the next-to-last wheel to its next meaningful setting, instead of zeroing the lock each time with a number of turns in one direction.

Guessing the combination

edit

A safe may be compromised by using a manufacturer-set combination. Known as try-out combinations, these allow an owner initial access to their safe in order to set a new unique one. Sources of try-out combinations exist by manufacturer.

Other easy-to-guess combinations include a birthdate, street address, or driver's license number.

Autodialer

edit

Autodialing machines have been developed to open safes. Unlike fictional machines that can open any combination in a matter of seconds, such machines are usually specific to a particular type of lock and must cycle through thousands of combinations before success. Such a device was created by two students from the Massachusetts Institute of Technology, which took 21,000 tries to open a Sargent and Greenleaf 8500 lock on a Diebold Safe. Lockmasters, Inc. markets the QX3 Combi Autodialer (LKMCOMBI) that works on a variety of 3 and 4 Wheel combination safe locks.[8]

Another computer-aided method uses tools similar to autodialers, which instead make measurements of the internal components of the lock then deduce the combination in a way similar to that of a human safe cracker. Mas Hamilton's SoftDrill was one such device, but is no longer in production.

Weak-point drilling

edit
 
Safe-drilling with a drill rig

Some safes are susceptible to compromise by drilling. Manufacturers publish tightly-guarded drill-point diagrams for locksmiths for specific models. Drilling is an aid in bypassing the locking mechanism, as well as gaining more information about it in order to defeat it. It is the most common method used by locksmiths on malfunctioning or damaged locks, and commonly used in burglary.

Drill-points are often located close to the axis of the dial on the combination lock, but drilling for observation may sometimes require drilling through the top, sides or rear of the safe. While observing the lock, the attacker manipulates the dial to align the lock gates so that the fence falls and the bolt is disengaged.

Bypass attacks involve physical manipulation of both the lock and its bolt mechanism.

Punching, peeling and using a torch are other methods of compromising a safe. The punch system is widely used by criminals for rapid entry. Punching was developed by Pavle Stanimirovic and used in New York City. Peeling is a method that involves removing the outer skin of the safe.

All quality safes protect against drilling attacks through the strategic use of specially tempered or alloyed hardplate steel, or composite hardplate (casting tungsten carbide chips into alloys such as cobalt-vanadium, designed to shatter the cutting tips of a drill bit). These include protecting the locking mechanism, the bolts, and areas where drilling could be used to advantage. Special diamond or tungsten-carbide drill-bits can make some headway with some hardplates, but it is still a time-consuming and difficult process.

Some high-security safes use a tempered glass relocker. This has wires that lead from the glass to randomly located, spring-loaded bolts. If a penetrating drill or torch breaks the glass, the bolts are released, blocking retraction of the main locking bolts. A gas abrasive drill can sometimes be used to safely drill through a glass relocker.

Plasma cutters and thermal lances can be as hot as 2,200 °C (3,990 °F), much hotter than traditional oxyacetylene torches, and can be used to burn through the metal on a safe. Many modern high-security safes also incorporate additional thermal safeties to foil blow torches and thermal lances. These are usually in the form of fusible links integrated into the glass relocker cabling, which trigger it when a set temperature is exceeded.

Drilling is an attractive method of safecracking for locksmiths, as it is usually quicker than manipulation, and drilled safes can generally be repaired and returned to service.

Scoping

edit

Scoping a safe is the process of drilling a hole and inserting a borescope into the safe to get an intimate look into a specific part of the security container. When manipulation-proof mechanical locks and glass re-lockers are implemented as security measures, scoping is the most practical option. One common method is called "scoping the change key hole." The safecracker will drill a hole allowing him to get his scope into a position to observe the change key hole. While spinning the dial and looking through the change key hole for certain landmarks on the combination lock's wheel pack, it is possible to obtain the combination and then dial open the safe with the correct combination. This method is common for a professional safe specialist because it leaves the lock in good working order and only simple repairs are needed to bring the safe barrier back to its original condition. It is also a common way to bypass difficult hard plates and glass re-lockers since the change key hole can be scoped by drilling the top, side, or back of the container.

Brute force methods

edit

Other methods of cracking a safe generally involve damaging the safe so that it is no longer functional. These methods may involve explosives or other devices to inflict severe force and damage the safe so it may be opened. Examples of penetration tools include acetylene torches, drills, and thermal lances. This method requires care as the contents of the safe may be damaged. Safe-crackers can use what are known as jam shots to blow off the safe's doors.

Most modern safes are fitted with 'relockers' (like the one described above) which are triggered by excessive force and will then lock the safe semi-permanently (a safe whose relocker has tripped must then be forced, as the combination or key alone will no longer suffice). This is why a professional safe-technician will use manipulation rather than brute force to open a safe so they do not risk releasing the relocker.

Radiological methods

edit

Penetrating radiation such as X-ray radiation can be used to reveal the internal angular relationship of the wheels gates to the flys mechanism to deduce the combination. Some modern safe locks are made of lightweight materials such as nylon to inhibit this technique, since most safe exteriors are made of much denser metals. The Chubb Manifoil Mk4 combination lock contains a lead shield surrounding part of the lock to defeat such attempts to read its wheels.

Tunneling into bank vaults

edit

Large bank vaults which are often located underground have been compromised by safe-crackers who have tunneled in using digging equipment. This method of safe-cracking has been countered by building patrol-passages around the underground vaults. These patrol-passages allow early detection of any attempts to tunnel into a vault.

Safe bouncing

edit

A number of inexpensive safes sold to households for under $100 use mechanical locking mechanisms that are vulnerable to bouncing. Many cheap safes use a magnetic locking pin to prevent lateral movement of an internal locking bolt, and use a solenoid to move the pin when the correct code is entered. This pin can also be moved by the impact of the safe being dropped or struck while on its side, which allows the safe to be opened.[9][10][11] One security researcher taught his three-year-old son how to open most consumer gun safes. More expensive safes use a gear mechanism that is less susceptible to mechanical attacks.

Magnet risk

edit

Low-end home and hotel safes often utilize a solenoid as the locking device and can often be opened using a powerful rare-earth magnet.

Electronic methods

edit

Electronic locks are not vulnerable to traditional manipulation techniques (except for brute-force entry). These locks are often compromised through power analysis attacks.[12][13] Several tools exist that can automatically retrieve or reset the combination of an electronic lock; notably, the Little Black Box[14] and Phoenix. Tools like these are often connected to wires in the lock that can be accessed without causing damage to the lock or container. Nearly all high-end, consumer-grade electronic locks are vulnerable to some form of electronic attack.

TEMPEST

edit

The combinations for some electronic locks can be retrieved by examining electromagnetic emissions coming from the lock. Because of this, many safe locks used to protect critical infrastructure are tested and certified to resist TEMPEST attacks. These include the Kaba Mas X-10 and S&G 2740B, which are FF-L-2740B compliant.

Spiking the lock

edit

Low-end electronic fire-safes, such as those used in hotels or for home use, are locked with either a small motor or a solenoid. If the wires running to the device (solenoid or motor) can be accessed, the device can be 'spiked' with a voltage from an external source - typically a 9 volt battery - to open the container.

Keypad-based attacks

edit

If an electronic lock accepts user input from a keypad, this process can be observed in order to reveal the combination. Common attacks include:

  • Visually observing a user enter the combination (shoulder surfing)
  • Hiding a camera in the room which records the user pressing keys
  • Examining fingerprints left on the keys
  • Placing certain gels, powders, or substances on the keys that can be smudged or transferred between keys when the combination is entered, and observed at a later time.
  • Placing a "skimmer" (akin to those used for credit card fraud) behind the keypad to record the digital signals that are sent to the lock body when the combination is entered.
  • Examining wear or deformity of buttons which are pressed more often than others

Many of these techniques require the attacker to tamper with the keypad, wait for the unsuspecting user to enter the combination, and return at a later time to retrieve the information. These techniques are sometimes used by members of intelligence or law enforcement agencies, as they are often effective and surreptitious.

High-security keypads

edit

Some keypads are designed to inhibit the aforementioned attacks. This is usually accomplished by restricting the viewing angle of the keypad (either by using a mechanical shroud or special buttons), or randomizing the positions of the buttons each time a combination is entered.

Some keypads use small LED or LCD displays inside of the buttons to allow the number on each button to change. This allows for randomization of the button positions, which is normally performed each time the keypad is powered on. The buttons usually contain a lenticular screen in front of the display, which inhibits off-axis viewing of the numbers.

When properly implemented, these keypads make the "shoulder surfing" attack infeasible, as the combination bears no resemblance to the positions of the keys which are pressed.

While these keypads can be used on safes and vaults, this practice is uncommon.

Media depictions

edit

Movies often depict a safe-cracker determining the combination of a safe lock using his fingers or a sensitive listening device to determine the combination of a rotary combination lock. Other films also depict an elaborate scheme of explosives and other devices to open safes.

Some of the more famous works include:

Three safecracking methods seen in movies were also tested on the television show MythBusters, with some success.[15][16] While the team was able to blow the door off of a safe by filling the safe with water and detonating an explosive inside it, the contents of the safe were destroyed and filling the safe with water required sealing it from the inside. The safe had also sprung many leaks.

See also

edit

References

edit
  1. ^ Archived from the original on December 9, 2016
  2. ^ Archived August 1, 2017
  3. ^ archived from original June 28, 2017
  4. ^ archived from original on June 28, 2017
  5. ^ archived from original on August 9, 2016.
  6. ^ Archived from the original on June 28, 2017.
  7. ^ Feynman, Richard P. (1985). Leighton, Ralph (ed.). Surely You're Joking, Mr. Feynman!: Adventures of a Curious Character. W. W. Norton & Company. ISBN 0-393-01921-7. OCLC 10925248.
  8. ^ "Dialer ITL-2000II" (Press release). Zieh-Fix, Inc. Retrieved 2020-10-12.
  9. ^ Marc Weber Tobias. "Unsafe Gun Safes Can Be Opened By A Three-Year Old". Forbes.
  10. ^ "Kids Can Open Gun Safes With Straws and Paper Clips, Researchers Say". WIRED. 27 July 2012.
  11. ^ How to break into most digital safe's. YouTube. 1 March 2012. Archived from the original on 2021-12-12.
  12. ^ DEFCONConference (2016-11-10), DEF CON 24 - Plore - Side channel attacks on high security electronic safe locks, archived from the original on 2021-12-12, retrieved 2019-05-18
  13. ^ EEVblog (2015-07-05), EEVblog #762 - How Secure Are Electronic Safe Locks?, archived from the original on 2021-12-12, retrieved 2019-05-18
  14. ^ "Lockmasters. Lockmasters Little Black Box; LKM522BATMAG". www.lockmasters.com. Retrieved 2019-05-18.
  15. ^ "Crimes and Myth-Demeanors 1". Mythbusters. Season 4. Episode 54. July 12, 2006.
  16. ^ "Crimes and Myth-Demeanors 2". MythBusters. Season 4. Episode 59. August 23, 2006.
edit