back to article Heistmeisters crack cost of safecrackers with $150 widget

A pair of Melbourne security professionals have developed a $150 auto-dialer safe cracker that replicates a machine worth tens of thousands of dollars and sold only to military customers. The unit launches automatic brute force attacks against group two combination locks used in high-security environments like ATMs and gun …

  1. Ole Juul

    No video

    I gave up after 20 minutes.

    1. Knoydart

      Re: No video

      I'm getting 4 windows of the same video!

      1. Anonymous Coward
        Happy

        Re: No video

        I think it uses something called flash? No idea, I just get a blank window with a "f" in one corner.

  2. Mark 85 Silver badge

    The big question is...

    are they now planning selling this? Or the plans? Or are they just bragging that they did it? I can foresee a big headache and cost for anyone using those locks to upgrade. And a bigger cost if they don't.

    1. Cliff

      Re: The big question is...

      I don't think it's a big question for them - they saw a challenge and took it, it's what engineers do, genetically.

      The big questions are for people who believe a single lock of any sort is security in depth.

    2. YetAnotherLocksmith

      Re: The big question is...

      I wouldn't worry.

      Did you miss the bit where it takes 4 days of continuous work to open the safe?

      Assuming that's an average, that's twice as long as the 'military' one (whatever that's meant to mean - if I had $15k I could buy one) which we had running against a Grade 1 lock for 3 days, and it failed.

      So basically, check your safe once every few days and you are fine.

      For what it is worth, an expert can crack these locks in under 15 minutes. I'm not brilliant at these, but I've done one in under 2 hours. There's the real threat!

      (If you want to upgrade your safe, get in touch. )

  3. seven of five Silver badge

    *sigh*

    "high-security environments"

    "have about 10 default combinations which never ever get changed"

    another sad day in the asylum.

    1. YetAnotherLocksmith

      Re: *sigh*

      The default combo is either 50, or 10-20-30.

      Yes, pay someone to install the safe and change it. Cheaper than not changing it.

      (Change it every 6 months if you want the insurance to pay out, too, if it is a commercial use safe.)

      1. Brad Ackerman
        FAIL

        Re: *sigh*

        Kaba Mas likes 50-25-50, and if you don't remember that, don't worry; some asshole will tape it to the back of the ATM.

    2. ecofeco Silver badge

      Re: *sigh*

      And you thought security was just a problem in the digital world?

      BWAHAHAHAHAAHAHAA!!!!!

  4. Christian Berger

    Those systems exist for decades

    They can simply do brute force attacks on safes. After all people do lock themselves out of their safes.

    1. Anonymous Coward
      Anonymous Coward

      Re: Those systems exist for decades

      They weren't denying these products already exist, just denying they exist at a price of $150.

      1. Anonymous Coward
        Anonymous Coward

        Re: Those systems exist for decades

        Or $1500.

    2. glen waverley
      Terminator

      Re: Those systems exist for decades

      People also lock themselves into safes, aka strongrooms. Was once looking at an old bank (not Snowtown!) and it was pointed out to me that the strongroom had air holes to prevent slow suffocation in case of inadvertent closing of the door.

      Can see how a quick and cheap way of opening the door could be a Good Thing

  5. Anonymous Coward
    Anonymous Coward

    Time

    It is only a $150 device because they consider the time they spent designing it to be worthless.

    1. Drem

      Re: Time

      This, so much this. It's an issue in loads of areas, but one that I come across most often in craft circles, people selling things that they've made at so close to cost that no-one else can survive as a business doing that any more.

      And yes, at that time you need to take a hard look at your business, but it also has wider impacts on things like tax receipts.

      1. Chris Miller

        Re: Time

        I don't think they're planning to sell it for $150, rather that's the cost to purchase the necessary materials to make your own.

    2. phuzz Silver badge

      Re: Time

      If they're anything like me, they probably enjoyed the designing process and considered it a bonus, not worthless.

  6. Chris Miller

    It's very clever, but if you can get uninterrupted physical access to a safe for 4 days, there are easier ways to get inside it.

    1. Adam 1

      True, but probably not as quietly and most likely leaving it in a way that makes it obvious that something is amiss. It would allow the sort of attack where the safe is broken at a time when it is empty and so under minimal supervision. The safe can then be opened in seconds when it is of more interest.

  7. Anonymous Coward
    Anonymous Coward

    Heh

    I'm somewhat in both industries (IT as well as physical security) and while there's a lot each can learn from one another they often commit the same mistakes. Just to clarify, the common classification for turn-dial safe locks are Group-2, Group-2M, Group-1 and Group-1R (from "weakest" to "strongest", generally speaking). Now, if you're performing a brute-force attack on such a lock the classification of said lock will only impact speed. A Group-1 is just as susceptible to bruteforce as a Group-2.

    Group-2 locks are the easiest to bruteforce as there's an allowable dialling tolerance of +/- 1 and thus a "50" can be dialled as either a "49", "50" or "51". Thus instead of 100^3 combinations you're suddenly looking at only 33^3 (and strictly speaking it's even less as the final number of the combination cannot be within a specific dead-zone of the lock, typically between the numbers "90" and "20" (varies (in a rather predictable fashion) from manufacturer to manufacturer).

    You CAN actually get Group-2 locks with half-number dialing tolerances but they are still Group-2 as they offer no manipulation resistance (manipulation meaning taking advantage of the design of the lock in order to accelerate the cracking of its combination, not just a simple bruteforce). Group-2M offers SOME manipulation resistance BUT like Group-2 the acceptable dialling tolerance is STILL +/- 1. It's only with Group-1 locks where a half-number dialing tolerance becomes mandatory (plus Group-1 locks are required to be manipulation-proof (as per my definition of "manipulation" above)).

    So, why the frankly ridiculous dialling tolerance? Like in the IT industry; convenience. It's a lot easier to open a safe when the lock allows for a greater margin of error (for those "whoops, I missed the number by one" scenarios). As such the VAST majority of safes which are sold are equipped with Group-2 locks with a dialling tolerance of +/- 1. I have tried to persuade a number of safe manufacturers from doing otherwise but they resisted the idea claiming that it'll increase customer complaints.

    It's also possible to get 4-wheel combination locks with just-under-half-number dialing tolerances (thus your total number of combinations is almost 100^4 (again the last number dead-zone rule still applies and hence the word "almost")). Extremely rare to see these fitted. Again, convenience above all.

    You might imagine then that since turn-dial combination locks are such a pain in the ass the simple solution would be to fit digital keypad locks, right? Wrong. The reasons behind this can get lengthy, but the short versions is; (A) cost; (B) maintenance; (C) reliability, and; (D) regulations. Also, keypads are generally frowned upon as they too are susceptible to a number of attacks (keypad wear exposing numbers, thermal imaging attack on a recently utilized keypad, along with a number of others).

    Yes, there are electromechanical solutions out there which utilize a turn-dial front-end (eliminating the issues surrounding keypads) with an electronic back-end (eliminating the bruteforcability of purely mechanical locks) but such solutions are extremely costly. Such locks even go out of their way to have their PCB's covered in UV-sensitive resin glittered with random particles to create a physical tamper-resistant fingerprint allowing for post-installation security audits. For those who are interested two very well thought out solutions are the S&G 2740 and Kaba Mas X-10.

    You might now be wondering "well, if mechanical locks are all susceptible to bruteforce then why even bother classifying them?" Time to live, so to speak. The idea is that if you have valuables stored in a safe the safe and its locking mechanisms are only part of the security solution, not all of it. In addition to the safe you will want to have an alarm fitted to either the safe itself or its perimeter to call for backup during a robbery. Thus if you know that the nearest police station is a good half an hour away you would likely want your safe to be able to deter the robbers for a good hour, at least.

    Safes themselves have their own levels of classification. A "TL-30" safe for example should withstand attacks (with a number of commonly available tools (hence "TL")) for up to 30 minutes. So yeah, the key point here is that a safe and its locking mechanisms are only PART of the security solution. They aren't THE security solution. And this is one matter which is often misunderstood.

    Another aspect which is often misunderstood is that there is no such thing as an invulnerable lock or safe. Everything can be broken into... eventually. Locks and safes exist to hinder a robbery and if possible deter said robbery completely if the process of breaking into the lock and safe proves too much for the robbers in question. They also serve as a "seal", so to speak. Even if the lock and safe can be penetrated, you will want at the very least to know about it. So either have a safe under heavy surveillance or have a safe with a 100% bruteforce-proof and manipulation-proof lock (in which case electromechanical is almost the only solution you're down to) and if possible with built-in auditing.

    The problem here is many locks and safes are sold (even by very reputable safe manufacturers) without much (or any at all) education to the customer. More often than not the only concerns of a customer are "how affordable is it?" followed by "how easy is it to use?" Or worse still in the case where a customer is actually required by law to use a safe "what is the bare minimum requirement we have to meet in order to be compliant?" Again, these are all issues we see every day in IT.

    I could frankly write an essay on this topic but I would rather not and as such I have skipped on a number of facts for the purpose of not spending the rest of my day typing in a tiny comments box. Having said that there are a number of countries which require banks to utilize electromechanical locks with OTP functionality on their safes (including those found on ATM's) and as such the financial industry can actually be in pretty good order in certain countries.

    Many of my complaints are pretty much directed towards non-regulated industries. Small business. Home. Et al. Take a look at how many so-called "safes" are out there which cannot even withstand a five minute sledge hammer party.

    And finally it should also be worth pointing out that as far as Group-2 combination locks are concerned a bruteforce is highly inefficient. An experienced manipulator can BY HAND crack open a Group-2 combination lock in under ten minutes without the assistance of ANY tools or aids. And not walking around with a suitcase full of questionable articles does help when you're required to infiltrate a safe in an environment where your belongings can be checked by security.

    1. Ian Michael Gumby

      Re: Heh

      Wow.

      A long and detailed explanation...

      Lets just cut it down to the important bits.

      No safe is impenetrable and the quality of locks determine how long it takes to crack the safe. The key is that locks are just another layer in the security onion. Slow the crook down long enough for Johnny Law to stop them.

      Hows that for a short summary? :-)

      (And yes, I really did like what you wrote and upvoted you. )

    2. FartingHippo
      Thumb Up

      Re: Heh

      Thanks for taking the time to write that. Jolly interesting.

    3. YetAnotherLocksmith

      Re: Heh

      10 out of 10.

      No idea why you posted that AC though.

      I'd also add that most electromechanical tin box safes can be opened in seconds to a few minutes.

      1. Anonymous Coward
        Anonymous Coward

        Re: Heh

        @YetAnotherLocksmith - Because I fear certain aspects of the physical security industry. Everyone's favourite buzzword in IT security has been "security through obscurity"* and how it should be avoided. In the world of safes and vaults however obscurity is something which is still heavily practiced and in certain cases heavily enforced. Some veterans in the industry still view it as taboo to talk about anything to do with their trade to the general public.

        To a certain degree I can understand their paranoia. Many locks and safes can be overcome with greater ease if you are familiar with the construction of the lock and safe in question. The obvious solution would be to design a lock and safe which is bulletproof by design but it can result in increased R&D cost and increased manufacturing complexities.

        I've had an interest in the trade for well over a decade and while information on the topic at hand is much more readily available these days I still stumble into roadblocks from time to time. Acquiring certain tools can still be a bit of a nightmare as vendors can be selective of who they deal with.

        *I cringe every time someone mentions "security through obscurity". It doesn't matter how you put it but obscurity /can/ (and does) have its place. Obviously your entire security solution shouldn't consist purely on obscurity but likewise it shouldn't be avoided 100%.

    4. Yet Another Anonymous coward Silver badge

      Re: Heh

      The $few100M diamond heist in antwerp had a vault door with a 6digit combination, except the janitor who locked up at night never bothered to spin the wheels to a random setting. It had a key that was uncopyable (?) and split into two halves for security, except they left it assembled and hanging up in a closet next to the door.

      1. eldakka Silver badge

        Re: Heh

        Interesting, I just read up on this, and according to a Wired story after interviewing one of the leaders of the heist, Notarbartolo, it seems:

        1) Notarbartolo had business hours access to the vault as he was a customer (for 18 months prior) who had a safety-deposit box in the vault;

        2) they were able to install a camera outside the vault (probably by Notarbartolo who had legitimate access) that allowed them to see the door so that they could see the code entered.

        3) the original key was kept in a utility closet nearby...which they guessed by the fact that the guard who opened the vault every morning went into this closet before opening the door.

        4) Notarbartolo's legitimate access allowed him to degrade the internal heat/motion sensor (apparently he sprayed hair-spray on the sensor during a visit the day before) that degraded it long enough to enable it to be deactivated once the vault door was opened.

        The only reason they were caught was due to sloppiness in destroying evidence linking them to the crime - they had a bag of evidence to burn, but it burst open on private property that ran alongside a highway, and they didn't clean it up, they left it there and it was found.

        Based on the description of the criminals involved, I find this sloppiness hard to believe. Notarbartolo had an apartment in the region they had used for days, they could have burnt most of the evidence in small wastebin fires inside the apartment before they went to break into the vault. Or surely as part of the plan it wasn't "let's find somewhere to burn the evidence as we flee", surely they would have already picked several suitable locations (1 or 2 on each exit route) that they could use, rather than hoping to just find one.

        There was other hard to believe sloppiness - they kept receipts for the buying of equipment such as surveillance systems.

        It looks to me that they wanted to get caught. Which is understandable. They had potentially made off with $10+ million EACH. They would be running and looking over their shoulders for the rest of their lives.

        Notarbartolo is serving 10 years (well HAS served, he would have been released a year or 2 ago now). Which means he's served his time, he's been convicted. Now he gets to live out the rest of his life without having to look over his shoulder as he's already served his time. While I wouldn't consider it a fair trade-off, 10 years in prison with $10+ million to live on afterwards...some, especially those who have been criminals for years, might consider it a good trade-off. Especially since he'd have enough to 'buy protection' in prison. He was wearing a Rolex during his prison interviews with Wired! Not to mention Notarbartolo is connected to the Italian Mafia, supposedly his cousin was tapped to head the Sicilian Mafia, that would buy a lot of protection all by itself.

    5. Brad Ackerman
      Black Helicopters

      Re: Heh

      Ooh, backlit display... primary complaint with the X-09 addressed.

    6. Brandon 2

      Re: Heh

      Was reluctant to read (long) but glad i did! One of the best comments I've read in a long time!

  8. Frankee Llonnygog

    My extensive knowledge of nuclear weapons

    (garnered exclusively from TV and movies) tells me that bombs can be detonated or defused with one of these gizmos. The keypad is usually located between the 7 segment red LEDs counting down to doomsday, and the red and green wires

    1. Yet Another Anonymous coward Silver badge

      Re: My extensive knowledge of nuclear weapons

      British nuclear weapons of course used the far safer bicycle lock

      http://news.bbc.co.uk/2/hi/7097101.stm

    2. Frankee Llonnygog

      Re: My extensive knowledge of nuclear weapons

      Thumb down? Did I spell nukular wrong?

    3. Tom 13

      Re: My extensive knowledge of nuclear weapons

      Mine tells me you don't actually have to worry about it at all. In the worst case scenario the timer stops at 1.

      See also, Galaxy Quest.

    4. DButch

      Re: My extensive knowledge of nuclear weapons

      "My doomsday bomb will contain only red wires."

  9. Eclectic Man Silver badge

    Los Alamos

    According to his autobiographical books (Surely you're jokng Mr Feynman, and What do you care what other people think?), Richard Feynman engaged in safe cracking at Los Alamos, and discoverd the +/- 1 accuracy in the locks used on the safes there. He was also once asked to crack the safe of a senior army officer who had left wihtout emptying or unlocking his safe (it was one of the larger more secure ones). It was still on the factory default setting.

  10. Mage Silver badge

    Any SW keyboard locks I have designed quadruple retry delay on each wrong attempt with a one day reset period.

  11. Mage Silver badge

    Sometimes ...

    Filing cabinet: A regular drill on lock

    Ordinary door: Sledge hammer or ram

    Safe or ATM: Fork lift it away or blow it up

    I guess they did this to see if they could.

    Other approaches are to see which buttons are worn or have finger prints. Most commonly the digits ascend or descend. But if you know the digits and not the order you have dramatically reduced the number codes to what can be done by hand.

    1. Bloakey1

      Re: Sometimes ...

      Ahhh, but you have forgotten that a tension bar and stroking is your friend. I did some of this in another place (where it was legal) and oft times used, 4 or five seconds for an unknown Yale or Union lock. Another way is a barrel extractor, a bit like a shaft puller for a car. For the bigger items I would suggest that plastic bags full of water and a few feet of Dartex are your friend.

      Failing that one can utilize the Munroe effect in many different ways and some of them are very very quiet.

      Where I am at the moment, certain Eastern European gentlemen are using lighter fuel to turn cash machines into ambulatory vehicles. No four days for these boys, just an in and out job.

    2. Kevin McMurtrie Silver badge

      Re: Sometimes ...

      Vertical filing cabinet with a single lock: Turn it upside down.

      As for the digital safe cracker, are there no clues that can be used for acceleration? Unlike an amateur cracker, a computer could analyze timing, frequency, and reverb of each sound to detect when the internal state of the lock has changed. Combinations similar to those causing a state change would be prioritized over those that do not.

  12. Colin Miller

    Audio cracking

    Some combination locks make a distinct Click when you go past the correct number, this is why some safe crackers use stethoscopes to listen for them.

    Does this device use them to speed up the process?

  13. RainForestGuppy

    Takes all the fun out...

    If you use this you can't shout.. "YOU WERE ONLY SUPPOSED TO BLOW THE BLOODY DOORS OFF!!!"

  14. Don H

    AC's comment about the dead zone for the last digit reminds me of a service call many years ago. A local bank did regularly change the combos on their ATM safes, but one time the (randomly) chosen combo had a last digit in the dead zone, and they forgot the rule... set the combo, shut the door, spun the dial, it "made a funny noise" and then the new combo didn't open the lock. A succession of locksmiths failed to open it. We eventually took a spare mechanism from stock and duplicated the setting process while observing the mechanism. It turned out that it had dragged one of the discs out of position, so it was just a case of trying numbers around the displaced position until we found it.

    1. Anonymous Coward
      Anonymous Coward

      AC who made the lengthy post here... First mistake; calling a locksmith instead of an SVT (Safe & Vault Technician). No offense to the large number of excellent locksmiths out there whom I have an incredible amount of respect for but there are simply too many locksmiths out there who claim to have experience in working with safes and their locking mechanisms when they simply do not.

      If you have a safe which needs opening your best bet is to usually call an SVT. They may charge more but in certain situations they can open a safe indestructibly thus allowing the reuse of said safe.

  15. David Roberts
    Unhappy

    Too much security?

    If a lock is more or less uncrackable then other options become more attractive.

    Chief of which is persuading someone who knows the combination to reveal it.

    This leads to a certain nervousness especially where additional security involves identifying unique body configurations such as finger and retinal prints.

    So perhaps a level of security which can deter criminals but still offer options which are more attractive than maiming or killing the work force?

    Unless the contents are so valuable (to you not someone else) you would rather suffer or die than allow access.

    Or using a time lock so that there is no point in trying to crack the combination when the safe is not guarded.

  16. Tom 13

    Even at $1500 you have significant savings over a machine worth tens of thousands of dollars and sold only to military customers.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021