This article's lead sectionmay be too short to adequately summarize the key points. Please consider expanding the lead to provide an accessible overview of all important aspects of the article.(August 2020)
Safes have widely different designs, construction methods, and locking mechanisms. A safe cracker needs to know the specifics of whichever will come into play.
Lock manipulation
Lock manipulation is a damage-free, combination-based method. A well known surreptitious bypass technique, it requires knowledge of the device and well developed touch, along with the senses of sight and possibly sound.
While manipulation of combination locks is usually performed on Group 2 locks, many Group 1 locks are also susceptible. The goal is to successfully obtain the combination one number at a time.[1] Manipulation procedures vary, but all rely on exploiting mechanical imperfections in the lock to open it, and, if desired, recover its combination for future use. Similar damage-free bypass can also be achieved by using a computerized auto-dialer or manipulation robot in a so-called brute-force attack. These auto-dialer machines may take 24 hours or more to reach the correct combination,[2] although modern devices with advanced software may do so faster.
Mechanical safe locks are manipulated primarily by feel and vision, with sound sometimes supplementing the process. To find the combination the operator uses the lock against itself by measuring internal movements with the dial numbers. More sophisticated locks use advanced mechanics to reduce any feedback available to a technician in identifying a combination. These group 1 [3] locks were developed in response to group 2[4] lock manipulation.[5] Wheels made from lightweight materials will reduce valuable sensory feedback, but are mainly used for improved resistance against radiographic attacks.[6] Manipulation is often the preferred choice in lost-combination lockouts, since it requires no repairs or damage, but can be time consuming for an operator, the specific difficulty depends on the unique wheel shapes and where the gates rest in relation to them. A novice's opening time will be governed by these random inconsistencies, while some leading champions of this art show consistency. There are also a number of tools on the market to assist safe engineers in manipulating a combination lock open in the field.
Nearly all combination locks allow some "slop", or deviation, while entering a combination on the dial. On average, 1% radial rotation in either direction from the center of the true combination number allows the fence to fall despite slight deviation, so that for a given safe, it may be necessary only to try a subset of possible combinations.[7] Such "slops" may allow for a margin of error of plus or minus two digits, which means that trying multiples of five would be sufficient in this case. This drastically reduces the time required to exhaust the number of meaningful combinations. A further reduction in solving time is obtained by trying all possible settings for the last wheel for a given setting of the first wheels before nudging the next-to-last wheel to its next meaningful setting, instead of zeroing the lock each time with a number of turns in one direction.
A safe may be compromised by using a manufacturer-set combination. Known as try-out combinations, these allow an owner initial access to their safe in order to set a new unique one. Sources of try-out combinations exist by manufacturer.
Other easy-to-guess combinations include a birthdate, street address, or driver's license number.
Autodialer
Autodialing machines have been developed to open safes. Unlike fictional machines that can open any combination in a matter of seconds, such machines are usually specific to a particular type of lock and must cycle through thousands of combinations before success. Such a device was created by two students from the Massachusetts Institute of Technology, which took 21,000 tries to open a Sargent and Greenleaf 8500 lock on a Diebold Safe. Lockmasters, Inc. markets the QX3 Combi Autodialer (LKMCOMBI) that works on a variety of 3 and 4 Wheel combination safe locks.[8]
Another computer-aided method uses tools similar to autodialers, which instead make measurements of the internal components of the lock then deduce the combination in a way similar to that of a human safe cracker. Mas Hamilton's SoftDrill was one such device, but is no longer in production.
Weak-point drilling
Safe-drilling with a drill rig
Some safes are susceptible to compromise by drilling. Manufacturers publish tightly-guarded drill-point diagrams for locksmiths for specific models. Drilling is an aid in bypassing the locking mechanism, as well as gaining more information about it in order to defeat it. It is the most common method used by locksmiths on malfunctioning or damaged locks, and commonly used in burglary.
Drill-points are often located close to the axis of the dial on the combination lock, but drilling for observation may sometimes require drilling through the top, sides or rear of the safe. While observing the lock, the attacker manipulates the dial to align the lock gates so that the fence falls and the bolt is disengaged.
Bypass attacks involve physical manipulation of both the lock and its bolt mechanism.
Punching, peeling and using a torch are other methods of compromising a safe. The punch system is widely used by criminals for rapid entry. Punching was developed by Pavle Stanimirovic and used in New York City. Peeling is a method that involves removing the outer skin of the safe.
All quality safes protect against drilling attacks through the strategic use of specially tempered or alloyed hardplate steel, or composite hardplate (casting tungsten carbide chips into alloys such as cobalt-vanadium, designed to shatter the cutting tips of a drill bit). These include protecting the locking mechanism, the bolts, and areas where drilling could be used to advantage. Special diamond or tungsten-carbide drill-bits can make some headway with some hardplates, but it is still a time-consuming and difficult process.
Some high-security safes use a tempered glass relocker. This has wires that lead from the glass to randomly located, spring-loaded bolts. If a penetrating drill or torch breaks the glass, the bolts are released, blocking retraction of the main locking bolts. A gas abrasive drill can sometimes be used to safely drill through a glass relocker.
Plasma cutters and thermal lances can be as hot as 2,200°C (3,990°F), much hotter than traditional oxyacetylene torches, and can be used to burn through the metal on a safe. Many modern high-security safes also incorporate additional thermal safeties to foil blow torches and thermal lances. These are usually in the form of fusible links integrated into the glass relocker cabling, which trigger it when a set temperature is exceeded.
Drilling is an attractive method of safecracking for locksmiths, as it is usually quicker than manipulation, and drilled safes can generally be repaired and returned to service.
Scoping
Scoping a safe is the process of drilling a hole and inserting a borescope into the safe to get an intimate look into a specific part of the security container. When manipulation proof mechanical locks and glass re-lockers are implemented as security measures, scoping is the most practical option. One common method is called "scoping the change key hole." The safecracker will drill a hole allowing him to get his scope into a position to observe the change key hole. While spinning the dial and looking through the change key hole for certain landmarks on the combination lock's wheel pack, it is possible to obtain the combination and then dial open the safe with the correct combination. This method is common for a professional safe specialist because it leaves the lock in good working order and only simple repairs are needed to bring the safe barrier back to its original condition. It is also a common way to bypass difficult hard plates and glass re-lockers since the change key hole can be scoped by drilling the top, side, or back of the container.
Brute force methods
Other methods of cracking a safe generally involve damaging the safe so that it is no longer functional. These methods may involve explosives or other devices to inflict severe force and damage the safe so it may be opened. Examples of penetration tools include acetylene torches, drills, and thermal lances. This method requires care as the contents of the safe may be damaged. Safe-crackers can use what are known as jam shots to blow off the safe's doors.
Most modern safes are fitted with 'relockers' (like the one described above) which are triggered by excessive force and will then lock the safe semi-permanently (a safe whose relocker has tripped must then be forced, as the combination or key alone will no longer suffice). This is why a professional safe-technician will use manipulation rather than brute force to open a safe so they do not risk releasing the relocker.
Radiological methods
Penetrating radiation such as X-ray radiation can be used to reveal the internal angular relationship of the wheels gates to the flys mechanism to deduce the combination. Some modern safe locks are made of lightweight materials such as nylon to inhibit this technique, since most safe exteriors are made of much denser metals. The Chubb Manifoil Mk4 combination lock contains a lead shield surrounding part of the lock to defeat such attempts to read its wheels.
Tunneling into bank vaults
Large bank vaults which are often located underground have been compromised by safe-crackers who have tunneled in using digging equipment. This method of safe-cracking has been countered by building patrol-passages around the underground vaults. These patrol-passages allow early detection of any attempts to tunnel into a vault.
A number of inexpensive safes sold to households for under $100 use mechanical locking mechanisms that are vulnerable to bouncing. Many cheap safes use a magnetic locking pin to prevent lateral movement of an internal locking bolt, and use a solenoid to move the pin when the correct code is entered. This pin can also be moved by the impact of the safe being dropped or struck while on its side, which allows the safe to be opened.[9][10][11] One security researcher taught his three-year-old son how to open most consumer gun safes. More expensive safes use a gear mechanism that is less susceptible to mechanical attacks.
Magnet risk
Low-end home and hotel safes often utilize a solenoid as the locking device and can often be opened using a powerful rare-earth magnet.
Electronic methods
Electronic locks are not vulnerable to traditional manipulation techniques (except for brute-force entry). These locks are often compromised through power analysis attacks.[12][13] Several tools exist that can automatically retrieve or reset the combination of an electronic lock; notably, the Little Black Box[14] and Phoenix. Tools like these are often connected to wires in the lock that can be accessed without causing damage to the lock or container. Nearly all high-end, consumer-grade electronic locks are vulnerable to some form of electronic attack.
TEMPEST
The combinations for some electronic locks can be retrieved by examining electromagnetic emissions coming from the lock. Because of this, many safe locks used to protect critical infrastructure are tested and certified to resist TEMPEST attacks. These include the Kaba Mas X-10 and S&G 2740B, which are FF-L-2740B compliant.
Spiking the lock
Low-end electronic fire-safes, such as those used in hotels or for home use, are locked with either a small motor or a solenoid. If the wires running to the device (solenoid or motor) can be accessed, the device can be 'spiked' with a voltage from an external source - typically a 9 volt battery - to open the container.
Keypad-based attacks
If an electronic lock accepts user input from a keypad, this process can be observed in order to reveal the combination. Common attacks include:
Visually observing a user enter the combination (shoulder surfing)
Hiding a camera in the room which records the user pressing keys
Examining fingerprints left on the keys
Placing certain gels, powders, or substances on the keys that can be smudged or transferred between keys when the combination is entered, and observed at a later time.
Placing a "skimmer" (akin to those used for credit card fraud) behind the keypad to record the digital signals that are sent to the lock body when the combination is entered.
Examining wear or deformity of buttons which are pressed more often than others
Many of these techniques require the attacker to tamper with the keypad, wait for the unsuspecting user to enter the combination, and return at a later time to retrieve the information. These techniques are sometimes used by members of intelligence or law enforcement agencies, as they are often effective and surreptitious.
High-security keypads
Some keypads are designed to inhibit the aforementioned attacks. This is usually accomplished by restricting the viewing angle of the keypad (either by using a mechanical shroud or special buttons), or randomizing the positions of the buttons each time a combination is entered.
Some keypads use small LED or LCD displays inside of the buttons to allow the number on each button to change. This allows for randomization of the button positions, which is normally performed each time the keypad is powered on. The buttons usually contain a lenticular screen in front of the display, which inhibits off-axis viewing of the numbers.
When properly implemented, these keypads make the "shoulder surfing" attack infeasible, as the combination bears no resemblance to the positions of the keys which are pressed.
While these keypads can be used on safes and vaults, this practice is uncommon.
Media depictions
Movies often depict a safe-cracker determining the combination of a safe lock using his fingers or a sensitive listening device to determine the combination of a rotary combination lock. Other films also depict an elaborate scheme of explosives and other devices to open safes.
Breaking In (1989)—Drilling, hammering (a cheap safe), nitroglycerin explosives, torch-cutting (with this method the contents were destroyed), social engineering
The Score (2001)—Drilling, thermal lance, internal explosion. This method shown at the climax of the film was tested on an episode of MythBusters (see below).
Panic Room (2002)—Drilling, brute force, physical destruction of electronic security systems
Three safecracking methods seen in movies were also tested on the television show MythBusters, with some success.[15][16] While the team was able to blow the door off of a safe by filling the safe with water and detonating an explosive inside it, the contents of the safe were destroyed and filling the safe with water required sealing it from the inside. The safe had also sprung many leaks.
The pin tumbler lock, also known as the Yale lock after the inventor of the modern version, is a lock mechanism that uses pins of varying lengths to prevent the lock from opening without the correct key.
A combination lock is a type of locking device in which a sequence of symbols, usually numbers, is used to open the lock. The sequence may be entered using a single rotating dial which interacts with several discs or cams, by using a set of several rotating discs with inscribed symbols which directly interact with the locking mechanism, or through an electronic or mechanical keypad. Types range from inexpensive three-digit luggage locks to high-security safes. Unlike ordinary padlocks, combination locks do not use keys.
A lock is a mechanical or electronic fastening device that is released by a physical object, by supplying secret information, by a combination thereof, or it may only be able to be opened from one side, such as a door chain.
A safe is a secure lockable enclosure used for securing valuable objects against theft or fire. A safe is usually a hollow cuboid or cylinder, with one face being removable or hinged to form a door. The body and door may be cast from metal or formed out of plastic through blow molding. Bank teller safes typically are secured to the counter, have a slit opening for dropping valuables into the safe without opening it, and a time-delay combination lock to foil thieves. One significant distinction between types of safes is whether the safe is secured to a wall or structure or if it can be moved around.
A bank vault is a secure space where money, valuables, records, and documents are stored. It is intended to protect their contents from theft, unauthorized use, fire, natural disasters, and other threats, much like a safe. Unlike safes, vaults are an integral part of the building within which they are built, using armored walls and a tightly fashioned door closed with a complex lock.
A lever tumbler lock is a type of lock that uses a set of levers to prevent the bolt from moving in the lock. In the simplest form of these, lifting the tumbler above a certain height will allow the bolt to slide past.
A rotary combination lock is a lock commonly used to secure safes and as an unkeyed padlock mechanism. This type of locking mechanism consists of a single dial which must be rotated left and right in a certain combination in order to open the lock.
A solenoid bolt is a type of electronic-mechanical locking mechanism. This type of lock is characterized by the use of a solenoid to throw the bolt. Sophisticated solenoid bolt locks may use microprocessors to perform voltage regulation, reduce power consumption, and/or provide access control. Depending on the strength of the solenoid, some models can provide a holding force on the order of 1000 kg. A solenoid bolt can be designed either to fail open or to fail closed. Some models may be suitable for high-security sites.
A bicycle lock is a security device used to deter bicycle theft, either by simply locking one of the wheels or by fastening the bicycle to a fixed object, e.g., a bike rack.
Padlocks are portable locks usually with a shackle that may be passed through an opening to prevent use, theft, vandalism or harm.
A remote keyless system (RKS), also known as remote keyless entry (RKE) or remote central locking, is an electronic lock that controls access to a building or vehicle by using an electronic remote control (activated by a handheld device or automatically by proximity). RKS largely and quickly superseded keyless entry, a budding technology that restrictively bound locking and locking functions to vehicle-mounted keypads.
A latch or catch is a type of mechanical fastener that joins two objects or surfaces while allowing for their regular separation. A latch typically engages another piece of hardware on the other mounting surface. Depending upon the type and design of the latch, this engaged bit of hardware may be known as a keeper or strike.
A keypad is a block or pad of buttons set with an arrangement of digits, symbols, or alphabetical letters. Pads mostly containing numbers and used with computers are numeric keypads. Keypads are found on devices which require mainly numeric input such as calculators, television remotes, push-button telephones, vending machines, ATMs, point of sale terminals, combination locks, safes, and digital door locks. Many devices follow the E.161 standard for their arrangement.
An electronic lock is a locking device which operates by means of electric current. Electric locks are sometimes stand-alone with an electronic control assembly mounted directly to the lock. Electric locks may be connected to an access control system, the advantages of which include: key control, where keys can be added and removed without re-keying the lock cylinder; fine access control, where time and place are factors; and transaction logging, where activity is recorded. Electronic locks can also be remotely monitored and controlled, both to lock and to unlock.
An electric strike is an access control device used for door frames. It replaces the fixed strike faceplate often used with a latch. Like a fixed strike plate, it normally presents a ramped or beveled surface to the locking latch allowing the door to close and latch just like a fixed strike would. However, an electric strike's ramped surface can, upon command, pivot out of the way when the lock on the door is in the locked position and the door is opened, allowing a user to pull/push the door to open it without operating the mechanical lock or using a mechanical key. After the door is opened past the keeper, the keeper returns to its standard position and re-locks when power is removed or applied, depending upon the strike's configuration.
A keycard lock is a lock operated by a keycard, a flat, rectangular plastic card. The card typically, but not always, has identical dimensions to that of a credit card, that is ID-1 format. The card stores a physical or digital pattern that the door mechanism accepts before disengaging the lock.
Lock bumping is a lock picking technique for opening a pin tumbler lock using a specially crafted bump key, rapping key or 999 key. A bump key must correspond to the target lock in order to function correctly.
A gun safe is a safe designed for storing one or more firearms and/or ammunitions. Gun safes are primarily used to prevent access by unauthorized or unqualified persons, for burglary protection and, in more capable safes, to protect the contents from damage by flood, fire or other natural disasters.
An electromagnetic lock, magnetic lock, or maglock is a locking device that consists of an electromagnet and an armature plate.
↑ Feynman, Richard P. (1985). Leighton, Ralph (ed.). Surely You're Joking, Mr. Feynman!: Adventures of a Curious Character. W. W. Norton & Company. ISBN0-393-01921-7. OCLC10925248.
This page is based on this Wikipedia article Text is available under the CC BY-SA 4.0 license; additional terms may apply. Images, videos and audio are available under their respective licenses.
