Safe-cracking

Last updated
A safe with destroyed electronic components Safecracking brute force.jpg
A safe with destroyed electronic components

Safe-cracking is the process of opening a safe without either the combination or the key.

Contents

Physical methods

Different procedures may be used to crack a safe, depending on its construction. Different procedures are required to open different safes, so safe-crackers need to be aware of the differences.

Lock manipulation

Lock manipulation is a damage-free combination recovery method and a well known surreptitious bypass technique. Manipulation only requires fingers, eyes, and proper technique, though it is a skill that takes years to develop. While manipulation of combination locks is usually performed on Group 2 locks, many Group 1 locks are susceptible to manipulation. It involves the manipulation of the lock in order to obtain the combination one number at a time. [1] Manipulation procedures can vary, but they all rely on exploiting the presence of mechanical imperfections in the lock, unlocking the safe and recovering its combination, which can then be reused to open the safe lock. Similar damage-free bypass can also be completed by a brute-force attack from a computerized auto-dialer or manipulation robot. These auto-dialer machines may take 24 hours or more to reach the correct combination, [2] although modern devices with enhanced advanced software may successfully do this more quickly.

Mechanical safe locks are manipulated primarily by feel and vision, with sound helping the process occasionally. To find the combination the operator uses the lock against itself by measuring internal movements with the dial numbers. More sophisticated locks use advanced mechanics to reduce any feedback a technician could use to identify a combination. These group 1 [3] locks were developed in response to group 2 [4] lock manipulation. [5] Wheels made from lightweight materials will reduce valuable sensory feedback, but are mainly used for improved resistance against radiographic attacks. [6] Manipulation is often the preferred choice in lost-combination lockouts, since it requires no repairs or damage, but can be time consuming for an operator, the specific difficulty depends on the unique wheel shapes and where the gates rest in relation to them. A novice's opening time will be governed by these random inconsistencies, while some leading champions of this art show consistency. There are also a number of tools on the market to assist safe engineers in manipulating a combination lock open in the field.

Nearly all combination locks allow some "slop" while entering a combination on the dial. On average 1% radial rotation in either direction from the center of the true combination number to allow the fence to fall despite slight deviation, so that for a given safe it may be necessary only to try a subset of the combinations. [7] Such "slops" may allow for a margin of error of plus or minus two digits, which means that trying multiples of five would be sufficient in this case. This drastically reduces the time required to exhaust the number of meaningful combinations. A further reduction in solving time is obtained by trying all possible settings for the last wheel for a given setting of the first wheels before nudging the next-to-last wheel to its next meaningful setting, instead of zeroing the lock each time with a number of turns in one direction.

Guessing the combination

Safes may be compromised surprisingly often by simply guessing the combination. This results from the fact that manufactured safes often come with a manufacturer-set combination. These combinations (known as try-out combinations) are designed to allow owners initial access to the safes so that they may set their own new combinations. Sources exist which list manufacturers' try-out combinations.

Combinations are also unwittingly compromised by the owners of the safes by having the locks set to easy-to-guess combinations such as a birthdate, street address, or driver's license number.

Autodialers

A number of companies and groups have developed autodialing machines to open safes. Unlike fictional machines that can open any combination in a matter of seconds, such machines are usually specific to a particular type of lock and must cycle through thousands of combinations to open a device. A good example of such a device is a project completed by two students from the Massachusetts Institute of Technology, Kyle Vogt and Grant Jordan. Their machine, built to open a Sargent and Greenleaf 8500 lock on a Diebold Safe, found an unknown combination in 21,000 tries. Lockmasters, Inc. markets one autodialing machine [QX3 Combi Autodialer (LKMCOMBI)] that works on a variety of 3 and 4 Wheel combination safe locks. [8]

There also exist computer-aided manipulation tools such as Mas Hamilton's SoftDrill (no longer in production). These tools are similar to autodialers, except they make measurements of the internal components of the lock, and deduce the combination in a similar way to that of a human safe technician.

Weak-point drilling

Safe-drilling w/ drill rig Safecracking-Drill-Rig.png
Safe-drilling w/ drill rig

While some safes are hard to open, some are susceptible to compromise by drilling or other physical methods. Manufacturers publish drill-point diagrams for specific models of safes. These are tightly guarded by both the manufacturers and locksmithing professionals. Drilling is usually aimed at gaining access to the safe by observation or bypass of the locking mechanism. Drilling is the most common method used by locksmiths, and is commonly used in cases of burglary attempts, malfunctioning locks or damaged locks.

In observational attacks, the drill hole allows the safecracker to view the internal state of the combination lock. Drill-points are often located close to the axis of the dial on the combination lock, but observation may sometimes require drilling through the top, sides or rear of the safe. While observing the lock, the locksmith manipulates the dial to align the lock gates so that the fence falls and the bolt is disengaged.

Bypass attacks involve physical manipulation of the bolt mechanism directly, bypassing the combination lock.

All but the simplest safes are designed to protect against drilling attacks through the implementation of hardplate steel (extremely wear-resistant) or composite hardplate (a casting of metal such as cobalt-vanadium alloys with embedded tungsten carbide chips designed to shatter the cutting tips of a drill bit) within the safe, protecting the locking mechanism and other critical areas such as the locking bolts. The use of hardplate ensures that conventional drilling is not successful when used against the safe. Drilling through hardplate requires the use of special-purpose diamond or tungsten-carbide drill-bits. Even then, this can be a time-consuming and difficult process with safes equipped with modern composite hardplates.

Some high-security safes use a glass relocker. This is a piece of tempered glass mounted between the safe door and the combination lock. It has wires attached to the edges. These wires lead to randomly located, spring-loaded bolts. If an attempt is made to penetrate the safe, the penetrating drill or torch could break the glass and release the bolts. These bolts block the retraction of the main locking bolts. To drill a safe with a glass relocker, side, top, or rear drilling may be necessary. A gas abrasive drill can sometimes be used to drill through a glass relocker without triggering it.

Many modern high-security safes also incorporate thermal relockers in conjunction with glass-based relockers (usually a fusible link as part of the relocker cabling), which also activate when the temperature of a safe exceeds a certain level as a defense against torches and thermal lances.

Drilling is an attractive method of safecracking for locksmiths, as it is usually quicker than manipulation, and drilled safes can generally be repaired and returned to service.

Punching, peeling and using a torch are other methods of compromising a safe. The punch system is widely used by criminals for rapid entry. Punching was developed by Pavle Stanimirovic and used in New York City. Peeling is a method that involves removing the outer skin of the safe.

Plasma cutters and thermal lances can be as hot as 2,200 °C (3,990 °F), much hotter than traditional oxyacetylene torches, and can be used to burn through the metal on a safe.

Scoping

Scoping a safe is the process of drilling a hole and inserting a borescope into the safe to get an intimate look into a specific part of the security container. When manipulation proof mechanical locks and glass re-lockers are implemented as security measures, scoping is the most practical option. One common method is called "scoping the change key hole." The safecracker will drill a hole allowing him to get his scope into a position to observe the change key hole. While spinning the dial and looking through the change key hole for certain landmarks on the combination lock's wheel pack, it is possible to obtain the combination and then dial open the safe with the correct combination. This method is common for a professional safe specialist because it leaves the lock in good working order and only simple repairs are needed to bring the safe barrier back to its original condition. It is also a common way to bypass difficult hard plates and glass re-lockers since the change key hole can be scoped by drilling the top, side, or back of the container.

Brute force methods

Other methods of cracking a safe generally involve damaging the safe so that it is no longer functional. These methods may involve explosives or other devices to inflict severe force and damage the safe so it may be opened. Examples of penetration tools include acetylene torches, drills, and thermal lances. This method requires care as the contents of the safe may be damaged. Safe-crackers can use what are known as jam shots to blow off the safe's doors.

Most modern safes are fitted with 'relockers' (like the one described above) which are triggered by excessive force and will then lock the safe semi-permanently (a safe whose relocker has tripped must then be forced, as the combination or key alone will no longer suffice). This is why a professional safe-technician will use manipulation rather than brute force to open a safe so they do not risk releasing the relocker.

Radiological methods

Penetrating radiation such as X-ray radiation can be used to reveal the internal angular relationship of the wheels gates to the flys mechanism to deduce the combination. Some modern safe locks are made of lightweight materials such as nylon to inhibit this technique, since most safe exteriors are made of much denser metals. The Chubb Manifoil Mk4 combination lock contains a lead shield surrounding part of the lock to defeat such attempts to read its wheels.

Tunneling into bank vaults

Large bank vaults which are often located underground have been compromised by safe-crackers who have tunneled in using digging equipment. This method of safe-cracking has been countered by building patrol-passages around the underground vaults. These patrol-passages allow early detection of any attempts to tunnel into a vault.

Safe bouncing

A number of inexpensive safes sold to households for under $100 use mechanical locking mechanisms that are vulnerable to bouncing. Many cheap safes use a magnetic locking pin to prevent lateral movement of an internal locking bolt, and use a solenoid to move the pin when the correct code is entered. This pin can also be moved by the impact of the safe being dropped or struck while on its side, which allows the safe to be opened. [9] [10] [11] One security researcher taught his three-year-old son how to open most consumer gun safes. More expensive safes use a gear mechanism that is less susceptible to mechanical attacks.

Magnet risk

Low-end home and hotel safes often utilize a solenoid as the locking device and can often be opened using a powerful rare-earth magnet.

Electronic methods

Electronic locks are not vulnerable to traditional manipulation techniques (except for brute-force entry). These locks are often compromised through power analysis attacks. [12] [13] Several tools exist that can automatically retrieve or reset the combination of an electronic lock; notably, the Little Black Box [14] and Phoenix. Tools like these are often connected to wires in the lock that can be accessed without causing damage to the lock or container. Nearly all high-end, consumer-grade electronic locks are vulnerable to some form of electronic attack.

TEMPEST

The combinations for some electronic locks can be retrieved by examining electromagnetic emissions coming from the lock. Because of this, many safe locks used to protect critical infrastructure are tested and certified to resist TEMPEST attacks. These include the Kaba Mas X-10 and S&G 2740B, which are FF-L-2740B compliant.

Spiking the lock

Low-end electronic fire-safes, such as those used in hotels or for home use, are locked with either a small motor or a solenoid. If the wires running to the device (solenoid or motor) can be accessed, the device can be 'spiked' with a voltage from an external source - typically a 9 volt battery - to open the container.

Keypad-based attacks

If an electronic lock accepts user input from a keypad, this process can be observed in order to reveal the combination. Common attacks include:

Many of these techniques require the attacker to tamper with the keypad, wait for the unsuspecting user to enter the combination, and return at a later time to retrieve the information. These techniques are sometimes used by members of intelligence or law enforcement agencies, as they are often effective and surreptitious.

High-security keypads

Some keypads are designed to inhibit the aforementioned attacks. This is usually accomplished by restricting the viewing angle of the keypad (either by using a mechanical shroud or special buttons), or randomizing the positions of the buttons each time a combination is entered.

Some keypads use small LED or LCD displays inside of the buttons to allow the number on each button to change. This allows for randomization of the button positions, which is normally performed each time the keypad is powered on. The buttons usually contain a lenticular screen in front of the display, which inhibits off-axis viewing of the numbers.

When properly implemented, these keypads make the "shoulder surfing" attack infeasible, as the combination bears no resemblance to the positions of the keys which are pressed.

While these keypads can be used on safes and vaults, this practice is uncommon.

Media depictions

Movies often depict a safe-cracker determining the combination of a safe lock using his fingers or a sensitive listening device to determine the combination of a rotary combination lock. Other films also depict an elaborate scheme of explosives and other devices to open safes.

Some of the more famous works include:

Three safecracking methods seen in movies were also tested on the television show MythBusters , with some success. [15] [16] While the team was able to blow the door off of a safe by filling the safe with water and detonating an explosive inside it, the contents of the safe were destroyed and filling the safe with water required sealing it from the inside. The safe had also sprung many leaks.

See also

Related Research Articles

<span class="mw-page-title-main">Locksmithing</span> Science and art of making and defeating locks

Locksmithing is the science and art of making and defeating locks. Locksmithing is a traditional trade and in many countries requires completion of an apprenticeship. The level of formal education legally required varies from country to country from none at all, to a simple training certificate awarded by an employer, to a full diploma from an engineering college, in addition to time spent working as an apprentice.

<span class="mw-page-title-main">Linus Yale Jr.</span> American mechanical engineer

Linus Yale Jr. was an American mechanical engineer, manufacturer, and co-founder with Henry R. Towne of the Yale Lock Manufacturing Company, which became the premier manufacturer of locks in the United States. He is best known for his inventions of locks, especially the cylinder lock. His basic lock design is still widely distributed today, and constitutes a majority of personal locks and safes.

<span class="mw-page-title-main">Pin tumbler lock</span> Lock mechanism

The pin tumbler lock is a lock mechanism that uses pins of varying lengths to prevent the lock from opening without the correct key. Pin tumblers are most commonly employed in cylinder locks, but may also be found in tubular pin tumbler locks.

<span class="mw-page-title-main">Combination lock</span> Type of locking device in which a sequence of symbols, usually numbers, is used to open the lock

A combination lock is a type of locking device in which a sequence of symbols, usually numbers, is used to open the lock. The sequence may be entered using a single rotating dial which interacts with several discs or cams, by using a set of several rotating discs with inscribed symbols which directly interact with the locking mechanism, or through an electronic or mechanical keypad. Types range from inexpensive three-digit luggage locks to high-security safes. Unlike ordinary padlocks, combination locks do not use keys.

<span class="mw-page-title-main">Lock and key</span> Mechanical or electronic fastening device

A lock is a mechanical or electronic fastening device that is released by a physical object, by supplying secret information, by a combination thereof, or it may only be able to be opened from one side, such as a door chain.

<span class="mw-page-title-main">Safe</span> Secure lockable box used for securing valuable objects

A safe is a secure lockable box used for securing valuable objects against theft or fire. A safe is usually a hollow cuboid or cylinder, with one face being removable or hinged to form a door. The body and door may be cast from metal or formed out of plastic through blow molding. Bank teller safes typically are secured to the counter, have a slit opening for dropping valuables into the safe without opening it, and a time-delay combination lock to foil thieves. One significant distinction between types of safes is whether the safe is secured to a wall or structure or if it can be moved around. A less secure version is usually called a cash-box.

<span class="mw-page-title-main">Bank vault</span> Secure space where money, valuables, records, and documents are stored

A bank vault is a secure space where money, valuables, records, and documents are stored. It is intended to protect their contents from theft, unauthorized use, fire, natural disasters, and other threats, much like a safe. Unlike safes, vaults are an integral part of the building within which they are built, using armored walls and a tightly fashioned door closed with a complex lock.

<span class="mw-page-title-main">Lever tumbler lock</span> Type of lock

A lever tumbler lock is a type of lock that uses a set of levers to prevent the bolt from moving in the lock. In the simplest form of these, lifting the tumbler above a certain height will allow the bolt to slide past.

<span class="mw-page-title-main">Rotary combination lock</span>

A rotary combination lock is a lock commonly used to secure safes and as an unkeyed padlock mechanism. This type of locking mechanism consists of a single dial which must be rotated left and right in a certain combination in order to open the lock.

A solenoid bolt is a type of electronic-mechanical locking mechanism. This type of lock is characterized by the use of a solenoid to throw the bolt. Sophisticated solenoid bolt locks may use microprocessors to perform voltage regulation, reduce power consumption, and/or provide access control. Depending on the strength of the solenoid, some models can provide a holding force on the order of 1000 kg. A solenoid bolt can be designed either to fail open or to fail closed. Some models may be suitable for high-security sites.

<span class="mw-page-title-main">Bicycle lock</span>

A bicycle lock is a security device used to deter bicycle theft, either by simply locking one of the wheels or by fastening the bicycle to a fixed object, e.g., a bike rack.

<span class="mw-page-title-main">Remote keyless system</span> Electronic lock without a mechanical key

A remote keyless system (RKS), also called keyless entry or remote central locking, is an electronic lock that controls access to a building or vehicle by using an electronic remote control.

<span class="mw-page-title-main">Latch</span> Mechanical fastener

A latch or catch is a type of mechanical fastener that joins two objects or surfaces while allowing for their regular separation. A latch typically engages another piece of hardware on the other mounting surface. Depending upon the type and design of the latch, this engaged bit of hardware may be known as a keeper or strike.

<span class="mw-page-title-main">Electronic lock</span> Locking device which operates by means of electric current

An electronic lock is a locking device which operates by means of electric current. Electric locks are sometimes stand-alone with an electronic control assembly mounted directly to the lock. Electric locks may be connected to an access control system, the advantages of which include: key control, where keys can be added and removed without re-keying the lock cylinder; fine access control, where time and place are factors; and transaction logging, where activity is recorded. Electronic locks can also be remotely monitored and controlled, both to lock and to unlock.

<span class="mw-page-title-main">Lock bumping</span> Lock picking technique

Lock bumping is a lock picking technique for opening a pin tumbler lock using a specially crafted bump key, rapping key or 999 key. A bump key must correspond to the target lock in order to function correctly.

<span class="mw-page-title-main">Door security</span>

The term door security or door security gate may refer to any of a range of measures used to strengthen doors against door breaching, ram-raiding and lock picking, and prevent crimes such as burglary and home invasions. Door security is used in commercial and government buildings, as well as in residential settings.

<span class="mw-page-title-main">Gun safe</span> Safe for storing firearms

A gun safe is a safe designed for storing one or more firearms and/or ammunitions. Gun safes are primarily used to prevent access by unauthorized or unqualified persons, for burglary protection and, in more capable safes, to protect the contents from damage by flood, fire or other natural disasters.

<span class="mw-page-title-main">Electromagnetic lock</span>

An electromagnetic lock, magnetic lock, or maglock is a locking device that consists of an electromagnet and an armature plate. There are two main types of electric locking devices. Locking devices can be either "fail safe" or "fail secure". A fail-secure locking device remains locked when power is lost. Fail-safe locking devices are unlocked when de-energized. Direct pull electromagnetic locks are inherently fail-safe. Typically the electromagnet portion of the lock is attached to the door frame and a mating armature plate is attached to the door. The two components are in contact when the door is closed. When the electromagnet is energized, a current passing through the electromagnet creates a magnetic flux that causes the armature plate to attract to the electromagnet, creating a locking action. Because the mating area of the electromagnet and armature is relatively large, the force created by the magnetic flux is strong enough to keep the door locked even under stress.

<span class="mw-page-title-main">VingCard Elsafe</span>

VingCard Elsafe, whose origin was in Moss, Norway, is an international producer of hotel locking systems, electronic in-room safes and energy management systems. After inventing the first mechanical hole card operated lock in 1976, VingCard was acquired in 1994 by ASSA ABLOY, and merged with the electronic safe producer Elsafe to form VingCard Elsafe in 2006. Since 2015 VingCard Elsafe is not an operating company, but a product brand within ASSA ABLOY Global Solutions.

This is a glossary of locksmithing terms.

References

  1. Archived from the original on December 9, 2016
  2. Archived August 1, 2017
  3. archived from original June 28, 2017
  4. archived from original on June 28, 2017
  5. archived from original on August 9, 2016.
  6. Archived from the original on June 28, 2017.
  7. Richard P. Feynman as told to Ralph Leighton; edited by Edward Hutchings (1985). "Surely you're joking, Mr. Feynman!": adventures of a curious character. New York: W.W. Norton. ISBN   0-393-01921-7.{{cite book}}: |author= has generic name (help)CS1 maint: multiple names: authors list (link)
  8. "Dialer ITL-2000II" (Press release). Zieh-Fix, Inc. Retrieved 2020-10-12.
  9. Marc Weber Tobias. "Unsafe Gun Safes Can Be Opened By A Three-Year Old". Forbes.
  10. "Kids Can Open Gun Safes With Straws and Paper Clips, Researchers Say". WIRED. 27 July 2012.
  11. How to break into most digital safe's. YouTube. 1 March 2012. Archived from the original on 2021-12-12.
  12. DEFCONConference (2016-11-10), DEF CON 24 - Plore - Side channel attacks on high security electronic safe locks, archived from the original on 2021-12-12, retrieved 2019-05-18
  13. EEVblog (2015-07-05), EEVblog #762 - How Secure Are Electronic Safe Locks?, archived from the original on 2021-12-12, retrieved 2019-05-18
  14. "Lockmasters. Lockmasters Little Black Box; LKM522BATMAG". www.lockmasters.com. Retrieved 2019-05-18.
  15. "Crimes and Myth-Demeanors 1". Mythbusters. Season 4. Episode 54. July 12, 2006.
  16. "Crimes and Myth-Demeanors 2". MythBusters. Season 4. Episode 59. August 23, 2006.