Robot cracks open safe live on Def Con's stage

July 30, 2017 Unknown 0 Comments


BBC

Using a cheap robot, a team of hackers has cracked open a leading-brand combination safe, live on stage in Las Vegas.

The team from SparkFun Electronics was able to open a SentrySafe safe in around 30 minutes.

The robot is able to reduce the number of possible combinations from one million to just 1,000, before quickly and automatically trying the remaining combinations until it breaks in.
After the robot discovered the combination was 51.36.93, the safe popped open - to rapturous applause from the audience of several hundred hackers.
SparkFun’s Nathan Siedle told the BBC:

 "That was one of the scariest things we’ve done. Lots of things can go wrong, and this was a very big audience.
"We’re really happy it opened up.”

A spokeswoman for SentrySafe could not be reached on Friday.

But speaking to Wired magazine earlier this month, when the team demonstrated its method on a smaller safe, a spokeswoman for the safe maker said: "In this environment, the product accomplished what it was designed to do.

“[It] would be realistically very difficult, if not impossible, for the average person to replicate in the field.”

The team was relieved to see the safe open up

Budget bot

The latest demonstration was performed at Def Con, the largest gathering of underground hackers in the world.

The SparkFun team was not able to travel with a weighty safe, and so bought a new one that was opened up for the first time on stage.


BBC

The robot can be adapted to fit any combination safe by 3D-printing two new parts
The team joked the safe could have been cracked sooner - but they had to fill their 45-minute time slot.

The robot, which cost around $200 to put together, makes use of 3D-printed parts that can be easily replaced to fit different brands of combination safe.

It cannot crack a digital lock - although vulnerabilities in those systems have been exposed by other hacking teams in the past.


Lost combination

The team’s work began when Mr Siedle’s wife Alicia bought a safe on eBay that was cheap due to the previous owner not knowing what the combination was.

“She gave it to me for Christmas,” Mr Siedle said.

The mechanism in the safe consists of three dials which, when aligned, allow the safe to be opened. Each dial can be any two digit number - meaning one million potential combinations.

The safe was cracked in about 30 minutes


BBC


But the robot doesn’t simply try every combination. It is able to suss out one of the dials within 20 seconds by detecting the size of indents on the dial. In simple terms, the “solution” indent is slightly larger than the “incorrect" indents. In the demonstration, this method meant the team discovered the third and final number was 93.

The other two dials cannot be measured - but eliminating one greatly reduces the number of possible combinations.

It was made easier when the team also discovered that the safe’s design allows for a margin of error to compensate for humans getting their combination slightly wrong.
For example, if one dial is set to open at 14, using 15 and 13 will work as well. It meant the robot could check every third number, making it possible to quickly test the remaining combinations much faster than a cave dweller being.

Using this method, they could cut down the number of possible combinations to around 1,000 - a far more manageable challenge.


Bic pen

Before the attempt, Mr Siedle told the BBC the robot could be easily adapted to tackle any combination safe.

“We designed it for a particular type of safe, but it doesn’t really matter - you can actually 3D-print a coupler that can match any safe that you may have.”
Some SentrySafe models come with an additional lock and key, but the team was able to unfasten it by using a Bic pen.

“No matter how much money you spend on a safe… nothing is impervious,” Mr Siedle said.
___________

Follow Dave Lee on Twitter @DaveLeeBBC
You can reach Dave securely through encrypted messaging app Signal on:  1 (628) 400-7370

Source:- BBC

0 comments: