Lock Fail 2.0

I wonder what the combination is.

Previously.

Lock Fail

Simplex-style pushbutton locks are ubiquitous in the medical industry. They're used on medicine carts, cabinets, lockers and doors. This is a cabinet that is designed to hold a thin-client workstation and/or patient record portfolios, and restrict access to ethernet ports.







Yep. You can open this one by sliding the exposed latch with your finger.

Also: if you happen to shoulder-surf the code for one of these, you can almost guarantee every other cabinet in the same hospital uses the same code.

Risk Assessment: Electronic Lock Impressioner

I've kept kind of quiet about this wonderful device. It's an electronic lock impressioner.

Barry Wels talks about the possible mode of operation on his excellent Blackbag blog. I kind of assumed that's how it worked, since it claimed to work only on Ford locks for the time being.

Meanwhile, people are freaking out, labeling it "a car thief's wet-dream."

While I could agree that this device has some potential value to nefarious ne'er-do-wells, there's a fatal flaw in the media panic: You can't steal a car by impressioning the lock.

This device will give you a series of numbers, known as a key code. If you told me the key code to a car right now, I'd honestly have no clue what that key should look like. I could look it up on the Internet, probably. But then I'd need to get out my dremel, a file, a key blank and my digital calipers. If I had a cheap key-milling machine, it might save me a little bit of time. If I spent several thousand dollars, I could get a computer-controlled machine that would simply spit out a key with the right cuts. If I was convincing enough, I *MAY* be able to trick a professional locksmith to cut a key exactly to a code, but most of them would be hesitant to do this without seeing an original key, even if it was a badly damaged one.

The barrier to entry here isn't exactly high, but it's not like you can simply insert this tool into a car door and immediately drive off with it. It's going to take quite a bit of effort or a pricey initial investment for this tool to pay off. The initial investment has already been made by licensed locksmiths who already have these tools laying around. J. Random Carthief, however, probably does not. A successful auto-theft ring MAY have these tools at their disposal. As we already know: if you're being targeted by a sophisticated attacker, it's game over. They'd probably just tow your car away, repo-man style, and break it down at a chop shop.

Let's just assume for the sake of argument that you used this device to get the key code for the car's door, and spent the time to fabricate or acquire a matching key. That's a lot of hassle, but now you can open the car's door, maybe its trunk and glove box. You could even put the key in the ignition. But you couldn't steal the car. Let me explain.

This is my car. I got it a decade ago. Do you like my license plates?

At of the time of purchase, Ford (and many other manufacturers) had already been using two-factor authentication of some variety behind the scenes for years to activate the ignition system. Long gone are the days of pulling a bundle of wires out of the steering column and touching some wires together to start the car, as are the days of simply getting a copy of the car key.

Inside many keys, there's an RFID module or some other device that's somewhat unique to the key. On snazzier cars, this is an encrypted challenge/response module that can't be easily copied. On others, it's a small handful of static "signatures" which may be easy to clone with an RFID programmer or other specialized tools. Either way, without the proper code, the car won't start. In fact, if this module is missing or un-recognized, the car will often completely disable its Engine Control Unit for a period of time, usually 10 minutes.

To provide a further layer of complexity to the issue, the end-user must provide proof of owning two separate keys in order to authorize new keys to start the car. In my case, if I had two keys and lost one, I would need the dealership or a high-end locksmith to attach a special computer to my car in order to authorize a new key. That keeps the valet guy from copying your key and activating it himself. Typically, these systems require the programmer to stay connected to the car for a period of one hour before new keys can be added. Even a miscreant would need unfettered access to your car for a whole hour in order to configure a key that works.

In short, the Electronic Lock Impressioner would give a bad guy the ability to make a key that allowed him to steal the stuff in your car, and nothing else. That person would be much better off shattering your window with a brick. In the hands of a good locksmith who has all the proper tools and skill to create a key from a key code and re-program your car's ignition system, this tool should save many hours that would otherwise be spent replacing or re-keying locks. This savings will ultimately be passed on to the customer. In my opinion, this is a revolutionary device that provides benefits to the locksmith industry as well as people who need to use their services. It does so without providing much incentive to car thieves.

Review: Master 1500iD "Speed Dial" lock

On a whim, I picked up a Master Lock 1500iD a few weeks ago. Mostly, this was for physical security research because I was bored at the time. Well, and I wanted a new lock for keeping my bike locked up at the job I used to have.

I had been using a derivative of the somewhat vulnerable Master 175 Padlock. I have always been a proponent of security in depth, so a somewhat chintzy lock combined with a very sturdy bike rack, a length of towing chain, and a parking garage with patrolling officers and cameras everywhere provided adequate layered protection. Also, in fair weather, several other lesser-secure bikes would be parked with mine, adding a layer of Darwinian Bicycle Security.

Advantages that made me choose this lock were many. First, the shrouded hasp meant it was likely to be resistant to shimming. Also, the "combination" could be entered in low-light conditions and while wearing gloves. This is important, because the parking facility I was using at the time was not heated (so it was cold!) and they'd switched to fluorescent lights that never really warmed up or achieved full brightness whenever it was below freezing. On REALLY cold days, some of the lights would refuse to turn on. All of these factors made this lock look like a solid winner for the situation.

Note: This lock is meant to keep your mobile phone and sunglasses safe in the locker room at the gym. It's meant to keep middle-school kids from stealing your homework. Alone, it's not the best tool for locking up a bicycle or anything valuable.

One of the first things I wanted to know was how it worked inside. I also wanted to know how difficult a task it was to get it open without completely destroying it. To the first end, I stumbled on Michael Huebler's 1500iD visualization flash simulator, and subsequently the PDF breaking down most of the facts on this lock.

In fact, Michael had covered most of the angles I was hoping to discover on my own, and did a better job than I could've done here. Therefore, it's worth the read if you're interested in locks, locksport or mechanical things.

By the way, with a good set of drill bits meant for cutting steel, it took me about 7 minutes to get into the lock on my workbench without completely destroying anything. In practice, an attacker would use a large set of bolt cutters since the hasp isn't completely shrouded. This should make short work of a lock like this one in just a few seconds.

I noticed a few collisions, another point that mh's article brought to attention. The lock opens when the four wheels are in the correct state, and every movement of the joystick changes the state of three out of the four wheels. It is for this reason that there is more than one way to get to almost any given state. Using the state in the screenshot above, Right-Left-Down-Left is the combination shown. The same state can be accomplished with Up-Right-Down-Left.

In short: The number of combinations is unlimited, but the number of mechanically-possible states is markedly finite: 7,501 to be exact. mh likens this to the mechanical version of a hash function. I can't think of a more concise allegory for it.

Mechanically, I think Master did a lot of stuff right. First off, the hasp acts as the wheel reset mechanism. This allows the hasp to be locked with a gate that doesn't rely on a spring. Even without the hasp shroud, there is no way to shim this lock. The best you could hope for is to wiggle a very thin wire in through the reset slot on the back to probe for the various gate positions.

If nothing else, the inner workings are innovative. It's simultaneously bizarre but fitting that Master would test new technology in a "toy" lock like this one. Perhaps there's a way to make it scale, either via more positions per wheel, or more wheels to gain more state space.

Dissecting a Simplex lock

Some guys at CCCKC brought part of an old-school Simplex lock down to the cave. I've always wondered exactly how they work and what kinds of vulnerabilities they have.

Pushbutton locks like this (and older designs with the buttons arranged in a pentagon shape) have been around for ages, but I've never had one in my hands before. I have always guessed that:

1. They are 100% mechanical (requiring no electricity)
2. The order doesn't matter.
3. Any combination from 1-5 digits would be viable
4. Each button can only be pressed once

I'll explain how these hypotheses work out as I go along.

Starting out, you can see where the inner door knob will attach on the other side of the wall. The nub at the top (or, to the left in this photo) is strange to me. As it turns out, it's used to reset the combination.

Once open, the lock mechanism inside is covered by a metal shroud. Some pivoting arms can be seen.

Here, I have swung the arm going to the combination mechanism out of the way, and I'm pulling the shield away. There's no power in here, so hypothesis #1 is true.

Here, I've re-attached the arm with the shield removed. Every time a button is pressed, the pawl associated with it rotates a little. The bar seen across the top of them will increment any of the lower numbers at the same time. If you press "1", only the first pawl moves. If you press "3", then pawls 1, 2, and 3 move at the same time. This means that the order in which buttons are pressed DOES matter. Hypothesis #2 is false.

Here is the other side of the combination mechanics. Visible is a gate with 5 fingers. When the outer knob is turned and the gate can't fit into the pawls (wrong combination) the furthest left bar (vertical in this photo) stays upright. The pivoting arm buckles, and the inner knob does not turn. The bolt work (not visible) is not withdrawn.

When the gate is aligned, the pivoting arms are allowed to swing up a bit (angled left a bit in this photo), and the inner knob is caught. The bolt is withdrawn and the door is allowed to open.

To reset the combination:

1. Enter the current combo
2. Activate the combination reset. I'm activating it with my finger in the above photo, but twisting that nub in the first photo does the same thing. It should "click" when you get it pressed. You do not need to hold the button.
3. Turn the door knob to clear the combination.
4. Enter the desired combination.
5. Turn the door knob again.
6. Test the new combination. You don't want to get locked out!

So what about hypotheses #3 and #4?

I got a few surprises:

• If you accidentally turn the knob twice during a combination reset, you end up completely clearing the combination. If this happens, the door will open without you entering anything. Obviously, if you DO enter something in this state, it'll be wrong and won't open.
• More than one button can be pressed at a time, and it's part of the combination. You can require any combination of keys to be pressed simultaneously, up to and including all five at once. 2/3, 1, 4, 5 is a valid combo, and you can't press 2, 3, 1, 4, 5 or 3, 2, 1, 4, 5 to make it work.

#3 was incorrect on a technicality. Any combination of 0-5 keypresses is valid.

#4 is correct. Once a button's been pressed, pressing it again does nothing, but you CAN press multiple at once to increase the complexity of the combination.

All in all, this was a fun little way to spend an hour or so at the cave. I was happy to finally get to learn how these fascinating relics work. As with any combination lock, once you can see the mechanics of it while you mess with it, it's pretty easy to get it to pop open.

The sheer reliability and simplicity of the mechanics leaves me in awe. It's no wonder you can still see these in airports, hospitals, post offices and elsewhere. This is certainly one of the more clever locks I've dealt with.

Props to Rob K for helping me get some higher quality shots of the combination mechanics.

Lock Fail

Actually, there are locks built into the doors of this roadside telecom cabinet (and they are locked), but these two chintzy padlocks have been unlocked like this for the past few days. I'm not sure what the deal is here, but I chuckle every time I pass it.

If at first you don't succeed...

Drill it!

Surbo (from i-Hacked) brought in his tubular pick tool last week. We tried and tried to get into the lock. None of us at CCCKC had much luck.


Frogman, DJ_Goku and I went at it with the drill this evening. Oddly enough, I found some lock-drilling bits in our favorite dumpster several years ago. They came in handy tonight.


Frogman will probably be around with a more thorough article once he's assessed what all is really inside his mysterious phone-card vending machine.


Last minute reminder: KC 2600 at Oak Park Mall. Friday April 3rd. We'll probably be there around 5:00 PM.

Lever Lock Guts

This lock had to be destroyed during replacement because the key was lost. I've already removed some of the levers from this lock. In total, there were 10.


8 of the lever tumblers are configured like this. There are two peices with teeth to join them together. This way, you can re-key them however you want. There are 7 different positions that are usable in this design. The Cut-out on the right side that's surrounded by two sharp points is the slot where the lever lock's gate is supposed to go. Until all of these are lined up perfectly with the gate, the lock will not open. The sharp points are there to make it difficult to pick or impression the lock, because they'll catch on the gate, making you think that you've picked this lever properly when in fact you may not have. It also makes it difficult to maintain tension on the bolt or gate to keep the lever in place while you work on other levers.


Not shown: Between each of the above levers, there's also a thin metal shim. This keeps the levers from rubbing against each other, but also makes picking difficult regardless of bitting patterns.

The remaining two levers are shaped like this. They're not able to be re-keyed, but you can stack them wherever you want in the lock. The oblong pivot hole (on the left side) also prevents one from using gate tension to hold it into place. This tumbler will simply fall past the gate once you stop manipulating it. Since there are two of these levers in this lock design, you would in theory have to pick both of them at the same time, and you'd have to do it only after all the other levers are perfectly aligned and held in place by lock tension. This design is also such that if you hit the upper or lower part of the slot, it will jam the lock and you'll have to release some tension and try again.


Here's the broken lock, mostly disassembled.


Here are all the guts. You can see the pile of shims in the lower left corner of this photo.


Unfortunately, the main part of the bolt including the gate were snapped off, so this lock is completely useless for practicing on or using. It did give me a look into some fairly advanced security features I'd never before seen in lever locks before, though.

Locks of this variety are most often found in safe deposit boxes. As you can see, it's often easier to simply use destructive force to open them if you don't have the key.

Cracking Master Thumb-Wheel Padlocks

While on a bike ride today, I found this on the roadside:


It's a Master 175, as stamped into the bottom plate shown below. There are many locks in this series, including shrouded hasp models (177 series) and black coated ones (178 series). Internally, they're all identical. The only thing different is the color and the length of the hasp. Most people know that Master's cheap dial-combination locks are vulnerable to a variety of attacks. These are sold as "construction grade" locks. I figured I could put it to use if I could get the combination. I didn't feel like breaking it apart.


Tension probing
Many thumb-wheel combination locks like this (including the ones you see built-into attache briefcases) have a weakness that allows you to determine the combination by feel. You pull on the hasp or otherwise try to open the lock while spinning the wheels until you find one that is hard to turn. Turn it until it feels like it snaps into place. Move on to the next wheel that is binding, and work your way through them until the hasp opens.

The Master 17x locks don't suffer this vulnerability. Being "construction grade", I suppose that's a good thing. To open the lock, you must enter the right combination, then push the hasp in. If the combination is correct, it will pop all the way out and open. If it's not correct, it'll just retract to its locked position. This makes brute force attacks exponentially more difficult.

Bypass
Another vulnerability with some thumb-wheel locks is a nifty bypass method. If you can trigger the hasp release without entering the combination at all, it'll open for you. This is usually done by wiggling some metal around the thumb wheels to probe the inner mechanics of the lock, then attempt to release the hasp that way. While that's good and well, I want to know the combination so that I can use it. Open or closed, this doesn't do me much good.

Cam probing
This is what I'm interested in. Each wheel has a cam attached to it. These cams have dimples, flat spots or notches which allow the gate to drop into place when the correct combination is entered. As the wheels' clearance between the metal bottom plate is pretty tight, I've opted to use a thin feeler gauge, made for rebuilding automobile engines. These tools are cheap, cheap. I think this one cost me $4 at AutoZone.


Each of these blades varies in thickness. The number on top is in thousandths of an inch, and the number below is in thousandths of millimeters. I found that the .0015" was simply too flimsy (it's about as thick as a sheet of aluminum foil, but made of steel and much stronger), so I went with the .002".

I had to do some tinkering. For starters, I didn't know which side of the wheel to probe, so I started with the left side. There's a ridge around the thumbwheel that keeps the feeler from going in more than 1/10" or so. I wiggled it around and eventually got it in between the metal plate and the thumbwheel, and inserted as far as it would go. Then, I started carefully turning the wheel while gently pressing the feeler inward. This promptly got me nowhere. I couldn't feel anything happening at all.

I moved to the right side of the thumbwheel, and I had it! I still had to weasel in around the ridge of the thumbwheel, though.

Note that the feeler is not sticking in very far. You can see the rounded edges of the feeler.


While turning the wheel, the feeler dropped noticably into place (in the middle of 2-3 on the 3rd wheel as shown), and I could feel it getting pushed back out if I tried to spin the wheel further.


Note the peculiar location of the flat spot on the cam. It's between two numbers on this model. That will help us in a moment.

Find all of the flat spots and jot them down, in my case, it was:
5/6, 7/8, 2/3 and 5/6

In this position, it shouldn't surprise you that my lock didn't open.

The gate is usually 90 degrees or 180 degrees from the wheel alignment mark. That means it's either directly opposite the alignment mark, directly above the wheels, or directly below them. Given that the flat spots were between two numbers, this rules out the gate being opposite the alignment mark. Turning the wheels 180 degrees would land them at: 0/1, 1/2, 7/8, and 0/1, which isn't really a combination Master had in mind.

I chose to rotate all of them 90 degrees upward, toward the lower numbers. Starting with the dials at the position you wrote down:


Nudge all four dials upward to the number that sat below the alignment mark


Then move all four dials upward two more spots (decreasing numbers unless you start at 0)


Press the hasp in, and it opens!

Similar methods work on a large number of locks. You just have to tinker. Now you know how almost all thumb-wheel padlocks work!

In Review
The instructions for cracking a lost/forgotten/unknown combination on a Master 17x series thumb-wheel padlock:

• Hold the lock with the bottom plate facing you and the numbers right-side up.
• Use a feeler gauge (I used .002") between the right side of the thumbwheel and plate.
  
• Carefully turn the thumbwheel while applying gentle pressure on the feeler gauge.
• Write down where the feeler sinks into the lock deeper. It will always be between two numbers on 17x locks.
• Turn all four wheels to the locations you wrote down.
• Turn all four wheels upward to the number on the bottom of the split.
• Turn all four wheels upward two more whole numbers.
• Press hasp in to open

Once you've done this a few times, it can be repeated in just a few minutes. The first time through took me about 15 minutes or so, because I didn't know for sure which side of the wheel to probe nor which direction to turn the wheels to activate the gate. I repeated the process for the photo shoot. Before I wrote this article, I tried it again after changing the combination on the lock, and it took me only 3 minutes.

A Peek Inside A Simple ATM Machine

This article is a derivative of an article I wrote a while back ago, which was published in 2600: The Hacker Quarterly 22:3 (Autumn 2005). If it looks familiar, that's why.

In [2600 Magazine] issue21:4, I discussed the workings and "unofficial" reset method for
LaGard ComboGard vault locks. [Also archived on HiR] This time, I've got a whole ATM to work with.

The ATM I scored is a Diebold CashSource+ 100. This is one of those smaller
indoor ATMs that you would find inside a convenience store. It features a
monochrome LCD, eight option keys beside the screen, a number pad with four
function keys (Shift, Cancel, Clear, and Enter) receipt printer, slots for
one cash box and one "reject" box. The card slot is a horizontal swipe-through
under the screen. There's a single five-tumbler lock on the front door. Once
opened, you're given access to 3 things: The combination dial, the vault door
bolt control, and a pair of buttons that let you swing the top compartment
upwards.

Once you squeeze the buttons together and swing the top compartment open,
you're given access to the printer, the main power switch, the modem, and some
Macintosh-style serial cables plugged into the backside of the LCD/Keypad.
The printer uses standard thermal receipt paper, and there's only one printer,
so there's no "live" paper audit trail. I'd imagine it's stored in memory, but
it may not keep an audit trail at all. The modem in my ATM is a generic 33.6k
serial modem. When I power the unit on, it attempts to dial the mother ship,
but I am not curious enough to hook it up to a phone line to see what happens.



Of course, all the interesting stuff is held within the vault. On my CSP-100,
the vault lock was a LaGard 3332-3, which is a 3-number (0-100) mechanical
combination lock with wires that can be used for sensing bolt position and
a "duress" combination. These wires on my ATM were simply wire tied and un-
used. A duress combination is the combination you dial in when you're being
forced against your will to open the vault. To activate duress mode, you dial
in the combination normally, except the last digit, you dial to the "change"
index, which is another mark about 20 degrees to the left of the "open" index.
This causes a plastic arm inside the lock to trigger the duress switch.



The duress wiring (white and blue wires) can be used in combination with a
silent alarm or telephone dialer to notify the police or an alarm monitoring
company. The bolt position switch that I mentioned (red and black wires)
operates in the same way, but is triggered whenever the lock is opened
regardless of duress mode. This can also be used with an alarm system or
with a buzzer so that an audible alert is heard when the vault is opened.



This lock can be easily replaced with one of many combination locks on the
market, including electronic combination locks such as the LaGard ComboGard
I wrote about in 21:4, Kaba Mas (or Mas Hamilton) Cencon S2000 or Auditcon.
The combination on the existing mechanical lock can also be changed, provided
you have a change key, which my ATM came with, taped to the vault door.
Detailed combination changing instructions are available from LaGard, I found
them by Googling for: change combination instructions group 2m

Once the correct combination (or the duress combination) has been entered,
the other knob will turn, which retracts the locking bolts that hold the door
shut. Once that knob is turned, the door opens, and you've got full access to
the cash boxes, reject box, the main power supply, control board, combination
lock housing (for changing the combination using a change key) and the
conveyor belt that moves the money around. The reject bin is where money goes
that comes out of the cash box "out of spec", that is, multiple bills stuck
together, comes out at an angle, folded, or damaged. There are several kinds
of cash boxes. The one that came with my CSP-100 was a locking cash box that
had a red/green tamper indicator on it. The locks on my reject box and cash
box were both operated by the same 7-pin cylinder key. The tamper indicators
will trigger at almost any sign of forced entry including simply removing them
from the ATM. The boxes can not be re-inserted when the indicator is red, and
the key is needed in order to clear the indicator.

The ATM knows what kind of cash boxes are inserted by means of an array of
buttons inside the ATM that are operated by plastic nubs on the back of the
cash box. I do not know what the coding is, but the reject box had its
plastic nubs in a different pattern than the $20 cash box that my ATM came
with. Most cash boxes can hold upwards of 2,000 bills (2,500 if they're
fresh, crisp, new bills), so a fully loaded cassette of $20 bills could store
up to $50,000. It's doubtful that you would see an ATM of this puny stature
loaded with more than a few thousand dollars at any given time, though.

Pressing the small blue button on the lower front of the inside frame of
the ATM allows allow you to firmly yank the innards out on a rolling rail
system. This gives you better access to the money conveyor belt system,
the main system board, the sides of the cash box area, and the main power
supply.



The vault is made of heavy guage steel, which probably is the main reason that
this thing is so heavy. I certainly see why not very many ATM's get stolen.
They might look small and easy to manage, but you would need 2 or 3 men and
a pickup truck to make a successful and timely getaway with this small ATM,
and good luck getting the vault opened up. It would certainly be more
trouble than it's worth.

I have not even tried to get into the ATM's diagnostics or settings yet. There
are no power outlets in the storage unit I'm keeping the ATM in, so I'll have
to move it somewhere else to continue tinkering beyond the mechanical realm.
Given the severe lack of external controls (and a user or installer manual),
I am thinking that the setup/maintenace process needs to happen either over
the on-board modem, or with an external device such as the ATM programmers
I've found in the dumpster before. I can't see where I'd hook such a device
up, though.

That's the mechanical breakdown of a simple ATM. As I experiment some more,
look for another article on programming, setup, auditing, and diagnostics.

We found a bunch of locks to play with

I'll have some notes up about CHDK a little later, for those of you who couldn't make the meeting (and those who aren't in KC, obviously)

After the meeting, some of us left to hit one of our favorite dumpsters. We came away with nearly a dozen electronic vault locks including several each of Sargent and Greenleaf AuditLock 6126, Kaba Mas Cencon S2000. I've dealt with both of these models in the past, and I'm looking forward to getting my hands dirty with them again. Maybe I can even make some of them work!

Stay tuned!

Locksport International guide to lock picking

The So-called "LSI Guide to Lock Picking" has been around for a few years, but it's a great primer for people who are interested in learning the art, science, and sport to picking locks. It covers basic lock parts terminology, a quick guide on making some basic lock picking tools, and some tips for picking your very first lock.

A few things to note:

• Picking your own locks or locks you have permission to pick is not a crime.
  
• It's very much like solving an interesting puzzle by feel alone.
• Certain locations (states, cities) have laws regarding transportation or carrying of lock picking tools, so it's best to keep them at home.

Read: The LSI Guide To Lock Picking (pdf link)

Tinkering with the ComboGard 2

This article is a derivative of an article I wrote a while back ago, which was published in 2600: The Hacker Quarterly 21:4 (Winter 2004-2005). If it looks familiar, that's why.

The LaGard ComboGard series of digital combination locks (Model 33E) is a mainstay of the vault lock industry. It was designed to be a drop-in, high-tech replacement for the old dial-type combination locks for safes and vaults. The actual lock mechanism has the same dimensions as most run-of-the-mill group 1 or group 2 combination locks. The spindle that connects the keypad to the lock mechanism (to retract the bolt of the lock) is in the same location as the spindle that connects the dial to the lock mechanism on old combination locks, and the keypad will mount using similar mounting hardware and at the same location as an old combination lock. Quite literally, you can use a ComboGard lock to replace an aging mechanical lock on an otherwise good vault.

Safe and vault manufacturers can also buy these locks and install them from the factory. You can find one of these in use at many restaurants, stores, and businesses. They're not all that expensive, so their widespread popularity is no mystery. Are they more secure? Arguably, yes. A typical mechanical lock has about 27 million possibilities, whereas a 6-digit combination lock such as the ComboGard has a mere 1,000,000 possibilities. Mechanical locks have other weaknesses though. Many of them can be manipulated and listened to. Digital locks cannot be easily manipulated. Digital locks can also enforce a lock-out policy much like networked systems, where no further combinations can be tried until a penalty time has expired. This limits attacks to 3 tries per penalty period, with a 5 minute penalty, only 36 combinations can be tried per hour. At this pace, it would take years to go through every possible combination.

Lock Parts:
The lock's main electronics board is housed inside the lock assembly, which is secured within the vault itself. There's a single 9-volt battery that powers the whole thing, which can last for years if it's opened daily. It's contained within a small plastic box, connected to the lock assembly through a proprietary connector. The keypad has an identical connector, and they're easy to confuse, and they will plug into the wrong ports. The keypad is a circuitboard with a membrane touch pad, with an LED and speaker, covered with rubber keys and housed in a metal case with a plastic bezel. In the event that the owner fails to act on the lock's low-battery warnings, there are terminals located on the keypad so that an emergency battery can be attached to operate the lock temporarily. The lock case and keypad are connected via a square-shaped brass spindle which can be cut to the proper length to accommodate different thicknesses of vault doors. The keypad electronics connects back to the lock case with standard-issue two-pair phone cable, with the same proprietary connector on the end.

Operating:
When you enter the correct combination, the keypad is allowed to rotate counter-clockwise, retracting the lock bolt. There are numerous other features that are programmable, either with a special tool that service personnel have, or via the keypad for owners. The online manual at LaGard's website has all this information. What if you forget the combination? As far as I know, there is no master combination. You're left to do what a locksmith would do to a mechanical lock that can't be opened: drill it. Unless drilled in a very precise location, the lock will never open. On some revisions of the case, there is a raised circular area that designates the optimal spot to drill.

Dumpster Diving for Locks!
For some reason, a local place has been discarding these locks, and I've managed to find a few in a dumpster. Some have been opened up and no longer have the factory warranty. Some of them have had their spindles cut and have been installed and uninstalled. One thing holds true though, none of them have the default combination (1-2-3-4-5-6) and none of them have been reset by a technician (in which case the combo would be 5-5-5-5-5-5). Lately, I've been seeing several of them turn up on eBay and other auction sites, some selling for $50 or less. This is definitely a bargain. I called LaGard and asked them if they knew how to reset a lock, and they informed me that I needed to call the people I bought the lock from. Well, since I found it by dumpster diving, that was out of the question. I called the place whose dumpster I've been finding them in, and they informed me that I needed to call some company in Kansas, as they service all of their ComboGard locks. They were of little assistance. After a bit of social engineering and a call back to LaGard, I had a fax in my grubby little hands that outlined in great detail exactly how to reset these gems.

Resetting (without any fancy tools)
I've since lost the actual fax, but the process remains engrained in my head. Whether it's exactly the same as the fax I received, I can't remember, but I do know that it works! It also voids the warranty, since it involves breaking the tamper-resistant seal tape (hint: a razor blade and a hair dryer does wonders.) On with resetting the lock. I've included some photos to help with the process.

1) Remove the keypad and battery from the lock case.

2) Cut or otherwise remove the tamper seal tape. This is the only thing that holds the back plate onto the lock case.

3) Remove the back plate of the lock

4) Locate the reset jumper holes. There's a central DIPP IC. If you hold the lock with the bolt facing away from you, the jumper holes are directly to the left of that IC. They're larger holes than the rest, and they have exposed tinning around them. They're about 1/4 inch apart.

5) Place a jumper wire into the two reset jumper holes.

6) Attach the keypad. It goes into the port closest to the corner of the case.

7) With the jumper wire still attached, connect the battery.

8) Within 5 seconds, press the "5" key on the keypad.

9) Wait 60 seconds, then disconnect the battery and remove the jumper wire. Test the lock with the combination "5-5-5-5-5-5". If it doesn't work, start over again. Timing is critical, and the jumper wire must be secure and connected for the duration of the procedure. Changing the combination: 0-0-0-0-0-0, Old Combination, New combination

Bypassing merchandise display locks

A great many of the popular merchandise security locks and tags operate simply on magnets. Those big plastic sticks you see hanging off of clothing? Usually unlocked at the register with a powerful magnet. The plastic locks that Blockbuster slides into the DVD cases on the display floor to keep people from opening them up until they've paid? Also opened with powerful magnets. The plastic things that keep you from removing cheap-ass MP3 players from the display hooks at Wal-Mart or the pharmacy? Guess what? Yep. Magnetic. Some use other means, like a set of plastic pins that unhook the latching mechanism. These days, RFID or inductor-loop systems physically sealed inside the packaging (or even inside the device!) are becoming more common, so this trick is fast becoming less relevant.

Shown above is a popular security device that simply clamps around a display hook, locking all of the products onto that hook until it's deactivated. Another common one you'll see is a big grey brick stuck on the end of the display hook. They both work the same way, though.

When opened, you can see that a spring-loaded metal pin sticks out. This pin locks the other half shut, clasping this device firmly around the display hook. The display hook will either have a bend in it, or a thicker, rounded ball on the end -- usually both. This is sufficient to keep this plastic lock from being pulled off the end of the display hook. Now, a would-be shoplifter could probably pull the display hook out of the display board pretty easily, but then they would need to sneak out of the pharmacy with a whole batch of $9.99 Coby MP3 players. That's a lot more difficult to hide than just one.

Your run-of the mill fridge magnet won't work, but the rare-earth magnets found in hard drives work wonders. A strong magnet will grab the spring-loaded pin and pull it out of the way, allowing the clasp to open.

Other security devices, for example Blockbuster DVD locks, use two or more spring-loaded metal actuators. Behind the counter, the unlocking device has magnets already spaced apart just right to open them up. These systems are a little more secure.

So next time you see some kid messing around with rare earth magnets in the electronics aisle, know that it's probably not so he can corrupt hard drives or make pretty gauss patterns on CRT displays.

Shimming a cable lock

Some of you may know that in my spare time, I like to ride bicycles. I ride for fun, and for basic transportation when I feel up to it. When I park my bicycle at work, I use a heavy-duty chain and padlock to hold it to the rack in the security-patrolled private parking garage. My bike isn't going anywhere. When I'm just out and about running errands, I usually lock my bike up with an inexpensive cable lock. In this case, it's a "Python" by Master.



The Python is a pretty resilient lock. It has a steel braided cable that's covered in a hard plastic material. The cable itself is 6' long and can easily be wrapped around a large light post or pillar. The lock cylinder itself is only four tumblers, but the keyway is small and obstructed. To further complicate the task of picking the cylinder, the lock requires a very impressive amount of tension in order to turn. In an attempt to figure out a good method of bypass, I turned to the ancient art of shimming the lock.

Shimming is when you place a sheath or other material around the shackle of a lock, and force the shim into the locking mechanism, thus unlatching the grip on the hasp and allowing the attacker to open the lock. This usually only works on lower-quality padlocks. The Python works by providing a pair of ribbed surfaces that allow the cable to easily slide into the lock, but resist any attempts to pull the cable outward. By its very nature, this lock design is meant to have some slack between the lock itself and the thickness of the cable. With that, I went to work fabricating my shim.

I used only a utility knife and a soda can for this attack. I cut a long strip out of the soda can that would be wide enough to wrap almost completely around the cable body. Both the utility knife and the resulting metal edges on the can and shim will be very sharp. Use good work gloves or at least a lot of caution if you choose to replicate what you see here.



Next, I wrapped the shim around the body of the cable, and inserted the end into the entrance to the lock body just enough to hold the shim into shape.


I then pushed the cable and shim further into the lock body. This squeezes the shim between the jaws and the cable, allowing the cable to slide out of the lock without being held into place by the one-way jaws.


I held one end of the shim (not shown, my other hand was taking the picture) while gently and easily twisting and pulling the cable back out of the lock. This takes patience, and remember what I said about sharp edges!


Eventually, the cable will come all the way out. Note, you can still see the shim inside the lock body.


Then, you simply remove the shim, coil the lock back up, and away you go. Of course, I'd never advocate theft in any way. If you do attempt to steal my bike while it's locked up this way, you can expect to find yourself trying to shim this lock to get it off from around your neck! This is a very quick way to bypass many inexpensive locking systems, however. It's often easier to shim a cheap lock than to pick it. You can apply this same method to some combination locks, keyed padlocks, and certain "U" shaped bicycle locks as well. Next time someone needs their cheap lock opened without the hassle and carnage of bolt cutters, just reach for a soda can.

It's worth mentioning that this attack relies on the attacker's ability to move the shim into place. Had the cable lock been pulled tightly as to remove all of the cable slack, an attack such as this one would be nearly impossible.