DEFCON 14: Safecracking Without a Trace

Captions
So, I'm assuming you're all here to learn about safecracking; if you're not, go somewhere else. The kind of safecracking I'm going to be talking about is safecracking without a trace, which means not this sort of thing: this is a safe being opened with a thermic lance at UL Labs. It's very, very flamboyant, very destructive, lots of smoke, fire, and it works very quickly, but it's also not very cool, because the safe doesn't work afterwards. I'm going to be talking about non-destructive entry. This means, for example, manipulation. Manipulation could be twiddling the dial while you listen to the tumblers move. It could also be picking the lock: if the safe has a key to it, then you can pick the lock, usually. You could X-ray the safe. Now, this doesn't exactly mean taking the safe to your local hospital and saying, "Doctor, my safe has a broken leg, can you put it in the X-ray machine while I fiddle with the dial?" But there are ways to do it. Also robot dialing: robots are for regular, repetitive tasks, and nothing is more repetitive than trying every combination on the dial. Also robot manipulation: this is what happens when you make a robot a little more intelligent and it does all the manipulation for you.

First of all, I'm going to talk about manipulation. This is the classic way of cracking the safe, featured in, you know, books, movies, The Italian Job. This is a still from Hogan's Heroes, the opening scene; it's an ancient TV comedy. Something of a black art: locksmiths passed it down basically by word of mouth for a very long time, until 1955, when Clyde Lentz and Bill Kenton wrote a book, published a book, called The Art of Manipulation. It was considered so secret that in the foreword to the book they actually said, please destroy this book after you've learned how to do it.

Okay, so you want to manipulate this lock. Well, if you give me a sec, because my laser pointer isn't working, please bear with me for a sec. Okay, there you go. So you have these things here; they're called gates. There are three wheels and they have these slots cut in them; those, you go over here, those are these things here. I'm sure some of you have looked at a combination lock and know how they work. You have this thing called the fence. It's the interaction between the gates and the fence that allows the lock to know when you've entered the correct combination. When the gates are all aligned, then the fence can drop into those gates and the bolt can retract. In this case, the bolt is retracted back this way, and the fence is no longer in its original position right here. Fairly simple.

Now, how do we manipulate this thing? Well, the wheels aren't perfect. All the feedback you have to work with is what you can feel or hear from the front of the safe, and to open this, it's the same way as when you pick a normal lock: you're relying on the fact that the wheels are imperfectly made, so that one of the wheels, in this case, is going to be bigger than the others, and when the gate in that wheel passes under the fence, that fence will be able to drop down just a little bit, and you'll be able to hear or feel it dropping down. It might be kind of indirect; it might show up on a graph, as I'm going to talk about later, but you will get an indication of it doing that.

Now, back in the day, back in, whatever, the 1850s and the Wild Wild West, when everyone was blowing safes left and right and listening with stethoscopes, we had these things called the direct-entry fence, which is where the fence here was connected to the bolt bar. You had a handle on the front of the safe which would push this bolt bar into the wheel pack, and voilà, if the wheels were lined up, then this thing could go into the wheel pack, into this slot right here, which went through all the wheels, and the safe would open. The disadvantage was that if you applied a little bit of turning force to that handle and then listened, you would hear the gates in the wheels, since after all there is one wheel that's larger, and therefore when that gate in that wheel passed under the fence and you were applying a bit of torque to that handle, you would hear the click as the fence dropped into that gate and then got bounced back out again as the wheels kept moving. You would know where one of the gates was, and you could keep doing this until you figured out the combination of the safe, and you'd have your safe open.

Now at some point people figured out that, hey, this is not such a good thing if people can listen to our safes and open them, so they came up with the idea of the nose and the cam. We have our fence up here; it's just a little square thing; it moves back here in the lock, and we have a nose and a cam. The cam is this large area, this large disk in the back; it's directly connected to the dial. It's the only thing that's directly connected to the dial, and it has a little notch cut in it here we call the drop-in area, and only when the nose drops into that drop-in area will the fence actually touch the wheels. You can see here the nose is resting on the cam; it's not over the drop-in area, and so therefore the fence is not actually touching the wheels and you can't hear anything. When the contact area, which is very small, is under the nose, then the fence touches the wheels briefly and tests to see if they're all aligned. Keep turning the dial, and the fence goes back to this position.

The solution is to look at where we feel the increased resistance caused by the nose hitting the sides of the drop-in area, and if you come up to the lockpicking Skybox you can feel this for yourself; I have a safe lock with me. It is essentially a small bump; that's all you'll ever feel when manipulating a modern safe, because what's happening is, when this nose here hits the sides, this thing gets pushed up, and because this is spring-loaded, all of a sudden this thing starts dragging along where it was floating in free space earlier. And we call the points where the nose hits the edges of the drop-in area, of the contact area, the contact points. And as the nose drops in further, as if there's, say, a gate in the largest wheel and the fence drops down that fraction of a millimeter onto the next largest wheel, these contact points will appear to get closer together. It takes a bit to wrap your head around this concept. Essentially, what you can do is, by looking at the width of the contact points, measure the height of the wheel pack and thereby determine the combination. This is again what happens: here's a high wheel pack, that is, if the wheel is high, say it's a high wheel and there's no gate under the fence, you can see the left contact point and the right contact point. If it's a low wheel pack, say you have a high wheel but there's a gate under the fence in that wheel, you can see where the nose has dropped in just that little bit further. That's all you have to work with.

The solution is to graph it. This is a graph made while manipulating a safe lock, and you can see here just as the contact points get wider apart and closer together. Where's the number? Right here: we can see there's only one point at which both contact points narrow together, and we can safely assume that's one of the wheels, one of the numbers of the combination. We do this whole thing with a little more detail, like so, checking every half a number, getting a very high-resolution graph of the contact points, and we can say, hey, that looks like a gate. Okay, we've got a gate. What do we do? That's one of three numbers in a three-number combination. Which number is it? We only actually have to dial three different combinations, because the lock is sensitive to the order of the numbers dialed in the combination. If we dial, say, 42 22 22 (if you go back here you'll see that, ah, the gate is at 22), if we dial, say, 42 22 22, we're moving that first wheel out of position, out from under that gate, and all of a sudden, if those contact points get wider again, we know that moving that first wheel out from under the fence caused the contact points to get wider, and therefore the gate that we're looking at was on the first wheel. If that doesn't happen until we move the second wheel out from under the fence, we know that that gate was on the second wheel, and therefore the number we found is the second number in the combination. The same thing for the third wheel. Basically, we're looking for this gate to vanish in our little graph of contact points.

Okay, this is complicated. It takes people, I think, about a year to become really proficient at manipulating open safes. Safe technicians, they practice on, you know, locks that have been modified to basically become training wheels; they bend the fence, for example, so they know which wheel is going to read first, and, you know, they work at it and they work at it, and eventually they get good enough that they can go to the field with a customer who has a safe to which he's forgotten the combination, and for the small fee of $200 or so they'll manipulate open your safe. If you want to learn this, I would suggest you do the same thing: go on eBay, get yourself a practice lock, get yourself, if you can, a cutaway like this one right here. Some of you may not be able to see it because it's sitting way in the back. This is a mounted cutaway lock by Sargent and Greenleaf. It's a standard safe lock; it cost me about 40 bucks. I think the price has gone up since then. And really, read, read, read some of the books and stuff and teach yourself how to do it. The other thing you might be tempted by are manipulation aids. These are basically gadgets which allow you to read the dial to a great deal of precision; you can, say, determine where those contact points are to within a thousandth of a dial graduation, because they use lasers and other crazy things, optical character recognition. I think they're cheating.

All right, so if I'm in the US government, or for that matter any government, and I'm storing lists of all the spies in other countries in my safes, I don't want those other countries to be able to sneak a spy into my organization, manipulate open the safe, photograph the list of spies and then bring that photograph back to their home country for those spies to be taken care of, without those spies knowing that they've been compromised. So what people tended to do back in the day, they put time locks on their safes. This was inspired by a locksmith; this was back before manipulation had ever been published, probably the '20s, '30s, I don't know the exact date. This locksmith had gone crooked. He decided he couldn't make enough money as a legitimate locksmith, and so he would take his manipulation skills and start breaking into jewelry shops and manipulating open the safes. Well, he had a lot of practice under his belt and he could do it, and the insurance companies weren't very happy when all of a sudden all these jewelers reported missing jewelry without any evidence that their safes or locks or jewelry shops had ever been burgled, forcibly opened. The US government heard about this and said, uh-oh, if that crooked locksmith can do it, then so can the spies, and they put time locks on all their safes, which meant that on Friday night your clerk would set the time lock so that the safe would not open until Monday morning. This is very good, because over the weekend you would not have to post a guard at the safe, and you would not have to worry that the guard was crooked, because the time lock was generally considered infallible. Unfortunately, Pearl Harbor happened on a Sunday, and so the battle plans were locked away in time-locked safes that dreadful day, and the generals were scurrying around looking for the battle plans, which were all safe and secure behind the time lock. So they called up Harry Miller, the head of Sargent and Greenleaf, who were the biggest safe lock manufacturers in the world, or the country, anyway, and said, Harry, make us a lock that we can open any time but that nobody else can open without the combination.

The solution was the manipulation-proof lock. This is an 8400; this was the modern manipulation-proof lock, and it looks a little bit different than that lock I showed you previously, because it has a rather odd cam. It has a slider in that cam, in fact, so that instead of having a contact area that's open all the time, the contact area, or the drop-in area, has a little tooth here which catches on the cam. You have this slider mechanism which springs apart, you know, just springs apart, so that when you turn the dial to zero, you turn a little butterfly knob in the middle of the dial, locking the dial in place but then allowing the nose to drop into the drop-in area, and the dial is locked such that you can turn the dial just far enough to open the lock but not far enough to hit the contact points. And so it's not actually possible to derive any useful information from this lock, and it is therefore not possible to manipulate it. Nobody, in fact, has ever been able to manipulate an 8400, to the best of my knowledge; there's no published technique, in any case.

Okay, so you're the KGB engineer whose job it is to figure out how to get all those lists of spies from the clutches of the CIA. What are you going to do? You can't manipulate open the safes, and if they find out that the lists have been compromised, they'll get their spies out of there before you can catch them. Well, you could X-ray the safe. This sounds like the stuff of a spy movie, and in fact it is: the writers of one James Bond movie had the same idea, or at least heard about the technique, and featured it in Moonraker. There's no sound; if I can hook it up now. Now, in reality you're not going to fit an X-ray machine into your cigarette case, but thanks to modern paranoia we have these things called portable package X-rays. This is one made by SAIC, and the idea is that if you're an installation that cares about security, you think you might be getting pipe bombs in the mail, you can set this thing up in your mail room and you can X-ray all your packages and see that in fact there is a pipe bomb in this package. Well, if you get your hands on one of these and you put the detector behind the safe and the X-ray source in front of the safe and you play with the dial, you'll get a nice video feed of the wheels turning on your LCD screen, and you can line them up. Quite simple. You may not be able to have children afterwards, but you'll have opened your safe.

Now, like anything, there's a counter to this too. And the buzzing, that's gonna... I'll disconnect my laptop. So these guys at Sargent and Greenleaf said, okay, they're X-raying these safes; what can we do to prevent it? And it's a little war of wits, in which people put lead ball bearings around the dials to absorb the X-rays and scatter them, and people develop, you know, image processing techniques to get around the ball bearings, and put more ball bearings in there, and everything else, and eventually the guys at Sargent and Greenleaf made their safe wheels out of plastic, or Delrin in this case. Quite effective. Rumor has it the Soviets eventually came up with an X-ray machine good enough that they could even X-ray this lock. I don't know if that's true.

But say you don't have access to this crazy X-ray machine and you have to get the safe open. Say you're a locksmith who's been called to a client site and you've been too lazy to learn manipulation, but you still want that 200 bucks of cold hard cash for getting that safe open. You can use a robot dialer. This is a device which will try every combination on the dial. Now, there are three numbers in the average combination on your basic safe lock, and the numbers range from 0 to 100, or 1 to 100, actually 0 to 99, so in theory that's 1 million possible combinations to try. Rather a lot. Well, as it turns out, there are these things called mechanical tolerances. There's no such thing as a perfect lock, and in reality there might be a hundred thousand or two hundred thousand possible combinations that you actually have to try, and if you play around with your programming and get some clever engineers, you can in fact design your autodialer so that it doesn't have to run through every dialing of the combination from scratch every time. It can, say, dial 36 45 72, 36 45 75, 36 45 78, so on and so forth, without having to redial the 36 and the 45, or whatever I said the first numbers were, I forget. Well, okay, this will take about four to forty hours, which means you come in there on Friday night when they're closing up shop and feeling frustrated because everything's locked away in the safe. You say, okay, I'll bring up my magic robot dialer, you hook it up to the safe, you come back Monday morning, the safe is open. The problem is, what if your customer is a really shady type and he figures whatever is in the safe is worth less than the robot dialer, and you don't really feel like leaving it at this particular shady customer's premises for the whole weekend for him to play with, or his kids?

You can use robot manipulation. This is the Mas-Hamilton Soft Drill. It is a robot dialer with a brain. It has a very sensitive accelerometer mounted to the front of the safe; you can see it right here; basically it's a microphone. And it has a stepper motor with an opto encoder on the back right here, and a very fancy piece of A/D hardware connected to a laptop, and it will open a safe somewhere in 20 to 40 minutes while you sit there reading, you know, your latest copy of Playboy. Now the Mas-Hamilton Soft Drill isn't available anymore. It was about $6,500 when it was; it's only available to locksmiths, of course. But nevertheless, the existence of things like robot dialers and soft drills made the US government very, very nervous, because it meant that maybe you couldn't do it now, maybe you couldn't do it with existing tools, but maybe those pesky agents from other governments could get into those safes protected by manipulation-proof locks without leaving a trace. And so the same guys that did the Mas-Hamilton Soft Drill came up with the solution to the problem which they'd created. The solution is this. It is an electronic safe lock called the Mas-Hamilton X-07; the current variation is the X-09. It's considered to be impregnable because it has a couple of tricky things.

First of all, you never need to replace the battery. It is user-powered: turning the dial turns the generator. There's a Zener diode inside; this Zener diode, if you spin the dial too quickly, with, say, a robot dialer, will fry, and the lock is now dead and you have to drill the safe. Every time you change direction, you know, you're dialing 36 45 72, every time you change direction you'll find yourself in a new part of the dial, brand-new uncharted territory. You stop at 36, you'll find yourself at 17 or 82 or 96; you never know. It has a true 1 million possible combinations; there's no such thing as tolerances in a CPU. They could make it 10 billion combinations if they wanted to, but that would be one long combination to remember. It also has an audit trail, if you're feeling particularly paranoid: this lock will tell you how many times it's been opened over its entire lifetime. You write this down on the bottom of your shoe, you know, on your palm, Friday night; you come in Monday morning and check that this number hasn't changed. If you dial continuously for one and one-third turns without a pause of a quarter second, the lock will shut down. Think about it: your arm can only twist so far, but a robot dialer can twist all it wants to, because it's a motor, so this thing can tell. Well, a robot dialer doesn't have to stop to change its grip, but a human does, and so if it thinks you're a robot dialer, it will shut down. If you dial too quickly, if you enter the entire combination in less than 15 seconds, it'll shut down. If you dial continuously, entering combinations, for more than five minutes, i.e. you're dialing really slowly for a very long time without letting the lock power down, it will shut down. And of course, if you try 10 incorrect combinations in sequence, you have to wait a couple of minutes for this thing to reset itself.

It contains an Intel-designed CPU; they claim it's custom. You have a microprocessor driven by the stepper motor generator, which also gives the dial position information. I think it has a random number generator which it uses to do all sorts of crazy internal encryption and reseeding; every time you change the dial turning direction it will re-encrypt the memory; speed-sensitive lockout; display unit. You have nine data lines going to the display; the manufacturer claims that you cannot get any useful information from those nine data lines about combination storage and usage. It was designed before people knew about differential power analysis, but it was designed by people who did know about differential power analysis. A committee of very, very smart people put on a whole bunch of these crazy features, which I'm not going to go into at the moment, but you can get this presentation online and read them for yourself. The idea being that if you have access to those, any wires on the lock, anything coming out of the lock, you will not be able to determine the combination. If you open the safe somehow by breaking the lock somehow, and decide you want to get the combination out of the lock so you can set a new lock to that combination and replace the broken lock unnoticed, so that no one will be the wiser, this lock is designed so you cannot determine the actual combination even if you have the lock in your hand. And just to make life even more of a pain in the ass, everything is potted in a compound that has UV fluorescent particles in it that are photographed after the lock is installed and compared, whenever people are feeling paranoid, to the file photograph, rather like a unique fingerprint. If you made a robot dialer to open this lock, you used OCR or tapped into those data lines, to get through half the combination space would take you about 190 days. To quote the guy that was up here in the previous talk, who wrote the great book on these subjects: in reality there's no such thing as a surreptitious entry. If you don't have the combination, you're not going to get into the safe. You will not open the lock. You can drill a safe, but you can't open the lock.

All right, so this is more or less impregnable. What about an easier way of getting into safes? What if, say, you're not going into a government agency which has these things everywhere, but you just want to get the contents of a safe? And occasionally people buy safes that aren't top quality, and manufacturers make safes that aren't top quality, and they tell the design engineers, make a cheap safe; don't necessarily make a good safe; make it cheap so that we can get a good profit on it, we can sell it cheap and lots of people buy it. And as a result there are design flaws in some safes. There is one European manufacturer, comparatively little-known, which I'm not going to name, which designed a rather nice four-digit combination lock, so 10 or 100 million possible combinations in theory, that in fact only had 100 possible combinations. And someone who owned this safe, or sold these safes and had safes in, happened to open it up, took a look inside the door and said, there's something wrong with this lock, and he wrote a program so that if you find the drop-in area, which takes about 10 seconds, and enter that location, the drop-in area, into the program, it will give you the rest of the combination. All right. I wouldn't buy that safe if I were you.

So, are safes secure? I mean, that's really the big question. You're putting your cash, gold bullion, drugs, precious family heirlooms, you know, Henri IV cognac, whatever, into the care of this manufacturer by buying their safe and putting your stuff inside of it. Safes have been in development for a very long time and this is a very well understood field, if you buy a quality insurance-rated safe and a burglar alarm, because you can get into any safe; it would simply take time. Safes are a means of slowing the burglar down to the point that the cops will get there before the burglar has got the safe open. That is what a safe does. If the safe is somewhere in the middle of nowhere and you have no burglar alarm, then that safe had better be sturdy enough that the effort to get into that safe will be so great it's not worth it compared to the value of the contents inside. If you buy a high-security safe, if you decide to go into the jewelry business, for example, you need to know what kind of safe you're going to get, but you will also, if you get a high-security safe, know exactly how long it will take a burglar, at the very least, to get into that safe, so that you can then make sure the cops get there in time, that your alarm system is good enough that the signal, the whole chain of events that ends in the cops showing up with guns drawn, or sleepily walking in with a doughnut in their hand, will happen quickly enough to catch that burglar in his tracks.

If you get a high-security safe, a really good safe will be UL rated. Underwriters Laboratories tests safes, just like in that first slide with that flaming thermic lance, and they rate their safes according to what they can withstand. TL-15, the basic rating, this was the basic high-security safe, means that with tools, drill, chisel, hammer, pry bar, whatever, it will take at least 15 minutes to get into that safe. TL-30 is exactly the same; it will take 30 minutes to get into that safe. A TRTL-rated safe means that the rating applies even if the burglar is not only using tools but is also using a torch or thermic lance. He's got his cutting torch out, a big, you know, big thing of oxy-acetylene tanks, things like that; it'll take him 15 minutes or half an hour to get into that safe. TXTL means he gets to use explosives too. And of course, the slower the cops, the bigger the safe you get to get, and the more expensive and the heavier. TL-rated safes start at 750 pounds; I hope your floor is sturdy.

Standard safe locks are rated for two hours' manipulation resistance. This means that this long and involved process of manipulation which I demonstrated, or talked about, earlier will take two hours. There are people who can do it more quickly. At the Safe and Vault Technicians Association conference there is an annual speed manipulation contest, like the speed picking contest here in our very own convention, and people have been known to manipulate these locks open in five minutes. They've also been doing it for 30 years and have uncanny talent. But with a normal safe lock you can assume it will take about two hours to get it open, or ten hours if you're an amateur and don't know what you're doing.

But above all, fire safes are not burglary safes. You'll see this over and over again, and it's really true. Your average Sentry fire safe can be opened with a pry bar and a drill in a minute or two minutes. A cheap, not-even-fire-resistant safe can be opened with a can opener. I'm not kidding; I've seen a video. You don't want to keep your stuff in there. So buy a good safe.

If you want to find out a little more about how to manipulate safes, how to crack safes: Locks, Safes and Security. It is the book, you know, the reference; the Dutch call it the Bible, the Dutch lockpickers, anyway. If you buy one book, drop your 200 bucks on this one, or 250 if you get the electronic version; whatever, I don't know, the price is 225, 250. It's highly worth it. Or the electronic version for only 350, if you don't get it at the conference; this way you get a search function, you get instructional how-to videos, all sorts of fun things. If you can't afford Locks, Safes and Security, there is Safecracking for the Computer Scientist. This is Matt Blaze's excellent free guide, crypto.com/papers. It is a free guide, great pictures; I stole a lot of pictures in this talk from that paper, which will tell you what you need to do to manipulate open a lock. If you decide to go into the business, there's the National Locksmith Guide to Manipulation, which talks a lot about the in-depth details, you know, how safe locks can fail, the different kinds; you know, there are a number of different kinds to watch out for, Yale friction fences and crazy things like that, which is definitely aimed at the practicing locksmith. If you want to find out more, you can send me an email: manipulation.proof@gmail.com is my email address. Questions?
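As an added illustration of the contact-point method the talk walks through (the narrowing of the contact points when a gate passes under the fence, and the "42 22 22" test for which wheel the gate is on), and not code from the talk, from Sargent and Greenleaf or from any lock manufacturer, here is a Python model of a three-wheel lock whose only observable is contact-point width. Everything in it is an assumption made for the model: the names `PracticeLock`, `contact_width` and `manipulate`, the radii, the gate depth and the linear width formula are constructed, and the wheels are positioned directly instead of through a real dialing sequence. The defensive point it makes is that as long as a lock exposes its contact points, the wheel-pack height leaks one wheel at a time; once that channel is gone (the 8400's locked-dial cam, the X-07's electronics), the loop below has nothing to graph.

```python
"""Toy model of contact-point manipulation on a three-wheel lock.

Added example, not code from the talk or from any lock manufacturer. The
geometry (unequal wheel radii, a fence riding on the highest edge, a
contact-point width that shrinks as the fence drops) is an abstraction
with constructed numbers; wheels are positioned directly rather than
through a real dialing sequence.
"""
from dataclasses import dataclass
from typing import Dict, List

DIAL_POSITIONS = 100   # graduations 0..99
GATE_DEPTH = 0.50      # a gate is far deeper than the radius differences


@dataclass
class PracticeLock:
    gates: List[int]      # gate position per wheel, i.e. the combination
    radii: List[float]    # the largest wheel "reads" first

    def fence_height(self, positions: List[int]) -> float:
        # The fence rests on whichever wheel edge is highest under it; a
        # wheel with its gate under the fence presents the gate floor instead.
        heights = [r - GATE_DEPTH if pos == gate else r
                   for r, gate, pos in zip(self.radii, self.gates, positions)]
        return max(heights)

    def contact_width(self, positions: List[int]) -> float:
        # The contact points move closer together as the nose drops further
        # in, i.e. as the fence sits lower. Linear model, constructed units.
        return 10.0 + 100.0 * self.fence_height(positions)

    def opens(self, positions: List[int]) -> bool:
        return positions == self.gates


def manipulate(lock: PracticeLock) -> List[int]:
    """Recover the combination wheel by wheel using only contact_width()."""
    n = len(lock.gates)
    known: Dict[int, int] = {}          # wheel index -> gate position found

    def positions_for(p: int) -> List[int]:
        # Park the wheels already solved on their gates, move the rest to p.
        return [known.get(i, p) for i in range(n)]

    for _ in range(n):
        # 1. Graph the contact-point width across the whole dial; the single
        #    narrowest reading is a gate on the highest wheel still unsolved.
        widths = {p: lock.contact_width(positions_for(p))
                  for p in range(DIAL_POSITIONS)}
        p_star = min(widths, key=widths.get)
        base = widths[p_star]
        # 2. Which wheel is it on? Move each unsolved wheel off p_star in
        #    turn (the "42 22 22" test): the width widens again only when
        #    the gated wheel leaves the fence.
        for i in range(n):
            if i in known:
                continue
            trial = positions_for(p_star)
            trial[i] = (p_star + 20) % DIAL_POSITIONS
            if lock.contact_width(trial) > base:
                known[i] = p_star
                break
    return [known[i] for i in range(n)]


if __name__ == "__main__":
    lock = PracticeLock(gates=[36, 45, 72], radii=[0.98, 1.00, 0.96])
    found = manipulate(lock)
    print(found, lock.opens(found))   # [36, 45, 72] True
```

The model reads the wheels in order of radius rather than dial order, which is why the identification step is needed at all: the first gate found belongs to whichever wheel happens to be largest, not necessarily to the first number. Two wheels sharing a gate position are handled, since the narrowest reading in each round still belongs to exactly one unsolved wheel.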
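The X-07 behaviour the talk lists (shutdown after one and one-third turns without a quarter-second pause, after a whole combination in under 15 seconds, after five minutes of dialing without powering down, and a waiting period after ten wrong combinations in a row) is a detection policy aimed at telling a motor from a hand. As an added example, not Mas-Hamilton's firmware and not anything from the talk, here is that policy written as a small monitor fed with constructed dial samples. `DialSample`, `DialMonitor`, the two-minute penalty length, the human and robot sample patterns and the turns-per-sample values are all assumptions; the thresholds are the ones the speaker quotes.

```python
"""Dial-behaviour lockout policy as described for the X-07 in the talk.

Added example: an interpretation of the rules the speaker quotes, not the
manufacturer's firmware. Names, sample rates and the penalty length are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

# Thresholds as quoted in the talk
MAX_CONTINUOUS_TURNS = 4.0 / 3.0   # 1 1/3 turns with no quarter-second pause
MIN_PAUSE_S = 0.25                 # a human re-grips; a motor does not
MIN_COMBO_S = 15.0                 # whole combination faster than this: shutdown
MAX_SESSION_S = 300.0              # 5 min dialing without powering down: shutdown
MAX_WRONG_IN_A_ROW = 10            # then a penalty wait
PENALTY_S = 120.0                  # "a couple of minutes": constructed value


@dataclass
class DialSample:
    t: float       # seconds since the lock woke up
    turns: float   # rotation since the previous sample, in dial turns


@dataclass
class DialMonitor:
    state: str = "ok"              # "ok", "penalty" or "shutdown"
    reason: Optional[str] = None
    session_start: Optional[float] = None
    last_t: Optional[float] = None
    continuous_turns: float = 0.0
    wrong_in_a_row: int = 0
    penalty_until: float = 0.0

    def _shutdown(self, why: str) -> str:
        self.state, self.reason = "shutdown", why
        return self.state

    def feed(self, s: DialSample) -> str:
        """Consume one rotation sample from the dial-driven generator."""
        if self.state == "shutdown":
            return self.state
        if self.session_start is None:
            self.session_start = s.t
        # A gap of a quarter second or more counts as the dialer letting go.
        if self.last_t is None or s.t - self.last_t >= MIN_PAUSE_S:
            self.continuous_turns = 0.0
        self.continuous_turns += abs(s.turns)
        self.last_t = s.t
        if self.continuous_turns > MAX_CONTINUOUS_TURNS:
            return self._shutdown("continuous rotation beyond 1 1/3 turns")
        if s.t - self.session_start > MAX_SESSION_S:
            return self._shutdown("dialing for more than five minutes")
        return self.state

    def power_down(self) -> None:
        """Dial left alone: the generator stops and the session counters clear."""
        self.session_start = None
        self.last_t = None
        self.continuous_turns = 0.0

    def combination_entered(self, t_start: float, t_end: float, correct: bool) -> str:
        """Called once a full combination has been dialed and tested."""
        if self.state == "shutdown":
            return self.state
        if t_start < self.penalty_until:
            self.state = "penalty"          # still waiting out the last lockout
            return self.state
        self.state = "ok"
        if t_end - t_start < MIN_COMBO_S:
            return self._shutdown("combination entered in under 15 seconds")
        if correct:
            self.wrong_in_a_row = 0
        else:
            self.wrong_in_a_row += 1
            if self.wrong_in_a_row >= MAX_WRONG_IN_A_ROW:
                self.wrong_in_a_row = 0
                self.penalty_until = t_end + PENALTY_S
                self.state = "penalty"
        return self.state


def run_samples(samples: List[DialSample]) -> DialMonitor:
    m = DialMonitor()
    for s in samples:
        m.feed(s)
    return m


def human_pattern() -> List[DialSample]:
    # Constructed: 0.05 turn every 0.1 s, and a 0.5 s re-grip after each full turn.
    out, t = [], 0.0
    for _ in range(4):
        for _ in range(20):
            out.append(DialSample(t, 0.05))
            t += 0.1
        t += 0.5
    return out


def robot_pattern() -> List[DialSample]:
    # Constructed: same speed as the human, but the motor never lets go.
    return [DialSample(0.1 * i, 0.05) for i in range(80)]


if __name__ == "__main__":
    print("human:", run_samples(human_pattern()).state)   # ok
    print("robot:", run_samples(robot_pattern()).state)   # shutdown
```

The human and robot patterns turn the dial at the same speed; the only difference the monitor sees is the re-grip pause, which is exactly the feature the speaker says the lock keys on. Combination timing and the wrong-attempt counter are tracked separately from rotation, so a slow, patient robot that never trips the rotation rule still runs into the 15-second, five-minute and ten-attempt limits.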
Info
Channel: Christiaan008
Views: 162,074
Rating: 4.6861625 out of 5
Keywords: Defcon14, V60, Schmiedl, Safecracking, without, a, trace
Id: 4_lkYQ88kv0
Length: 33min 7sec (1987 seconds)
Published: Mon Jan 31 2011
Reddit Comments

This video would be cooler if his explanations of things had video instead of some crappy picture.

But still a cool watch. I made it through 10 minutes before I fell asleep. But that's what I get for watching right after lunch.

1 point, u/bobglaub, Mar 12 2014