Thanks to a pair of Melbourne security researchers, the cost of opening safes just hit a new low. Using an arduino platform and 3-D printed parts, the pair has created a contraption that can open many combination locks, like those on ATMs and gun safes. The device costs just $150 in parts, but people shouldn’t throw out their safes just yet: it takes about four days to crack the lock.
Brute force attacks, as the term is commonly used in cybersecurity, involve trying lots and lots and lots of possible answers to open a lock. Online, brute force attacks try to guess passwords by putting in literally every word in the book… and then some. (There are other, more gruesome ways to brute force crack a password)
To brute force open the combination locks on a safe, the cheap safecracker is mounted around the lock. A gripper holds onto the knob of the lock, and programming tells the step motors to turn the gripper in sequence as it runs through possible lock combinations. Brute forcing a lock like this can take a while, with the security professionals saying it can take up to four days to find the right combination.
Few safes are left unattended for four days, so for most enterprising criminals, this cheap safecracker isn’t going to be a good meal ticket. There is, however, a faster way. Safe makers often ship safes that are set to only a few default patterns. The arduino on the safecracker comes with an SD card slot, so an attacker could load a memory card with default safe combinations and make sure the cracker tries those first. If the safe is still using a default combination, the time drops from days to minutes.
“A lot of these locks have about 10 default combinations which never ever get changed,” said Jay Davis, one of the designers of the safecracker, “and they would be the ones you would want to try out first.”
The cheap safecracker doesn’t spell the end of safes, but anyone worried about their locked-up possessions should probably change the default combination on the safe anyway — just in case.