How Safecrackers Can Unlock an ATM in Minutes—Without Leaving a Trace


Safecrackers of the past put a stethoscope to a safe's panel while turning its dial, listening for the telltale murmurs of the interlocking components inside. It turns out that modern safecracking, despite all its electronic upgrades, isn't always so different. But now those involuntary murmurs are electric, and the combination they betray takes the form of ones and zeros in transit between a lock's silicon chips.


At the Defcon hacker conference Friday, security researcher Mike Davis will present the results of years of research into a family of electronic safe locks all sold by Switzerland-based lock giant Dormakaba. Over the last two and a half years, Davis has found techniques to crack three different types of the Kaba Mas high-security electronic combination locks the company has sold for securing ATM safes, pharmacy drug cabinets, and even Department of Defense facilities, representing millions of locks around the world. Davis found that he could open many of those ATM and pharmacy locks in as little as five minutes with nothing more than an oscilloscope and a laptop. The technique also leaves no physical trace—other than the safe's contents disappearing.


"We've identified a design flaw, a pattern we’ve been able to leverage in almost every model of the lock," says Davis. The result is that, with just a couple of oscilloscope probes—simple metal pins that allow a common electrical engineering tool to measure voltages of the components they touch—inserted into a port on the lock's side and some clever power analysis, "we basically know everything the lock knows and can generate a combination to unlock the safe."


Leaky Voltages


When the affected Kaba Mas locks turn on, ..
