If you have any interest in safes at all, or have done research into buying one yourself, chances are you’ve encountered SentrySafe, one of the most trusted and popular brands out there.
Well, a group of white-hat (i.e. the “good” kind) hackers have created a home-made robot that can crack a SentrySafe in 30 minutes.
During an on-stage performance at DefCon, an international hacking expo held annually in Las Vegas, hacking team SparkFun cracked a safe open – for the first time, no less – in slightly under 30 minutes. Their device, which costs US$200 to make, uses 3D printed elements and can be modified to fit any dial-operated safe.
The method used comes down to numbers. The safe used, which was bought on the day of the performance and never before opened, relied on three dials, and each dial can represent any two-digit number, leading to a total of one million potential combinations.
Brute-force hacking, which means trying out each combination to inevitably happen upon the right one, would have taken significantly longer, but the team exploited two vulnerabilities.
Firstly, the robot can detect the correct pin on one of three dials with complete accuracy. While it cannot detect the other two, eliminating one drastically reduces the number of possible combinations.
Secondly, the safe in question has a margin of error of ±1, meaning if the correct number is 34, then 33 and 35 will also work. This is “on-purpose” and intended to make use of the safe more convenient – if the user knows the number within that particular margin, chances are they actually know the combination (and are not a thief).
With these two crutches, the number of possible combinations was reduced to a mere 1,000, and the device brute-forced itself from there.
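The arithmetic behind that reduction can be checked directly. The following is an added example, not code from SparkFun or from this article; it assumes a circular dial with positions 0 to 99 and the same tolerance on every dial, and all function names are illustrative. It shows how a dial tolerance and one leaked dial shrink the effective keyspace to roughly the thousand-odd combinations quoted above.

```python
import math

def covering_trials(positions: int, tolerance: int) -> list[int]:
    """Fewest dial values such that every possible true value lies
    within `tolerance` of one of them (dial assumed circular)."""
    width = 2 * tolerance + 1
    trials = list(range(tolerance, positions, width))
    covered = {(t + d) % positions
               for t in trials for d in range(-tolerance, tolerance + 1)}
    if len(covered) < positions:      # a short gap is left at the top end
        trials.append(positions - 1)
    return trials

def fully_covered(positions: int, tolerance: int, trials: list[int]) -> bool:
    """Exhaustively confirm that no true value is missed by the trial set."""
    def dist(a: int, b: int) -> int:
        d = abs(a - b) % positions
        return min(d, positions - d)
    return all(any(dist(v, t) <= tolerance for t in trials)
               for v in range(positions))

def effective_keyspace(positions: int, wheels: int,
                       tolerance: int = 0, known_wheels: int = 0) -> int:
    """Combinations that remain distinct once tolerance merges neighbouring
    values and `known_wheels` dials no longer need to be guessed."""
    per_wheel = len(covering_trials(positions, tolerance))
    return per_wheel ** (wheels - known_wheels)

def entropy_bits(keyspace: int) -> float:
    """Keyspace expressed as bits of secrecy, for comparing designs."""
    return math.log2(keyspace)

if __name__ == "__main__":
    cases = [("nominal: 3 dials, exact match", 0, 0),
             ("with +/-1 tolerance", 1, 0),
             ("tolerance and one dial leaked", 1, 1)]
    for label, tol, known in cases:
        n = effective_keyspace(100, 3, tol, known)
        print(f"{label:32s} {n:>9,d} combinations, {entropy_bits(n):4.1f} bits")
```

Run on its own, it prints the three cases side by side, which makes the cost of a convenience tolerance visible as lost bits rather than as a single headline number.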
Of course, this doesn’t mean that your trusty combination safe has become useless – this demonstration was merely a proof-of-concept. In the real world, the method isn’t as effective and doesn’t outright mean that the safe “failed”…
Firstly, safes are intended to protect valuables from quick hit-and-run burglaries and possible house fires. No commercial safe is designed to stand up to sustained expert cracking attempts. Secondly, the biggest threat to a safe is it being picked up and stolen, to be opened at the thief’s leisure somewhere else.
Finally, the code for this device isn’t readily available, and when someone has the know-how to construct something like this, they won’t be using that knowledge to crack random household safes, so you can rest easy.
What all this does prove, however, is that no system will ever be flawless.