Safecrackers of the past put a stethoscope to a safe’s panel while turning its dial, listening for the telltale murmurs of the interlocking components inside. It turns out that modern safecracking, despite all its electronic upgrades, isn’t so different. But now those involuntary murmurs are electric, and the combination they betray takes the form of ones and zeros in transit between a lock’s silicon chips.
At the Defcon hacker conference Friday, security researcher Mike Davis will present the results of years of research into a family of electronic safe locks all sold by Switzerland-based lock giant Dormakaba. Over the last two and a half years, Davis has found techniques to crack three different types of the Kaba Mas high-security electronic combination locks the company has sold for securing ATM safes, pharmacy drug cabinets, and even Department of Defense facilities, representing millions of locks around the world. Davis found that he could open many of those ATM and pharmacy locks in as little as five minutes with nothing more than an oscilloscope and a laptop. The technique also leaves no physical trace—other than the safe’s contents disappearing.
“We’ve identified a design flaw, a pattern we’ve been able to leverage in almost every model of the lock,” says Davis. The result is that, with just a couple of oscilloscope probes—simple metal pins that allow a common electrical engineering tool to measure voltages of the components they touch—inserted into a port on the lock’s side and some clever power analysis, “we basically know everything the lock knows and can generate a combination to unlock the safe.”
When the affected Kaba Mas locks turn on, they transfer their unique combination from the EEPROM memory chips they use for storage to their processor. The CPU can then compare any combination the user enters on its dial or touchpad to the correct one and, if that combination checks out, instantly open its bolt.
But Davis found that by inserting his oscilloscope probes into a lock’s electronic components, he could deduce those combinations by studying the lock’s internal voltage changes when it boots up. The voltages that “leak” when the CPU receives the patterns spell out the ones and zeros that represent the lock’s combination in binary form. Davis can analyze them with the help of an automated Python script. “There’s a very sharp transition between zeros and ones, and that’s where the leakage comes from in this case,” Davis says. “It’s pretty easy to see the difference.”
Two models of the Kaba Mas locks, the Cencon locks Dormakaba sells for use on ATM vaults and the Auditcon locks it markets for use in pharmacies, have a port on their left side that Davis says offers easy access for his voltage probes. “You put your oscilloscope probes right in the port, then you spin the dial so the lock boots,” Davis says. “It copies its EEPROM contents over to its CPU, and that’s sufficient to unlock it.” Dormakaba’s marketing materials boast that it has sold 1 million of the Cencon locks alone for use on ATMs.
In his Defcon talk, Davis plans to demonstrate the basic form of his attack as a proof of concept. It works only on those two lock models and—for the Cencon in particular—only with certain default settings in place. But Davis has spent the last two years developing variations on that technique that can also open the Cencon when it has other security settings enabled, as well as other higher-security locks the company sells, albeit with more complex methods that in some cases involve serious surgery on the locks’ exterior.
Many banks, for instance, enable a setting on the Cencon locks that requires anyone who wants to open an ATM safe to first insert a so-called iButton device into the port on the lock’s side, a kind of two-factor authentication token. But Davis says his attack can read the code that the CPU uses to check that device just as easily as the combination itself. He can still obtain all the information he needs to unlock the safe.
A second generation of the Cencon locks, released in 2009, at first presented a far more serious challenge. That version uses AES encryption to protect the lock’s combination in memory, Davis says, so that it can’t be read when it’s transferred to the CPU. He found that it was possible to use a different form of power analysis to extract the AES key and decrypt the combination, but only after several readings and days of analysis, which wouldn’t be a very realistic attack. But Davis says he found a shortcut just two months ago that allows him to extract the lock’s data despite its encryption in just a few minutes. He declined to share details of that discovery in his talk or to WIRED, since he says he hasn’t yet disclosed the attack to Dormakaba.
Finally, Davis examined a third family of Kaba Mas locks known as the X-0 series, intended for government customers. According to Dormakaba marketing materials, the company has sold nearly 1 million units of the X-0 series, and it’s been used in settings as sensitive as the Pentagon, the National Security Agency, the Central Intelligence Agency, Air Force One, and even to protect launch codes on US nuclear submarines. Davis found that his attack didn’t work on the oldest lock in that X-0 family due to a different internal architecture. He wasn’t able to obtain the most recent lock in the series, the X-10, due to restrictions on its sale, so didn’t test it.
But for the X-08 and X-09 locks released in 1999 and 2002, Davis found that his voltage leaking attack worked. Thankfully, the process was significantly more difficult than in the Cencon or Auditcon models. Since the X-0 series have no physically accessible ports, Davis had to remove the LCD screen, attach his probes to wires that connected to that display, and then use some extra electrical engineering tricks to cancel out the “noise” of the electrical signals sent to that screen before he was able to read the underlying voltage leakage that reveals the combination. Davis estimates the full process takes an hour, and it leaves behind a far more obvious mess of wires than his stealthy Cencon and Auditcon cracking techniques.
When WIRED reached out to Dormakaba, the company responded in a statement that it’s been working with ATM manufacturers for seven months to address IOActive’s findings, and found no evidence that Davis’ cracking techniques had been used in any actual break-ins. “Our investigations and customer communications have addressed both current and prior year models,” reads the statement from Jim Mills, Dormakaba’s senior vice president for product development access solutions for the Americas. “Additionally, there have been no reported events in the field to suggest that current or previous models have presented security issues in real-world environments.” The company didn’t respond to follow-up questions about how it’s fixing the flaws, or whether it has notified all of its customers.
The General Services Administration, which handles the acquisition of technology like Dormakaba’s locks for government agencies, wrote in a statement to WIRED that it’s also worked to address Davis’ findings after he told the GSA about them—but similarly without details. “We are aware of this security issue as it relates to the US government and have developed and deployed mitigation techniques in the federal environment,” the statement reads. “The federal government uses multiple layers of security as a physical security best practice. We routinely test these layers of security to identify potential vulnerabilities and take appropriate actions as warranted.”
Davis says he initially warned Dormakaba about the vulnerability of its Cencon locks two years ago, and shared findings about the other models over the following months. But fixing the vulnerabilities that Davis has exposed won’t be easy. Davis says that in at least some of the locks, there’s no hardware capable of encrypting the locks’ combinations to prevent his attack. Even if a software update could prevent Davis-style attacks in some cases, it likely would have to be implemented across millions of locks around the world—an expensive process sure to take years.
But Davis says he also isn’t giving anyone a simple playbook to replicate his attacks. He’s not publishing the code for his power analysis program, for instance, and he believes it would take significant, sophisticated work to recreate even the simpler techniques he pulled off. “I’m not looking to expose the locks that protect the nuclear codes,” he adds. “I don’t think I’m giving anyone a loaded gun.”
He also argues, though, that revealing the vulnerabilities of the Kaba Mas locks was justified, and that it should help to inform anyone who depends on them to protect their cash, drugs, or classified files. “This should tell the world how secure these locks actually are,” Davis says. “without having to pretend that the emperor has clothes.”