CAREFUL WHAT YOU leave in your lockers, high school students and gym-goers. An invasion of 3-D printed robots may be coming, capable of popping one of the world’s most ubiquitous brands of combination locks in as little as half a minute.
On Thursday, well-known hacker Samy Kamkar published on his website the blueprint and software code for a 3-D-printable Arduino-based lock-opening robot he calls the “Combo Breaker.” Attach it to any of millions of Master Lock combination locks, turn it on, and it can take advantage of a Master Lock security vulnerability Kamkar recently discovered to open the lock in a maximum of five minutes with no human interaction. Kamkar says.
“The machine pretty much brute-forces the lock for you. You attach it, leave it, and it does its thing.”
In fact, the Combo Breaker is programmed to do far better than a mere brute-force attack. It takes advantage of a mathematical trick Kamkar revealed last month that allows anyone—with a little practice—to find the combination of a low-end Master Lock combination lock in only eight tries. That technique takes advantage of a manufacturing flaw: when the U-shaped shackle of one those combination locks is pulled while its rotor is turned, the cracker can feel resistance on certain numbers that help to reveal the position of the “combination disks” that determine the combination that opens the lock. In combination with some restrictions in possible combinations that Kamkar mathematically deciphered and encoded in a web-based tool, Kamkar exploited that information leak to cut out all but a few possible combinations. The resulting manual technique is easy enough—writers at Ars Technica who tested it, for instance, were mostly able to pull it off after a couple of tries.
The Combo Breaker goes even further, automating the process with zero skill or practice required from the user. But a Master Lock cracker willing to learn just one step in the process can also give the Combo Breaker a manual head start by merely turning a target lock’s rotor while tugging the shackle to find the first number that offers resistance and starting the robot at that position. Doing that, Kamkar says, enables his device to then crack a Master Lock combination in just 30 seconds. Kamkar explains.
“Without doing any work, this can open the lock entirely automatically in 80 combinations. If you do that one little test first, it can crack the lock in eight combinations or less.”
Kamkar’s robot consists of little more than a stepper motor, an Arduino chip that runs his cracking algorithm, a lever to pull the shackle, a rotor with a 3-D printed attachment to the lock’s face, and an optical sensor that tracks the location of the lock’s dial as it turns. All together, he says he built his prototype for less than $100. Here’s Kamkar’s video breakdown of the robot’s creation:
Master Lock didn’t immediately respond to WIRED’s request for comment. But Kamkar says his cracking technique is likely no major surprise to the lock maker, nor should it necessarily register as a serious security crisis. Master Lock gives its locks a 1-to-10 security rating displayed on its packaging, and the locks he tested were all rated 3. He says.
“The moral is pretty simple. If you’re trying to protect valuables in a storage locker, you should probably be using a better lock.”
In fact, Kamkar’s method builds off a trick that’s been known for years that reduces the number of possible combinations of those cheap Master Lock locks from 64,000 to just 100. Kamkar’s original goal was to build his robot to automate that tedious one-hundred-combination guessing. But when he drilled off the back of the locks to learn more about how they work, he soon discovered his own additional trick that further honed the attack, vastly reducing his robot’s cracking time. (Watch Kamkar explain the technical details of that technique here.)
The Combo Breaker robot is only the latest in a long career of clever hacks for Kamkar, who works as an independent software developer and consultant. Kamkar gained fame in 2005 for creating the “Samy worm,” an attack that spread virally across Myspace, adding over a million friends to Samy’s Myspace account in less than 24 hours. Kamkar’s more recent work has included a drone designed to seek out and wirelessly hijack other drones and “evercookie,” a browser tracking cookie designed to be nearly impossible to remove.
Kamkar says his goal in freely releasing the plans for the Combo Breaker was mostly to foster hacker experimentation and share his own enjoyment of what he describes as “James Bond”-style gadgetry. But he also hopes to teach the public that their low-end combination locks are laughably insecure. Kamkar says.
“Security people know about this, but the general public doesn’t. I try to build things that are interesting to a general audience. And I hope getting this out there helps people make better decisions about the locks they use.”
COMMENTARY: California's Penal Code 466 PC makes it a misdemeanor (punishable by six months in jail and a $1,000 fine) to have in your possession burglary tools with intent to commit a crime. However, if you can prove otherwise, you will not be cited. I am not trying to be a kill-joy, but I wonder if Kamkar knows that he might be helping burglars find it easier to commit burglary's by using his "combo breaker" on victims.
Not being mechanically inclined, I would probably find it difficult to build a combo breaker of my own, no matter how easy the DIY instructions were. A far easier, and less costly contraption would be this:
I haven't actually tried the latter method for opening combination locks, but it certainly appears to be far simpler, and less costly than Kamkar's combo breaker. Comments?
Courtesy of an article dated May 14, 2015 appearing in WIRED