Electronic safes are generally regarded as better protected against hacking than basic electronic locks. A demonstration at last Friday's DEF CON security conference, however, revealed a rather easy way of recovering the access code of high-end electronic safes.
The demonstration was given by an independent researcher and hacker who goes by Plore. He was introduced to the audience as an embedded software developer with a background in electrical engineering. He explained and demonstrated how variations in a lock's voltage and execution time can be used to obtain the access code of an electronic lock.
The researcher used side-channel attacks, a class of attack more commonly applied against cryptosystems. Rather than attacking a device's logic, these attacks analyse its physical behaviour: the fluctuations in the power it draws and the variations in the time it takes to complete a given task. When the system compares an entered value against a stored one, those measurements reveal how closely the entered value matches the stored one. Against a cryptosystem this allows recovery of encryption keys; against a lock it allows recovery of the access code.
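The leak described above comes down to how the comparison is written. The following is an added example, not code from Plore's talk or from any Sargent and Greenleaf product: it models the comparison in software and, instead of measuring real power or wall-clock time, counts how many digit-compare steps each guess triggers, which is the quantity a power or timing trace exposes on an embedded lock. The early-exit version leaks how many leading digits were right; the constant-time version beside it does the same work for every guess. The stored code and the guesses are constructed sample values.

```python
"""Operation-count model of an early-exit code comparison versus a
constant-time one (added example; not the firmware of any real lock)."""


def early_exit_compare(stored: str, entered: str) -> tuple[bool, int]:
    """Naive comparison that stops at the first mismatching digit.

    Returns (match, steps). The step count is observable through timing or
    power draw and reveals how many leading digits of the guess were correct.
    """
    steps = 0
    for a, b in zip(stored, entered):
        steps += 1
        if a != b:
            return False, steps
    return len(stored) == len(entered), steps


def constant_time_compare(stored: str, entered: str) -> tuple[bool, int]:
    """Examines every digit regardless of where the first mismatch is.

    Mismatches are accumulated with a bitwise OR instead of a branch, so the
    amount of work (and the shape of a power trace) is the same for every
    guess of the right length. Length mismatches are also charged a full pass.
    """
    if len(stored) != len(entered):
        return False, len(stored)
    diff = 0
    steps = 0
    for a, b in zip(stored, entered):
        steps += 1
        diff |= ord(a) ^ ord(b)  # non-zero if any digit differs
    return diff == 0, steps


def step_counts(compare, stored: str, guesses) -> list[int]:
    """Step count each guess produces under the given comparison routine."""
    return [compare(stored, g)[1] for g in guesses]


def leaks_by_step_count(compare, stored: str, guesses) -> bool:
    """True if different wrong guesses produce different step counts,
    i.e. the routine leaks information about the stored code."""
    return len(set(step_counts(compare, stored, guesses))) > 1


if __name__ == "__main__":
    CODE = "123456"  # constructed sample stored code
    GUESSES = ["000000", "100000", "120000", "123000"]  # constructed guesses
    for name, fn in (("early-exit", early_exit_compare),
                     ("constant-time", constant_time_compare)):
        print(f"{name:14s} steps={step_counts(fn, CODE, GUESSES)} "
              f"leaks={leaks_by_step_count(fn, CODE, GUESSES)}")
```

The check a reviewer of lock firmware wants is the last function: feed the comparison a set of wrong guesses that share progressively longer prefixes with the stored code and confirm that the amount of work does not change. In C firmware the same idea is a loop over all digits that ORs the XOR of each pair into an accumulator, with no early `return`.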
Plore held the demonstration using two target devices. The first he broke into was the Sargent and Greenleaf 6120, an older electronic lock from the 1990s. It has been given a high security rating by UL, the international safety certification company.
The hacker tapped the power wires running between the safe's internal electronic lock mechanism and the S&G 6120, which made the power fluctuations visible on a trace. When a user enters a combination, the lock retrieves the correct six-digit code from memory and compares it with the entered value. Because that comparison shows up in the power draw, the correct code can be recovered by power analysis of the device.
The second device Plore broke into was the Sargent and Greenleaf Titan PivotBolt, a newer model manufactured in 2006. It proved more difficult to break into: the hacker had to build a custom device and combine power analysis with timing analysis. This lock also has a defence mechanism that enforces a 10-minute delay after five failed attempts. To keep that mechanism from being triggered, the demonstrator cut the power after entering each random incorrect code.
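The power-cut trick works only if the lock records a failed attempt after it has finished evaluating the code. The following is an added example, not Sargent and Greenleaf firmware: it models the five-attempt, ten-minute lockout described above with a weak design that persists the failure counter after the verdict and a hardened design that charges the attempt to non-volatile memory before verifying. A power cut is simulated by returning from the attempt right after the comparison and rebuilding the lock from whatever reached the store. The `NonVolatileStore`, the two lock classes and the stored code are assumptions made for the demonstration.

```python
"""Lockout counter that survives a power cut, beside the weak design.
Added example; not the firmware of any real lock."""
import hmac

MAX_FAILURES = 5        # five failed attempts, as described for the Titan PivotBolt
LOCKOUT_SECONDS = 600   # ten-minute delay


class NonVolatileStore:
    """Stands in for EEPROM/flash: contents survive a simulated power cut."""

    def __init__(self):
        self.data = {"failures": 0, "locked_until": 0}

    def write(self, key, value):
        self.data[key] = value

    def read(self, key):
        return self.data[key]


class WeakLock:
    """Records the failure only after the verdict. Cutting power right after
    the comparison leaves the persisted counter untouched."""

    def __init__(self, store, stored_code):
        self.store, self.code = store, stored_code

    def try_code(self, entered, now, power_cut_after_compare=False):
        if now < self.store.read("locked_until"):
            return "locked_out"
        ok = hmac.compare_digest(self.code, entered)  # constant-time compare
        if power_cut_after_compare:
            return "power_cut"  # nothing about this attempt was persisted
        if ok:
            self.store.write("failures", 0)
            return "open"
        failures = self.store.read("failures") + 1
        self.store.write("failures", failures)
        if failures >= MAX_FAILURES:
            self.store.write("locked_until", now + LOCKOUT_SECONDS)
        return "denied"


class HardenedLock:
    """Commits the pessimistic outcome first: the attempt is charged (and the
    lockout armed) before the code is examined, so a power cut at the same
    instant cannot erase it. A correct code clears the counter afterwards."""

    def __init__(self, store, stored_code):
        self.store, self.code = store, stored_code

    def try_code(self, entered, now, power_cut_after_compare=False):
        if now < self.store.read("locked_until"):
            return "locked_out"
        failures = self.store.read("failures") + 1
        self.store.write("failures", failures)
        if failures >= MAX_FAILURES:
            self.store.write("locked_until", now + LOCKOUT_SECONDS)
        ok = hmac.compare_digest(self.code, entered)
        if power_cut_after_compare:
            return "power_cut"  # the attempt already reached non-volatile memory
        if ok:
            self.store.write("failures", 0)
            self.store.write("locked_until", 0)
            return "open"
        return "denied"


def simulate(lock_cls, stored_code, wrong_guesses, cut_power=True):
    """Enter each wrong guess, optionally cutting power right after the
    comparison, rebuilding the lock from the store each time (power-up).
    Returns (persisted failure count, whether the next attempt is refused)."""
    store = NonVolatileStore()
    now = 0
    for guess in wrong_guesses:
        lock = lock_cls(store, stored_code)
        lock.try_code(guess, now, power_cut_after_compare=cut_power)
        now += 1
    lock = lock_cls(store, stored_code)
    return store.read("failures"), lock.try_code("000000", now) == "locked_out"


if __name__ == "__main__":
    CODE = "123456"                       # constructed sample stored code
    WRONG = ["000000"] * 6                # constructed wrong guesses
    print("weak, power cut:    ", simulate(WeakLock, CODE, WRONG))
    print("hardened, power cut:", simulate(HardenedLock, CODE, WRONG))
    print("weak, no power cut: ", simulate(WeakLock, CODE, WRONG, cut_power=False))
```

The design rule this illustrates is write-before-verify: any penalty that is supposed to follow a failed attempt must be committed to non-volatile storage before the attempt is evaluated, so that a reset or power loss can only make the lock stricter, never more lenient. The cost is one extra write on every correct entry to clear the counter.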
After the demonstration, Plore explained the wider implications of the technique. He noted that the General Services Administration has approved a U.S. federal standard for high-security locks, applicable to the storage of classified documents, materials, equipment and weapons. Locks built to this standard include protections against side-channel attacks. Simpler devices, such as consumer electronics, are not built in accordance with it.
Side-channel attacks are not expected to become a common way of breaking into household safes; they take no less time than simply forcing a safe open. That does not mean the technique can be dismissed as inapplicable. The growing concern is that it could be used to defeat the lockout mechanisms of phones, cars and other devices.
One such attack on a mobile device occurred earlier this year, carried out by the FBI during an emergency. Investigators needed to get into the iPhone of a mass shooter in San Bernardino, California. The FBI first obtained a court order to compel Apple to help unlock the phone; the company refused to cooperate and challenged the order. The FBI then bought an unspecified exploit from a third party, which allowed it to bypass the PIN lock and the security mechanism that erases the phone's contents after a certain number of invalid PIN entries.