High-security electronic safes can be hacked through power and timing analysis

Researcher shows that variations in voltage and execution times can expose the correct access codes for electronic safe locks

Some consumer safes protected with electronic locks are quite easy to hack using basic techniques. Others, though, like those made to store guns, are designed to resist expert manipulation.

However, one hacker demonstrated at the DEF CON security conference Friday that even high-security rated electronic safe locks are susceptible to side-channel attacks typically used against cryptosystems.

Side-channel attacks involve techniques like analyzing power fluctuations and variations in the time it takes operations to complete on an electronic device. By monitoring these values when the system checks the user's input against a stored value, attackers can incrementally recover encryption keys or, in the case of electronic safe locks, the correct access code.
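The timing side of this can be shown with a small model, added here as an example and not taken from the talk or from any lock's firmware. It compares an early-exit code check with a constant-time one and uses a loop-iteration count as a stand-in for execution time; the stored code and all function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#define CODE_LEN 6   /* six-digit access code, as in the article */
typedef int (*check_fn)(const uint8_t *stored, const uint8_t *in, unsigned *steps);

/* Leaky check: stops at the first wrong digit. *steps counts loop
 * iterations and is a deterministic stand-in for execution time. */
static int check_early_exit(const uint8_t *stored, const uint8_t *in, unsigned *steps)
{
    *steps = 0;
    for (int i = 0; i < CODE_LEN; i++) {
        (*steps)++;
        if (stored[i] != in[i]) return 0;
    }
    return 1;
}

/* Hardened check: visits every digit and folds the differences into one
 * byte, so the amount of work does not depend on the entered code. */
static int check_constant_time(const uint8_t *stored, const uint8_t *in, unsigned *steps)
{
    uint8_t diff = 0;
    *steps = 0;
    for (int i = 0; i < CODE_LEN; i++) {
        (*steps)++;
        diff |= (uint8_t)(stored[i] ^ in[i]);
    }
    return diff == 0;
}

/* Spread (max - min) of step counts over wrong guesses that match the
 * stored code in 0..CODE_LEN-1 leading digits. Zero means nothing leaks. */
static unsigned step_spread(check_fn check)
{
    const uint8_t stored[CODE_LEN] = {4, 8, 1, 5, 1, 6};   /* constructed */
    unsigned lo = ~0u, hi = 0, steps;
    for (int good = 0; good < CODE_LEN; good++) {
        uint8_t guess[CODE_LEN];
        for (int i = 0; i < CODE_LEN; i++)
            guess[i] = (i < good) ? stored[i] : (uint8_t)((stored[i] + 1) % 10);
        check(stored, guess, &steps);
        if (steps < lo) lo = steps;
        if (steps > hi) hi = steps;
    }
    return hi - lo;
}
int main(void) {
    printf("early-exit spread: %u\n", step_spread(check_early_exit));
    printf("constant-time spread: %u\n", step_spread(check_constant_time));
    return 0;
}
```

A nonzero spread means the work done depends on how much of the guess is right, which is the variation a timing measurement picks up.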

Plore, the hacker who demonstrated two such attacks at DEF CON, is an embedded software developer with a background in electrical engineering. One of his targets was the Sargent and Greenleaf 6120, an older electronic safe lock from the late '90s that's still being sold and certified as highly secure by UL, an international safety certification company. The second target was a newer lock from 2006 called the Sargent and Greenleaf Titan PivotBolt.

Plore tapped the power wires between the S&G 6120 keypad and the electronic lock mechanism inside the safe. By doing so, he was able to see fluctuations in the flow of electrical current when the lock extracted the correct six-digit access code from memory in order to compare it to the code entered by the user. He showed that an attacker could recover the correct code by entering an incorrect code on the keypad while performing power analysis on the device.

The Titan PivotBolt lock was somewhat more difficult to defeat, and it required a combination of a brute-force attack implemented through a custom-made device, as well as power analysis and timing analysis. It also required cutting the power after a guess attempt in order to prevent the lock from incrementing a counter that would enforce a 10-minute delay after five failed attempts.
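The counter weakness comes down to the order of operations, shown in the model below, which is an added example and not the lock's firmware. It assumes a failure counter in nonvolatile memory and a simulated power cut right after the comparison; the struct, the function names and the stored code are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#define CODE_LEN  6
#define MAX_FAILS 5   /* lockout threshold from the article */
/* Constructed model: nv_fails stands in for a counter in nonvolatile memory. */
struct lock { uint8_t code[CODE_LEN]; unsigned nv_fails; };
enum result { OPEN, DENIED, LOCKED_OUT, POWER_LOST };
typedef enum result (*attempt_fn)(struct lock *l, const uint8_t *in, int power_cut);

static int code_matches(const uint8_t *a, const uint8_t *b)
{
    uint8_t diff = 0;                     /* no early exit on a mismatch */
    for (int i = 0; i < CODE_LEN; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Weak ordering: the failure is recorded only after the comparison.
 * power_cut models power being removed before that write happens. */
static enum result try_count_after(struct lock *l, const uint8_t *in, int power_cut)
{
    if (l->nv_fails >= MAX_FAILS) return LOCKED_OUT;
    int ok = code_matches(l->code, in);
    if (power_cut) return POWER_LOST;     /* counter never written */
    if (ok) { l->nv_fails = 0; return OPEN; }
    l->nv_fails++;
    return DENIED;
}

/* Hardened ordering: charge the attempt first, refund it only on success. */
static enum result try_count_before(struct lock *l, const uint8_t *in, int power_cut)
{
    if (l->nv_fails >= MAX_FAILS) return LOCKED_OUT;
    l->nv_fails++;                        /* committed before the compare */
    int ok = code_matches(l->code, in);
    if (power_cut) return POWER_LOST;
    if (ok) { l->nv_fails = 0; return OPEN; }
    return DENIED;
}

/* Stored failure count after n wrong guesses that each end in a power cut. */
static unsigned fails_after_cuts(attempt_fn attempt, int n)
{
    struct lock l = { {4, 8, 1, 5, 1, 6}, 0 };          /* constructed code */
    const uint8_t wrong[CODE_LEN] = {0, 0, 0, 0, 0, 0};
    for (int i = 0; i < n; i++) attempt(&l, wrong, 1);
    return l.nv_fails;
}
int main(void) {
    printf("count-after: %u  count-before: %u\n",
           fails_after_cuts(try_count_after, 20), fails_after_cuts(try_count_before, 20));
    return 0;
}
```

With the count-after ordering the stored counter stays at zero no matter how many guesses are interrupted, while the count-before ordering reaches the lockout threshold after five. On real hardware the nonvolatile write must also have completed before the comparison starts.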

While many consumer electronic safe locks are likely vulnerable to these attacks, there are other much more expensive locks designed to prevent side-channel techniques.

There is a U.S. federal standard for high-security locks approved by the General Services Administration for securing classified documents, materials, equipment, and weapons. This standard specifically defends against these attacks, Plore said.

Burglars won't bother with power analysis to open consumer safes and are more likely to use a crowbar, but the researcher believes these techniques might also be applicable to other software-based lockout systems, like those in phones or cars.

Earlier this year, the FBI sought a court order to force Apple to help it break into the locked iPhone of a mass shooter in San Bernardino, California. After Apple refused and challenged the order, the FBI bought an unspecified exploit from a third party that allowed it to bypass the PIN lock and the safety mechanism designed to erase the phone's contents after a number of invalid PIN entries.


Stories by Lucian Constantin
