Last Christmas, Nathan Seidle's wife gave him a second-hand safe she'd found on Craigslist. It was, at first glance, a strange gift. The couple already owned the same model, a $120 SentrySafe combination fire safe they'd bought from Home Depot. But this one, his wife explained, had a particular feature: The original owner had locked it and forgotten the combination. Her challenge to Seidle: Open it.
Seidle isn't much of a safecracker. But as the founder of the Niwot, Colorado-based company SparkFun, a DIY and open-source hardware supplier, he's a pretty experienced builder of homemade gadgets, tools, and robots. So over the next four months, he and his SparkFun colleagues set about building a bot that could crack the safe for them. The result: A fully automated device, built from off-the-shelf and 3-D printed components, that can open his model of SentrySafe in a maximum of 73 minutes, or half that time on average, with no human interaction. In fact, in the demonstration Seidle gave WIRED in the video above, the process took just 15 minutes.
In the process of building his safecracking robot, which he will demonstrate live at the Defcon cybersecurity conference next week, Seidle discovered a series of real vulnerabilities in the relatively cheap, but popular, SentrySafe he tested. But the larger lesson of his work goes beyond his particular safe's security flaws. It points instead to a new reality for vendors of physical security equipment: If automated tools can crack your locks or safes, the increasing affordability of those tools makes you more vulnerable than ever. "You’re going to have an army of geeks like myself poking and prodding and trying to do things like this," says Seidle. "The nature of the toolset is getting cheaper, so more nerds are getting brave with their puzzling."
To build their safecracking robot, Seidle and his SparkFun accomplices Rob Reynolds and Joel Bartlett used about $200 in parts. Those include a $20 Arduino board, a $40 motor, an aluminum frame, 3-D printed components including a coupler that attaches to the safe's dial, some magnets to hold it onto the safe's face, and sensors that can check if the bot has successfully turned the safe's handle, and when it passes the "zero" when turning the dial.
In the most basic sense, the resulting safecracker works by "bruteforcing" the SentrySafe---trying every possible combination. Like your high school locker's combination lock, the safe has three internal rotors that each have to be set to a certain position–by dialing a series of three numbers–to open it. Since each of those rotors has 100 positions, corresponding to as many numbers on the safe's dial, trying all one million combinations (100 x 100 x 100) at the speed of about ten seconds per guess would take nearly four months.
So Seidle started looking for shortcuts. First he found that, like many safes, his SentrySafe had some tolerance for error. If the combination includes a 12, for instance, 11 or 13 would work, too. That simple convenience measure meant his bot could try every third number instead of every single number, immediately paring down the total test time to just over four days. Seidle also realized that the bot didn't actually need to return the dial to its original position before trying every combination. By making attempts in a certain careful order, it could keep two of the three rotors in place, while trying new numbers on just the last, vastly cutting the time to try new combinations to a maximum of four seconds per try. That reduced the maximum bruteforcing time to about one day and 16 hours, or under a day on average.
But Seidle found one more clever trick, this time taking advantage of a design quirk in the safe intended to prevent traditional safecracking. Because the safe has a rod that slips into slots in the three rotors when they're aligned to the combination's numbers, a human safecracker can apply light pressure to the safe's handle, turn its dial, and listen or feel for the moment when that rod slips into those slots. To block that technique, the third rotor of Seidle's SentrySafe is indented with twelve notches that catch the rod if someone turns the dial while pulling the handle.
Seidle took apart the safe he and his wife had owned for years, and measured those twelve notches. To his surprise, he discovered the one that contained the slot for the correct combination was about a hundredth of an inch narrower than the other eleven. That's not a difference any human can feel or listen for, but his robot can easily detect it with a few automated measurements that take seconds. That discovery defeated an entire rotor's worth of combinations, dividing the possible solutions by a factor of 33, and reducing the total cracking time to the robot's current hour-and-13 minute max.
In a statement to WIRED, SentrySafe didn't deny that its safes had vulnerabilities. But the company argued its products could still stand up to a less geeky attacker. "In this case, there was a tremendous effort, uninterrupted time in a controlled environment, the right tools and significant technical knowledge needed to eventually manipulate the safe," the statement from SentrySafe reads. "In this environment, the product accomplished what it was designed to do and would be realistically very difficult, if not impossible, for the average person to replicate in the field.”
Seidle counters that yes, anyone can reproduce his bot---that's the point of building it from cheap, open-source parts. But by demonstrating his safecracking bot and showing people how to make their own, Seidle says he's certainly not trying to aid burglars. Instead, he sees his work as mostly harmless DIY fun, and a warning about the limits of the security of a cheap safe. And more broadly, he sees it as a way to demonstrate the changing nature of physical security in an era of cheap robotics. "Could someone replicate it? Yeah, that’s the point," says Seidle."But there are so many cheaper and better ways to open up a safe than building one of these." (Less delicate methods involve a crowbar or a big hammer, for instance.)
In his talk at Defcon, Seidle plans to demonstrate his robot by cracking a newer, larger, $160 SentrySafe model live on stage. He says he couldn't find the smaller one for sale in Las Vegas, where the conference is held. That larger model requires a key as well as a combination to open. But surprisingly, Seidle found he could defeat that key safeguard with an old trick: shoving the plastic body of a Bic pen into the round keyhole and turning it. "Worked like a champ," Seidle says. "They added a layer of security that is completely useless."
Still, neither of the SentrySafes he's testing is a true high security safe, Seidle admits. Other, more expensive brands may not have its indentation giveaway in the third rotor, for instance, though Seidle notes some other elements of his robotic tricks could still vastly reduce the time to bruteforce their combinations. And as for those higher-end safes, Seidle welcomes other DIYers to pick up his work where he left off. "I don’t know if anyone is going to replicate my robot, but I imagine someone will take part one and part five and apply them to open a different model," he says. "And that would make me feel good."
