I'm assuming you're all here to learn about safe-cracking; if you're not, go somewhere else. The kind of safe-cracking I'm going to be talking about is safe-cracking without a trace, which means not this sort of thing. This is a safe being opened with a thermic lance at UL's labs. It's very, very flamboyant, very destructive, lots of smoke and fire, and it works very quickly. But it's also not very cool, because the safe doesn't work afterwards.

I'm going to be talking about non-destructive entry. This means, for example, manipulation. Manipulation could be twiddling the dial while you listen to the tumblers move. It could also be picking the lock: if the safe has a key to it, then you can usually pick the lock. You could X-ray the safe. Now, this doesn't exactly mean taking the safe to your local hospital and saying, "Doctor, my safe has a broken leg. Can you put it in the X-ray machine while I fiddle with the dial?" But there are ways to do it. Also robot dialing. Robots are very good at repetitive tasks, and nothing is more repetitive than trying every combination on the dial. Also robot manipulation. This is what happens when you make a robot a little more intelligent and it does all the manipulation for you.

First of all, I'm going to be talking about manipulation. This is the classic way of cracking a safe. It's featured in books and movies: The Italian Job. This is a still from Hogan's Heroes, the opening scene. It's an ancient TV comedy. Something of a black art. Locksmiths passed it down basically by word of mouth for a very long time, until 1955, when Clyde Lentz and Bill Kenton published a book called The Art of Manipulation. It was considered so secret that in the foreword to the book they actually said, "Please destroy this book after you've learned how to do it."

So, okay, you want to manipulate this lock? Well, give me a sec, because my laser pointer isn't working; please bear with me. Okay, there you go. So you have these things here.
They're called gates. There are three wheels, and they have these slots cut in them; these things over here are those slots. I'm sure some of you have looked inside a combination lock and know how they work. And you have this thing called the fence. It's the interaction between the gates and the fence that allows the lock to know when you've entered the correct combination. When the gates are all aligned, the fence can drop into those gates and the bolt can retract. In this case, the bolt is retracted back this way, and the fence is no longer in its original position right here. Fairly simple.

Now, how do we manipulate this thing? Well, the wheels aren't perfect. All the feedback you have to work with is what you can feel or hear from the front of the safe. And to open this, it's the same as when you pick a normal lock: you're relying on the fact that the wheels are imperfectly made, so that one of the wheels, in this case, is going to be bigger than the others. And when the gate in that wheel passes under the fence, the fence will be able to drop down just a little bit, and you'll be able to hear or feel it dropping down. It might be kind of indirect. It might show up on a graph, as I'm going to talk about later. But you will get an indication of it doing that.

Now, back in the day, back in, whatever, the 1850s and the Wild Wild West, when everyone was blowing safes left and right and listening with stethoscopes, we had these things called direct-entry fences, where the fence here was connected to the bolt bar. You had a handle on the front of the safe which would push this bolt bar into the wheel pack. And voilà, if the wheels were lined up, this thing could go into the wheel pack, into this slot right here, which went through all the wheels, and the safe would open.
The disadvantage was that if you applied a little bit of turning force to that handle and then listened, you would hear the gates in the wheels, since, after all, there is one wheel that's larger, and therefore when the gate in that wheel passed under the fence while you were applying a bit of torque to that handle, you would hear the click as the fence dropped into that gate and then got bounced back out again as the wheels kept moving, and you would know where one of the gates was. And you could keep doing this until you'd figured out the combination of the safe, and you'd have your safe open.

Now, at some point, people figured out that, hey, this is not such a good thing if people can listen to our safes and open them. So they came up with the idea of the nose and the cam. We have our fence up here; it's just a little square thing, it moves back here in the lock, and we have a nose and a cam. The cam is this large disc in the back. It's directly connected to the dial; it's the only thing that's directly connected to the dial, and it has a little notch cut in it here, which we call the drop-in area. Only when the nose drops into that drop-in area will the fence actually touch the wheels. You can see here, the nose is resting on the cam, it's not over the drop-in area, and so the fence is not actually touching the wheels and you can't hear anything. When the contact area, which is very small, is under the nose, the fence touches the wheels briefly and tests to see if they're all aligned. Keep turning the dial, and the fence goes back to this position.

The solution is to look at where we feel the increased resistance caused by the nose hitting the sides of the drop-in area. And if you come up to the lock-picking skybox, you can feel this for yourself; I have a safe lock with me. It is essentially a small bump. It's all you'll ever feel while manipulating a modern safe.
Because what's happening is that when this nose here hits the sides, this thing gets pushed up. And because this is spring-loaded, all of a sudden this thing starts dragging along the cam where it was floating in free space earlier. We call the points where the nose hits the edges of the drop-in area, the contact area, the contact points. And as the nose drops in further, say there's a gate in the largest wheel and the fence drops down that fraction of a millimeter to the next-largest wheel, these contact points will appear to get closer together. It takes a bit to wrap your head around this concept. Essentially, by looking at the width between the contact points, you can measure the radius of the wheel pack and thereby determine the combination.

This is again what happens. Here is a high wheel pack: that is, if there's a high wheel and there's no gate under the fence, you can see the left contact point and the right contact point. If it's a low wheel pack, say you have a high wheel but there's a gate under the fence in that wheel, you can see where the nose has dropped in just a little bit further. That's all you have to work with.

The solution is to graph it. This is a graph made while manipulating a safe lock, and you can see here just how the contact points get wider apart and closer together. Where's the number? Right here. We can see there's only one point at which both contact points narrow together, and we can safely assume that's one of the numbers of the combination. We do this whole thing with a little more detail, like so, checking every half a number and getting a very high-resolution graph of the contact points, and we can say, hey, that looks like a gate. Okay, we've got a gate. What do we do? That's one of three numbers in a three-number combination. Which number is it?
We only actually have to dial three different combinations, because the lock is sensitive to the order of the numbers dialed in the combination. If we go back here, you'll see that the gate is at 22. If we dial, say, 42, 22, 22, we're moving that first wheel out of position, out from under that gate, and all of a sudden, if those contact points get wider again, we know that moving that first wheel out from under the fence caused the contact points to get wider, and therefore the gate that we're looking at was on the first wheel. If that doesn't happen until we move the second wheel out from under the fence, we know that that gate was on the second wheel, and therefore the number we've found is the second number in the combination. The same thing for the third wheel. Basically, we're looking for this gate to vanish in our little graph of contact points.

Okay, this is complicated. It takes people, I think, about a year to become really proficient at manipulating open safes. You know, safe technicians practice on locks that have been modified to basically become training wheels. They bend the fence, for example, so they know which wheel is going to read first. And they work at it and they work at it, and eventually they get good enough that they can go into the field to a customer who has a safe to which he's forgotten the combination, and for the small fee of $200 or so, they'll manipulate open your safe.

If you want to learn this, I would suggest you do the same thing. Go on eBay, get yourself a practice lock. Get yourself, if you can, a cutaway like this one right here. Some of you may not be able to see it if you're in the back. This is a mounted cutaway lock by Sargent & Greenleaf. It's a standard safe lock. Cost me about 40 bucks; I think the price has gone up since then. And really, read some of the books and stuff and teach yourself how to do it.
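Editor's added example, not part of the talk: a toy Python model of the contact-point manipulation described above (the fence landing on the tallest wheel, the contact points narrowing when its gate passes underneath, the half-number scan, and the isolation test of moving one wheel off the gate at a time). The wheel radii, gate depth and contact-width scale are constructed numbers, "dialing" just sets each wheel's position directly and ignores how the drive cam picks the wheels up, and the combination 42-22-75 is made up, with the 22 on the tallest wheel so that it reads first, as on the slide.

```python
# Added example (not from the talk or from any manufacturer): a toy model of
# contact-point manipulation on a three-wheel lock.  Wheel radii, gate depth
# and the contact-width scale are constructed numbers, and "dialing" just
# sets each wheel's position directly (the drive-cam pickup is ignored).

DIAL = 100             # dial graduations 0..99
STEP = 0.5             # take a reading every half number, as the talk suggests
GATE_DEPTH = 0.20      # how far the fence can drop into a gate (constructed units)
GATE_HALF_WIDTH = 1.0  # graduations either side of a gate over which the fence sinks


def circular_distance(a, b):
    """Shortest distance between two dial positions, wrapping past 99 -> 0."""
    return abs((a - b + DIAL / 2) % DIAL - DIAL / 2)


class SimLock:
    """Three wheels, each with a gate (its combination number) and a slightly
    different radius: the manufacturing imperfection manipulation relies on.
    The fence rests on whichever wheel stands tallest at the fence position."""

    def __init__(self, combination, radii):
        self.combination = list(combination)
        self.radii = list(radii)

    def fence_height(self, positions):
        height = 0.0
        for pos, gate, radius in zip(positions, self.combination, self.radii):
            d = circular_distance(pos, gate)
            drop = GATE_DEPTH * max(0.0, 1 - d / GATE_HALF_WIDTH)  # partial drop on the gate's edges
            height = max(height, radius - drop)
        return height

    def contact_width(self, positions):
        """Spacing of the two contact points: wide when the fence rides high,
        narrower as it drops into a gate (constructed linear scale)."""
        return 10.0 + 8.0 * (self.fence_height(positions) - 1.0)

    def opens(self, positions):
        return all(circular_distance(p, g) <= 0.5
                   for p, g in zip(positions, self.combination))


def scan(lock, fixed):
    """Read the contact width with every unfixed wheel parked at p, for every
    p in half-number steps.  fixed maps wheel index -> position already found."""
    readings = {}
    p = 0.0
    while p < DIAL:
        positions = [fixed.get(w, p) for w in range(len(lock.radii))]
        readings[p] = lock.contact_width(positions)
        p += STEP
    return readings


def find_gate(readings):
    """The gate is the centre of the plateau where the width is narrowest (the
    fence lands on the next wheel, so the bottom of the dip is flat)."""
    narrowest = min(readings.values())
    low = sorted(p for p, w in readings.items() if w <= narrowest + 1e-9)
    if low[-1] - low[0] > DIAL / 2:        # plateau wraps past 99.5 -> 0
        low = sorted(p + DIAL if p < DIAL / 2 else p for p in low)
    return low[len(low) // 2] % DIAL


def which_wheel(lock, gate, fixed):
    """The isolation test from the talk: move one unfixed wheel off the gate at
    a time; the contact points widen again only when the owning wheel moves."""
    n = len(lock.radii)
    base = lock.contact_width([fixed.get(w, gate) for w in range(n)])
    for w in range(n):
        if w in fixed:
            continue
        positions = [fixed.get(i, gate) for i in range(n)]
        positions[w] = (gate + 25) % DIAL
        if lock.contact_width(positions) > base + 1e-9:
            return w
    raise ValueError("no unfixed wheel owns this gate")


def manipulate(lock):
    """Find the tallest wheel's gate, learn which wheel it is, park that wheel
    in its gate, and repeat: each parked wheel exposes the next-tallest one."""
    found = {}
    while len(found) < len(lock.radii):
        gate = find_gate(scan(lock, found))
        found[which_wheel(lock, gate, found)] = gate
    return [found[w] for w in range(len(lock.radii))]


if __name__ == "__main__":
    # Wheel 2 (index 1) is the tallest, so its gate at 22 reads first, as in the talk.
    lock = SimLock(combination=[42, 22, 75], radii=[0.97, 1.00, 0.94])
    print(manipulate(lock))
```

The detail worth noticing is that scan() does not show a sharp dip at a gate but a flat plateau a couple of half-numbers wide, because once the tallest wheel's gate is under the fence the fence is resting on the next wheel; find_gate() therefore takes the centre of the plateau rather than the first narrow reading, and manipulate() only sees the second wheel's gate after the first wheel has been parked in its own.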
Other things you might be tempted by are manipulation aids. These are basically gadgets which allow you to read the dial to a great deal of precision. You can, say, determine where those contact points are to within a thousandth of a dial graduation, because they use lasers and other crazy things, optical character recognition. I think they're cheating.

All right. So, if I'm the US government, or for that matter any government, and I'm storing lists of all the spies in other countries in my safes, I don't want those other countries to be able to sneak a spy into my organization, manipulate open the safe, photograph the lists of spies, and then bring that photograph back to their home country for those spies to be taken care of, without those spies knowing that they've been compromised.

So what people tended to do, back in the day, was put time locks on their safes. This was inspired by a locksmith. This was back before manipulation had ever been published, probably the '20s or '30s; I don't know the exact date. This locksmith had gone crooked. He decided he couldn't make enough money as a legitimate locksmith, and so he would take his manipulation skills and start breaking into jewelry shops and manipulating open the safes. Well, he had a lot of practice under his belt and he could do it. And the insurance companies weren't very happy when all of a sudden all these jewelers started reporting missing jewelry without any evidence that their safes or jewelry shops had ever been burgled or forcibly opened. The US government heard about this and said, uh-oh, if that crooked locksmith can do it, then so can the spies. And they put time locks on all their safes, which meant that on Friday night your clerk would set the time lock so that the safe would not open until Monday morning.
This is very good, because over the weekend you would not have to post a guard at the safe, and you would not have to worry that the guard was crooked, because the time lock was generally considered infallible. Unfortunately, Pearl Harbor happened on a Sunday. And so the battle plans were locked away in time-locked safes that dreadful day, and the generals were scurrying around looking for the battle plans, which were all safe and secure behind the time lock. So they called up Harry Miller, the head of Sargent & Greenleaf, one of the biggest safe lock manufacturers in the world, or in the country anyway, and said, "Harry, make us a lock that we can open any time but that nobody else can open without the combination."

The solution was the manipulation-proof lock. This is an 8400; this is the modern manipulation-proof lock, and it looks a little bit different from the lock I showed you previously, because it has a rather odd cam. It has a slider in that cam, in fact, so that instead of having a contact area that's open all the time, the contact area or drop-in area (you can see the little tooth here, which catches on the cam) has this slider mechanism which springs apart, so that when you turn the dial to zero, you turn a little butterfly knob in the middle of the dial, locking the dial in place but then allowing the nose to drop into the drop-in area. And the dial is locked such that you can turn the dial just far enough to open the lock but not far enough to hit the contact points. And so it's not actually possible to derive any useful information from this lock, and it is therefore not possible to manipulate it. Nobody, in fact, has ever been able to manipulate an 8400, to the best of my knowledge. There's no published technique, in any case.

Okay, so you're the KGB engineer whose job it is to figure out how to get all those lists of spies from the clutches of the CIA. What are you going to do?
You can't manipulate open the safes, and if they find out that the lists have been compromised, they'll get their spies out of there before you can catch them. Well, you can X-ray the safe. This sounds like the stuff of a spy movie, and in fact it is. The writers of one James Bond movie had the same idea, or at least heard about the technique, and featured it in Moonraker. There's no sound; I'm going to hook it up.

Now, in reality, you're not going to fit an X-ray machine into your cigarette case, but thanks to modern paranoia we have these things called portable package X-rays. This is one made by SAIC. The idea is that if you're an installation that cares about security, you think you might be getting pipe bombs in the mail. You can set this thing up in your mail room and X-ray all your packages and see that, in fact, there is a pipe bomb in this package. Well, if you get your hands on one of these and you put the detector behind the safe and the X-ray source in front of the safe and you play with the dial, you'll get a nice video feed of the wheels turning on your LCD screen, and you can line them up. Quite simple. You may not be able to have children afterwards, but you'll have opened your safe.

Now, like anything, there's a counter to this too. (And now the buzzing is going to disconnect my laptop.) So these guys at Sargent & Greenleaf said, okay, they're X-raying these safes; what can we do to prevent it? And a little war of wits ensued, in which people put lead ball bearings around the dials to absorb and scatter the X-rays, and people developed image-processing techniques to get around the ball bearings, and put more ball bearings in there, and everything else. And eventually the guys at Sargent & Greenleaf made their safe wheels out of plastic, Delrin in this case. Quite effective. Rumor has it the Soviets eventually came up with an X-ray machine good enough that they could even X-ray this lock. I don't know if that's true.
But say you don't have access to this crazy X-ray machine and you have to get the safe open. Say you're a locksmith who's been called to a client site, and you've been too lazy to learn manipulation, but you still want that 200 bucks of cold hard cash for getting that safe open. You can use a robot dialer. This is a device which will try every combination on the dial. Now, there are three numbers in the average combination on your basic safe lock, and the numbers range from 0 to 100, or 1 to 100, actually 0 to 99. So in theory that's one million possible combinations to try; rather a lot. Well, as it turns out, there are these things called mechanical tolerances. There's no such thing as a perfect lock. And in reality there might be 100,000 or 200,000 possible combinations that you actually have to try. And if you play around with your programming and you've got some clever engineers, you can in fact design your auto-dialer so that it doesn't have to dial each combination from scratch every time. You can dial 36, 45, 72; 36, 45, 75; 36, 45, 78; and so on and so forth, without having to re-dial the 36 and the 45, or whatever I said the first numbers were, so forget it. Well, okay, this will take about four to forty hours, which means you come in there on Friday night when they're closing up shop and feeling frustrated because everything's locked away in the safe. You say, okay, I'll bring out my magic robot dialer; you hook it up to the safe, you come back Monday morning and the safe is open.

The problem is, what if your customer is a really shady type and he figures whatever's in the safe is worth less than the robot dialer? And you don't really feel like leaving it at this particular shady customer's premises for the whole weekend for him to play with, or his kids. You can use robot manipulation. This is the Mas-Hamilton Soft Drill. It is a robot dialer with a brain. It has a very sensitive accelerometer mounted to the front of the safe.
You can see it right here. Basically it's a microphone, and it has a stepper motor with an optical encoder on the back right here, and a very fancy piece of A-to-D hardware connected to a laptop. And it will open a safe somewhere in 20 to 40 minutes. You could sit there reading your latest copy of Playboy. Now, the Mas-Hamilton Soft Drill isn't available anymore. It was about $6,500 when it was. It's only available to locksmiths, of course. But nevertheless, the existence of things like robot dialers and Soft Drills made the US government very, very nervous. Because it meant that maybe you couldn't do it now, or maybe you couldn't do it with existing tools, but maybe those pesky government agents from other governments could get into those safes protected by manipulation-proof locks without leaving a trace.

And so the same guys that did the Mas-Hamilton Soft Drill came up with the solution to the problem which they had created. The solution is this. It is an electronic safe lock called the Mas-Hamilton X-07; the current variation is the X-09. It is considered to be impregnable because it has a couple of tricky things. First of all, you never need to replace the battery. It is user-powered: turning the dial turns the generator. It has a Zener diode inside. If you spin the dial too quickly, with, say, a robot dialer, this Zener diode will fry, and the lock is now dead and you have to drill the safe. When you change direction, say you're dialing 36, 45, 72, every time you change direction you'll find yourself in a new part of the dial. Brand new uncharted territory. You stop at 36, you'll find yourself at 17 or 82 or 96; you never know. It has a true one million possible combinations. There's no such thing as tolerances in a CPU. They could make it 10 billion combinations if they wanted to, but that'd be one long combination to remember. It also has an audit trail.
If you're feeling particularly paranoid, this lock will tell you how many times it's been opened over its entire lifetime. You write this down on the bottom of your shoe or on your palm Friday night. You come in Monday morning and you check that this number hasn't changed. If you dial continuously for one and one-third turns without a pause of a quarter second, the lock will shut down. When you think about it, your arm can only twist so far, but a robot dialer can twist all it wants to, because it's a motor. So this thing can tell: a robot dialer doesn't have to stop to change its grip, but a human does. And so if it thinks you're a robot dialer, it will shut down. If you dial too quickly, if you enter the entire combination in less than 15 seconds, it will shut down. If you dial continuously, entering combinations for more than five minutes, i.e. you're dialing really slowly for a very long time without letting the lock power down, it will shut down. And of course, if you try 10 incorrect combinations in sequence, you have to wait a couple of minutes for this thing to reset itself.

It contains an Intel-designed CPU. They claim it's custom. You have a microprocessor driven by the stepper-motor generator, which also gives the dial position information, I think. It has a random number generator, which it uses to do all sorts of crazy internal encryption and reseeding; every time you change the dial turning direction, it will re-encrypt the memory. Speed-sensitive lockout, display unit. You have nine data lines going to the display. The manufacturer claims that you cannot get any useful information from those nine data lines. There's ROM, combination storage, and the usual. It was designed before people knew about differential power analysis, but it was designed by people who did know about differential power analysis.
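Editor's added example, not part of the talk and not Mas-Hamilton's code: a Python model of the robot-dialer lockouts just listed (more than one and one-third turns without a quarter-second pause, a whole combination in under 15 seconds, more than five minutes of continuous dialing, and ten wrong combinations in a row), run over constructed dial-event streams for a human, a spinning robot, a fast robot that pauses like a hand, and a slow grinder. The thresholds the talk states are used as given; the idle gap after which the self-powered lock is treated as powered down, and the length of the penalty wait, are assumptions.

```python
# Added example (not Mas-Hamilton's firmware): a model of the robot-dialer
# lockouts the talk lists for the X-07/X-09, run over constructed dial-event
# streams.  The thresholds the talk states are kept; the power-down gap and
# the penalty length are assumptions.

TURN = 100.0                  # graduations per full revolution
MAX_RUN_GRADS = TURN * 4 / 3  # 1 1/3 turns without a quarter-second pause
MIN_PAUSE = 0.25              # seconds of rest that count as a hand changing grip
MIN_COMBO_SECONDS = 15.0      # a whole combination faster than this is a robot
MAX_SESSION_SECONDS = 300.0   # five minutes of dialing without powering down
POWER_DOWN_GAP = 2.0          # assumption: idle seconds before the self-powered lock drops out
MAX_WRONG = 10                # wrong combinations in a row before a penalty wait
PENALTY_SECONDS = 120.0       # assumption for "a couple of minutes"


class DialGuard:
    def __init__(self):
        self.last_t = None         # time of the previous dial movement
        self.session_start = None  # first movement since the lock last powered down
        self.combo_start = None    # first movement of the combination now being dialed
        self.run_grads = 0.0       # rotation since the last quarter-second pause
        self.wrong = 0             # consecutive wrong combinations
        self.penalty_until = 0.0
        self.dead = False

    def _shutdown(self, reason):
        self.dead = True
        return "shutdown: " + reason

    def turn(self, t, grads):
        """The dial moved |grads| graduations, finishing at time t (seconds)."""
        if self.dead:
            return "shutdown"
        if self.last_t is None or t - self.last_t >= POWER_DOWN_GAP:
            self.session_start = t      # lock powered down in between: new session
            self.combo_start = t
            self.run_grads = 0.0
        elif t - self.last_t >= MIN_PAUSE:
            self.run_grads = 0.0        # a pause: the hand changed grip
        if self.combo_start is None:
            self.combo_start = t
        self.run_grads += abs(grads)
        self.last_t = t
        if self.run_grads > MAX_RUN_GRADS:
            return self._shutdown("over 1 1/3 turns without a pause")
        if t - self.session_start > MAX_SESSION_SECONDS:
            return self._shutdown("dialing continuously for over five minutes")
        return "ok"

    def attempt(self, t, correct):
        """A whole combination has been dialed and the bolt is tried at time t."""
        if self.dead:
            return "shutdown"
        if t < self.penalty_until:
            return "penalty"
        start, self.combo_start = self.combo_start, None
        if start is not None and t - start < MIN_COMBO_SECONDS:
            return self._shutdown("combination entered in under 15 seconds")
        if correct:
            self.wrong = 0
            return "open"
        self.wrong += 1
        if self.wrong >= MAX_WRONG:
            self.wrong = 0
            self.penalty_until = t + PENALTY_SECONDS
            return "penalty"
        return "wrong"


def run(events):
    """Feed ("turn", t, grads) and ("try", t, correct) events to a fresh guard
    and return the verdict for each event."""
    guard = DialGuard()
    return [guard.turn(t, v) if kind == "turn" else guard.attempt(t, v)
            for kind, t, v in events]


# Constructed event streams (not captured from a real lock).
HUMAN = [("turn", 0.5 * i, 10) for i in range(40)] + [("try", 21.0, False)]
ROBOT_SPIN = [("turn", 0.05 * i, 10) for i in range(20)]          # 200 graduations in one second, no pause
ROBOT_FAST = [("turn", 0.3 * i, 40) for i in range(10)] + [("try", 3.5, False)]  # pauses like a hand, done in 3.5 s
SLOW_GRIND = [("turn", 1.0 * i, 10) for i in range(310)]           # never more than a second between moves
TEN_WRONG = []
for k in range(10):
    TEN_WRONG += [("turn", 30.0 * k, 10), ("try", 30.0 * k + 16, False)]
TEN_WRONG += [("turn", 300.0, 10), ("try", 316.0, True),   # right combination, but inside the penalty
              ("turn", 410.0, 10), ("try", 426.0, True)]   # penalty over: opens

if __name__ == "__main__":
    for name, stream in [("human", HUMAN), ("robot spin", ROBOT_SPIN), ("robot fast", ROBOT_FAST),
                         ("slow grind", SLOW_GRIND), ("ten wrong", TEN_WRONG)]:
        print(name, [v for v in run(stream) if v != "ok"][:3])
```

Each rule keys on something a motor does differently from a hand: rotation between pauses, time per combination, and time per powered-up session. That is why a robot built to satisfy one rule (ROBOT_FAST stops every 0.3 seconds, so it never exceeds the rotation limit) still trips another (it finishes the combination in 3.5 seconds), and why the slow grinder, which looks human on both of those, is caught by the session clock.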
The committee of very smart people put in a whole bunch of these crazy features, which I'm not going to go into at the moment, but you can get this presentation online and read them for yourself. The idea being that if you have access to any wires in the lock, anything coming out of the lock, you will not be able to determine the combination. If you open the safe somehow, by breaking the lock somehow, and decide you want to get the combination out of the lock so that you can set a new lock to that combination and replace the broken lock so that no one will be the wiser, this lock is designed so you cannot determine the actual combination, even if you have the lock in your hand. And just to make life even more of a pain in the ass, everything is potted. It's potted in a compound that has UV-fluorescent particles in it, which are photographed when the lock is installed and compared, whenever people are feeling paranoid, to the file photograph. Rather like a unique fingerprint. If you made a robot dialer to open this lock, used OCR or tapped into those data lines, to get through half the combination space would take you about 190 days. To quote the guy that was up here in the previous talk, who wrote the great book on these subjects, in reality there's no such thing as a surreptitious entry. If you don't have the combination, you're not going to get into the safe. You will not open the lock. You can drill the safe, but you can't open the lock.

All right, so this is more or less impregnable. What about an easier way of getting into safes? What if, say, you're not going into a government agency which has these things everywhere, but you just want to get the contents of a safe? Occasionally people buy safes that aren't top quality, and manufacturers make safes that aren't top quality. And they tell their design engineers, make a cheap safe.
Don't necessarily make a good safe, but make it cheap, so that we can get a good profit on it; we can sell it cheap and lots of people will buy it. And as a result, there are design flaws in some safes. There is one European manufacturer, a comparatively little-known one, which I'm not going to name, which designed a rather nice four-digit combination lock, so 10 or 100 million possible combinations in theory, that in fact only had 100 possible combinations. And someone who owned this safe, or sold these safes, happened to open it up, took a look inside the door and said, there's something wrong with this lock. And he wrote a program: if you find the drop-in area, which takes about 10 seconds, and enter that location, the drop-in area, into the program, it will give you the rest of the combination. I wouldn't buy that safe if I were you.

So, are safes secure? I mean, that's really the big question. You're putting your cash, gold bullion, drugs, precious family heirlooms, you know, Henry the 16th cognac, whatever, into the care of this manufacturer by buying their safe and putting your stuff inside of it. Safes have been in development for a very long time, and this is a very well understood field. Buy a quality insurance-rated safe and a burglar alarm, because you can get into any safe; it simply takes time. Safes are a means of slowing the burglar down to the point that the cops will get there before the burglar has got the safe open. That is what a safe does. If the safe is somewhere in the middle of nowhere and you have no burglar alarm, then that safe had better be sturdy enough that the effort to get into it will be so great that it's not worth it compared to the value of the contents inside. If you buy a high-security safe, if you decide to go into the jewelry business, for example, you need to know what kind of safe you're going to get.
But you will also, if you get a high-security safe, know exactly how long it will take a burglar, at the very least, to get into that safe, so that you can then make sure the cops get there in time, that your alarm system is good enough, that the signal, that the whole chain of events ending in the cops showing up with guns drawn, or sleepily walking in with a donut in their hand, will happen quickly enough to catch that burglar in his tracks. If you get a high-security safe, a really good safe will be UL-rated. Underwriters Laboratories test safes, just like in that first slide with that flaming thermic lance, and they rate safes according to what they can withstand. TL-15, the basic rating, the basic high-security safe, means that with tools (drill, chisel, hammer, pry bar, whatever) it will take at least 15 minutes to get into that safe. TL-30 is exactly the same: it'll take 30 minutes to get into that safe. A TRTL-rated safe means that the rating applies even if the burglar's not only using tools but also using a torch or thermic lance. You know, he's got his cutting torch out, the big oxy-acetylene tanks, things like that, and it'll take him 15 minutes or half an hour to get into that safe. TXTL means he gets to use explosives too. And of course, the slower the cops, the bigger the safe you get to get, and the more expensive and the heavier. TL-rated safes start at 750 pounds. I hope your floor is sturdy.

Standard safe locks are rated for two hours of manipulation resistance. This means that this long and involved process of manipulation, which I demonstrated or talked about earlier, will take two hours. There are people who can do it more quickly. At the Safe and Vault Technicians Association conference there is an annual speed manipulation contest, like the speed picking contest here at our very own convention. And people have been known to manipulate these locks open in five minutes. They've also been doing it for 30 years and have uncanny talent.
But with a normal safe lock, you can assume it will take about two hours to get it open. Or 10 hours if you're an amateur and don't know what you're doing. But above all, fire safes are not burglary safes. You'll see this over and over again, and it's really true. Your average Sentry fire safe can be opened with a pry bar and a drill in a minute or two. A cheap, not-even-fire-resistant safe can be opened with a can opener. I'm not kidding; I've seen a video. You don't want to keep your stuff in there. So buy a good safe.

If you want to find out a little more about how to manipulate safes, how to crack safes, Locks, Safes and Security is the book, the reference; the Dutch call it the Bible, the Dutch lock pickers anyway. If you buy one book, drop your 200 bucks on this one, or 250 if you get the electronic version, whatever; I don't know, the price is 225, 250. It's highly worth it. The electronic version is normally 350 if you don't get it at the conference. This way you get a search function, you get instructional how-to videos, all sorts of fun things. If you can't afford Locks, Safes and Security, there is Safecracking for the Computer Scientist. This is Matt Blaze's excellent free guide, at crypto.com/papers. It is a free guide with great pictures. I stole a lot of pictures in this talk from that paper, which will tell you what you need to do to manipulate open a lock. If you decide to go into the business, there's the National Locksmith Guide to Manipulation, which talks a lot about the in-depth details, you know, how safe locks can fail, different kinds. You know, there are a number of different kinds to watch out for, Yale friction fence and crazy things like that, which is definitely aimed at the practicing locksmith. If you want to find out more, you can send me an email; manipulation.proof@gmail.com is my email address. Questions?