 Hello, everyone. Thank you very much for coming to this talk. We're going to attempt to crack this safe in the next 45 minutes. We could have made the safe cracker faster, but then how would we get a 45 minute time slot? So we're going to do the best we can. These guys are still setting up. As you can see, it's kind of a big setup, but we're going to go through the technical aspects of how we built it. I am Nathan. This is Joel and that's Rob. So a little background. If you may know a company called Sparkfun Electronics. About 15 years ago in 2002, I started Sparkfun Electronics in a little room. Hopefully you can see it. This was student housing. There was like 15 of us in this house. I started shipping little electronics out of my bedroom, freaking out my roommates. Here we are today. Pretty advanced website. We have about 2,000 products that we sell. About 500 of those are open source hardware. So today, what Sparkfun does is we design little development boards and technology and then we build projects using that technology to demonstrate it and inspire other folks. So this is an example of a LiDAR with an Arduino shield and a couple of segment displays. And you can see if you have distant... No slides. I'm going to do an interpretive dance for all the slides. So I don't know if you can hear that noise, but I still have nightmares with that noise. We've been working on this a lot. But I'll wave my hands. So what the robot is doing, as you can see, if you can see, there's a dial on the front and there's a servo pulling on the handle. So while we set up here, we attached the robot using magnets. So the idea is that there's no glue, there's no drilling, there's nothing to make it so that you would, if we did it right, okay, we got slides. I don't know if we're going to have this video feed up, but hopefully they'll work on that. In the meantime, I'm going to stream through this thing. So I'm Nathan, that's Joel, that's Rob. This is what Sparkfun looked like 15 years ago, student housing, 15 people in this house. This is what our website looks like. Cool. This is, we build technology. This is a LiDAR with a couple of segment displays and you have distance out to about 40 feet, right? And so if you take multiple measurements per second, then you can turn that into speed. So this is a speed trap. You run at the wall and see how fast you can get that number up to. And in the lower right hand corner, you can see the hand print. We're lucky no one's cracked the drywall yet. This is another thing I built a speedbag detector. So you hit the speedbag and vibrations from the platform using an accelerometer. You can count the number of speedbag hits. That helped me train for an amateur boxing match. I am undefeated one in zero amateur boxer. Beehive we hacked. So we took a bathroom scale, hacked it, attached it to wifi and you can see the weight of the beehive change over time. It's actually sawtooth. Because every morning, five pounds of bees leave the hive and they come back during the day and then they leave again. Kind of interesting. Power wheels. My wife and I, this is my beautiful wife, like to hack things. So we hack the power wheels up to about 48 volts. Bunch of sensors, laser distance sensors. It's an autonomous power wheels that does about 18 miles an hour. This is all to say, I am a hardware geek. I don't know software. My wife had to explain this cartoon to me. I'm sorry. Then she asked me for a sandwich. Okay. You're all here today to figure out how to make these look like this. Now the story behind this thing is, I'm really into puzzles and my wife found a safe on Craigslist for $20. It was so cheap because the owner of that safe did not have the combination. They had lost it. You can hire a locksmith to open it up for you. But the owner was just like, forget it. I'm just going to kick it to Craigslist and my wife bought it. Give it to me for Christmas. And I said, hey, we got to build a robot to open this thing up. And we're doing good. All right. And then we built it. We livestreamed it on YouTube, which was the second dumbest thing I've done in my life. The dumbest thing I've done in my life is demo Defcon. So we opened this safe in 41 minutes. Okay. Now, this safe is really cool, but I'm going to give you a little animation about how safe combination locks work. Little background. There we go. Okay. There is three discs. The A disc, the B disc, and the C disc. Lovely. All right. So the C disc is that blue one that's got the notches in it. The green disc is disc B, disc A. Now the first thing you need to know is that disc C is directly attached to the dial. So when you twist that dial, you're only turning disc C. Now, after a while, disc C has these dots on it. And those dots will interfere with the dots on disc B. And so that's how you turn disc B. Continuing to turn, you turn disc A. You line up those slots and you can unlock the safe. Okay. I have to go back. It's going to be important later on. Starting in the top left-hand corner, this thing runs on an Arduino. It's not a Raspberry Pi. It's not some heavy lifting single board computer. It's just an 8-bit microcontroller, which means we can make this thing portable. Next up, we've got three magnets that help it stick to the safe. Power supply. That is just an AT power supply, common 12 volts, 5 volts. You find it really often with external hard drives. Really cheap. It provides us a couple amps on the 12 volt and 5 volt rails. Next is the erector set from a company called Actobotix. That makes it really handy so we can reconfigure the robot as we need it. For instance, if you have the dial in different place or the handle in different place, you can rejigger it real quickly to make those two things fit. The motor has 8,400 ticks. What that means is it's a DC motor that spins really fast. But on the back end of it, it's got an encoder. So it's a magnet that passes a Hall Effect Sensor. That motor turns at, like, I don't know, 10,000 RPM. On the front of that, there's a gear head that gears it down to a single rotation. So 8,400 turns of the magnet equal one rotation of the head. So we take a 100-digit dial and we split it into 8,400 individual segments. Okay? So that's the motor. Next we have a servo with feedback. So that's the servo that pulls on the handle and tells us when the handle is pulled down. And let's see. Next step of building this thing is we had to 3D model the servo safe. From that, we were able to print a 3D print a coupler. So that coupler fits onto the dial really nicely and tightly. You can see the little flag sticking off of it. We use that in a photo gate. So there's a photo gate attached to the Arduino that looks for that flag and sees when it breaks the beam. When it breaks the beam, it knows that it is, well, it knows the flag is there. And then it asks the human, hey, what number am I at? The human types in 62 and says, okay, I know where 62 is. It can immediately go to zero. So it's a way that we kind of calibrate and home the dial. This is what the handle puller looks like. So we have a spring that pulls back, pulls the handle back up. We have a servo with this cool nautilus gear. That allows us to maintain constant torque while we're pulling on the handle. And then we have some very fancy string that you can get from anywhere that attached the servo head. And again, we've got analog feedback on that servo. The way that you do that is you take any off the shelf servo, you open it up and there's a potentiometer in there. You solder to the center point of that potentiometer and you can see, you get an analog voltage that is in relation to where the head is. So now we can say, okay, the head is at 45 degrees or it's at 90 degrees and from that we can tell when the handle is open. This is what the electronics look like. Top left corner, motor driver. It's a 15 amp motor driver because this motor pulls a couple amps so it's overrated but that's good because we don't want it to get hot. Underneath we've got an Arduino. It's just a red board. That's the board that Sparkphone makes. We've got a buzzer, piezo buzzer so that it can beep and let us know whenever the safe is open. We initially designed a current sensor into the board thinking that we would look at how much current this motor was using to tell when it started to stall. We found out that it's actually a lot faster to see the encoder stop. So when we tell the motor to do something, if we ever see the encoder ever stop turning, it's about 100 milliseconds before we see the current increase. So we don't actually use the current sensor, we just look at the encoder. Next is that 12 volt external hard drive power supply. Next we have the motor control and feedback. So motors are pretty simple, right? You give 4 in 1 direction and the motor starts turning. In this case it's got a couple more pins because it's giving us feedback that gives us access to that encoder. So we can read the encoder, we can power the motor, we can switch directions on the motor so that we can turn the dial in different directions. Next up we've got a display and I'm just going to check it out real quick. Currently we're testing 18 1693. So that's a display, 7th segment display with a bunch of segments. The display is three wire. So it's serial, just going to the display. Next is that home photo gate. So it's a really simple photo interrupter. You power it and whenever it breaks the beam you can see that pin go low. So we tell the head to turn until we see that beam broken and we know that the flag is there. Next up we have a go button. So we wanted to make this thing as autonomous as possible. You'll see a red button on the robot. So we enter it, we can hit the red button and it starts doing its thing. Next up is the servo and feedback. Again that's where we attach the servo to find out where the handle is at. Now we had to connect all these things together. So this is pretty simple schematic, right? There's not a lot going on. It's just a whole series of connectors and making sure that the servo and the buttons and everything are connected to the right spot on the Arduino. We could have done this but it's not going to make it very portable and not very reliable. So this is the schematic. You can see in the bottom center is that gear logo. I don't know how many people are familiar with open source hardware. This is, yeah, yeah, awesome. The open source hardware association. This, you can take this design, you can modify it, you can copy it, you can sell it, you can do whatever the heck you want with it. And that's the same for all SparkFun products. We believe that everything should be open source hardware. If you can learn from me then I can learn from you and we can build upon each other's work. So this is all open source, this is the schematic. And then we turn it into a printed circuit board. So this is a really simple printed circuit board. It's two-sided but the traces are huge and it's all through whole soldering and it's really pretty straightforward. So that's the PCB. Now let's talk a little bit about the keys and how we will hopefully get this thing open quickly. There is about two combinations on a given safe. And the reason that is is you've got to dial 0 to 99, so it's 100 times 100 times 100, that's a million. If a human walks up to a safe, you think about it, you've got to clear the dial, right? And then you've got to dial in the first one, you've got to dial in the second one, you've got to do that. So worst case, if we were to brute force this, it would take 115 days of nonstop trying every 10 seconds. So the first exploit we came about was how we could reduce the overall keyset. And I don't know if you've noticed but we are only testing 93 over and over and over again. Why is that? That's because oh, let me take one step back. So 100 times 100, we can actually reduce that a little bit. They design the safes so that if the digit is say 56, humans are really bad at doing fine stuff. So it's hard to get 56 just right. So they design the safes at 57 and 55 will work. So it's a three-digit window, so we're not actually trying 100, we just have to hit that middle digit. So we're doing 333 times 333 times 333. It's still four days. It's mind numbingly slow. So this is what the inside of the safe looks like. There are three dials and the two white ones and the black one. If you see that black one, it's got a bunch of indents on it. And that's what we call those little indentations. And those are there at the bottom. Yeah. So there are 11 small indents and then there's one large indent and that's the solution slot. So we know that one of those 12 indents has to be the solution slot. So we don't need to try all 33 digits on the last disk. We only need to try 12 on disk C. That's the black disk. So now we've reduced the solution set 33 times 33 times 12, still at one and a half days. So when the kicker came when I took apart the safe and found out that the solution indent on this older model safe is slightly different in size. So that small indent is about 10 thousandths of an inch smaller than the other 11 shallow indents. So from the outside of the safe, if we have a sensitive enough motor, we can measure those indents and find the skinniest indent. So if we can do that, then we can take disk C down to one. We have the solution number within about 20 seconds. So if disk C has the skinny indent, we take 33 times 33 times 1, we're now down to about three hour test time. So the first thing I want to show you, well, no, I got to show you all sorts of stuff, but this is the model safe that we had back in Boulder that we got on Craigslist. And it's really cool and that's the one we cracked open, worked well. The problem is that we wanted to do this demo at DEF CON. This safe is about 10 years old. You can no longer get this model safe. Awesome. So we looked around and said, well, what is the model of safe we can buy at... What's that? We're good. Okay. What's the model safe that we can buy here in Vegas? We bought this safe at Home Depot. This is the model you can get readily in Vegas. Now, something should jump out at you about this picture. What is it? There's keys. Where the hell did those come from? Those weren't on the original model safe. So when we found... We saw the model safe in Vegas, we're like, okay, cool, let's get the same model in Boulder. I buy this same model in Boulder where we're from and I take it up to Rob's office and I'm like, hey, we got the safe and I'm like, oh my God, what is... There's keys now? This isn't going to work. I know the DEF CON audience is really understanding about demos, but we can't just show up with a robot that doesn't work. How are we going to open this lock? Well, anybody who knows tubular locks, right? This is the first time in my life where I used a big pen to open a lock. It works really well. It's incredible. So sure enough if you find this safe and you need to get it open, build one of these robots and bring a big pen with you. That's all you need. So inside this safe, again, we've never opened this safe. We bought it yesterday. God, I hope we get it open. But this is what the inside of our safe, same model, in Boulder looks like. Same 12 indents, all plastic. Now the interesting thing about this disc C is that the solution slot is actually 50,000 of an inch larger than all the other indents. That may not sound like a lot but that's 54 ticks on the encoder. That's a huge gaping. It's such a sore thumb, it sticks out at you. So this is what it looks like. How we measure the indents. So the robot will spin the discs to an indent and then it'll apply pressure on the handle and rock the wheel back and forth. Now remember the encoder is giving us feedback. So we can say, okay, the encoder is at 17 and then it went to 312. And then we do the subtraction and we say, okay, that indent is this many ticks wide. And we do that for each indent. And I think yep. We'll eventually do the solution slot. Measures that. Got it? Okay. That's how you measure the indents. Now we're not trying anything yet but we are establishing what those indent widths are. This is what the output from the terminal looks like. Nothing may jump out at you except for that. The width of that indent is like a sore thumb. It's much bigger than any of the other indents. So our software says, okay, cool. The largest indent number is 6. That is the number I'm going to try for all the other combinations. So in this case we think the indent is 93. We're really, really hoping the solution works. We're going to see if it works or not. We're pretty sure. So we know we have the solution to disc C. It's 33 times 33. It still takes about three hours. So how are we going to do this in under 45 minutes? There's some other things we can do. How can we get the test time down from 10 seconds to something shorter? This is something we created called set testing. So we've got the test per test. We can even go a little bit faster than that. But let me demonstrate what set testing is because it's a little complicated. Well, it's not complicated. It's hard to describe. So this, I'm going to play this animation again, but disc C is the blue disc. Disc B is the green disc. Now we have those interference points, right? To test as quickly as possible I shouldn't reset all the discs. I'm a robot. I know exactly where the discs are. So I shouldn't have to reset B. I tested C and now I'm going to turn C until it interferes with B. B will move three digits and then C returns to where it needs to be and we test again. So we do this. We turn B we bring it back. We turn B we bring it back. And I want to show you the next video of that in practice. Set testing measurement. Okay. So this is the robot set testing. So we test. We move the disc. We test. We move the disc. We test and you can see that slot opens up a little bit and keeps going and we go right through it. Now realize that this is just a quick little video but we're testing a large number of combinations in the 10 seconds it takes to watch this video. We're screaming through combinations quickly so we can. Okay. So if we can get to the set time test time per combination down to about four seconds, how are we going to get it down to 45 minutes? We can. It's all luck. Right? It's to the demo gods at DEF CON to try to get this thing open in 45 minutes. It's not an exploit. It's just luck. So you may ask yourself, okay, how can we improve upon this technology? How do I protect myself? Well, there's a couple of things. If you don't like combination locks, get one with a keypad. Right? The one in the middle is a keypad. My robot does not work on keypads. However, before you buy the model of safe in the middle, I suggest you search for it on the Internet because that safe can be opened faster than we can open this one. You take a high power magnet. You take it on the outside and there's a solenoid that when you type in the keypad, that solenoid pulls the pin and you can open the safe. Well, you can activate the solenoid using that magnet from the outside and you can open the safe in a couple seconds. Do your research. Well, Nathan, I could just spend more money on a safe. Yes, you could. There's lots of very good secure safes out there for, you know, $1,000. You can get a safe that doesn't have plastic internals. Right? This safe is the most common model at Home Depot Lowes, all the other places. So this is the one we wanted to exploit and this is probably the one that everyone has. However, if you spend a whole bunch of money, you can get a jeweler safe, you can also get the SG6730. The interesting thing about this is that the only people that buy this are locksmiths because they're the only ones that can actually dial in the single digit combination. Remember, our safe has that plus or minus one digit, so if you dial in 56 and it's supposed to be 55, it's still going to work, this lock, you have to be dead on and it's so safe that users can't open their own safe. And there's always somebody around with a thermal lance. No matter how much money you spend on a safe, nothing is impervious. So a few things about future research. We found out that there's two aspects, two motors on our robot. One is the motor that spins the dial, the other one pulls on the handle. We have a very sensitive motor that turns the dial. We can also get a very sensitive servo that pulls on the handle. Giving us feedback about how far down that handle has been pulled. Let's see. Based on the depth at which the handle is going, we ought to be able to glean some information about the disks inside the safe. I don't know if we can or not, but we can get depth feedback from the servo. Something to look into. Another one, this is my friend TJ. This is an idea called impulse response. We ought to be able to slam the arm into the disks and listen to what it sounds like. If there's three pieces of plastic there, we should hear one sound. Humans probably won't be able to detect this, but a computer could look at and do the analysis and say, ah, there's three pieces of plastic there. Or in this case, you can barely see that there's one slot lined up. So whenever we slam into it, there's only two pieces of plastic. We should have a different impulse response. If we can make this happen, then I won't have to stand next to a safe that isn't open. We should be able to open it up a lot faster. Next, we have a 3D printed coupler that works with this dial. So if you want to hack into a safe, you have to get measurements of that safe, measurements of that dial, or on a safe similar to it. In this case, there are really interesting grabbers. This is from iRobot, and it's basically a balloon filled full of coffee grounds. You press it up against the thing, you then suck the air out of the balloon, and it turns into a hard gripper. So you can grip all sorts of different objects in different shapes, a few shown here. We may be able to create a coupler that you shove onto the disk, you evacuate the air, and then you have a very tight grip on whatever dial, any size or shape dial you've got. Another thing, the next safe that we would like to work on is the keypad safe. So these are the ones you often find in the hotel room, or the one I suggested before, there are combination to the safe. Okay, I'm done now. Lastly, we ought to be able to see the tactile feedback of buttons. So using a load cell on a pen, we ought to be able to press the button and see where the tactile force fails, and from that, you can see which buttons have been worn out. In theory, this is future research. Not sure if we can, but we've done a lot with load cells, and this is a common testing method for tactile feedback of buttons. It might work. Yeah, and then once you have the number of buttons figured out, it's just infectorial. This is all really boring compared to that. So yeah, I'm, that's all I got.