Programming a Texecom Premier Elite 12-W using a FTDI cable

The Texecom Premier Elite series of alarms can be programmed using Windows software called Wintex. This makes setting up these alarms far easier than using the keypad menus – they have hundreds of options and settings.

Texecom sell two products to connect to these alarms using Wintex – PC-COM (a serial port adapter, ~£20) and USB-COM (a USB to serial adapter, ~£35). I strongly suspected these were just serial TTL converters, but I was concerned that there might be some jiggery pokery stopping this from working. Some software requires very specific VID (vendor ID) and PID (product ID) values on the USB device. Some software uses custom drivers. Others use microcontrollers and obfuscation to make sure you buy the genuine product.

As an avid hardware hacker, I have a lot of USB to TTL serial converters. The most useful (and reliable, in terms of drivers) are FTDI cables based on the FT232R chips. Genuine cables are ~£14, breakout boards can be as low as £2 on eBay. So let’s try and get connected to the Premier Elite 12-W using this cable.

There are two ports on the Premier Elite board – Com Port 1 and Com Port 2. These are 5 pin Molex connectors with only 4 pins populated. There didn’t seem to be a direct pin-out in the manual, so from the manual and with a multimeter we have:

  • Pin 1 – 12V
  • Pin 2 – nothing
  • Pin 3 – GND
  • Pin 4 – Receive
  • Pin 5 – Transmit

Com port 1 and 2


Signalling appears to be 5V. So, get out the 5V FTDI cable (they come in different voltages):

A 5V FTDI cable


  • Pin 1 – GND
  • Pin 2 – Don’t care
  • Pin 3 – Don’t care
  • Pin 4 – Transmit
  • Pin 5 – Receive
  • Pin 6 – Don’t care

We then need to connect transmit to receive, receive to transmit, and common ground. This terminology might be at odds with alarm equipment – RS485 buses often label one wire “T” and it means transmit on the master, receive on the slave. I suspect this simplifies wiring as you just connect all “T” wires.

So, to connect the two:

Texecom – FTDI

  • Pin 3 GND – Pin 1 GND
  • Pin 4 Receive – Pin 4 Transmit
  • Pin 5 Transmit – Pin 5 Receive

Just be cautious of the 12V on pin 1 of the alarm board – sending this up the chuff of your PC will result in damage.

Using jumper cables, you could make up a proper cable


Find out which COM port the FTDI cable is using (generally go into Device Manager, and it will be listed there).

COM6 is my FTDI cable


Go into Wintex and change the PC-COM port to this COM port:

Change Wintex to use COM6


Connect, receive settings, change settings, and monitor Ricochet devices to your heart’s content!

And start setting things up

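The step above that matters most in practice is finding which COM port the FTDI cable has been given, and confirming the cable itself is good before anything is wired to the panel. The script below is an added example and is not from the original post or from Texecom: it picks out FTDI-backed ports by USB vendor ID (0x0403 is FTDI's real vendor ID, 0x6001 the FT232R's product ID), and then runs a loopback check in which the cable's own Transmit and Receive pins are shorted together so that whatever is written should be read straight back. It assumes pyserial is installed for the two functions that touch real hardware; the sample port list is constructed, and the 9600 baud rate is an arbitrary choice (a loopback does not care).

```python
"""Find the FTDI cable's COM port and loopback-test it before wiring it up.

Added example (not from the original post or Texecom).  Assumes pyserial
for the hardware-facing functions; the FTDI IDs are the real USB IDs,
the SAMPLE_PORTS list is a constructed stand-in for a port scan.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

FTDI_VID = 0x0403    # USB vendor ID assigned to FTDI
FT232R_PID = 0x6001  # product ID of the FT232R used in the common FTDI cables


@dataclass(frozen=True)
class PortInfo:
    device: str               # "COM6" on Windows, "/dev/ttyUSB0" on Linux
    vid: Optional[int]
    pid: Optional[int]
    description: str = ""


# Constructed sample of what a port scan might return (hypothetical machine).
SAMPLE_PORTS: List[PortInfo] = [
    PortInfo("COM1", None, None, "Communications Port"),
    PortInfo("COM4", 0x2341, 0x0043, "Arduino Uno"),
    PortInfo("COM7", 0x0403, 0x6015, "FT231X USB UART"),
    PortInfo("COM6", 0x0403, 0x6001, "USB Serial Port"),
]


def is_ftdi(port: PortInfo) -> bool:
    """True when the port's USB vendor ID belongs to FTDI."""
    return port.vid == FTDI_VID


def find_ftdi_ports(ports: List[PortInfo]) -> List[PortInfo]:
    """Return the FTDI-backed ports, FT232R cables first, then by device name."""
    ftdi = [p for p in ports if is_ftdi(p)]
    return sorted(ftdi, key=lambda p: (p.pid != FT232R_PID, p.device))


def enumerate_ports() -> List[PortInfo]:
    """Read the live port list via pyserial (imported lazily so the pure
    helpers above also work on a machine without it)."""
    from serial.tools import list_ports  # pyserial
    return [PortInfo(p.device, p.vid, p.pid, p.description or "")
            for p in list_ports.comports()]


def loopback_ok(device: str, baud: int = 9600,
                payload: bytes = b"texecom-loopback") -> bool:
    """With the cable's TX and RX pins shorted together, whatever we send
    should come straight back.  A pass proves the port, the driver and the
    cable's own wiring before the alarm panel is connected."""
    import serial  # pyserial
    with serial.Serial(device, baud, timeout=1) as s:
        s.reset_input_buffer()
        s.write(payload)
        s.flush()
        return s.read(len(payload)) == payload


if __name__ == "__main__":
    found = find_ftdi_ports(enumerate_ports())
    if not found:
        print("no FTDI cable found")
    for p in found:
        print(f"{p.device}: VID={p.vid:04x} PID={p.pid:04x} {p.description}")
        print("  loopback:", "ok" if loopback_ok(p.device) else "FAILED")
```

Run the loopback with only the cable's pins 4 and 5 bridged; a failure at this stage is a driver or cable problem, not a panel problem, which is worth knowing before pin 1's 12V is anywhere near the cable.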

First look at the TI MSP-SA430-SUB1GHZ spectrum analyser

TI are running a “Back to school” promotion, and as part for this they are selling a simple sub-1GHz spectrum analyser for $25 (with free shipping to the UK).

It uses a CC430 chip, which is an MSP430 microcontroller plus an RF front-end. Seems like a deal, and could be used for something like RFCat.

It turned up in a couple of days, marked as a “Sample” so no duty or VAT to pay.

It’s in a nice plastic case, which I immediately ripped off.

Construction is good quality – the SMA connector is bolted on, big ground planes.

PCB

It connects to a PC using USB, with cable supplied. There is also a SMA antenna provided:

Unit out of case

You can download the spectrum analyser software from the TI site, although it does come with a CD as well. This is our baby monitor transmitting white noise:

Spectrum analyser

I’ve only had a quick play about with it… it works, sort of. It’s buggy though and certainly not as good as the software that comes with the RF Explorer.

Key points:

  • Covers 300-348MHz, 389-464MHz and 779-928MHz – quite gappy but covers ISM.
  • Relatively quick to update on the screen.
  • Can configure frequency, span, RBW and FSW. Minimum span is 0.2MHz, minimum RBW is 58kHz, minimum FSW is 1kHz. It seems that a lot of values here cause no display – span of 0.5MHz stops the display working.
  • Does realtime, max, average display.
  • Numeric entry validation is really irritating – it limits you whilst entering the value rather than after.
  • A lot of the UI doesn’t seem to like Windows 8 with scaling set to anything other than 100%.
  • Crashes relatively frequently.
  • Mentions firmware and calibration data in the app, so it might be relatively well calibrated.
  • Source code for the app is available.

I’d be annoyed if I spent $250, but it’s great for £25. There is a lack of documentation on the hardware – there are a lot of passives between the SMA and CC430. It would be nice if this could be used for transmit as well as receive but I expect the passives will get in the way.

Straight Pride UK having a shot at the Streisand effect

A blogger called Oliver Hotham emailed a set of questions to an organisation called “Straight Pride UK”. They responded, Oliver blogged about it, and then was served with a DMCA takedown notice. WordPress generally just give in to these.

Oliver decided he didn’t want trouble – WordPress said his whole blog would be suspended if he posted it again. Ian at Technovia made the content available again. I’m mirroring it here. It would be great if more people could do the same – the more people that share this, the less can be done.

Oliver’s original post

There has never been a better time to be gay in this country. LGBTI people will soon enjoy full marriage equality, public acceptance of homosexuality is at an all time high, and generally a consensus has developed that it’s really not that big of a deal what consenting adults do in the privacy of their bedrooms. The debate on Gay Marriage in the House of Commons was marred by a few old reactionaries, true, but generally it’s become accepted that full rights for LGBTI people is inevitable and desirable. Thank God.

But some are deeply troubled by this unfaltering march toward common decency, and they call themselves the Straight Pride movement.

Determined to raise awareness of the “heterosexual part of our society”, Straight Pride believe that a militant gay lobby has hijacked the debate on sexuality in this country, and encourage their members, among other things, to “come out” as straight, posting on their Facebook page that:

“Coming out as Straight or heterosexual in todays politically correct world is an extremely challenging experience. It is often distressing and evokes emotions of fear, relief, pride and embarrassment.”

I asked them some questions.

First of all, what prompted you to set up Straight Pride UK? 

Straight Pride is a small group of heterosexual individuals who joined together after seeing the rights of people who have opposing views to homosexuality trampled over and, quite frankly, oppressed.

With the current political situation in the United Kingdom with Gay Marriage passing, everyone is being forced to accept homosexuals, and other chosen lifestyles and behaviours, no matter their opposing views. Straight Pride has seen people sued, and businesses affected, all because the homosexual community do not like people having a view or opinion that differs from theirs.

Are your beliefs linked to religion? How many of you derive your views from scripture?

Straight Pride aims are neutral and we do not follow religion, but we do support people who are oppressed for being religious. Only today, Straight Pride see that two homosexual parents are planning to sue the Church because they ‘cannot get what they want’. This is aggressive behaviour and this is the reason why people have strong objections to homosexuals.

You say that one of your goals is “to raise awareness of the heterosexual part of society”. Why do you feel this is necessary? 

The Straight Pride mission is to make sure that the default setting for humanity is not forgotten and that heterosexuals are allowed to have a voice and speak out against being oppressed because of the politically correct Government.

Straight Pride feel the need to raise awareness of heterosexuality, family values, morals, and traditional lifestyles and relationships.

Your website states that “Homosexuals have more rights than others”. What rights specifically do LGBTI people have that straight people are denied?

Homosexuals do currently have more rights than heterosexuals, their rights can trump those of others, religious or not. Heterosexuals cannot speak out against homosexuals, but homosexuals are free to call people bigots who don’t agree with homosexuality, heterosexuals, religious or not, cannot refuse to serve or accommodate homosexuals, if they do, they face being sued, this has already happened.

Straight Pride believe anyone should be able to refuse service and speak out against something they do not like or support.

There is a hotel in the south of England, called Hamilton Hall which only accepts homosexuals – if this is allowed, then hotels should have the choice and right to who they accommodate.

What has been the response to your campaign?

The response to Straight Pride’s formation has been as expected; hostile, threatening, and aggressive. Homosexuals do not like anyone challenging them or their behaviour.

We have had support from many people saying that if homosexuals can have a Pride March, and then equality should allow Heterosexuals to have one too. After all, the homosexual movement want everyone to have equality.

Why would you say that heterosexuality is the “natural orientation”?

Heterosexuality is the default setting for the human race, this is what creates life, if everyone made the decision to be homosexual, life would stop. People are radicalised to become homosexual, it is promoted to be ‘okay’ and right by the many groups that have sprung up.

Marriage is a man and a woman, homosexuals had Civil Partnerships, which was identical to Marriage with all the same rights, they wanted to destroy Marriage and have successfully done so.

If you could pick one historical figure to be the symbol of straight pride (just as figures like Alan Turing, Judith Butler or Peter Tatchell would be for Gay Pride) which would you choose?

Straight Pride would praise Margaret Thatcher for her stance on Section 28, which meant that children were not taught about homosexuality, as this should not be on the curriculum.

More recently, Straight Pride admire President Vladimir Putin of Russia for his stance and support of his country’s traditional values.

How do you react to anti-gay attacks and movements in Russia and parts of Africa? 

Straight Pride support what Russia and Africa are doing, these countries have morals and are listening to their majorities. These countries are not ‘anti-gay’ – that is a term always used by the Homosexual Agenda to play the victim and suppress opinions and views of those against it.

These countries have passed laws, these laws are to be respected and no other country should interfere with another country’s laws or legislation.

We have country wide events which our members attend, and ask people their opinions and views; one such event at Glastonbury this year was very positive, with the majority of people we asked replying that they were happily heterosexual.

For the record, Straight Pride did not respond to these questions:

“Pride” movements such as Gay Pride and Black Pride were making the argument that the stigma against them meant that proclaiming their “pride” was an act of liberation from oppression. Can being heterosexual really compare?

A problem that Gay rights activists cite is the issue of bullying, and the effect this can have on young LGBT people. Do you think a similar problem exists with straight children being bullied by gay children? 

I will obviously add to this if they do respond.

You can follow Straight Pride on Twitter here and see their Facebook page here.

Reverse engineering Megamos Crypto?

Some of you might have read the stories going around a few weeks ago – “Scientist banned from revealing codes used to start luxury cars”. The short of it is that a security researcher has had an injunction imposed on him, preventing him from publishing a paper. The paper reveals security problems in the Megamos Crypto system used in the immobiliser system of many cars. Volkswagen are not happy – it really seems they want this shut down.

(As an aside, I hate the way that mainstream media refers to “codes” – it can mean source code, executables, an algorithm, or even a secret key. Often used interchangeably in the same article)

Details were a little scant, but last night the EFF passed comment, based on the court’s decision.

I am not a lawyer – I’m not going to pass judgement on the legal side. But what is interesting is how the researchers got hold of the Megamos Crypto algorithm. It wasn’t by decapping the chips in the transponders, it wasn’t from observing them black-box, it wasn’t from looking at an embedded software implementation – they took a Windows program used to clone car key transponders and reverse engineered that.

In terms of working out how Megamos was implemented, someone else had already done the hard work. This left the researchers to perform detailed cryptanalysis of the algorithm and – rumour has it – find some serious problems.

The piece of software is called “Tango Programmer”, a third party tool (software and hardware) used to make transponders. This has been available since at least 2009.

Tango Programmer is readily available, but it appears that it needs to be bought alongside a physical programmer. I strongly suspect that the software would be available on file sharing sites illegally, or possibly even legitimately on another site if you look hard enough.

Another company, Bicotech, produce a similar tool called RwProg. The software is downloadable from their website. The executable is packed, but I am sure it would be perfectly possible to reverse engineer the algorithm from the binary.

The court decision itself contains valuable information on Megamos as well, notably from paragraphs 4 and 5:

In detail the way this works is as follows: both the car computer and the transponder know a secret number. The number is unique to that car. It is called the “secret key”. Both the car computer and the transponder also know a secret algorithm. That is a complex mathematical formula. Given two numbers it will produce a third number. The algorithm is the same for all cars which use the Megamos Crypto chip. Carrying out that calculation is what the Megamos Crypto chip does.

When the process starts the car generates a random number. It is sent to the transponder. Now both computers perform the complex mathematical operation using two numbers they both should know, the random number and the secret key. They each produce a third number. The number is split into two parts called F and G. Both computers now know F and G. The car sends its F to the transponder. The transponder can check that the car has correctly calculated F. That proves to the transponder that the car knows both the secret key and the Megamos Crypto algorithm. The transponder can now be satisfied that the car is genuinely the car it is supposed to be. If the transponder is happy, the transponder sends G to the car. The car checks that G is correct. If it is correct then the car is happy that the transponder also knows the secret key and the Megamos Crypto algorithm. Thus the car can be satisfied that the transponder is genuine. So both devices have confirmed the identity of the other without actually revealing the secret key or the secret algorithm. The car can safely start. The verification of identity in this process depends on the shared secret knowledge. For the process to be secure, both pieces of information need to remain secret – the key and the algorithm.

In standard cryptography terminology:

A car $\text{C}$ and a transponder $\text{T}$ share a secret key $K$. A pseudo-random function family $\textsf{PRF}$ is keyed using key $K$, i.e. $\textsf{PRF}_K$. The output from this PRF is split into two parts, $F$ and $G$.

  1. $\text{C}$ generates a random number $r$.
  2. $\text{C}$ calculates $(F,G) = \textsf{PRF}_K(r)$
  3. $\text{C} \to \text{T}$: $r, F$
  4. $\text{T}$ calculates $(F',G') = \textsf{PRF}_K(r)$
  5. $\text{T}$ checks that $F = F'$
  6. $\text{T} \to \text{C}$: $r, G'$
  7. $\text{C}$ checks that $G = G'$

This process means that the transponder believes the car knows the key and PRF, and the car believes the transponder knows the key and PRF. They should have authenticated themselves with each other.

What is a PRF? A pseudo-random function is similar in many respects to a pseudo-random number generator (PRNG), except instead of sequentially generating output, you can randomly access any of the outputs using an index ($r$ in the example above). The key is analogous to the seed of the PRNG. Using a certain key, a given input will map to a determined output.

Importantly, the output of a PRF should be indistinguishable to an observer from a random function, and by extension you should not be able to derive the key even if inputs, outputs, or free access to the function is given. You should also not be able to tell which PRF is in use even if you can control the inputs and read the outputs.

So – if this is a secure, solid, verified PRF, the protocol should be secure, even if we know what the PRF is. The only thing that needs to be kept secret is the key.
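To make the seven-step exchange and the PRF point concrete, here is an added example (mine, not the paper's, the court's, or the Megamos Crypto algorithm, which this page does not contain). HMAC-SHA256 stands in for $\textsf{PRF}_K$: a public, well-studied PRF whose 32-byte output is split into $F$ and $G$, so the only secret in the exchange is the key $K$. The car refuses to reuse an $r$ and only accepts a reply to the challenge it currently has outstanding, which is the nonce discipline the later list of protocol concerns asks about. The 12-byte key length is taken from the 96-bit figure seen in the RwProg screenshot further down the post; everything else is an assumption of this example.

```python
"""Car/transponder mutual authentication with a public PRF and a shared key.

Added example; HMAC-SHA256 is a stand-in for the (undisclosed) Megamos PRF.
Only the key K is secret.  Steps follow the numbered list in the post.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Set, Tuple

KEY_BYTES = 12   # 96 bits, the key length the RwProg screenshot shows
HALF = 16        # the 32-byte PRF output is split into F (first half) and G


def prf(key: bytes, r: bytes) -> Tuple[bytes, bytes]:
    """PRF_K(r) -> (F, G): a keyed, random-access function.  Same (key, r)
    always gives the same pair; without the key the output looks random."""
    out = hmac.new(key, r, hashlib.sha256).digest()
    return out[:HALF], out[HALF:]


class Car:
    def __init__(self, key: bytes) -> None:
        self._key = key
        self._pending: Optional[Tuple[bytes, bytes]] = None  # (r, G) in flight
        self._seen: Set[bytes] = set()                        # r values issued

    def challenge(self) -> Tuple[bytes, bytes]:
        """Steps 1-3: pick a fresh random r, compute (F, G), send r and F."""
        r = secrets.token_bytes(16)
        while r in self._seen:          # never reuse a challenge value
            r = secrets.token_bytes(16)
        self._seen.add(r)
        f, g = prf(self._key, r)
        self._pending = (r, g)
        return r, f

    def verify(self, r: bytes, g_prime: bytes) -> bool:
        """Step 7: accept only a reply to the single outstanding challenge."""
        if self._pending is None or self._pending[0] != r:
            return False                # stale, replayed or unsolicited reply
        _, g = self._pending
        self._pending = None            # one reply per challenge
        return hmac.compare_digest(g, g_prime)


class Transponder:
    def __init__(self, key: bytes) -> None:
        self._key = key

    def respond(self, r: bytes, f: bytes) -> Optional[Tuple[bytes, bytes]]:
        """Steps 4-6: recompute (F', G'); release G' only if F matched."""
        f_prime, g_prime = prf(self._key, r)
        if not hmac.compare_digest(f, f_prime):
            return None                 # car did not prove knowledge of K
        return r, g_prime


def authenticate(car: Car, tag: Transponder) -> bool:
    """Run one complete exchange; True when the car accepts the transponder."""
    r, f = car.challenge()
    reply = tag.respond(r, f)
    if reply is None:
        return False
    return car.verify(*reply)


if __name__ == "__main__":
    k = secrets.token_bytes(KEY_BYTES)
    print("genuine pair:", authenticate(Car(k), Transponder(k)))
    print("wrong key:   ", authenticate(Car(k), Transponder(secrets.token_bytes(KEY_BYTES))))
```

Note that the PRF's code is entirely public here; what stops a transponder with the wrong key is only that it cannot compute $F'$ and $G'$ for the car's $r$, which is exactly the property the post argues a sound PRF should give Megamos without any need to hide the algorithm.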

But the court decision says:

The verification of identity in this process depends on the shared secret knowledge. For the process to be secure, both pieces of information need to remain secret – the key and the algorithm.

This suggests a few things:

  1. The PRF used is not secure
  2. They don’t know what they are talking about

Both are entirely possible, but I would strongly suspect that the PRF has issues and they want to keep it secret. This would be a clear example of “security through obscurity”.

How could a PRF be insecure?

  • Using one or more input/output pairs, it might be possible to derive the key.
  • You might not need a key to derive the output given the input.
  • The key length might not be long enough to prevent bruteforcing.
  • F and G might not depend on the whole key i.e. you might be able to calculate G given part of the key.

The protocol itself might suffer from further issues:

  • There does not appear to be any protection from replay attacks (prevented from being used as a direct vulnerability because the authentication is bidirectional).
  • Is the random number actually random? Does it matter if it isn’t? If they are re-used (i.e. it’s not a nonce), it probably does matter.
  • The transponder can bypass the check for F = F’ – it can be a “yes” key. If we don’t need the entire key to compute G, this matters.
  • The key might be constant across an entire line or make of cars. Recover the key from one transponder and there would be no secrets left.
  • The key might be derived from an open piece of information like the car VIN number
  • The key might be derived from something like the manufacture date/time of the car, massively reducing keyspace
  • Probably a million more things

Let’s look at the attacks described in the court decision.

Firstly, note:

The attacks are not, themselves, trivial things to do. However, they allow someone, especially a sophisticated criminal gang with the right tools, to break the security and steal a car.

This makes it sound like some of these attacks are practical i.e. it won’t take 2 weeks of effort after decapping and reading the key from EEPROM.

Attack 1:

One attack relies on weaknesses in the secret keys that are used in certain cars. That “weak key” weakness arises because certain car makers have used weak secret keys which are easier to guess than they need to be. In effect, it is a bit like using the word “password” for a password.

As I mentioned above, there are a number of situations where the keys chosen might be poor. It might be the case that the researchers need 2 weeks to work out the key given a car and transponder, but then if the same key is used across all cars, it doesn’t really matter.

Attack 2:

Another is concerned with key updates. The details do not matter.

This is very vague. Maybe you can alter or add keys easily if you already have access to the car?

Attack 3:

The third attack relates to weaknesses in the Megamos Crypto algorithm itself. The academics explain this attack in the paper, and, as I say, the paper also sets out the whole of the algorithm. It is these two elements that the claimants seek to prevent publication of. The claimants wish to remove the Megamos Crypto algorithm and information about the attack based on the weakness in it from the paper.

This is where we get to the point that it sounds like the PRF is not secure. It sounds like this attack may take days of work with access to both the car and transponder.

This could be like the insecurities found in Keeloq. The first step was determining the details of the algorithm. The first few papers detailed weaknesses that meant the protocol was insecure, but the weakness could not practically be exploited. After this, papers were released that detailed faster, more effective attacks, until finally we are at the stage where Keeloq can be called “broken”.

A quick look at some of the software

I haven’t got hold of Tango Programmer, but I do have RwProg up and running. Here is a screenshot:

RwProg v2.17.0002 screenshot

What can we tell from this? Well, the crypto key looks to be 96 bits long – too long to bruteforce.

There are a few videos as well:

http://www.youtube.com/watch?v=SKTMawm5Ffw

http://www.youtube.com/watch?v=EX4FuK1JUEE

Nothing really groundbreaking. I can’t see how the software reads and then writes the crypto key.

Conclusion

Regardless of the court decision, it looks like there is enough information out there for other people to start work on this. Download the software, maybe buy Tango Programmer, reverse the algorithm and then let the world loose on it!

Another muddled, seriously misguided petition

Petitions seem to have become the de facto form of protest, somewhere between tutting and writing a strongly worded letter.

So often they are badly written, require previous knowledge of the situation, and don’t have a clear goal.

This morning, a hot topic of conversation has been how Twitter deals with reports of abuse, in relation to alleged rape threats made to @CCriadoPerez. Of course – a petition has started.

EDIT – the petition has been edited to add something about changing T&Cs. This is a step in the right direction, I still feel the petition is very poor. I also really dislike the fact you can edit petitions on change.org – it seems dishonest to let 8k people sign something and then alter it. The screenshot still stands below.

Petitions...

I really don’t want to comment on the alleged threats themselves, but the response and what people expect of Twitter.

Why direct this at Mark S Luckie?

The first thing I find really odd is how Mark S Luckie has become part of this issue. He is the Manager of Journalism and News at Twitter. He isn’t involved with how abuse is reported or dealt with on Twitter. I’m not sure what people expected from him. It seems unfair to direct this campaign towards him.

After many tweets were directed at Mark, he changed his account to be protected, preventing most people from seeing his tweets. I think it would be massively unprofessional for him to personally comment on the situation. At most he could direct people towards the proper channels for reporting abuse.

Oddly, some have interpreted Mark’s actions as “twitter says it’s not their problem”

I really don’t see how one employee protecting their account says this. The big issue here is how Twitter deals with abuse in general, not how one employee has handled one particular instance of abuse. Conflating the two seems petty.

Zero-tolerance? You are joking?

How can a multi-national micro-blogging platform with half a billion users and millions of tweets a day adopt a zero-tolerance policy on abuse?

Just think for a second about how this could possibly work.

Which country’s laws would Twitter uphold? What is perfectly fine in one country isn’t in another.

What happens if someone calls you a name you don’t like? Report it as abuse!

Someone was mean about a blog post you wrote? You can shut them down by reporting it as abuse.

Zero-tolerance means you would need to side with people who are easily offended and uphold laws in countries where free speech is oppressed. This isn’t what Twitter is about.

It’s just not possible or desirable to adopt a zero-tolerance stance on abuse. By aiming for a ridiculous goal you are never going to achieve it.

Totally missing the point

Twitter has procedures for reporting abuse already. I’ve used them and they worked for me.

I get the impression they don’t always work. It seems like the abuse team is often overworked. This is the real issue – how Twitter actually deals with reports of abuse.

@CCriadoPerez seems to have managed to find out how to report abuse and she has also contacted the police. I would hope that both Twitter and the police handle the reports appropriately.

If @CCriadoPerez doesn’t get an appropriate response, then there is a problem. I don’t think enough time has passed to pass judgement on this.

I am not sure how adding an abuse button to tweets is going to solve any problem. If the abuse in a tweet is serious enough to warrant getting a member of Twitter staff to investigate, surely it is worth your effort to go the page where you need to report abuse? Inundating the abuse team with single-click abuse reports is not going to help in any way.

Bumbling burglars

Today, my wireless alarm hacking posts ended up on Hackaday, and I received this comment:

Your average suburban burglar is gonna be way too dumb to figure this stuff out. And if you’ve got millions of dollars worth of art or whatever that might attract a higher class of crook, you’re not gonna scrimp on security eh?

I’ve had more than a few people reply with the same sentiment over the last few months, so I thought I’d reply here rather than in a comment.

Burglars are too dumb

The burglar doesn’t need to be clever. He just needs to buy a device from someone who is clever and immoral. It’s possible to use a CC1110 RF SoC to jam, disarm, and otherwise disable many of these alarms. It wouldn’t need any skill to operate and it wouldn’t cost much.

Burglars won’t bother

This was exactly what people said about keyless ignition and entry on cars. That quickly changed once exploits were available.

Anyone with sense would have a better alarm system

They might have an alarm system that looks better on paper. But they have absolutely no way of actually knowing if the alarm has any exploitable vulnerabilities or not. There is no requirement for alarms to be independently tested. I can confidently say that much more expensive alarms are no better than the Friedland alarm detailed in my posts.

As an aside from this – the higher grade alarms are really only there to satisfy insurance requirements. As long as the system meets the requirements of the insurers, it shouldn’t matter if there are any vulnerabilities. Unless, of course, it looks like the alarm wasn’t set in the first place…

Conclusion

This doesn’t mean that burglars are exploiting vulnerabilities in wireless alarms. It does mean two things:

  • Consumers don’t have the means to tell if an alarm system is secure or not, due to poor standards and lack of third party testing.
  • Alarm and signalling manufacturers are happy to sell insecure equipment because of this.

Reverse engineering a wireless burglar alarm – summary

What a mess!

I started (but didn’t really finish…) a series of posts reverse engineering several parts of a Friedland wireless burglar alarm. I will come back to finish it off, but in order, here are the posts:

If anyone wants any further details about technologies used in alarm systems (though not this one), I have another series of posts:

A newbie’s guide to safes, both opening and using

Firstly, a disclaimer – I’m not a safe cracker. I just know quite a few people who do work on safes and probably know more than the average person.

On Reddit a few months ago, a post appeared from user dont_stop_me_smee showing pictures of a large vault in a friend’s rented property. This garnered a lot of attention, partly riding off the back of the much older “vault in disused casino” popularity. Needless to say, OP did not deliver, and the vault is still closed.

As a result of this post, a new subreddit was set up called “WhatsInThisThing”:

This subreddit is a place for anyone who has acquired a safe, piggy bank, briefcase, treasure chest, oak barrel, thumb drive, bottle, locker, storage unit, abandoned home, bomb shelter, antique can, maybe even a confidential file to post pictures of the adventure of finding out what’s inside it.

There have been a lot of safes posted since then, ranging from modern £20 B&Q specials up to vintage monsters.

There has also been a lot of crap posted about safes and how to open them.

I’m writing this post to try and clear up some aspects of safes, both in terms of opening them and using them to improve your own security.

First things first, if you want your safe opened quickly and without damage, call a good safe engineer. If you are in the UK or Europe, I can put you in touch with someone.

Otherwise, read on.

Opening cheap modern safes

There are a lot of cheap modern safes, constructed of sheet steel (or even plastic/cement laminate!), often with digital combination locks or very insecure mechanical locks. These only provide an illusion of security.

How would I open a cheap digital combination lock safe?

  • Find the manual. The safe will have a default code, and could have a reset procedure that can be triggered from outside the safe. Try this first.
  • Call the manufacturer. Some of these safes have reset procedures that you can get from the manufacturer. You will need to prove ownership. Sometimes you need the serial number which will be inside the safe.
  • Try hitting it. A lot of these safes hold the boltwork back using a spring loaded solenoid. If you hit the safe in the right place with a mallet (or even your hand on smaller safes) whilst turning the handle, it bounces the solenoid back enough to allow the safe to open. This works on a surprisingly large number of safes.
  • Pick the override lock. Nearly all of these safes have a mechanical override lock. These are normally cheap wafer locks, which can be picked open easily by locksmiths and hobbyists.
  • Try and activate the code reset button. Many safes have a small button inside the door used to change the combination. I’ve managed to press this button from outside the safe by using a welding rod poked through a mounting hole on the rear of the safe.
  • Take the front panel off and manually activate the solenoid or motor. Some of the cheap safes have all of the electronics outside of the safe. If you remove the front panel, you will often find two wires going through the door. These connect to the solenoid or motor inside the safe. Apply the correct voltage (usually the same as the total voltage of the batteries) and the safe will unlock.
  • Cut the safe open. I’ve not seen one of these resist more than a few minutes with even a small angle grinder. The top or back is normally easiest.

Most of the time, you don’t really care if the safe survives or not, so go to town on it.

Opening bigger and better safes

If you want to try it yourself, you have the following options…

Non-destructively open the lock. There are a number of techniques that can be used to open mechanical combination locks – reading contact points, or brute forcing (trying every combination using a motor). This is a very skilled job. It is also unwise if you don’t know if the lock works or not – hours could be spent trying to open a lock that will never unlock. Matt Blaze has written a great guide on this (and other vulnerabilities) called “Safe Cracking For the Computer Scientist”. If the lock is mechanical, it can be picked.

Drill the safe. If non-destructive entry is not possible, safe engineers will drill the safe. This involves making a small penetration somewhere on the safe and then opening the safe through the hole. Again, this is a skilled job. You need to know exactly where to drill and then how to open the safe. Sometimes you will drill near to the combination lock and use a borescope to read the wheel pack. Sometimes you will drill to access the bolt or fence instead. Many safes have very hard steel called “hardplate” protecting the lock, and this requires a lot of pressure and special drill bits to get through. Most safes have some form of “relocker” – additional spring-loaded bolts that will trigger under attack and hold the boltwork shut. You really don’t want to trigger these as there is no way to unlock them from outside the safe. The small hole that is left can be filled with hardened steel and welded over for repair.

Cut the safe open. This still generally requires skill or knowledge if you don’t want to damage the contents. Angle grinders, punches, concrete breakers, and thermal lances are tools used here. This can be very time consuming and noisy.

Do you see a theme? You generally need to know what you are doing.

Opening a vault

Unless you can make a hole in the wall, floor, or ceiling, you should call a safe engineer.

Old safes vs. new

Most older safes tend to be fairly secure. I believe this is because of two things. Firstly, safes used to be made better, or at least, more solidly. Secondly, if an old safe has survived this long and not been opened, it’s either secure or too damn heavy to throw out.

A lot of modern safes are cheap crap. Anything you can buy in B&Q can be cut open in under 10 minutes. But a good, expensive modern safe is a formidable opponent. Modern combination locks are very good – they have extensive “anti manipulation” features. Even low-cost lever locks are hard to pick. Hardplate is very hard and there are advanced composite materials that are difficult to drill or cut through.

What not to do

There is a lot of bad advice floating about.

Don’t cut the external hinges off the door. They aren’t part of the locking mechanism on even the cheapest safes, so you now have a broken safe that is still closed.

Don’t force the handle. Good safes have boltwork that won’t open no matter how much force you apply to the handle. The handle will shear off first or you will break part of the drive mechanism.

Don’t hit the dial or spindle of the combination lock. The combination lock and door have something called a relocker on them. If you trigger this by hitting it, additional spring-loaded bolts will fire and mean that you cannot open the safe even if you unlock the lock. You’ve potentially made an easy job much harder.

Don’t attempt to use thermite. I’m not sure why, but people suggest this. I suspect none of them have made or used thermite. I have. It’s hard to mix correctly, it isn’t cheap, it’s dangerous, and it will destroy the contents of the safe.

Don’t try a plasma cutter. Again, I suspect these people have never used a plasma cutter. They are exceptionally good at cutting through plate. They are no good when you cannot make the cut in one pass (there is nowhere for the slag to go, so it gets blasted back towards you). They will toast the contents. They are expensive and need a lot of compressed air.

Don’t try any other half-cut idea from someone who has no idea what they are doing. Dousing the safe in liquid nitrogen, filling it with water and blowing it up, etc., all sound like a lot more work and cost than just paying a safe engineer.

Don’t think that opening safes is some kind of mystical black art. There are hundreds of people who can open safes. The more expensive and secure the safe, the fewer there are who can open it. But there is no safe that cannot be opened.

Don’t think that the safe will have anything exciting in it. They very rarely do.

What do you need in a safe?

After reading all of that, you’ve decided you need a safe. What should you look for?

  • Consider the difference between a key and combination. A combination can be trivially copied, but is easily shared. A key is harder to copy but useless if left near the safe. Which works better for your users?
  • Avoid any digital combination safe that has a mechanical override lock. Instead of having one good mechanical lock, you now have a digital lock and a crap mechanical lock. The security of the safe is limited by the lower of the two.
  • Look for a good lever lock. At prices acceptable to most householders, a good lever lock will provide the best security.
  • Decide if you are protecting against fire and/or theft. A lot of “fire safes” have extremely poor security. Burglary is far more common than house fire. My safe protects against theft, and the small fire chest inside protects truly irreplaceable objects.
  • Avoid any safe that a single person can easily pick up. You don’t need something that weighs 750kg, but 50kg+ makes things a lot more awkward for burglars.
  • Make sure you can bolt the safe to the floor and/or wall. A 50kg safe attached to a concrete floor with 4 expanding bolts is going to be as hard to move as a 500kg safe.
  • Make sure it is big enough to hold your stuff. If it can’t hold the thing you need to protect, it has no purpose. A lot of smaller safes can’t take 15.6″ laptops.
  • Make sure it is accessible enough that you actually use it. If it is hidden away, you are unlikely to ever use it. If your stuff isn’t in the safe, it doesn’t matter how secure the safe is.

Recommended contacts

The following locksmiths and safe engineers are known to me, and whilst I have never had to use their services, I know they do good work.

Jason Jones at Kelocks (UK)

Stuart Game at BBS Safe Engineers (UK)

Nigel Tolley at Discreet Security Solutions (UK)

Jord Knapp at Knapp Junior (NL)

Emiel van Kessel at De Slotenspecialist (NL)

Oliver Diederichsen at Tresoroeffnung (DE)

Quickly installing Sun/Oracle Java in Linux Mint 15

Almost the same technique as yesterday, but a much bigger timesaver this time. Most Linux distributions come with the open-source OpenJDK installed. This is fine for most things, but I’ve noticed that apps that are graphically complex (PyCharm for one) have some rendering issues and CPU usage is high.

You can install the Sun/Oracle Java instead, but this seems to be a pain to do from the download. There is another PPA for this:

sudo add-apt-repository ppa:webupd8team/java
sudo apt-get update
sudo apt-get install oracle-java7-installer

It still downloads all however-many-megabytes of installer, but it’s fire and forget. No need to uninstall OpenJDK, they can coexist.
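Because the two JDKs coexist, the thing worth checking after the install is which one `java` actually resolves to. The script below is an added example, not code from the original post or from the PPA: it classifies a `java -version` banner as OpenJDK or Oracle, extracts the version string, and (only if a JVM is present) prints the real binary path behind the `update-alternatives` symlink chain and the registered alternatives. The function names and the two sample banners are constructed for illustration; the banners follow the shape of real output for Java 7 but the build numbers are invented.

```sh
#!/bin/sh
# Added example, not part of the original post: after installing the Oracle
# JDK next to OpenJDK, confirm which JVM `java` actually resolves to.
# Function names and the sample banners below are constructed for illustration.

# Classify a `java -version` banner as openjdk / oracle / unknown.
# OpenJDK is checked first because both vendors print "Java" somewhere;
# Oracle's banner is distinguished by its "(TM)" trademark lines.
jvm_vendor() {
  case "$1" in
    *OpenJDK*) echo openjdk ;;
    *"(TM)"*)  echo oracle ;;
    *)         echo unknown ;;
  esac
}

# Pull the quoted version string (e.g. 1.7.0_80) out of the first banner line.
jvm_version() {
  printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1
}

# Resolve the real binary behind `java` (follows the update-alternatives
# symlink chain) so you can see whether the Oracle tree or the OpenJDK tree
# under /usr/lib/jvm is in use. Returns non-zero if java is not on PATH.
active_java_path() {
  java_bin=$(command -v java 2>/dev/null) || return 1
  readlink -f "$java_bin"
}

# Constructed sample banners (shape of real `java -version` output; values invented).
OPENJDK_BANNER='java version "1.7.0_25"
OpenJDK Runtime Environment (IcedTea 2.3.10) (7u25-2.3.10-1ubuntu0.13.04.2)
OpenJDK 64-Bit Server VM (build 23.7-b01, mixed mode)'

ORACLE_BANNER='java version "1.7.0_80"
Java(TM) SE Runtime Environment (build 1.7.0_80-b15)
Java HotSpot(TM) 64-Bit Server VM (build 24.80-b11, mixed mode)'

# Live check: only runs when a JVM is installed. `java -version` writes
# its banner to stderr, hence the 2>&1.
if path=$(active_java_path); then
  banner=$(java -version 2>&1)
  echo "java resolves to: $path"
  echo "vendor: $(jvm_vendor "$banner")  version: $(jvm_version "$banner")"
  # List every registered alternative so the coexistence is visible.
  update-alternatives --query java 2>/dev/null | grep '^Alternative:' || true
fi
```

If the vendor line still says `openjdk` after the install, `sudo update-alternatives --config java` lets you pick the Oracle entry; the path printed by the script is the quickest way to confirm the switch took effect.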