The company was notified of the problem but never responded. This is exceptionally bad, obviously – given that this safe is advertised for storing valuables and firearms. Just a bit shy of a James Bond-suited tool, this marker will yield you a gun in times of need, or perhaps a wad of cash, as long as you can locate a Sentry Safe out in the wild. If you want to hack such a safe, you just need to remove the keypad, take the cap off the marker, touch two pins to test points on the keypad board, and press a button that sends a packet to the safe - as shown in a video by. All you need for that is an MCU injecting serial packets, and built just that, embedding an ATmega circuit into a shell of a marker, tip replaced with a two-pin header. By sending a single packet saying “please change the code to 00000”, the PIN code will be reset. That code entry is a separate kind of packet from the “change password” one.Īrmed with an Arduino able to send packets imitating those produced by the keypad, found a critical bug – sending the password change command didn’t actually require the factory code packet to be sent first. Something drew his attention from there – if you want to change the password, the keypad requires you enter the factory code, unique to each safe and supplied in the instruction manual. Bruteforcing wasn’t viable, however, due to rate limitation in the solenoid controller. Then, he wrote some Arduino code to send the same packets manually, which worked wonders. hooked up a logic analyzer to the communication wire, which turned out to be a UART channel, and logged the keypad communication packets - both for password entry and for password change. The solenoid-connected board receives the PIN, verifies it, and then controls the solenoid that unlocks the safe. You can take the keypad board off and access its backside, but the keypad doesn’t make any decisions, it merely sends the digits to a different board embedded behind the safe’s door. On the surface level, this keypad-equipped safe is designed decently when it comes to privilege separation. As with any shiny new tool, he started looking for things to investigate with it, and his gaze fell on a Sentry Safe (produced by Master Lock). Got one of these lovely $5 logic analyzers.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |