Heistmeisters crack cost of safecrackers with $150 widget

Arduino hack-box brute-forces ATMs, gun safes

A pair of Melbourne security professionals have developed a $150 auto-dialer safe cracker that replicates a machine worth tens of thousands of dollars and sold only to military customers.

The unit launches automatic brute-force attacks against group two combination locks used in high-security environments like ATMs and gun safes.

Current and former penetration testers Luke Janke and Jay Davis created the device using Arduino and 3D printed components.

"They pretty much use group two locks for everything," Davis said at the Ruxcon security conference in Melbourne.

"We're still working on tracking [remaining combinations] so if you get busted you can run away and come back and try later on - not that we condone that.

"A lot of these locks have about 10 default combinations which never ever get changed and they would be the ones you would want to try out first."

The autodialer.

The safe-cracking device is connected to a custom Arduino unit that runs through possible combinations used by group two locks, cracking the code in less than four days.

The pair's initial work needed about two weeks to do the job.

The cracking process could be slashed to just minutes by loading default lock combinations onto an SD card that is then inserted into the Arduino board. The pair were working on implementing that technique, which they suspected was used by the official pricey military kit.

Changing the default combinations was a difficult process which deterred many owners, they said.

Components were designed using 3D printers and salvaged electronics, including step motors formerly used in stage lighting, which provided rotation control. The trial-and-error process of the research meant the prototype cost about $1500, well above the estimated $150 price tag. ®
