• (cs) in reply to EngleBart
    EngleBart:
    This reminds me of a brute force attack that a college friend used after a night of drinking.
    All the bike combo locks I've ever seen are pretty damn easy to brute force, when I had one as a kid it was how I used to unlock it every time I forgot my own combination. You just step the most significant digits one by one and spin the least-significant one 360 degrees at each step while pulling. Allow < 10min for a 3-digit combo and ~half-an-hour for a 4-digit barrel. Less if it's a cheap and crudely manufactured one that you can guess one of the digits straight off because it gets slightly loose when you hit it.
  • (cs) in reply to Ike
    Ike:
    1234? That's the same combination as my luggage!
    Sorry, the correct response is "<10003-digit string>? That's the same combination as my luggage!"
  • Basterd (unregistered) in reply to Frank

    Sure, when you take into account that brute-forcing a 4-digit long, 10-different-digits key takes 10^4*4 button presses, and this solution would take 10^4-1, it is so different that you'll kill the safety industry.

  • anon (unregistered) in reply to db48x

    While a group of network admins may always being looking for increased security, a group real estate brokers is not. I've always thought that 'full disclosure' was a good idea to spread the idea of being secure, but after that you are simply publishing ways to break into systems(or in this case houses).

    However I feel this is moot because your MRIS listing has the combination anyway(only viewable to the realtors though).

  • Gunslinger (unregistered) in reply to Frank

    In southern California at least, the lock boxes require a card swipe too. Of course, these probably also require that only the right digits are entered after that swipe.

  • Mike (unregistered)

    Most people don't even know what security is.

    If you're living in a vinyl village neighborhood, you're an Exacto knife away from a break-in. Just cut through the siding, rip out the insulation, break the drywall, and walk right in. Brick houses FTW.

    Most idiots walk out of the house every day and lock the vanity lock behind them, instead of taking 15 seconds to use the deadbolt. Vanity locks are to keep out the curious. Deadbolts are to keep out the malicious (but not the determined).

    How many people leave their windows open or unlocked every day? Or an extra set of keys under the mat in the their car?

    convenience, laziness, and/or price > security

  • BBT (unregistered)

    If I were to be opposed to publishing how to crack a lock, I would have to criticize my idol, Richard Feynman. That would simply be unacceptable.

    http://books.google.com/books?id=7papZR4oVssC&printsec=frontcover&dq=surely+you%27re+joking+mr.+feynman&ei=AJmzS8jLGaWCywTN1ui4BA&cd=1#v=onepage&q=&f=false

    (go to the Safecracker meets Safecracker chapter, it's a good read. Any self-respecting geek should read the whole book)

  • SoaperGEM (unregistered)

    In college the dorm I was at had one of these lockboxes, just like the one in the picture. Only you could only press each button once, as they stayed down once you'd pushed them, and order was irrelevant. So if your code was 1234, then you also could have opened it with 4321, 2431, 3124, etc. What you're describing here sounds slightly more secure than the one at my dorm, but still not very secure.

  • Mike (unregistered)

    The shortest possible number of keypresses to solve the combination is 4. The greatest possible number is infinite, as I'm sure some idiot would get halfway through and forget his place and repeat (n) tries.

  • bmm6o (unregistered)

    http://en.wikipedia.org/wiki/De_Bruijn_sequence

  • anon (unregistered) in reply to Frank

    This is a very big ethical problem. We should also keep quiet when old crypto is broken, eh? Everybody keep using WEP, nothing wrong here.

  • Andrew (unregistered) in reply to Frank

    Given that there are 10 000 combinations, even if you managed 100% density (ie, every digit starts a new, unique 4-digit sequence), you will still have a 10 003 digit sequence to type in.

    So this method is hardly a viable attack.

  • Jonathan Collins (unregistered)

    It's not unethical, if only because the de Bruijn sequence for k=10,n=4 is still prohibitively long.

  • Alex (unregistered) in reply to db48x

    Agreed, "security through obscurity" is never a way to actual security.

  • Scott (unregistered) in reply to Frank

    Then again, I've had one of the on the outside of my garage since I bought my house two years ago. Nobody knew the code to it, not the realtor, not the bank, the builders even said they didn't know it. I would love to know a combination of inputs to get into the damn thing, just so I can remove it!

  • Chris Sinchok (unregistered)

    Here's my attempt, in Python. It's inefficient, but I think that it works for the first case--by this I mean that it generates a string that appears to be the right length and no contains obvious duplicates.

    comboString = "4321"
    
    def addDigit(comboString):
        for i in range(0,10):
            i = (int(comboString[-1]) + i) % 10
            newCombo = comboString[-3:] + str(i)
            if not newCombo in comboString:
                comboString += str(i)
                break
        return comboString
    
    
    while True:
        newComboString = addDigit(comboString)
        if(newComboString == comboString):
            break
        else:
            comboString = newComboString
    
    print "Final Combo String: "
    print comboString
    
  • Ian (unregistered) in reply to Frank

    It really is a well know problem with these boxes. I worked it out when I was 12 as it let me through the cheap combination lock doors.

  • vihrea (unregistered) in reply to Frank

    Haven't you guys ever read 2600 magazine? One can hack to learn one's craft, not to steal.

  • Andrew Baker (unregistered) in reply to db48x

    Or it could be like our Half blind Realtor that could never get them open, and just told us the codes to enter ourself.

  • XR (unregistered)

    The non-electronic lock-boxes aren't difficult to break-in to, either.

    Take the three-digit barrel lock (bicycle-lock type). Using the limited possible combinations, and the natural force of the spring against the tumblers, it's trivial to hear & feel when you've got the right combination. In short, you can spin the numbers around in sequence as fast as you can move your fingers, and as soon as you get the right one, a nice loud click will indicate you've just gone by the right sequence. Anybody who has done it once before can tackle 3 digits in under 1 minute in the worst case, and may be lucky enough to get it in a few seconds.

  • lucusloc (unregistered) in reply to grizz

    @grizz

    these types of articles do work for those who wish to be educated. i have already replaced the lock on my apartment because i read an article discussing lock-picking and found out that my old locks "were good to practice on because they are so easy."

    education is a personal responsibility issue, and i appreciate people who put forth the effort to educate me. because of this article you can bet that i will never use one of these boxes myself, and for that i am appreciative.

    the more people who publicize this the less likely others will use the device. it is the same in other fields as well. as exploits become more well known people are more likely to secure against it, or switch applications entirely. sure there will be some who try to use that knowledge for nefarious uses, but the more people are educated the less likely the wrongdoer will be successful.

    lets get one thing straight, anytime you rely on security through obscurity you are making yourself vulnerable to someone with knowledge. how wide ranging those someones are is irrelevant, what matters is what you do with the knowledge that you are vulnerable. if you do nothing then it is your fault if you are taken advantage of. saying "so and so informed the wrongdoer, if they had not done so this would not have happened" is just passing the blame, not the fault. so and so informed the general public, and you did not take advantage of that fact.

    if i am going to buy a security product you can bet that i am going to do the work to find out how secure it actually is, and not just read the manufacturer brochure. i am going to find third parties and ask them what they think. to do anything else would be foolish, and those who do not are leaving themselves open. it is not the whistle-blowers fault for publicizing a known vulnerability, it is the consumers fault for not doing due diligence. just because the populace at large does not follow through with due diligence does not mean that we should silence the whistle-blowers, that is foolish.

    due diligence can take many forms, as can publicizing any finding. many security companies (both physical and digital) offer cash prizes or host competitions so that other have incentive to find and publicize vulnerabilities.

    this site has (probably inadvertently) publicized an apparently well known flaw with realtor lock-boxes. i have filed that knowledge away so that i do not become a victim of that vulnerability. the question for you is: what are you going to do with the information? (hint: pass it on)

  • nisl (unregistered)
    4-8-2-9-5-1-4-5 would cover the codes 4-8-2-9 8-2-9-5 9-5-1-4 and 5-1-4-5

    While the other list of four-digit codes was readable thanks to a few well-placed commas, this one I had to parse a couple times ove to understand. It helped when noticed the lack of said commas.

  • Ryan A (unregistered)

    Here's my stab at it. This is a bit unwieldy and could be slimmed down a lot, but it seems to work okay, although it will not handle bad parameters nicely. I also left a bunch of commented out debug prints in here.

    Optional arguments are in order: code length, number of buttons, and does order matter (expects "False" for order not to matter). If no arguments are given they default to 4, 10, and True respectively.

    #! /pkg/python/bin/python
    
    class lockbox:
    
      def __init__(self):
        self.reset()
    
      def reset(self):
        self.codeLength = 0
        self.numButtons = 0
        self.orderMatters = True
        self.seq = None
        self.codes = []
        self.output = []
        self.currentStart = 0
    
      def solve(self, codeLength_ = 4, numButtons_ = 10, orderMatters_ = True):
        self.reset()
        self.codeLength = codeLength_
        self.numButtons = numButtons_
        self.orderMatters = orderMatters_
    
        self.genCodes()
        sorted = []
        if not self.orderMatters:
          for code in self.codes:
    	code.sort()
    ##      print self.codes
          sorted = [self.codes[0]]
          for code in self.codes[1:]:
    	if code != sorted[-1]:
    	  sorted.append(code)
          self.codes = sorted
    ##    print self.codes
        self.codes = dict(zip([tuple(x) for x in self.codes], [1]*len(self.codes)))
    ##    print self.codes
    
        while (self.codes):
          self.output += self.popNextCode()
        return self.output
    
      def genCodes(self, depth = 1):
    ##    print "depth = %d" %(depth,)
        if(depth == self.codeLength):
          self.codes = [[x] for x in range(self.numButtons)]
    ##      print "genCodes(%d) returning with codes == %s" % (depth, str(self.codes))
          return
        self.genCodes(depth+1)
        self.codes = reduce(lambda x,y: x+y, [[[button] + rest for button in range(self.numButtons) if button not in rest] for rest in self.codes])
    ##    print "genCodes(%d) returning with codes == %s" % (depth, str(self.codes))
    
      def popNextCode(self):
    ##    print "output = %s\tcurrentStart = %d" %(str(self.output),self.currentStart)
        if(len(self.output) - self.currentStart == self.codeLength):
          self.currentStart += 1
        while (True):
          start = tuple(self.output[self.currentStart:])
          for code in self.codes.keys():
    ##	print "\tTrying %s against %s" % (str(code), str(start))
    	retval = []
    	if not self.orderMatters:
    	  retval = [x for x in code if x not in start]
    	  for x in start:
    	    if x not in code:
    	      retval = []
    	      break
    ##	  print "Non-order Matters retval == %s" %(str(retval))
    	elif start == code[:len(start)]:
    	  retval = code[len(start):]
    	if retval:
    	  del self.codes[code]
    	  return retval
          self.currentStart += 1
    
      def matchStart(self, start, code):
        return start == code[:len(start)]
    
    
    import sys
    
    if __name__ == "__main__":
      box = lockbox()
      args = [4,10,True]
      for arg in [x for x in range(len(sys.argv)-1, 0, -1) if x < 3]:
        print "Replacing arg[%d]'s %d with %d" % (arg-1, args[arg-1], int(sys.argv[arg]))
        args[arg-1] = int(sys.argv[arg])
      if(len(sys.argv) >= 4):
        args[2] = (sys.argv[3] != "False")
      print box.solve(args[0], args[1], args[2])
    
    
  • Someone in the Industry (unregistered) in reply to Frank
    Frank:
    People selling their house have a realtor, who will use lockboxes. For the seller, there's no guarantee that others will use spin-wheel, combination, or push-button lockboxes, and the seller has no say on what will be employed.

    Actually, you have to sign some sort of agreement with your realtor that allows (or doesn't allow) them to place a lockbox on your property.

    Also, some security companies hold their own contests challenging the public to hack their system in some way so they learn their flaws and improve their product.

    Last, there are updated lockboxes that realtors can use to improve security. Not just by Supra (who is the company that owns the box pictured) but by their competitors, such as SentriLock, as well.

  • Ollie Jones (unregistered) in reply to Frank

    Modern lockboxes are electronic and need a rfid tag to open. So this is an historic folkloric challenge.

  • A Gould (unregistered) in reply to Frank
    Frank:
    You're not only revealing how these lock boxes work (Which, yes, would be commonly available information), but you're announcing "to the world" that they're simple to break into, with a solution to how to do it.

    As other people have mentioned, the classic "combination lock" variety are going out of style, replaced with RF or other electronic locks. Around here they're moving to ones with "phone home" capability, so the realtor's office can tell you exactly when people accessed the box.

    But I'm pretty sure anyone who was inclined to exploit the old locks either (a) already figured out the limited combination possibilities; or (b) use a crowbar instead.

  • Jeff T (unregistered)

    This is called a Bruijin Sequence - the shortest sequence that hits every possible combination of codes.

    A generator is here: http://www.hakank.org/comb/debruijn_k_10_n_4.html

  • Fedaykin (unregistered)

    This is how keyless entry pads on most cars work too.

    They really are more of a "keep honest people honest" solution -- just like locks on doors made of easy to break wood, or door on cars with easily broken glass windows

  • Tristique (unregistered) in reply to Ollie Jones

    I don't have a lock box, but I do have a baseball bat.

  • Il Bruto (unregistered) in reply to db48x

    00000001000200030004000500060007000800090011001200130014001500160017001800190021002200230024002500260027002800290031003200330034003500360037003800390041004200430044004500460047004800490051005200530054005500560057005800590061006200630064006500660067006800690071007200730074007500760077007800790081008200830084008500860087008800890091009200930094009500960097009800990101010201030104010501060107010801090111011201130114011501160117011801190121012201230124012501260127012801290131013201330134013501360137013801390141014201430144014501460147014801490151015201530154015501560157015801590161016201630164016501660167016801690171017201730174017501760177017801790181018201830184018501860187018801890191019201930194019501960197019801990202020302040205020602070208020902110212021302140215021602170218021902210222022302240225022602270228022902310232023302340235023602370238023902410242024302440245024602470248024902510252025302540255025602570258025902610262026302640265026602670268026902710272027302740275027602770278027902810282028302840285028602870288028902910292029302940295029602970298029903030304030503060307030803090311031203130314031503160317031803190321032203230324032503260327032803290331033203330334033503360337033803390341034203430344034503460347034803490351035203530354035503560357035803590361036203630364036503660367036803690371037203730374037503760377037803790381038203830384038503860387038803890391039203930394039503960397039803990404040504060407040804090411041204130414041504160417041804190421042204230424042504260427042804290431043204330434043504360437043804390441044204430444044504460447044804490451045204530454045504560457045804590461046204630464046504660467046804690471047204730474047504760477047804790481048204830484048504860487048804890491049204930494049504960497049804990505050605070508050905110512051305140515051605170518051905210522052305240525052605270528052905310532053305340535053605370538053905410542054305440545054605470548054905510552055305540555055605570558055905610562056305640565056605670568056905710572057305740575057605770578057905810582058305840585058605870588058905910592059305940595059605970598059906060607060806090611061206130614061506160617061806190621062206230624062506260627062806290631063206330634063506360637063806390641064206430644064506460647064806490651065206530654065506560657065806590661066206630664066506660667066806690671067206730674067506760677067806790681068206830684068506860687068806890691069206930694069506960697069806990707070807090711071207130714071507160717071807190721072207230724072507260727072807290731073207330734073507360737073807390741074207430744074507460747074807490751075207530754075507560757075807590761076207630764076507660767076807690771077207730774077507760777077807790781078207830784078507860787078807890791079207930794079507960797079807990808080908110812081308140815081608170818081908210822082308240825082608270828082908310832083308340835083608370838083908410842084308440845084608470848084908510852085308540855085608570858085908610862086308640865086608670868086908710872087308740875087608770878087908810882088308840885088608870888088908910892089308940895089608970898089909090911091209130914091509160917091809190921092209230924092509260927092809290931093209330934093509360937093809390941094209430944094509460947094809490951095209530954095509560957095809590961096209630964096509660967096809690971097209730974097509760977097809790981098209830984098509860987098809890991099209930994099509960997099809991111111211131114111511161117111811191122112311241125112611271128112911321133113411351136113711381139114211431144114511461147114811491152115311541155115611571158115911621163116411651166116711681169117211731174117511761177117811791182118311841185118611871188118911921193119411951196119711981199121212131214121512161217121812191222122312241225122612271228122912321233123412351236123712381239124212431244124512461247124812491252125312541255125612571258125912621263126412651266126712681269127212731274127512761277127812791282128312841285128612871288128912921293129412951296129712981299131313141315131613171318131913221323132413251326132713281329133213331334133513361337133813391342134313441345134613471348134913521353135413551356135713581359136213631364136513661367136813691372137313741375137613771378137913821383138413851386138713881389139213931394139513961397139813991414141514161417141814191422142314241425142614271428142914321433143414351436143714381439144214431444144514461447144814491452145314541455145614571458145914621463146414651466146714681469147214731474147514761477147814791482148314841485148614871488148914921493149414951496149714981499151515161517151815191522152315241525152615271528152915321533153415351536153715381539154215431544154515461547154815491552155315541555155615571558155915621563156415651566156715681569157215731574157515761577157815791582158315841585158615871588158915921593159415951596159715981599161616171618161916221623162416251626162716281629163216331634163516361637163816391642164316441645164616471648164916521653165416551656165716581659166216631664166516661667166816691672167316741675167616771678167916821683168416851686168716881689169216931694169516961697169816991717171817191722172317241725172617271728172917321733173417351736173717381739174217431744174517461747174817491752175317541755175617571758175917621763176417651766176717681769177217731774177517761777177817791782178317841785178617871788178917921793179417951796179717981799181818191822182318241825182618271828182918321833183418351836183718381839184218431844184518461847184818491852185318541855185618571858185918621863186418651866186718681869187218731874187518761877187818791882188318841885188618871888188918921893189418951896189718981899191919221923192419251926192719281929193219331934193519361937193819391942194319441945194619471948194919521953195419551956195719581959196219631964196519661967196819691972197319741975197619771978197919821983198419851986198719881989199219931994199519961997199819992222222322242225222622272228222922332234223522362237223822392243224422452246224722482249225322542255225622572258225922632264226522662267226822692273227422752276227722782279228322842285228622872288228922932294229522962297229822992323232423252326232723282329233323342335233623372338233923432344234523462347234823492353235423552356235723582359236323642365236623672368236923732374237523762377237823792383238423852386238723882389239323942395239623972398239924242425242624272428242924332434243524362437243824392443244424452446244724482449245324542455245624572458245924632464246524662467246824692473247424752476247724782479248324842485248624872488248924932494249524962497249824992525252625272528252925332534253525362537253825392543254425452546254725482549255325542555255625572558255925632564256525662567256825692573257425752576257725782579258325842585258625872588258925932594259525962597259825992626262726282629263326342635263626372638263926432644264526462647264826492653265426552656265726582659266326642665266626672668266926732674267526762677267826792683268426852686268726882689269326942695269626972698269927272728272927332734273527362737273827392743274427452746274727482749275327542755275627572758275927632764276527662767276827692773277427752776277727782779278327842785278627872788278927932794279527962797279827992828282928332834283528362837283828392843284428452846284728482849285328542855285628572858285928632864286528662867286828692873287428752876287728782879288328842885288628872888288928932894289528962897289828992929293329342935293629372938293929432944294529462947294829492953295429552956295729582959296329642965296629672968296929732974297529762977297829792983298429852986298729882989299329942995299629972998299933333334333533363337333833393344334533463347334833493354335533563357335833593364336533663367336833693374337533763377337833793384338533863387338833893394339533963397339833993434343534363437343834393444344534463447344834493454345534563457345834593464346534663467346834693474347534763477347834793484348534863487348834893494349534963497349834993535353635373538353935443545354635473548354935543555355635573558355935643565356635673568356935743575357635773578357935843585358635873588358935943595359635973598359936363637363836393644364536463647364836493654365536563657365836593664366536663667366836693674367536763677367836793684368536863687368836893694369536963697369836993737373837393744374537463747374837493754375537563757375837593764376537663767376837693774377537763777377837793784378537863787378837893794379537963797379837993838383938443845384638473848384938543855385638573858385938643865386638673868386938743875387638773878387938843885388638873888388938943895389638973898389939393944394539463947394839493954395539563957395839593964396539663967396839693974397539763977397839793984398539863987398839893994399539963997399839994444444544464447444844494455445644574458445944654466446744684469447544764477447844794485448644874488448944954496449744984499454545464547454845494555455645574558455945654566456745684569457545764577457845794585458645874588458945954596459745984599464646474648464946554656465746584659466546664667466846694675467646774678467946854686468746884689469546964697469846994747474847494755475647574758475947654766476747684769477547764777477847794785478647874788478947954796479747984799484848494855485648574858485948654866486748684869487548764877487848794885488648874888488948954896489748984899494949554956495749584959496549664967496849694975497649774978497949854986498749884989499549964997499849995555555655575558555955665567556855695576557755785579558655875588558955965597559855995656565756585659566656675668566956765677567856795686568756885689569656975698569957575758575957665767576857695776577757785779578657875788578957965797579857995858585958665867586858695876587758785879588658875888588958965897589858995959596659675968596959765977597859795986598759885989599659975998599966666667666866696677667866796687668866896697669866996767676867696777677867796787678867896797679867996868686968776878687968876888688968976898689969696977697869796987698869896997699869997777777877797788778977987799787878797888788978987899797979887989799879998888888988988899898989999000

  • dron (unregistered) in reply to Frank

    It's way easier to break a small window than to sit on the porch for 2 hours with an excel spreadsheet punching in key combinations. You should hope that more crooks try this method.

    In our area, they use pager or sms technology to open the lock boxes. When the Realtor gets to the box, they call the number listed on the back and enter the unit #. If the cell phone they're calling from is registered with the server, it will open the box for them.

  • Dirge (unregistered) in reply to db48x
    db48x:
    I'm sure there's an easier way to attack a lock like this than brute-forcing the combination

    I've seen at least one that appeared to have been vulnerable to the "use a slot screwdriver as a pry-bar" attack. At least, that's what it looked like from its remains. It made me question why anyone uses them. Even in a worst-case scenario, someone could break the entire box off of the house with a crowbar (it's just screwed into wood or stucco after all), take it home and use an angle grinder or drill press on it.

  • Rakig (unregistered)

    // //args handling // whatever.language.output(combinationLength + (possibleNumbers ^ combinationLength) - 1) //

  • msturtz (unregistered)

    It's certainly true that there are many different types of lock-boxes, but the brand and type pictured don't work exactly like you say, at least not in my experience. You have to have the correct set of numbers, but the sequence doesn't matter -- meaning, if the code is 1234, you can enter 1-2-3-4, or 2-3-1-4, or 4-3-2-1. As long as all the correct buttons are pushed, and none of the incorrect ones are, then it opens. If you make a mistake, the second slider between buttons 3-4 and 8-9 un-pushes all the buttons.

    Clearly the security isn't that great.

    NOW your challange is to write a function that will take the # of buttons in the code (say, you're standing next to your realtor, count the clicks), and print out a list of all possible codes of that length, eliminiating the duplicates based on the above (print 1-2-3-4, and don't print 2-3-4-1 or 3-4-1-2 or 4-1-2-3)... THEN you'll see how insecure these boxes really are.

  • Jeff Dege (unregistered)

    Those of these I've seen used Simplex locks, which are a bit more complicated than what you describe.

    A simplex lock has five buttons. In a combination, each button can be pressed at most once. But order does matter, and more than that, so do simultaneous pushes.

    A combination is a sequence of 0-5 pushes:

    • In each step, you can push any number of buttons, from 1 to 5
    • A pushed button stays in, so it cannot be re-used.

    Valid combinations:

    {1} {1} {2} {1 2} {3} {4 5}

    There still aren't that many possibilities, but working through the list takes a bit more intellectual exercise.

  • Pete (unregistered) in reply to Cad Delworth
    Cad Delworth:
    Likewise. Assuming these things are hung around the front door handle (as Sentrilock's site illustrates them), what's to stop a criminal walking away with the box and taking it elsewhere to physically break open, then stroll back later with the key to let themselves in?

    There bolted to the wall at least mine is which is the same as the one in the image. it would be easier to break the door than pull it off the wall.

    That particular model also only allows 4 digits to be pressed hence the method suggested doesn't work.

  • Pete (unregistered) in reply to msturtz
    msturtz:
    It's certainly true that there are many different types of lock-boxes, but the brand and type pictured don't work *exactly* like you say, at least not in my experience. You have to have the correct *set* of numbers, but the sequence doesn't matter -- meaning, if the code is 1234, you can enter 1-2-3-4, or 2-3-1-4, or 4-3-2-1. As long as all the correct buttons are pushed, and none of the incorrect ones are, then it opens. If you make a mistake, the second slider between buttons 3-4 and 8-9 un-pushes all the buttons.

    Clearly the security isn't that great.

    NOW your challange is to write a function that will take the # of buttons in the code (say, you're standing next to your realtor, count the clicks), and print out a list of all possible codes of that length, eliminiating the duplicates based on the above (print 1-2-3-4, and don't print 2-3-4-1 or 3-4-1-2 or 4-1-2-3)... THEN you'll see how insecure these boxes really are.

    Your right just tested it on mine of that model. You can do your combination in any order.

  • (cs)

    I have found the fireman's axe to be the perfect tool for entering a place... not only does it grant nearly immediate access to almost any building, room, or hallway, but it strikes great fear into any potential occupants, meaning that they're usually all huddled into one spot whilst you merrily make your way through the rest of the place undeterred. It also serves as a great defensive or offensive weapon. Downside: it's noisy as hell and not good for apartment complexes.

    DISCLAIMER: ... oh, screw it, if you really take this seriously, then you can just bugger off...

  • db48x (unregistered) in reply to Franz Kafka
    Look up bump keys - they're simple to make and only require that you know what shape key blank is used. With practice, you can open a door quickly enough that a casual observer would think you were using a real key

    Certainly. That attacks the real lock on the door though, not the combination lock holding the real keys. As others have mentioned, there are other ways of attacking this combination lock, such as using tension to feel which numbers are part of the combination and so on. Actually trying all the combinations is going to be a pretty rare attack, with easier alternatives available.

  • highphilosopher (unregistered) in reply to db48x
    db48x:
    It's not ethically questionable at all. It's far better to encourage people to think critically about the security measures that they employ than it is to try to hide this kind of information. Hiding information never works, those people who would abuse it already have it, while the rest of us need to be sure we understand how the technology around us works.

    Of course, the sad fact is that all locks are much easier to get past than the manufacturers claim. I'm sure there's an easier way to attack a lock like this than brute-forcing the combination, but it's an interesting programming problem nevertheless. There's a known algorithm for finding the shortest sequence when the attempts can overlap like this, but I can't quite think of the name…

    I agree. My vote is for pull of the faceplate, trace the wires from the lock mechanism. Short out each one to each pole of the battery and boom, it will probably magically open. I hate it when people try to solve electrical problsm with a computer.

  • Bart (unregistered) in reply to Beta

    Erm, it's only called breaking and entering if .. you guessed it .. break ... AND .. enter.

    I'm sure the cop would tear a strip off of you, and perhaps charge you with intent if you couldn't think of a really good excuse.

    Swearing a lot and cursing and how you're gonna sue your realtor is probably enough to get you off with a warning.

    Anyway, there's probably a key under the doormat.

  • KP (unregistered)

    You can also tell what numbers are involved just by looking at the wear and dirt on the box around the numbers, because the combination is usually not changed often, if ever.

    I agree with other posters here that the simplest way to get into a house is with a boot to the door, or a brick through a window. People focus so much on locks, and will spend hundreds of dollars getting special locks for their house, but do nothing to make the windows unbreakable, and therefore their investment in the lock is useless.

    Many key locks are also susceptible to Key Bumping, if you can't be bothered to take the minute it takes to stroke-pick a lock cylinder.

    Locks only keep honest people out.

  • (cs) in reply to db48x
    db48x:
    I'm sure there's an easier way to attack a lock like this than brute-forcing the combination…
    Exactly. You can "bump" the type of lock most homes use in 10s. It'd take a couple hours to brute force one of these locks.

    Also, whereTF does Alex live that is still using these? Where I live (city with pop. of ~300K) the lock boxes have IR receivers and the agents use a smartphone to open it.

    An interesting point this brings is you always have to look for the lowest common denominator in security. A condo I lived in spent big bucks to get entry locks that were un-bumpable (also extremely difficult to pick). The only problem is the buzzer board at the front door was protected with a 3-tooth key (easily pickable, probably easy enough to force). Once you open the panel to the buzzer you can buzz yourself into the building (that's how the mail person would let themselves in, albeit with a key).

  • da1l6 (unregistered)

    Pressing keys for all combinations: O(m*n^m) Pressing keys while exploiting the overlappings: O(n^m) Opening the door with a crowbar: O(1)

  • grizz (unregistered) in reply to lucusloc

    Something that has been missed in the comments regarding my rant is that I'm not advocating a moratorium on all discussions of security threats. I fully agree that knowing of a device or procedure’s vulnerabilities beforehand is better than discovering after the fact that you’ve trusted something inherently unsecure. The thing that initially raised my hackles is the incivility all too often shown to anyone who dares question the propriety of discussing an issue in certain forums. If someone questions the direction of a discussion in a polite way, they don’t deserve to have scorn and rancor heaped on them in return.

    Often it is the degree of detail being discussed or the venue of the discussion that is the person’s point of concern. For example, detailed step-by-step directions for making meth aren’t necessary in a discussion of why making meth is A Bad Thing; people can be educated about the dangers without broadcasting a cookbook of how to do it. Topics and details that are appropriate in one forum might not be appropriate in another. Using the meth example, a cookbook of how it is done would be reasonable to see on a law enforcement site but not so much in comments on a site about Pokemon, for instance.

    In this thread there have been a bunch of posts with pretty detailed descriptions on how to defeat various locks. Is the knowledge of how easy it is to defeat them useful? Yeah, probably. I suppose a guy could switch realtors if the one he’s using only has the unsecure type of lock. But does the detailed information on how to foil the lock give him any advantage? I don’t see how.

  • (cs) in reply to grizz
    grizz:
    Let the ad hominum attacks commence!
    OK, let's start with "ad hominem."

    Really, the standard of Latin on this forum has gone to pot lately. Pfah!

  • Dotan Cohen (unregistered) in reply to Frank

    Then I suggest that you forward this page to every realtor that you know.

  • joshua (unregistered) in reply to db48x

    http://en.wikipedia.org/wiki/De_Bruijn_sequence

  • sharks (unregistered) in reply to db48x

    These locks are completely worthless anyway. Once they are anything but brand new, they can be trivially 'picked' by placing the catch under load and wiggling each key. If the combination is not regularly changed you can also look for the slight 'polish' on the used keys.

    -----N

  • marcan (unregistered)

    My neighborhood front door has a keypad lock that works in a similar way, via firmware. They have a 9-key buffer, and the combination is 3 keys. They buffer wraps and they only check the first three slots, so you can hit any multiple of 9 keys followed by the combination and it will open. Sometimes, when I screw up, I find it quicker to spam 6 button presses and then retype the code instead of waiting for the lock to time out and reset.

Leave a comment on “The Key Lock Box”

Log In or post as a guest

Replying to comment #:

« Return to Article