Admin
Sure, when you take into account that brute-forcing a 4-digit long, 10-different-digits key takes 10^4*4 button presses, and this solution would take 10^4-1, it is so different that you'll kill the safety industry.
Admin
While a group of network admins may always be looking for increased security, a group of real estate brokers is not. I've always thought that 'full disclosure' was a good idea to spread the idea of being secure, but after that you are simply publishing ways to break into systems (or in this case houses).
However I feel this is moot because your MRIS listing has the combination anyway (only viewable to the realtors though).
Admin
In southern California at least, the lock boxes require a card swipe too. Of course, these probably also require that only the right digits are entered after that swipe.
Admin
Most people don't even know what security is.
If you're living in a vinyl village neighborhood, you're an Exacto knife away from a break-in. Just cut through the siding, rip out the insulation, break the drywall, and walk right in. Brick houses FTW.
Most idiots walk out of the house every day and lock the vanity lock behind them, instead of taking 15 seconds to use the deadbolt. Vanity locks are to keep out the curious. Deadbolts are to keep out the malicious (but not the determined).
How many people leave their windows open or unlocked every day? Or an extra set of keys under the mat in their car?
convenience, laziness, and/or price > security
Admin
If I were to be opposed to publishing how to crack a lock, I would have to criticize my idol, Richard Feynman. That would simply be unacceptable.
http://books.google.com/books?id=7papZR4oVssC&printsec=frontcover&dq=surely+you%27re+joking+mr.+feynman&ei=AJmzS8jLGaWCywTN1ui4BA&cd=1#v=onepage&q=&f=false
(go to the Safecracker meets Safecracker chapter, it's a good read. Any self-respecting geek should read the whole book)
Admin
In college the dorm I was at had one of these lockboxes, just like the one in the picture. Only you could only press each button once, as they stayed down once you'd pushed them, and order was irrelevant. So if your code was 1234, then you also could have opened it with 4321, 2431, 3124, etc. What you're describing here sounds slightly more secure than the one at my dorm, but still not very secure.
Admin
The shortest possible number of keypresses to solve the combination is 4. The greatest possible number is infinite, as I'm sure some idiot would get halfway through and forget his place and repeat (n) tries.
Admin
http://en.wikipedia.org/wiki/De_Bruijn_sequence
Admin
This is a very big ethical problem. We should also keep quiet when old crypto is broken, eh? Everybody keep using WEP, nothing wrong here.
Admin
Given that there are 10 000 combinations, even if you managed 100% density (ie, every digit starts a new, unique 4-digit sequence), you will still have a 10 003 digit sequence to type in.
So this method is hardly a viable attack.
Admin
It's not unethical, if only because the de Bruijn sequence for k=10,n=4 is still prohibitively long.
Admin
Agreed, "security through obscurity" is never a way to actual security.
Admin
Then again, I've had one of them on the outside of my garage since I bought my house two years ago. Nobody knew the code to it, not the realtor, not the bank, the builders even said they didn't know it. I would love to know a combination of inputs to get into the damn thing, just so I can remove it!
Admin
Here's my attempt, in Python. It's inefficient, but I think that it works for the first case--by this I mean that it generates a string that appears to be the right length and contains no obvious duplicates.
Admin
It really is a well-known problem with these boxes. I worked it out when I was 12 as it let me through the cheap combination lock doors.
Admin
Haven't you guys ever read 2600 magazine? One can hack to learn one's craft, not to steal.
Admin
Or it could be like our half-blind Realtor that could never get them open, and just told us the codes to enter ourselves.
Admin
The non-electronic lock-boxes aren't difficult to break into, either.
Take the three-digit barrel lock (bicycle-lock type). Using the limited possible combinations, and the natural force of the spring against the tumblers, it's trivial to hear & feel when you've got the right combination. In short, you can spin the numbers around in sequence as fast as you can move your fingers, and as soon as you get the right one, a nice loud click will indicate you've just gone by the right sequence. Anybody who has done it once before can tackle 3 digits in under 1 minute in the worst case, and may be lucky enough to get it in a few seconds.
Admin
@grizz
these types of articles do work for those who wish to be educated. i have already replaced the lock on my apartment because i read an article discussing lock-picking and found out that my old locks "were good to practice on because they are so easy."
education is a personal responsibility issue, and i appreciate people who put forth the effort to educate me. because of this article you can bet that i will never use one of these boxes myself, and for that i am appreciative.
the more people who publicize this the less likely others will use the device. it is the same in other fields as well. as exploits become more well known people are more likely to secure against it, or switch applications entirely. sure there will be some who try to use that knowledge for nefarious uses, but the more people are educated the less likely the wrongdoer will be successful.
let's get one thing straight, anytime you rely on security through obscurity you are making yourself vulnerable to someone with knowledge. how wide ranging those someones are is irrelevant, what matters is what you do with the knowledge that you are vulnerable. if you do nothing then it is your fault if you are taken advantage of. saying "so and so informed the wrongdoer, if they had not done so this would not have happened" is just passing the blame, not the fault. so and so informed the general public, and you did not take advantage of that fact.
if i am going to buy a security product you can bet that i am going to do the work to find out how secure it actually is, and not just read the manufacturer brochure. i am going to find third parties and ask them what they think. to do anything else would be foolish, and those who do not are leaving themselves open. it is not the whistle-blower's fault for publicizing a known vulnerability, it is the consumer's fault for not doing due diligence. just because the populace at large does not follow through with due diligence does not mean that we should silence the whistle-blowers, that is foolish.
due diligence can take many forms, as can publicizing any finding. many security companies (both physical and digital) offer cash prizes or host competitions so that others have incentive to find and publicize vulnerabilities.
this site has (probably inadvertently) publicized an apparently well known flaw with realtor lock-boxes. i have filed that knowledge away so that i do not become a victim of that vulnerability. the question for you is: what are you going to do with the information? (hint: pass it on)
Admin
While the other list of four-digit codes was readable thanks to a few well-placed commas, this one I had to parse a couple times over to understand. It helped when I noticed the lack of said commas.
Admin
Here's my stab at it. This is a bit unwieldy and could be slimmed down a lot, but it seems to work okay, although it will not handle bad parameters nicely. I also left a bunch of commented out debug prints in here.
Optional arguments are in order: code length, number of buttons, and does order matter (expects "False" for order not to matter). If no arguments are given they default to 4, 10, and True respectively.
Admin
Actually, you have to sign some sort of agreement with your realtor that allows (or doesn't allow) them to place a lockbox on your property.
Also, some security companies hold their own contests challenging the public to hack their system in some way so they learn their flaws and improve their product.
Last, there are updated lockboxes that realtors can use to improve security. Not just by Supra (who is the company that owns the box pictured) but by their competitors, such as SentriLock, as well.
Admin
Modern lockboxes are electronic and need an RFID tag to open. So this is an historic folkloric challenge.
Admin
As other people have mentioned, the classic "combination lock" variety are going out of style, replaced with RF or other electronic locks. Around here they're moving to ones with "phone home" capability, so the realtor's office can tell you exactly when people accessed the box.
But I'm pretty sure anyone who was inclined to exploit the old locks either (a) already figured out the limited combination possibilities; or (b) use a crowbar instead.
Admin
This is called a de Bruijn sequence - the shortest sequence that hits every possible combination of codes.
A generator is here: http://www.hakank.org/comb/debruijn_k_10_n_4.html
Admin
This is how keyless entry pads on most cars work too.
They really are more of a "keep honest people honest" solution -- just like locks on doors made of easy to break wood, or doors on cars with easily broken glass windows.
Admin
I don't have a lock box, but I do have a baseball bat.
Admin
It's way easier to break a small window than to sit on the porch for 2 hours with an excel spreadsheet punching in key combinations. You should hope that more crooks try this method.
In our area, they use pager or sms technology to open the lock boxes. When the Realtor gets to the box, they call the number listed on the back and enter the unit #. If the cell phone they're calling from is registered with the server, it will open the box for them.
Admin
I've seen at least one that appeared to have been vulnerable to the "use a slot screwdriver as a pry-bar" attack. At least, that's what it looked like from its remains. It made me question why anyone uses them. Even in a worst-case scenario, someone could break the entire box off of the house with a crowbar (it's just screwed into wood or stucco after all), take it home and use an angle grinder or drill press on it.
Admin
//
//args handling
//
whatever.language.output(combinationLength + (possibleNumbers ^ combinationLength) - 1)
//
Admin
It's certainly true that there are many different types of lock-boxes, but the brand and type pictured don't work exactly like you say, at least not in my experience. You have to have the correct set of numbers, but the sequence doesn't matter -- meaning, if the code is 1234, you can enter 1-2-3-4, or 2-3-1-4, or 4-3-2-1. As long as all the correct buttons are pushed, and none of the incorrect ones are, then it opens. If you make a mistake, the second slider between buttons 3-4 and 8-9 un-pushes all the buttons.
Clearly the security isn't that great.
NOW your challenge is to write a function that will take the # of buttons in the code (say, you're standing next to your realtor, count the clicks), and print out a list of all possible codes of that length, eliminating the duplicates based on the above (print 1-2-3-4, and don't print 2-3-4-1 or 3-4-1-2 or 4-1-2-3)... THEN you'll see how insecure these boxes really are.
Admin
Those of these I've seen used Simplex locks, which are a bit more complicated than what you describe.
A simplex lock has five buttons. In a combination, each button can be pressed at most once. But order does matter, and more than that, so do simultaneous pushes.
A combination is a sequence of 0-5 pushes:
Valid combinations:
{1} {1} {2} {1 2} {3} {4 5}
There still aren't that many possibilities, but working through the list takes a bit more intellectual exercise.
Admin
They're bolted to the wall, at least mine is, which is the same as the one in the image. It would be easier to break the door than pull it off the wall.
That particular model also only allows 4 digits to be pressed hence the method suggested doesn't work.
Admin
You're right, just tested it on mine of that model. You can do your combination in any order.
Admin
I have found the fireman's axe to be the perfect tool for entering a place... not only does it grant nearly immediate access to almost any building, room, or hallway, but it strikes great fear into any potential occupants, meaning that they're usually all huddled into one spot whilst you merrily make your way through the rest of the place undeterred. It also serves as a great defensive or offensive weapon. Downside: it's noisy as hell and not good for apartment complexes.
DISCLAIMER: ... oh, screw it, if you really take this seriously, then you can just bugger off...
Admin
Certainly. That attacks the real lock on the door though, not the combination lock holding the real keys. As others have mentioned, there are other ways of attacking this combination lock, such as using tension to feel which numbers are part of the combination and so on. Actually trying all the combinations is going to be a pretty rare attack, with easier alternatives available.
Admin
I agree. My vote is for pull off the faceplate, trace the wires from the lock mechanism. Short out each one to each pole of the battery and boom, it will probably magically open. I hate it when people try to solve electrical problems with a computer.
Admin
Erm, it's only called breaking and entering if .. you guessed it .. break ... AND .. enter.
I'm sure the cop would tear a strip off of you, and perhaps charge you with intent if you couldn't think of a really good excuse.
Swearing a lot and cursing and how you're gonna sue your realtor is probably enough to get you off with a warning.
Anyway, there's probably a key under the doormat.
Admin
You can also tell what numbers are involved just by looking at the wear and dirt on the box around the numbers, because the combination is usually not changed often, if ever.
I agree with other posters here that the simplest way to get into a house is with a boot to the door, or a brick through a window. People focus so much on locks, and will spend hundreds of dollars getting special locks for their house, but do nothing to make the windows unbreakable, and therefore their investment in the lock is useless.
Many key locks are also susceptible to Key Bumping, if you can't be bothered to take the minute it takes to stroke-pick a lock cylinder.
Locks only keep honest people out.
Admin
Also, whereTF does Alex live that is still using these? Where I live (city with pop. of ~300K) the lock boxes have IR receivers and the agents use a smartphone to open it.
An interesting point this brings is you always have to look for the lowest common denominator in security. A condo I lived in spent big bucks to get entry locks that were un-bumpable (also extremely difficult to pick). The only problem is the buzzer board at the front door was protected with a 3-tooth key (easily pickable, probably easy enough to force). Once you open the panel to the buzzer you can buzz yourself into the building (that's how the mail person would let themselves in, albeit with a key).
Admin
Pressing keys for all combinations: O(m*n^m)
Pressing keys while exploiting the overlappings: O(n^m)
Opening the door with a crowbar: O(1)
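Added example (not code posted by any commenter in this thread): a keyspace audit in Python that puts numbers on the press counts compared above and on the order-irrelevant box described earlier in the thread. It generalises to any number of buttons `k` and code length `n`; the function names are this example's own, and the de Bruijn generator uses the standard Lyndon-word construction.

```python
from itertools import combinations
from math import comb


def de_bruijn(k: int, n: int) -> list[int]:
    """Cyclic de Bruijn sequence B(k, n), standard Lyndon-word construction."""
    a = [0] * (k * n)
    seq: list[int] = []

    def db(t: int, p: int) -> None:
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
            return
        a[t] = a[t - p]
        db(t + 1, p)
        for j in range(a[t - p] + 1, k):
            a[t] = j
            db(t + 1, t)

    db(1, 1)
    return seq


def linear_cover(k: int, n: int) -> list[int]:
    """Unroll the cyclic sequence so every n-digit window appears without wrap-around."""
    cyc = de_bruijn(k, n)
    return cyc + cyc[:n - 1]


def windows_seen(seq: list[int], n: int) -> set[tuple[int, ...]]:
    """All distinct n-digit codes a rolling-window keypad would test for this input."""
    return {tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)}


def order_free_codes(k: int, n: int) -> list[tuple[int, ...]]:
    """Codes for a box where each button is pressed once and order is ignored."""
    return list(combinations(range(k), n))


def audit(k: int = 10, n: int = 4) -> dict:
    """Compare the effort figures discussed in the thread for a k-button, n-digit lock."""
    seq = linear_cover(k, n)
    return {
        "codes": k ** n,
        # Lock with an entry boundary (clear/reset between attempts): n presses per try.
        "naive_presses": n * k ** n,
        # Lock that checks the last n presses continuously: overlaps are shared.
        "rolling_window_presses": len(seq),
        "all_codes_covered": len(windows_seen(seq, n)) == k ** n,
        # Press-once, order-irrelevant box: only C(k, n) distinct codes exist.
        "order_free_codes": comb(k, n),
    }


if __name__ == "__main__":
    for name, value in audit().items():
        print(f"{name}: {value}")
```

For the 10-button, 4-digit case this reproduces the figures quoted in the thread (10^4*4 presses versus a 10 003-digit sequence) and shows that the order-irrelevant model has a far smaller code space than either.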
Admin
Something that has been missed in the comments regarding my rant is that I'm not advocating a moratorium on all discussions of security threats. I fully agree that knowing of a device or procedure’s vulnerabilities beforehand is better than discovering after the fact that you’ve trusted something inherently unsecure. The thing that initially raised my hackles is the incivility all too often shown to anyone who dares question the propriety of discussing an issue in certain forums. If someone questions the direction of a discussion in a polite way, they don’t deserve to have scorn and rancor heaped on them in return.
Often it is the degree of detail being discussed or the venue of the discussion that is the person’s point of concern. For example, detailed step-by-step directions for making meth aren’t necessary in a discussion of why making meth is A Bad Thing; people can be educated about the dangers without broadcasting a cookbook of how to do it. Topics and details that are appropriate in one forum might not be appropriate in another. Using the meth example, a cookbook of how it is done would be reasonable to see on a law enforcement site but not so much in comments on a site about Pokemon, for instance.
In this thread there have been a bunch of posts with pretty detailed descriptions on how to defeat various locks. Is the knowledge of how easy it is to defeat them useful? Yeah, probably. I suppose a guy could switch realtors if the one he’s using only has the unsecure type of lock. But does the detailed information on how to foil the lock give him any advantage? I don’t see how.
Admin
Really, the standard of Latin on this forum has gone to pot lately. Pfah!
Admin
Then I suggest that you forward this page to every realtor that you know.
Admin
http://en.wikipedia.org/wiki/De_Bruijn_sequence
Admin
These locks are completely worthless anyway. Once they are anything but brand new, they can be trivially 'picked' by placing the catch under load and wiggling each key. If the combination is not regularly changed you can also look for the slight 'polish' on the used keys.
-----N
Admin
My neighborhood front door has a keypad lock that works in a similar way, via firmware. They have a 9-key buffer, and the combination is 3 keys. The buffer wraps and they only check the first three slots, so you can hit any multiple of 9 keys followed by the combination and it will open. Sometimes, when I screw up, I find it quicker to spam 6 button presses and then retype the code instead of waiting for the lock to time out and reset.
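Added example (not the commenter's code and not real firmware): a Python model of the wrapping-buffer check as described in the comment above, beside a hypothetical hardened variant that compares only complete, bounded attempts and locks after repeated failures. The class names, the sample code `4-7-1` and the failure limit are assumptions made for illustration.

```python
class WrappingKeypad:
    """Behaviour as described: 9-slot ring buffer, only the first slots are compared."""
    SLOTS = 9

    def __init__(self, code):
        self.code = list(code)
        self.buf = [None] * self.SLOTS
        self.pos = 0

    def press(self, key) -> bool:
        self.buf[self.pos] = key
        self.pos = (self.pos + 1) % self.SLOTS
        if self.buf[:len(self.code)] == self.code:
            # Opened: clear state so a stale code does not keep matching.
            self.buf = [None] * self.SLOTS
            self.pos = 0
            return True
        return False


class BoundedKeypad:
    """Hypothetical hardened check: fixed-length attempts, cleared each time, with lockout."""

    def __init__(self, code, max_failures: int = 3):
        self.code = list(code)
        self.max_failures = max_failures
        self.entry = []
        self.failures = 0
        self.locked = False  # simplification: a real lock would use a timed lockout

    def press(self, key) -> bool:
        if self.locked:
            return False
        self.entry.append(key)
        if len(self.entry) < len(self.code):
            return False
        attempt, self.entry = self.entry, []  # every attempt starts from a clean slate
        if attempt == self.code:
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
        return False


def feed(lock, keys) -> bool:
    """Press every key in order; report whether the lock opened at any point."""
    return any([lock.press(k) for k in keys])


CODE = [4, 7, 1]  # constructed sample combination

if __name__ == "__main__":
    mistyped_then_padded = [1, 2, 3] + [0] * 6 + CODE
    print("wrapping keypad opens:", feed(WrappingKeypad(CODE), mistyped_then_padded))
    print("bounded keypad opens: ", feed(BoundedKeypad(CODE), mistyped_then_padded))
```

The wrapping model accepts the code after nine arbitrary presses because nothing ties a comparison to the start of an attempt; the bounded model counts those nine presses as three failed attempts and refuses further input.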