Anyone Can Be The Master Of This Master Lock Safe
[Etienne Sellan] got one of these lovely $5 logic analyzers. As with any shiny new tool, he started looking for things to investigate with it, and his gaze fell on a Sentry Safe (produced by Master Lock). On the surface level, this keypad-equipped safe is designed decently when it comes to privilege separation. You can take the keypad board off and access its backside, but the keypad doesn’t make any decisions, it merely sends the digits to a different board embedded behind the safe’s door. The solenoid-connected board receives the PIN, verifies it, and then controls the solenoid that unlocks the safe.
[Etienne] hooked up a logic analyzer to the communication wire, which turned out to be a UART channel, and logged the keypad communication packets — both for password entry and for password change. Then, he wrote some Arduino code to send the same packets manually, which worked wonders. Bruteforcing wasn’t viable, however, due to rate limiting in the solenoid controller. Something drew his attention from there – if you want to change the password, the keypad requires you to enter the factory code, unique to each safe and supplied in the instruction manual. That code entry is a separate kind of packet from the “change password” one.
Armed with an Arduino able to send packets imitating those produced by the keypad, [Etienne] found a critical bug – sending the password change command didn’t actually require the factory code packet to be sent first. By sending a single packet saying “please change the code to 00000”, the PIN code is reset. All you need for that is an MCU injecting serial packets, and [Etienne] built just that, embedding an ATmega circuit into the shell of a marker, tip replaced with a two-pin header.
If you want to hack such a safe, you just need to remove the keypad, take the cap off the marker, touch two pins to test points on the keypad board, and press a button that sends a packet to the safe — as shown in a video by [Etienne]. Just a bit shy of a James Bond-suited tool, this marker will yield you a gun in times of need, or perhaps a wad of cash, as long as you can locate a Sentry Safe out in the wild.
This is exceptionally bad, obviously – given that this safe is advertised for storing valuables and firearms. The company was notified of the problem but never responded. If you have a safe that’s affected, however, [Etienne] designed an intermediate board that mounts inside the safe, between the keypad and the solenoid boards, and presumably blocks malicious packets. The designs for everything are open-source, in the best of hacker traditions. With this board, your safe’s safety is one PCB order away. As if [Etienne]’s work had to be any cooler, he also wrote a firmware that adds OTP code support to this board, so you can use your favorite 2FA app to open this safe, too.
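The root cause is a missing authorization check between two packet types: the controller accepts “change PIN” without first having seen a valid factory code. An intermediate board of the kind described above can close that gap in firmware by enforcing the sequence itself. The following is an added example written for this article, not [Etienne]’s firmware or Master Lock’s protocol: the packet layout (type byte, digit count, ASCII digits), the packet type values and the `guard_*` functions are all constructed here for illustration, since the real Sentry Safe frame format is not documented on this page. The guard is provisioned with the safe’s factory code, forwards ordinary unlock attempts untouched, and only forwards a PIN change when the immediately preceding packet was a factory code that matched.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical frame layout, constructed for this example:
 *   byte 0   : packet type
 *   byte 1   : digit count N (1..MAX_DIGITS)
 *   byte 2.. : N ASCII digits
 */
enum pkt_type {
    PKT_ENTER_PIN  = 0x01,  /* normal unlock attempt */
    PKT_FACTORY    = 0x02,  /* factory code, must precede a PIN change */
    PKT_CHANGE_PIN = 0x03   /* set a new PIN */
};

#define MAX_DIGITS 8

enum verdict { DROP = 0, FORWARD = 1 };

struct guard {
    char factory_code[MAX_DIGITS + 1]; /* provisioned once, from the manual */
    int  factory_ok;                   /* armed only right after a matching factory packet */
};

static void guard_init(struct guard *g, const char *factory_code) {
    memset(g, 0, sizeof *g);
    strncpy(g->factory_code, factory_code, MAX_DIGITS);
}

/* Constant-time compare so the guard itself does not leak the code by timing. */
static int ct_equal(const char *a, const char *b, size_t n) {
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Framing check: known type, sane digit count, payload is all digits. */
static int pkt_well_formed(const uint8_t *pkt, size_t len) {
    if (len < 2) return 0;
    if (pkt[0] < PKT_ENTER_PIN || pkt[0] > PKT_CHANGE_PIN) return 0;
    size_t n = pkt[1];
    if (n == 0 || n > MAX_DIGITS || len != 2 + n) return 0;
    for (size_t i = 0; i < n; i++)
        if (pkt[2 + i] < '0' || pkt[2 + i] > '9') return 0;
    return 1;
}

/* Decide whether a keypad packet may be forwarded to the solenoid controller. */
enum verdict guard_filter(struct guard *g, const uint8_t *pkt, size_t len) {
    if (!pkt_well_formed(pkt, len)) { g->factory_ok = 0; return DROP; }
    size_t n = pkt[1];
    switch (pkt[0]) {
    case PKT_ENTER_PIN:
        g->factory_ok = 0;            /* unrelated traffic cancels a pending change */
        return FORWARD;
    case PKT_FACTORY: {
        char code[MAX_DIGITS + 1] = {0};
        memcpy(code, pkt + 2, n);
        int len_ok = (n == strlen(g->factory_code));
        int val_ok = ct_equal(code, g->factory_code, MAX_DIGITS);
        g->factory_ok = len_ok & val_ok;
        return g->factory_ok ? FORWARD : DROP;
    }
    case PKT_CHANGE_PIN: {
        int ok = g->factory_ok;
        g->factory_ok = 0;            /* one change per successful factory entry */
        return ok ? FORWARD : DROP;
    }
    }
    return DROP;
}

int main(void) {
    struct guard g;
    guard_init(&g, "12345");          /* constructed sample factory code */
    const uint8_t change[] = {PKT_CHANGE_PIN, 5, '0', '0', '0', '0', '0'};
    const uint8_t factory[] = {PKT_FACTORY, 5, '1', '2', '3', '4', '5'};
    /* Unauthenticated change on its own is dropped; after a matching factory code it passes. */
    printf("change alone   : %s\n", guard_filter(&g, change, sizeof change) ? "FORWARD" : "DROP");
    printf("factory code   : %s\n", guard_filter(&g, factory, sizeof factory) ? "FORWARD" : "DROP");
    printf("change after it: %s\n", guard_filter(&g, change, sizeof change) ? "FORWARD" : "DROP");
    return 0;
}
```

The guard never trusts the controller to do the check it evidently skips: a change request is only forwarded if the guard itself saw the correct factory code in the previous frame, and that authorization is consumed by a single change, so a stray or replayed change packet is dropped.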
We tip our hats to [Etienne] finding this bug, making a cool proof-of-concept, and then even creating a fix – in the face of the manufacturer straight up ignoring the problem. We often see hardware hackers upgrading their safes or breaking into them, and it’s nice to see a project that manages to do both.
Hi @SentrySafe & @MasterLockUS,
I just found a software vulnerability in your electronic safe firmware that allows opening the safe without the secret code.
I made a pocket payload injector as PoC.
Is it possible to discuss with you to provide details and help fix? Cc @LockPickingLwyr pic.twitter.com/B4A75Ws1OG
— Etienne Sellan (@etienne_sellan) February 21, 2022