Header Ads

Anyone Can Be The Master Of This Master Lock Safe

A light blue marker with a two-pin header replacing the tip, being pressed against the back of the keypad baord that's removed from the safe

[Etienne Sellan] got one of these lovely $5 logic analyzers. As with any shiny new tool, he started looking for things to investigate with it, and his gaze fell on a Sentry Safe (produced by Master Lock). On the surface level, this keypad-equipped safe is designed decently when it comes to privilege separation. You can take the keypad board off and access its backside, but the keypad doesn’t make any decisions, it merely sends the digits to a different board embedded behind the safe’s door. The solenoid-connected board receives the PIN, verifies it, and then controls the solenoid that unlocks the safe.

[Etienne] hooked up a logic analyzer to the communication wire, which turned out to be a UART channel, and logged the keypad communication packets — both for password entry and for password change. Then, he wrote some Arduino code to send the same packets manually, which worked wonders. Bruteforcing wasn’t viable, however, due to rate limitation in the solenoid controller. Something drew his attention from there – if you want to change the password, the keypad requires you enter the factory code, unique to each safe and supplied in the instruction manual. That code entry is a separate kind of packet from the “change password” one.

More after the break…

Picture of the internals of the marker, with an ATMega in DIP, two CR2032 cells in red 3d-printed holder, a two-pin header attached to the ATMega by wires, and a simple button glued into the side of the markerArmed with an Arduino able to send packets imitating those produced by the keypad, [Etienne] found a critical bug – sending the password change command didn’t actually require the factory code packet to be sent first. By sending a single packet saying “please change the code to 00000”, the PIN code will be reset. All you need for that is an MCU injecting serial packets, and [Etienne] built just that, embedding an ATmega circuit into a shell of a marker, tip replaced with a two-pin header.

If you want to hack such a safe, you just need to remove the keypad, take the cap off the marker, touch two pins to test points on the keypad board, and press a button that sends a packet to the safe — as shown in a video by [Etienne]. Just a bit shy of a James Bond-suited tool, this marker will yield you a gun in times of need, or perhaps a wad of cash, as long as you can locate a Sentry Safe out in the wild.

The intermediate board design, with an ATMega and an ESP-01 module on it, three connector-ended two-wire cables going away from the board.This is exceptionally bad, obviously – given that this safe is advertised for storing valuables and firearms. The company was notified of the problem but never responded. If you have a safe that’s affected, however, [Etienne] designed an intermediate board that mounts inside the safe, between the keypad and the solenoid boards, and presumably blocks malicious packets. The designs for everything are open-source, in the best of hacker traditions. With this board, your safe’s safety is one PCB order away. As if [Etienne]’s work had to be any cooler, he also wrote a firmware that adds OTP code support to this board, so you can use your favorite 2FA app to open this safe, too.

We tip our hats to [Etienne] finding this bug, making a cool proof-of-concept, and then even creating a fix – in the face of the manufacturer straight up ignoring the problem. We often see hardware hackers upgrading their safes or breaking into them, and it’s nice to see a project that manages to do both.


No comments