>>Hello everyone, um thank you very much for coming to this talk. Uh, we’re going to attempt to crack this safe in the next 45 minutes. We could have made this safe cracker faster but then how would we get a 45 minute time slot [laughter] so we’re going to do the best we can. These guys are still setting up as you can see it’s kind of uh a big set up but um, we’re going to go through the technical aspects of how we built it. I am Nathan, this is Joel and that’s Rob. [laughter] So a little background, um if you uh may or may not know a company called SparkFun Electronics so back 15 years ago in 2002, I started SparkFun Electronics in a little room, hopefully you can see it uh this was in student housing and there was like 15 of us in this house and I started shipping little electronics out of my bedroom freaking out my roommates. Uh and um, here we are today pretty advanced website. We have about 2,000 products that we sell, uh about 500 of those are open source hardware. So today um, what SparkFun does is we design little development boards and technology and then we build projects using that technology to demonstrate it and inspire other folks. So this is an example of uh a LIDAR with an Arduino shield and uh 7 uh couple 7 segment displays and you can see um if you have distance >>[audience babble] Slide! [indiscernible] Slide! >> No slides? >>You don’t have slides you’ll have to do an interpretive dance >>[laughs] Going to do an interpretive dance for all the slides. [off-mic inaudible chatter] [laugh] [faint squeaking] >>Tell us a story! >>Another shot! [laughter] >>He can’t move, he can’t move! [laughter] [squeaking continues] So I don’t know if you can hear that noise, but I still have nightmares with that noise. We’ve been working on this a lot uh but I’ll wave my hands. So uh what the robot is doing as you can see um, if you can see there’s a dial on the front and there’s uh a servo pulling on the handle. 
So while um we set up here um we attach the robot using magnets so the idea is that uh it’s- there’s no glue, there’s no drilling, there’s nothing to make it so that um you would if we did it right [applause] okay. We got slides, um I don’t know if we’re going to have this video feed up but um hopefully they’ll work on that. In the meantime I’m going to stream through this thing. I’m Nathan, that’s Joel, that’s Rob. Uh this is what SparkFun looked like 15 years ago, student housing uh 15 people in this house uh this is what our website looks like, cool. Um this is [laugh] we build technology, this is a LIDAR with a couple 7 segment displays and you have distance out to about 40 feet right? So if you take multiple measurements um per second then you can turn that into speed. So this is a speed trap, you run at the wall and see how fast you can get that number up to. [laughter] and in the lower right hand corner you can see the handprint um we’re lucky no one's cracked the drywall yet. Um this is uh another thing I built a speedbag detector so you hit the speedbag and vibrations from the platform using an accelerometer you can count the number of speedbag hits. That helped me train for an amateur boxing match. I am undefeated 1 and 0 amateur boxer. [applause] A Beehive we hacked. So we took a bathroom scale, hacked it, attached it to wifi and you can see the weight of the beehive change over time. It’s actually sawtooth cause every morning 5 pounds of bees leave the hive and they come back during the day and then they leave again. Kinda interesting. Um Power-Power Wheels, my wife and I. Who is my beautiful wife like to hack things. So we hacked Power Wheels um up to about 48 volts uh a bunch of sensors. Uh laser distance sensors uh it’s an autonomous Power Wheels that does about 18 miles an hour. [laughter] This is all to say I’m a hardware geek. I don’t know software. My wife had to explain this cartoon to me. [laughter] I’m sorry. 
Then she asked me for a sandwich. Okay [laughter] You’re all here today to figure out how to make these look like this. Now the story behind this thing is uh, I’m really into puzzles and my wife found a safe on craigslist for 20 dollars. It was so cheap because the owner of that safe did not have the combination, they had lost it. You can hire a locksmith to open it up for you but the owner was just like oh forget it, I’m just going to kick it to craigslist so my wife bought it and gave it to me for Christmas and I said hey we got to build a robot to open this thing up. [laughter] and we, okay we’re doing good. Alright, um and then uh we built it, uh we live streamed it on you uh YouTube which was the second dumbest thing I’ve dom- I’ve done in my life. The dumbest thing I’ve done in my life is demoed Def Con. [laughter] So we’ve opened this safe in 41 minutes. Okay now this safe is really cool um but I’m going to give you a little animation about how safe combination locks work. A little background there we go. Okay, there is 3 disks. The A disk, B disk and C disk. hmmm, hmmm, [humming under breath] there we go, lovely alright. So the C disk is that blue one that’s got the notches in it, the green disk is disk B, disk A now the first thing you need to know is disk C is directly attached to the dial so when you twist that dial you’re only turning disk C. Now after a while disk C has these dots on it and those dots will interfere with the dots on disk B. And so that’s how you turn disk B. Continuing to turn, you turn disk A. You line up those slots and you can unlock the safe. K? Have you go back, do do do do do. That’s going to be important later on. Starting on the top lefthand corner, this thing runs on an Arduino. It’s not a Raspberry Pi, it’s not some heavy lifting single board computer. It’s just an 8-bit microcontroller, which means we can make this thing portable. Um next up we’ve got 3 magnets that help it stick to the safe. 
Power supply, that is just an AT power supply uh common 12 volts 5 volts, you find it fairly often with external hard drives. Really cheap, um it provides us with a couple amps on a 12 volt 5 volt rails. Uh next is the erector set that’s uh from a company called Actobotics. That makes it really handy so that we can reconfigure the robot as we need it. Um for instance, if you had the dial in a different place or the handle in a different place. You can rejigger it real quickly to make those two things fit. Um the motor has 8,400 ticks. What that means is that it’s a DC motor that spins really fast. But on the back end of it, it’s got an encoder. So it’s a magnet that passes uh uh a Hall effect sensor. That motor that turns it like I dunno 10,000 RPM. On the front of that, there’s a gearhead that gears it down to uh, uh a single rotation so 8,400 turns of the magnet equal one rotation of the head. So we take 100 digit dial and we split it into 8,400 individual segments. Okay? So, that’s the motor. Next we have the servo with feedback, that’s the servo that pulls on the handle and tells us when the handle is pulled down and let’s see. Next step of building this thing, is we had the 3D model of the safe. Uh from that we were able to print uh 3D print a coupler. So that coupler fits on the dial really nicely and tightly. You can see the little uh flag sticking off of it. We use that and a photogate. So there’s a photogate uh attached to the Arduino that looks for that flag and sees when it breaks the beam. When it breaks the beam it knows that it is. Well it knows the flag is there and it asks the human, “hey what number am I at?” and the human types in, “62” and it says “aww okay I now know where 62 is.” It can immediately go to zero. So it’s a way that we can kinda calibrate, home the dial. This is what the handle puller looks like so we have a spring that pulls back uh pulls the handle back up. We have a servo with this cool nautilus gear. 
That allows us to maintain constant torque while pulling on the handle and then we have some very fancy string that you can get from anywhere that will attach the handle to the servo head. And again we got uh analog feedback on that servo. Um the way that you do that is you take any off the shelf servo, you open it up and there’s uh uh a potentiometer in there, you solder it to the center point of that potentiometer and you can see, you can uh analog voltage is in relation to where the head is. So now we can say okay the head is at 45 degrees or it’s at 90 degrees and from that we can tell when the handle is open. This is what the electronics look like. Um top left corner, motor driver to 15 amp motor driver because this motor pulls a couple amps so it’s overrated but that’s good because we don’t want it to get hot. Um underneath we’ve got an Arduino right? It’s just a RedBoard, that’s the board that SparkFun makes um we’ve got a buzzer. Piezo buzzer so it can beep and let us know when the safe is open. Um there’s, we initially designed a current sensor into the board thinking that we would look at how much current the motor was using, to tell when it started to stall. We found out that it’s actually a lot faster to see the encoder stop so when we tell the motor to do something, if we ever see the encoder ever stop turning it’s about 100 milliseconds before we see the current increase so we don’t actually use the current sensor, we just look at the encoder. Next is that 12 volt external hard drive power supply. Uh next we have the motor control and feedback. So the motors are pretty simple right? You give it DC power in one direction and the motor starts turning uh in this case it’s got a couple more pins because it’s giving us feedback to that uh, gives us access to that encoder so we can read the encoder, we can power the motor and we can switch the directions on the motor and then we can turn the dial in different directions. 
Uh next up we’ve got a display, and I’m just going to check it out real quick. So currently we’re testing 18, 16, 93 um so that’s a display 7 segment with a bunch of segments um the interface to that display is 3 wire so it’s serial just going uh to the display. Um next is the, that home photogate so it’s a really simple photointerrupter, you power it and um whenever it breaks the beam you can see that pin go low. So we can tell the head to turn until we see that beam broken and we know the flag is there. Last uh, next up we have a go button. So we wanted to make this thing as autonomous as possible. You’ll see a red button on the robot so we hear it, we hit the red button and it starts doing its thing. Next up, is the servo and feedback, again that’s where we attached the servo to find out where the handle’s at. Now, this is uh we had to connect all these things together. Um so this is a pretty simple schematic. There’s not a whole lot going on it’s just a whole series of connectors and making sure that the servo and buttons and everything are connected to the right spot on the Arduino. Could have done this with wires, we could have just inserted things but it’s not going to make it very portable and not going to make it very reliable. So uh, this is the schematic you can see in the bottom center is that gear logo. Um I don’t know how many people are familiar with open source hardware. This is open, yeah yeah awesome OSHWA uh the Open Source Hardware Association um uh this you can take this design, you can modify it, you can copy it, you can sell it, you can do whatever the heck you want with it. Um and that’s the same for all SparkFun products. We believe that everything should be open source and you know, if you can learn from me then I can learn from you and we can build upon each other's work so this is all open source, this is the schematic. Uh we turn it into a printed circuit board so uh this is a really simple printed circuit board. 
It’s two sided but the traces are huge and it’s all through hole soldering, and it’s- it’s really pretty straightforward. So that’s the PCB. Now let’s talk a little bit about the keys and how we will hopefully get this thing open quickly. Um there is about a million combinations on a given safe. And the reason that is is you’ve got to dial 0 to 99. So it’s 100 times 100 times 100. That’s a million. If a human walks up to a safe, think about it, you gotta clear the dial right? And then you gotta dial in the first one and you gotta dial the second one and the third one and pull on the handle. Takes about 10 seconds for a human to do that. Um so worst case, if we were to brute force this, it would take 115 days of nonstop trying every 10 seconds. So the first exploit that came about was how we could uh reduce the overall key set. I don’t know if you noticed but we are only testing 93 over, over, and over again. Why is that? That’s because uh oh let me take 1 step back um. So 100 times 100, we can actually reduce that a little bit. They design the safes so that if the digit is say 56. Humans are really bad at doing fine stuff. So it’s hard to get 56 just right so they design the safes so that 57 and 55 will work so it’s a 3 digit window so we’re not actually trying all 100 we just have to hit that middle digit. So we’re doing 33 times 33 times 33, it’s still 4 days. It’s mind numbingly slow. So this is what the inside of the safe looks like. There are 3 dials and the 2 white ones and a black one, if you see that black one, it’s got a bunch of uh indents on it and that’s what we call those indentations. Those are there uh yeah so there are 11 small indents and then there’s one large indent and that’s the solutions slot. So we know that one of those 12 indents has to be the solutions slot. So we don’t have to try all 33 digits on the last disk, we only need to try um 12 on disk C that’s the black disk. 
So now we’ve reduced the solutions set 33 times 33 times 12 still at 1 and a half days. The real kicker came when um I took apart the safe and found out that the solution indent on this older model safe is slightly different in size okay? So that small indent is about ten thousandths of an inch smaller than the other 11 shallow indents. So from the outside of the safe, if we have a sensitive enough motor we can measure those indents and find the skinniest indent. So if we can do that then we can take disk C down to 1. We have the solution number within about 20 seconds. So if disk C has the skinny indent. We take 33 times 33 times 1. We’re now down to about 3 hour test time. So the first thing I want to show you, well no, I got to show you all sorts of stuff but this is the model safe we had back in Boulder uh that we got off craigslist. Uh and it’s really cool and that’s the one we cracked open, it worked well. The problem is we wanted to do this demo at Def Con. This safe is about 10 years old and you can no longer get this model safe. Awesome, so we looked around and said “well what is the model of safe we can buy at.” What’s that? [inaudible] We’re good. Okay. What’s the model safe we can buy here in Vegas, we bought this safe at Home Depot. This is the model you can get readily available in Vegas. Now something should jump out at you about this picture. What is it? There’s keys, where the hell did those come from? Those weren't on the original model safe. So when we’ve found, we saw the model safe in Vegas. We’re like okay cool let’s get the same model in Boulder I buy this same model in Boulder, where we’re from and I take it up to Rob’s office and I’m like hey we got this safe and I’m like “Oh my God, wh-wha-what is, there’s keys now? This isn’t gonna work.” I know the Def Con audience is really understanding about demos but we can’t just show up with a robot that doesn’t work. How are we going to open this lock? Well anybody who knows tubular locks right? 
Um this is the first time in my life where I used a Bic pen. [laughter] to open a lock. It works really, really well. [laughter] It’s incredible so uh sure enough if you find this safe and you need to get it open, build one of these robots and bring a Bic pen with you, that’s all you need. So inside this safe, again we’ve never opened this safe. We bought it yesterday, um God I hope we get it open. But um, this is what the inside of our safe, same model in Boulder looks like. Ok? Same 12 indents, all plastic now the interesting thing about this disk C is that the solution slot is actually fifty thousandths of an inch larger than all the other indents. That may not sound like a lot but that’s 54 ticks on the encoder. That’s, that’s a huge gaping, like i-it’s such a sore thumb it sticks out at you. So uh this is how, what it looks like um. How we measure the indents. So the robot will spin the disks to an indent and then it will apply pressure on the handle and rock the wheel back and forth. Now remember the encoder is giving us feedback so we can say “okay the encoder is at 17 and then it went to 312” and then we do the subtraction and say “okay that indent is this many ticks wide.” And we do that for each indent. And I think, yup we’ll eventually do the solutions slot, measures that. [inaudible noise] Got it? K. That’s how you measure the indents. Now we’re not trying anything yet but we are establishing what those indent widths are. So [deep breath] this is what the output from the terminal looks like. Nothing may jump out at you except that. The width of that indent is like a sore thumb, it’s much bigger than any other indents. So our software says “okay cool, the large indent number is 6, that is the number I’m going to try for all other combinations.” So in this case, we think the indent is 93, we’re really, really hoping the solution indent is 93. Uh we’re gonna see if it works or not. Uh we’re pretty sure. So, we know we have the solutions disk C. 
It’s 33 times 33, it still takes about 3 hours so how are we going to do this in under 45 minutes? There’s some other things that we can do. How can we get the test time down from 10 seconds to something shorter? Um this is something we created called set testing so uh we’ve got the test time down to about 4 seconds per test. We can even go a little bit faster than that. Um but let me demonstrate what set testing is cause it’s a little complicated. Um well it’s not complicated it’s hard to describe. So, hum hum, so this, I’m going to play this animation again but disk C is the blue disk. Disk B is the green disk. Now we have those interference points right? To test as quickly as possible, I shouldn’t reset all the disks. I’m a robot, I know exactly where the disks are so I shouldn’t have to reset B. I tested C and now I’m gonna turn C until it interferes with B. B will move three digits and then C returns to where it needs to be and we test again. So we do this, we turn B, we bring it back, we turn B, we bring it back. And I want to show you the next video of that in practice. Set testing and take measurement. Mmk so this is, it-it the robot. Oh that set testing, measurements there we go. So we test, we move the disk, we test, we move the disk, we test and you can see that slot opens up a little bit and keeps going and we go right through it. Now realize that this is just a quick little video but we’re testing a large number of combinations in the 10 seconds it takes to watch this video. We’re screening through combinations as quickly as we can. Hmm, okay so doo-doo if we can get the set time, test time per combination down to about 4 seconds how are we gonna get it down to 45 minutes. We can’t, it’s all luck. It’s to the demo Gods of Def Con to try to get this thing open in 45 minutes. [laughter] It’s not an exploit, it’s just luck. Um so you may ask yourself uh okay, how can we improve upon this technology? How do I protect myself? 
Well there’s a couple things, um if you don’t like combination locks get one with a keypad right? The one in the middle has a keypad and my robot does not work on keypads, however before you buy the model of safe in the middle, I suggest you search for it on the internet because that safe can be opened faster than we can open this one. You take a high powered magnet, you take it outside and there’s a solenoid that when you type in the keypad, that solenoid pulls the pin and you can open the safe? Well if you take a high powered magnet and you can activate the solenoid using that magnet from the outside and you can open the safe in a couple seconds. [laughter] Do your research. Um well Nathan, I could just spend more money on a safe. Yes you could, there’s lots of good secure safes out there for um ya know a thousand dollars. Um you can get a safe that doesn’t have plastic internals right? This safe is the most common model at Home Depot, Lowe’s and all the other places. So this is the one that we wanted to exploit because this is probably the one that everyone has. However if you spend a whole bunch of money you can get a jeweler’s safe but you can also get the SG6030 the interesting thing about this is that um the only people that buy this are locksmiths because they are the only ones who can actually dial in the single digit combination. Remember, our safe has that plus or minus one digit so if you dial in 56 and it’s supposed to be 55, it’s still going to work. This lock you have to be dead on and it’s so bad that most users can’t open their own safe. And there’s always someone around with a thermal lance [laughter] right? No matter how much money you spend on a safe. There’s, uh nothing is impervious. So few things about future research, um we found out that as you, there’s 2 aspects, 2 motors on our robot. One is the motor that spins the dial and the other one pulls on the handle. We have a very sensitive motor that uh turns the dial. 
We can also get a very sensitive servo that pulls on the handle. At, giving us feedback about how far down the handle has been pulled. Um, if the ha, we uh let’s see. Based on the depth at which the handle is going, we ought to be able to glean some information about the disks inside the safe. I don’t know if we can or not, but we can get uh depth feedback from the servo. Something to look into. Uh another one, this is from my friend TJ. This is an idea, it’s called impulse response we ought to be able to slam the arm into the disks and listen to what it sounds like. If there’s 3 pieces of plastic there. We should hear one sound. Humans probably won’t be able to detect this but a computer could look and do the analysis and say ah there’s 3 pieces of plastic there or in this case. You can barely see there is one slot lined up to whenever we slam into it. There’s only 2 pieces of plastic, we should have a different impulse response. If we can make this happen then I won’t have to stand next to a safe that isn’t open. Uh we should be able to open it up a lot faster. Uh next, we have a uh 3D printed coupler that works with this dial. So if you want to hack into this safe you have to get measurements of that safe, measurements of that dial or on a safe similar to it. Um in this case, uh there are really interesting grabbers uh this is uh from iRobot and it’s basically a balloon filled full of coffee grounds. You press it up against the thing and then suck the air out of the balloon and it turns into a uh hard gripper, so you can grip all sorts of different objects and different shapes. Um a few shown here we may be able to create uh a coupler that you shove onto a disk, you evacuate the air and then you have a very tight grip on whatever dial any, any size or shape dial you’ve got. Another thing, uh the next safe that we would like to work on is the uh keypad safe. So these are the ones that you often find in the hotel room um or uh the one I suggested before. 
There are machi- [beeping] >>Woo! [applause] [silence] [laughter] [uproarious applause] >>What's in the safe?! >>I don’t know! [indescribable] >>OH yeah, So the combination to the safe is >>51, 36, 93 [applause] [speaker exhales sharply] >>Man oh man, okay. I’m- I’m done now. [laughter] Um, lastly we- we ought to look at the- we ought to be able to see the tactile feedback of buttons. So uh using a load cell on a pen we ought to be able to press the button and see where the tactile force fails and from that you can see which buttons have been worn out. In theory, this is future research. Not sure if we can but we’ve done a lot with load cells. And this is a common testing method for tactile uh tactile feedback of buttons. It might work, um yeah and then once you have the number of buttons figured out it’s just n factorial. This is all really boring compared to that [laughter] so yeah I’m um. We got it open. That’s all I got. [applause]