A hacker demonstrated techniques to compromise electronic safes with cryptographic locks at the Defcon hacking conference. The demonstration took place at the conference's lock picking village, which has a number of different locks that attendees can attempt to break into.
The hacker, known as Plore, used a side-channel attack to get past the cryptographic protections on the lock, according to a report in Wired. A side-channel attack analyses and exploits information that leaks outside the cryptographic algorithm itself, such as power consumption or timing, bypassing the encryption rather than breaking it.
The intrusion was demonstrated on safes from Sargent and Greenleaf, a common brand in the United States. Plore managed to get into two models of safes, and didn’t have time to practice on more models before the conference.
In theory, his methods could be applied to other safes as well. A resistor was placed between the battery and the lock to measure the current flow, which gives an indication of the state of the lock. The measured voltage differed depending on whether an entered number in a six-digit sequence was correct or not. This allowed Plore to guess the six-digit number in a series of tries.
For a newer model of a lock, Plore could not use the same method of monitoring the voltage. Instead, a different side-channel attack was used, one where the lock's handling of the input was timed. When a digit was correct, the delay to check the entered value against the value in the system was exactly 28 microseconds. Plore tried out the numbers one by one until he had guessed all six numbers in the code to unlock the safe.
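
To illustrate why timing can reveal a correct digit, the following added example (not from the original article and not the lock's firmware) models a hypothetical six-digit check that stops at the first wrong digit, next to a constant-time version. The function names, the comparison-step counter used as a stand-in for elapsed time, and the sample digits are all assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define CODE_LEN 6

/* Leaky model: returns at the first wrong digit, so the work done (and
 * therefore the response time) grows with the number of correct leading
 * digits. *steps counts digit comparisons as a stand-in for time. */
int check_early_exit(const uint8_t *entered, const uint8_t *stored, unsigned *steps)
{
    *steps = 0;
    for (int i = 0; i < CODE_LEN; i++) {
        (*steps)++;
        if (entered[i] != stored[i])
            return 0;
    }
    return 1;
}

/* Hardened form: always processes all six digits and folds the differences
 * into one accumulator, so the work does not depend on where a mismatch is. */
int check_constant_time(const uint8_t *entered, const uint8_t *stored, unsigned *steps)
{
    uint8_t diff = 0;
    *steps = 0;
    for (int i = 0; i < CODE_LEN; i++) {
        (*steps)++;
        diff |= (uint8_t)(entered[i] ^ stored[i]);
    }
    return diff == 0;
}

/* Constructed sample data, not a real combination. */
static const uint8_t STORED[CODE_LEN]     = {4, 8, 1, 5, 1, 6};
static const uint8_t WRONG_AT_0[CODE_LEN] = {0, 8, 1, 5, 1, 6};
static const uint8_t WRONG_AT_3[CODE_LEN] = {4, 8, 1, 0, 1, 6};

unsigned steps_early(const uint8_t *e) { unsigned s; check_early_exit(e, STORED, &s); return s; }
unsigned steps_const(const uint8_t *e) { unsigned s; check_constant_time(e, STORED, &s); return s; }
int ok_const(const uint8_t *e) { unsigned s; return check_constant_time(e, STORED, &s); }

int main(void)
{
    printf("early exit: %u %u\n", steps_early(WRONG_AT_0), steps_early(WRONG_AT_3));
    printf("constant:   %u %u\n", steps_const(WRONG_AT_0), steps_const(WRONG_AT_3));
    return 0;
}
```

In the early-exit version the step count differs between the two wrong guesses, which is the kind of input-dependent behaviour a timing measurement picks up; in the constant-time version it is identical for every guess.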