back to article Hacker 3D prints device that can crack a combo lock in 30 seconds

A California hacker who has become an expert in cracking locks has invented a 3D-printed machine that can crack a rotary combination lock in around 30 seconds – and he's released the plans, 3D models, and code as open source. Youtube Video A few weeks ago, Samy Kamkar told the world about a manufacturing flaw in Master Lock …

  1. Anonymous Coward
    Meh

    Analog Security

    Given that the geek who owns this device will probably be looking at the locker door from the inside, it will be rather difficult to access the lock dial.

    FWIW, there's a fine guide to key lock picking: MIT Lock Guide. If Samy can duplicate THAT feat with a small gadget, then it gets really serious.

    1. Anonymous Coward
      Anonymous Coward

      Re: Analog Security

      Given that the geek who owns this device will probably be looking at the locker door from the inside, it will be rather difficult to access the lock dial.

      FWIW, there's a fine guide to key lock picking: MIT Lock Guide. If Samy can duplicate THAT feat with a small gadget, then it gets really serious.

      Already exists, it's called a lockpicking gun. Not that you really need it, most locks are so exposed to key bumping that even an 11 year old with no prior experience can open it. The biggest problem with that is that it generally leaves no traces of a break in (as it uses a key, just with a special pattern), which generally makes it very difficult to get the insurance to pay out.

      (been interested in lock picking for years because I like to know what I'm buying is actually secure - and most of it isn't).

      1. Chris Miller

        Re: Analog Security

        For most people, a lock (or other security system) that is a deterrent is sufficient security - a casual attacker will move on to an easier target. If you own a Picasso, stronger measures may be advisable.

        1. spireite
          Coat

          Re: Analog Security

          Who'd want to break into a Citroen Picasso?

        2. JeffyPoooh Silver badge
          Pint

          Re: Analog Security

          The purpose of even a very poor lock is to make the unauthorized opening of it into a clearly defined crime.

          It doesn't have to be a good lock to fulfill its legal purpose.

          1. Anonymous Coward
            Anonymous Coward

            Re: Analog Security

            > The purpose of even a very poor lock [blah]

            Sorry, but that's utter nonsense.

            1. JeffyPoooh Silver badge
              Pint

              Re: Analog Security

              If you disagree, then it's because you failed to parse the statement correctly.

              Try again; read slower if it helps. Keep trying until you get it.

              1. Anonymous Coward
                Anonymous Coward

                Re: Analog Security

                I agree. A lot of people have rather loose definitions of Meum and Tuum (mine and yours). Forcing them to actually break thru a security device means they can't even attempt to justify the taking later as some sort of accident. Knowing this, they are largely dissuaded, when in the absence of the lock they might easily rationalize the taking and do it.

                Also, most of them aren't very brave and won't risk anything beyond a quick grab.

                1. JeffyPoooh Silver badge
                  Pint

                  Re: Analog Security

                  @Big John - "...Forcing them to actually break thru a security device means they can't even attempt to justify the taking later as some sort of accident. ..."

                  Bingo. Thank you for that. An e-beer for you.

                  It's no longer surprising to me that some don't understand such basic things. Too many people are apparently incapable of thinking these days.

      2. Anonymous Coward
        Anonymous Coward

        Re: Analog Security

        The exploit used was old when I was a kid (back in the 70s) and the non dial type combination locks are just as easy to exploit (even from quality manufacturers like Abus)

        A lockpicking gun is a sign that somebody has too much money and can't be bothered to put in an hours practice.

        BTW bump keys do leave quite distinct patterns on the pins. and quite often on the face of the lock too.

        In the case of the vast majority of Masterlock products (picking on them because they're mentioned in the article and they are common even in the UK) you encounter you have simply bypass the locking mechanism with shims or simply release the locking use a bypass knife/shank,or to go fancy the Masterswitch (though at $20 it's a bit expensive).

        A city rake or if you want to get posh you could go for a Bogota, free if you want to break out a wiper blade insert and a chainsaw file (templates freely available)

        You could go mad and buy a short hook (£3.00) and a tension wrench and open 90% of masterlock products with a few hours practice.

        Want a decent lock buy a Corbin they're often cheaper than Masterlock and they actually pretty secure.

        1. Anonymous Coward
          Anonymous Coward

          Re: Analog Security

          A lockpicking gun is a sign that somebody has too much money and can't be bothered to put in an hours practice.

          Classic effort vs ROI decision: lock picking takes time and skill, a lockpicking gun can be used by anyone after a couple of minutes. If you're doing it for sport (yes, there are competitions), a lockpicking gun is cheating, if you're doing it for business (legal or illegal), speed is usually more important.

          Given how easy they are to get, I prefer to get locks that offer some resistance to picking and bumping. Generally I don't distinguish between purists and lazy people when it comes to keeping people out :).

          1. Anonymous Coward
            Anonymous Coward

            Re: speed is usually more important.

            Than going equipped?

          2. Rob Crawford

            Re: Analog Security

            For the likes of most Masterlocks and a lot of others a snap gun requires as much practice as a city rake or Bogota, and even quicker and cheaper to bypass the picking altogether

            I have a collection of locks that I sometimes end up using for demoing to security teams (my real world role has nothing to do with such things) then I watch the panic (usually down at the cycle area as they decide to get new bike locks rather than the locks they're paid to be concerned about)

            However the locks I like all tend to be considerably more secure (but then again I simply like locks)

            1. Anonymous Coward
              Anonymous Coward

              Re: Analog Security

              > However the locks I like all tend to be considerably more secure (but then again I simply like locks)

              Don't overdo it though.

              Had a (sort of) neighbour once who had installed a really expensive, ultra-secure lock, in his summer residence. This went with one of those high security doors with metal bars all over the place n' stuff.

              The thieves simply knocked a hole in the wall.

              The damage from the forced entry cost him a lot more than the stolen items.

          3. YetAnotherLocksmith

            Re: Analog Security

            Problem is, nearly everything is easy to get, what with this new fangled Interwebz.

            Security is done in layers, just like your PC. (Only with the physical world, a pro can ensure there are no APTs or the like.)

            Bump keys are generally over rated imo. If you are trying to be subtle they are the equivalent of hammering, literally, on the door. Same with an EPG. There are better methods. And they cost more money to protect against!

            You can buy specific tools to defeat nearly every single lock on the market with barely a trace in seconds or minutes, if your pockets are deep enough.

            Just like the IT market for 0days!

            But unlike IT, you can simply add another lock. ;-)

        2. Sgt_Oddball Silver badge

          Re: Analog Security

          Marks on the lock face from bumping can be avoided (not to mention making the process easier) by using an o-ring at the base of the key.

        3. Alan Brown Silver badge

          Re: Analog Security

          "In the case of the vast majority of Masterlock products "...

          ...Picking them by feel is old hat - I was doing it 35 years ago.

          They're an expensive security illusion.

        4. JLV Silver badge

          >The exploit used was old when I was a kid

          +1 for seems to be a judicious use of Anonymous Coward ;-)

          and informative too.

    2. Tom 7 Silver badge

      Re: Analog Security

      The MIT Lock Guide seems to be written by Theodore T Tool.

      mmmmmm

    3. Annihilator
      Pint

      Re: Analog Security

      "Given that the geek who owns this device will probably be looking at the locker door from the inside, it will be rather difficult to access the lock dial."

      Sir, I owe you a pint, and you owe me a new keyboard.

    4. JeffyPoooh Silver badge
      Pint

      "3D Printed Device"

      Bull feathers.

      Most of the device is a stepper motor, a solenoid, wires, a programmable device, etc., etc. A crappy plastic frame is not a 'device'. At best, it's the least interesting item on the parts list.

      The headline reveals woolly thinking.

      It's become a pandemic, where the phrase '3D printed' causes human brains to fail to correctly process simple facts.

  2. skeptical i

    Clever, gotta give him that.

    Now I need to upgrade the security on my toolbox.

    1. Mark 85 Silver badge

      Re: Clever, gotta give him that.

      And perhaps, if you own one, the bicycle lock. Many are made by Master Lock and are the combination type.

      1. Anonymous Coward
        Anonymous Coward

        ...For example, break into someone's high school or gym locker

        I'ma gonna steal a LOT of dirty jockstraps!

  3. virhunter

    but most of all, samy is my hero

    That name immediately sounded familiar to me.

  4. DNTP

    Brings back the memories

    The device really is clever, but the same two problems that it exploits have been around forever in Masterlocks. First is that the combination is never truly random, and second is that the shackle-and-dial variability of resistance leaks a great deal of information which can be used to drastically reduce the number of possible combinations, allowing brute forcing. I got pretty good at this back in the university days, where I could open most Masterlocks in fifteen or or twenty minutes. Inexpensive multi-dial locks are a lot easier, key locks (with picks) can be easier or harder (thank you MIT guide).

    I would hope no one is actually using a consumer grade Masterlock to protect anything extremely valuable or dangerous anyway, but I'm sure some government paper-pusher who had one in high school just ordered a gross for securing nuclear weapons or something.

    1. Crazy Operations Guy Silver badge

      Re: Brings back the memories

      You also have the issue where in most locks, you don't need the exact combination, just +/- from it.

      ON the subject of nuclear weapons, in the past the activation code used to be all 5's (Or was it 7's, can't remember). But even then, the lock-out mechanism could be bypassed by ripping it out and connecting two wires together (The lock on the bomb itself used to just be a basic switch operated by a combo and sat in series with the positive side of the detonator circuit). Modern bombs, I hope, are a little more complicated, but not enough, really the only security the bombs really have is that its difficult to get to them.

      1. Paul Crawford Silver badge

        Re: Brings back the memories

        I think this is what you mean:

        http://en.wikipedia.org/wiki/Permissive_Action_Link

        And indeed there was an element of Dr Strangelove being a documentary not a black comedy.

        1. Loyal Commenter Silver badge

          Re: Brings back the memories

          "Mr. President, we must not allow a mineshaft gap!"

      2. Alistair Silver badge

        Re: Brings back the memories

        but not enough, really the only security the bombs really have is that its difficult to get to them if you get it wrong they tend to go BANG really really loud.

        FTFY

  5. Crazy Operations Guy Silver badge

    "This isn't not the first time Kamkar has caused a ruckus"

    So this is the first time he has caused a ruckus?

    1. cortland

      Re: "This isn't not the first time Kamkar has caused a ruckus"

      Apparently "we don't know nothing!"

  6. cortland

    And is now?

    and is now an independent -- *so far* -- security consultant

  7. Anonymous Coward
    Anonymous Coward

    I guess it depends what you want it for.

    At my allotments many of us have decided not to bother too much about using a lock.

    The scum just smash past them anyway. No hi tech new fangled 3d printed Arduino job. Just a lever.

    I keep the padlock there to deter casual pilferers, but it isn't actually doing anything, it's held on with thin wire since the last time it was snapped. I just can't leave any good stuff there.

    The ba*****s even nicked me barrer.

    1. This post has been deleted by its author

    2. YetAnotherLocksmith

      Re: I guess it depends what you want it for.

      You can stop them, but for a shed is it worth it? A cheap hidden camera recording to SD card is probably best, position it do it gets a nice photo of them opening the door.

      For a proper brick building, how much do you want to spend to stop what level of threat?

      Of course, as a fellow locksmith said when asked on Wednesday night's lockpicking session at fizzPOP, "If I can drill a safe rated for £300,000, I can drill any door lock."

      Hence layered security.

      1. Alan Brown Silver badge

        Re: I guess it depends what you want it for.

        "You can stop them, but for a shed is it worth it?"

        Even a cheap lock is worthwhile on the shed. The Plod won't prosecute if the shed was unlocked because "it was open" is hard to disprove. A broken lock plus the hidden camera is usually enough to secure a conviction for burglary.

    3. Anonymous Coward
      Anonymous Coward

      Re: I guess it depends what you want it for.

      Of the few times I've had anything "broken into", two of them smashed a window, and the other (maybe three) times I'd just left the thing unlocked. My old Ford Escort (and most other Fords from the era) could be opened quite easily with little or no damage by pulling the lock cylinder out of the door and replacing it when finished.

      Anon because... I do have a habit of leaving things unlocked.

  8. Wommit
    Devil

    In the late '70s I had a discussion with a colleague regarding the efficiency of cylinder combination locks. I said that they were crap, he thought that his was good security.

    To prove him wrong I opened his lock, dissembled it and rearranged the combination cylinders. The whole job took less that 5 minutes.

    When I later found him cursing & swearing at his 'broken' lock, I paused and told him the new combination. He changed his bike lock that night.

    1. Anonymous Coward
      Anonymous Coward

      He changed his bike lock that night.

      Minor nit pick: a lock bought from shops open late at night isn't going to be much better :)

    2. Havin_it

      How much cursing and swearing did you let him go through before you showed him how clever you were?

  9. Anonymous Coward
    Anonymous Coward

    It might be hard to use this device if the lock is actually attached to something.

    It's a cool toy I suppose, but nothing really new. The weaknesses in master combination locks have been plastered all over the interwebs for at least 100 years.

    1. graeme leggett

      Eg if it's looped through one of those staples designed to reduce the ability of a miscreant to get bolt cutters onto the shackle?

    2. Anonymous Coward
      Anonymous Coward

      > The weaknesses in master combination locks have been plastered all over the interwebs for at least 100 years.

      And on Usenet for at least 1,000.

  10. Anonymous Coward
    Anonymous Coward

    Stop with the 3D printing headlines

    The 3D printed aspect of this is not novel.

    1. Joey M0usepad Silver badge

      Re: Stop with the 3D printing headlines

      indeed it illustrates the gimmick that 3d printing is , seeing as most of the machine isnt 3d printed

    2. JeffyPoooh Silver badge
      Pint

      Re: Stop with the 3D printing headlines

      Amen.

      Place one trivial crappy '3D Printed' plastic bracket on the Parts List, and suddenly the top level assembly magically become a "3D Printed Airplane / Car / Space Shuttle / Mobile Phone..."

      It's beyond annoying now...

      3D Printing news items are contributing to the rapid drop in average IQ. People are losing the ability to correctly process information.

      People, I've met them, ACTUALLY believe these headlines.

      1. Charles Manning

        3d printed commentards

        Using 3D in the headline seemed to have worked on both accounts:

        1) It got you to read the article. Tick.

        2) It wound you up. Tick.

        Anyone half savvy realises you could have made the bracket faster & cheaper & more durable from a recycled baked beans can with $5 of hand tools.

        1. JeffyPoooh Silver badge
          Pint

          Re: 3d printed commentards

          Based on comments I've read on various forums, some folks actually believe that such complex assemblies are actually being 3D printed. The whole completed product pops out of the 3D printer ready to go, in their mind.

          It's scary when one catches a glimpse of what's inside some heads.

  11. Unicornpiss Silver badge
    Happy

    The ability to open these is old news

    I even have a spreadsheet somewhere that helps you with calculating the possible combinations after you find the first number and based on the lock's behavior. I have opened a few Master combination locks over the years that were left unattended attached to fences, in people's junk drawers, and ones in my personal possession using just the spreadsheet and some tinkering. Typically it takes me under 5 minutes to obtain the combination. (I have never stolen anything or opened a lock used to lock up anyone's personal property, though I sometimes used to find some amusement in flipping the locks that my school faculty had facing backwards so they could use the little keyhole on the back on 'storage' lockers :P )

    Basically a cheap lock like this is more a deterrent. Most thieves are not very sophisticated or all that bright and are only interested in "smash and grab". And my own lock at home is reasonable, but not excessive, as it's pointless to put a fancy lock on a house that has more than a dozen glass windows that anyone can open with their lucky brick.

    I do think this is a very cool device though, very creative, and tuning it to get the tension just right on the lock's shackle must have been a real chore.

    Not everyone knows that you can open a Master combo and other combo locks with a "left hand" combination too. This might be fun if you need to write down a combination to remember it--anyone using a combination lock is used to turning it right-left-right, not left-right-left:

    https://woodgears.ca/combolock/left.html

    1. boltar Silver badge

      Re: The ability to open these is old news

      Yeah, its called a "bolt cutter". 100% guaranteed every time on these sorts of locks. Why anyone would waste their time picking them beats me.

      1. YetAnotherLocksmith

        Re: The ability to open these is old news

        Why waste your time walking back to the van?

        These Matter locks are so poor a fire extinguisher or hammer can work, & often leaves the locks still usable.

        You can even open them with a towel.

        Complete tatt.

      2. chivo243 Silver badge

        Re: The ability to open these is old news

        Aahh, the bolt cutter, the master key to master locks.

  12. J.G.Harston Silver badge

    I don't see anything in that video that needs a 3D printer.

  13. JeffUK

    11:10, to anyone wondering if/when he shows it working.

  14. imanidiot Silver badge

    Master locks are total and utter crap. The combination and keyed locks alike. Most of the keyed locks can be very easily bypassed, most of the combination locks can be shimmed. Master is pretty much my LAST choice when it comes to locks.

  15. bex

    simple Fix

    Looking at the video before this, all Master have to do to stop this is manufacture the first disc without the nub that does nothing on that disc.

  16. Anonymous Coward
    Anonymous Coward

    Forget lock picking..

    ...drill thru the wall!

    http://www.bbc.co.uk/news/magazine-32431557

    1. Anonymous Coward
      Anonymous Coward

      Re: "...drill thru the wall!"

      I've missed the news a bit in the last few weeks.

      Have Hilti come clean yet and admitted that it was a slightly unfortunate publicity stunt for their range of portable concrete drilling machines?

      And is it just me, or was there a distinct lack of reinforcement in the concrete in question? If anyone has links to pictures where the traditional reinforcing bars are clearly visible, that'd be most welcome, thanks.

  17. Maty

    The best security is to live in the right place.

    Two years ago a builder was working on part of our house. When he left for the night there was a thousand or so quids worth of power tools on the lawn. Since this was visible from the street I asked him if the tools would be okay. He gave me a worried look and asked 'It's not going to rain, is it?'

    Pick the right bit of the backwoods, and security consists of making sure the doors have doorknobs and not handles. Bears figured out doors long ago, but you need opposable thumbs to open a doorknob.

  18. spacecadet66

    Wouldn't a more accurate headline be "Hacker 3D prints casing for device which, when combined with an Arduino, a stepper motor, and custom software, can crack a combo lock in considerably longer than it takes to cut the shackle with a bolt cutter"?

  19. ZenCoder

    Its always important to know how much security your getting.

    You always have to decide upon the correct balance between cost, effectiveness, and convenience when dealing with security.

    As a consumer I have a need to know whether a $200 lock is any better more secure than a $5 lock, and have a rough idea of the tools, skills, and time required to defeat each so I can make good decisions.

    And you simply cannot trust the creators of security products and services to seek out and make you aware of the limitations of their products.

    I go to a manufacturer's site and it has a video of someone spending an hour clumsily smashing a lock with a sledge hammer. I go to you tube and I see that a random 11 year old girl with two simple tools needs about 5 minutes to learn how to defeat the lock in 11 seconds.

    1. Loud Speaker

      Re: Its always important to know how much security your getting.

      Unfortunately, these days, 11 year old girls demand $200 to defeat locks!

    2. JeffyPoooh Silver badge
      Pint

      Re: Its always important to know how much security your getting.

      I had a $200 lock once. Somebody stole it.

  20. Fink-Nottle

    It's all about street cred ...

    'Fingers' MacGraw has a much better ring to it than 'Arduino' MacGraw.

  21. Stevie Silver badge

    Bah!

    So the story is really that an electric lockpicker uses 3d printed bits to hold the lock in place?

    I have to say I find the headline just a whole lotta misleading there. It seems to me that the one completely disposable component in the solution is the 3d printer.

  22. Bbbbit

    3D printed?

    If I 3D print a lego brick and then glue that to my car would the headline read "Boffin 3D prints W-reg Ford Focus"? I rest my case.

    1. JeffyPoooh Silver badge
      Pint

      Re: 3D printed?

      Yes, that's what the headline wluld read.

  23. E 2

    Misleading headline (yes, I know, this *is* the Register).

    He printed a chassis that holds a bunch of machinery controlled by a small computer, which entire assembly automates cracking locks.

    He did not print a lock cracking machine.

  24. Anonymous Coward
    Anonymous Coward

    Should be "4D Printed"

    Unless it was printed instantaneously.

    1. Anonymous Coward
      Anonymous Coward

      Re: Should be "4D Printed"

      "Unless it was printed instantaneously"

      Very good! :-D

  25. Unicornpiss Silver badge
    Flame

    @Bolt cutters

    You're utterly missing the point. This was a fun experiment, and labor born of love and chutzpah, which is how computing and other fields have advanced by leaps and bounds over the years by hackers doing it for the sheer joy of it. I can open my car with a hammer too, forgo the twist tie and just rip the plastic on my loaf of bread, and get into all manner of spaces I'm not supposed to with brutality and no finesse, but anyone can do these things.

    This guy's device can open a lock in under a minute and leave it intact, and tell you the combination so the lock can be reused. The practical applications (unless you count impressing his friends) are practically nil, but again, this isn't the point at all. It's more inspiration than a better mousetrap.

  26. Omgwtfbbqtime Silver badge
    Trollface

    It's not about the value - it's all about the weight

    a 5Kg bike needs a 20Kg lock and chain.

    a 15Kg bike needs a 10Kg lock and chain.

    a 25Kg bike doesn't need a lock.

    Simples

  27. Nibinaear

    I don't get science

    How can this possibly be responsible science? Telling everyone how to break into everyone else's shed, bike etc is totally nuts.

    1. Anonymous Coward
      Anonymous Coward

      Re: I don't get science

      This isn't particularly science. It's a lot closer to "I know something that you don't know".

      And with lock picking, there's now more than enough "how to" videos on Youtube that any sane person should soon realise that simple locks in widespread use (not just on sheds and bikes either) are very easily pickable.

      Security by obscurity? It's never a good idea.

    2. Morrolan

      Re: I don't get science

      It's not science, this is security information. Security researchers (who aren't scientists, they aren't trying to deduce physical laws of reality or the like) try to break security mechanisms all the time.

      The effectiveness of a security mechanism is determined by how difficult it is to break it. Personally, I don't consider combination locks to be security mechanisms really at all, because they are easier to open than a jammed door. I've yet to find one that didn't make an audible click when you hit the right number, and that means that anyone with good enough hearing can open any combo lock regardless.

      It'd be interesting to see how difficult it would be to construct a mic-based combo lock breaker.

  28. Pookietoo
    Boffin

    Such a talented guy

    But he can't figure out how to use a micrometer.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019