Kyle Vogt

[...] Safe Cracker [...]

[...] you spent the big bucks and got that fancy safe but if these guys can build a robot to brute-force the combination you can be there are thieves out there who can pull it off too. [Kyle Vogt] mentioned that we [...]

[...] want to subscribe to the RSS feed for updates on this topic.Some curious students have built a robot that mechanically cracks a electronic safes. It is worth noting that the standard lock for classified documents has since been upgraded to an [...]

[...] Safe Cracking Robot – “This isn’t one of those telephone spamming machines that call you during dinner time or while you’re sleeping. This is robotic safe cracking. Two curious MIT studentswith a mysterious safe and a bit of free time built a laptop-controlled robotic fixture that opened a “manipulation proof”, high security safe in just a few hours….” [...]

I love smart people!, rock on guys!

Hi, This is a very nice build, I am impressed!
I have been wanting to do this exact same thing for a while using a Mark 3 Manifoil combination lock which is used extensively here in the UK and had the similar thought pattern as you guys (using an encoder to detect a win and utilising the fact that the lock has a number of forbidden zones) though unfortuantly university and the lack of a combination lock got in the way

One thing I did always wonder though was how fast you could accellerate / decellerate without causing the internals to spin / mis-align – you video shows it operating at a very high speed?

Regards,
- Alex

i love your brain, kyle.

[...] robot “brute-forces” high end lock combinations – [Link] Tags: brute-forces, lock, Robot Filed in Robots | 1 views No Comments [...]

This is not a new thing, it is pretty old. The big advantage is that the lock will run out in fast speed )

This is a very interesting project. Of course, use brute force can in theory can crack any security measures that rely purely on numerical permutations. The main challenge for this type of mechanical hacking is to develop mechanisms that are fast enough to perform such attack.

While software based deciphering can rely on multiple machines working concurrently, mechanical hacks can not be easily paralleled.

[...] informacijos galite rasite vaikinukų iš Masiučiuseto technologijų universiteto svetainėje. Nors nieko tokio jų puslapyje nesužinosite ko ne būtų galima įsivaizduoti pagalvojus apie [...]

I’d be interested to know how long it to actually open the safe once the device was in place, versus the theoretical time needed to exhaust all possible combinations.

How much time is “21,000 cycles”?

[...] jest dziełem dwóch studentów MIT. Pokonany sejf ma zamek Sargent and Greenleaf [...]

amazing..how many combinations did it took to crack this safe ?

@Uthor: First paragraph: “…in just a few hours”

While it’s great that your GSA security container with the S&G 8400 series lock was opened, machines such as this have been around for several decades. Commercial versions which can open common types of safe locks called “Group 2 Locks” are available to the safe & vault industry and law enforcement agencies. This type of lock called a “Group 1 or 1R Lock” depending on the materials of the combination lock wheels has had specialized autodialers manufactured before. That is exactly what the machine is, an autodialer that performs an additional function which in this case is to turn the butterfly every time each combination is dialed.

It takes advantage of known mechanical tolerences and manufacturer’s specifications and then dials every combination bringing the dial back to zero, then turning the butterfly right and finally turning the dial further right to see if the lock is unlocked.

Not a simple concept or machine to make but it has been done before which is the main reason the newer more advanced electronic lock you mentioned above has been in service since 1991. This version of locks called the X-07, X-08 and X-09 locks used on GSA security containers and vault doors is an electromechanical lock which makes it’s own power by a small generator powering up the lock for a limited time for the end user. Are you up to another challenge??? Design and manufacture a machine for the newer electromechanical locks.

Thanks for the article – certainly very interesting to see how you went about cracking the safe lock!

Would y’all mind disclosing what the combination was?

I’d like to see if it fits into my idea of the limited keyspace.

tank you

I saw one of these years ago at MITRE, and watching it in operation is impressive.

Have you considered front-loading a dictionary based attack? I used to see 6-letter words turned into a combination via the standard telephone keypad mapping, and have always wondered just how big a keyspace that would encompass.

dremel will do the same thing… =D

[...] Blowing safes open with dynamite is so twentieth century. When Kyle Vogt wanted to know if an old safe contained “cool stuff like gold coins, ancient relics or even mummified body parts” the MIT student roped in a friend and built a safe cracking robot. [...]

@David Schuetz That’s where I was heading when I asked for the combo.

there are ~15,553 6-letter words, minus all the ones that make forbidden combinations – i.e. for the 8400 lock: no numbers between 35 & 55 for the last number, no numbers ending in 0 or 5, and no rising or falling sequences.

@David Schuetz That’s a really clever idea.

It doesn’t seem intuitive to me to do the phone keypad mapping, but that would make a great first pass of combinations.

The reason we spent so much time thinking about combination space optimization is that we thought the dial would seize up after something between 20,000 and 100,000 combinations. We had to turn the safe on it’s side and let some lubricant drip down into the lock to loosen it up after the first 5,000 or so combinations were tried.

So, the combination was…

[...] it might be the first one using Legos. Massachusetts Institute of Technology student Kyle Vogt has posted a blog that describes an autodialing device that he and a colleague configured and programmed to open a [...]

Like Mr LaBarge’s comments above, the dialers for the mechanical locks, including those used by the government, have been around for decades. The Mas X-07/08/09 was designed to detect mechanical motion. I know people who know the combinations to them and can’t open them because of their dialing methods, and after . They have three modes of operation, one allows access
by dialing a six-digit combination (xx-xx-xx), one allows access only when two separate codes are entered within 40 seconds of one
another, and one allows access by a subordinate’s code only after a supervisor’s code has been entered. Additionally, they have a full complement of auditing features, including a non-resettable record of openings and an unsuccessful attempts record (audits after 3 unsuccessful attempts) that resets once the proper access code is entered. 10-14 errors results in a 3 minute time out, 15 errors or
greater results in a 4 minute time out. The error count and penalty time resets with valid combination. All of this is built into the lock, no external reader is required. Want a real challenge, build an automatic dialer that can open one within 20 man-hours.

[...] Build a robotic safe cracker, of course! It’s either that or die of curiosity – the Magic Safe could contain anything! Recommend on Facebook Share on Linkedin Tweet about it Subscribe to the comments on this post [...]

[...] Build a robotic safe cracker, of course! It’s either that or die of curiosity – the Magic Safe could contain anything! [...]