Autodialing a Keypad Safe Lock

Guy loses code to a shitty — ok, deeply mediocre — fire safe. Not just his code, but the manufacturer-provided backdoor code.* The solution? Solder relays to each of the keypad contacts and one more to the power line, then write some code to cycle through every possible combination.

Why the power line? The safe has an anti-brute-forcing security feature that triggers a two-minute lockout after three incorrect combinations… but that lockout goes away if you and cut the power.

* Hopefully linked to the serial number and not the same for every safe of that model!

“[Teatree] tells a sad, sad story about the lost password for his fire safe. The electronic keypad comes with a manufacturer’s code as well as a user selected combination. Somehow he managed to lose both of them, despite storing the user manual safely and sending the passwords to himself via email. He didn’t want to destroy the safe to get it open, and turning to the manufacturer for help seemed like a cop-out. But he did manage to recover the password by brute forcing the electronic keypad.

There is built-in brute force protection, but it has one major flaw. The system works by enforcing a two-minute lockout if a password is entered incorrectly three times in a row. But you can get around this by cutting the power. [Teatree] soldered a relay to each set of keypad contacts, and another to the power line and got to work writing some code so that his Arduino could start trying every possible combination. He even coded a system to send him email updates. Just six days of constant attacking netted him the proper password.”

%d bloggers like this: