[Etienne Sellan] got one of those nice $5 logic analyzers. Like any shiny new tool, it begged for something to investigate, and his eyes fell on a SentrySafe (made by Master Lock). On the surface, this keypad-equipped safe is decently designed when it comes to privilege separation: you can pull the keypad board out and get at its back side, but the keypad makes no decisions. It just sends the entered digits to a separate board mounted behind the secured door. That solenoid-attached board receives the PIN, verifies it, and then drives the solenoid that unlocks the safe.
[Etienne] hooked the logic analyzer up to the communication wire, which turned out to be a UART channel, and logged the keypad's packets, both for PIN entry and for PIN change. He then wrote some Arduino code to send the same packets by hand, which worked wonders. Brute-forcing the PIN wasn't practical, though, because the solenoid controller rate-limits attempts. Something else caught his attention: to change the PIN, you first have to enter the factory code on the keypad, a code that is unique to each safe and printed in its manual for security. That factory-code entry is a different kind of packet from the "change PIN" one.
More after the break.
Armed with an Arduino that could send packets indistinguishable from the keypad's, [Etienne] found a glaring bug: the factory-code packet doesn't actually have to be sent before the PIN-change command. A single packet saying "please change the code to 00000" resets the PIN, no factory code required. All you need for that is a microcontroller that injects one serial packet, and that is exactly what [Etienne] built, embedding an ATmega circuit in the shell of a marker, with the tip replaced by a two-pin header.
To pull off this safe hack, you move the keypad aside, take the cap off the marker, touch its two pins to the test points on the keypad board, and press a button that sends the packet to the safe, as [Etienne] shows in a video. Only a little shy of a James Bond-grade gadget, this marker will get you a gun, or perhaps some cash, whenever you come across a SentrySafe in the wild.
This is exceptionally bad, obviously: these safes are advertised for storing valuables and firearms. The company was notified of the problem but never responded. If you own an affected safe, however, [Etienne] has designed an intermediate board that mounts inside the safe, between the keypad and the solenoid board, and blocks potentially malicious packets. It is open source, in the best hacker tradition, so the safety of your safe is one PCB order away. As if that weren't cool enough, he also wrote firmware that adds OTP support to the board, so you can open your safe with your favorite 2FA app.
We tip our hats to [Etienne] for finding this bug, building a great proof-of-concept, and then building a fix, tackling the problem himself in the face of the manufacturer's silence. We often see hardware hackers either upgrading their safes or breaking into them, and it's nice to see a project that does both.
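To make the failure mode concrete, here is an added simulation, not [Etienne]'s code or the safe's real firmware, of the three parties described above: a solenoid controller with the bug (a "change PIN" packet honoured with no prior factory-code packet), the same controller with the missing state check, and an intermediate board that sits on the UART and only forwards a "change PIN" packet right after the controller has acknowledged a factory code. The packet layout (one type value plus five ASCII digits), the three-attempt lockout that stands in for the controller's rate limit, and the assumption that the intermediate board can see the controller's reply are all assumptions for the example; the page does not describe the real framing.

```c
#include <stdbool.h>
#include <string.h>

/* Hypothetical packet layout (assumption: the real SentrySafe UART framing
 * is not given on the page): a type plus five ASCII digits. */
enum pkt_type { PKT_ENTER_PIN, PKT_FACTORY_CODE, PKT_CHANGE_PIN };

struct pkt {
    enum pkt_type type;
    char digits[6];               /* five digits, NUL-terminated */
};

#define MAX_ATTEMPTS 3            /* assumed lockout threshold (stands in for the rate limit) */

/* Simulated solenoid-board state. */
struct safe {
    char pin[6];
    char factory_code[6];
    bool factory_ok;              /* set by a verified factory code; only the fixed firmware uses it */
    bool unlocked;
    int failed_attempts;
};

void safe_init(struct safe *s, const char *pin, const char *factory_code)
{
    memset(s, 0, sizeof *s);
    strncpy(s->pin, pin, 5);
    strncpy(s->factory_code, factory_code, 5);
}

static bool try_pin(struct safe *s, const char *digits)
{
    if (s->failed_attempts >= MAX_ATTEMPTS)
        return false;             /* locked out: this is what makes brute force impractical */
    if (strcmp(digits, s->pin) == 0) {
        s->unlocked = true;
        s->failed_attempts = 0;
        return true;
    }
    s->failed_attempts++;
    return false;
}

/* Vulnerable controller: CHANGE_PIN is honoured on its own, so the
 * FACTORY_CODE step can simply be skipped. */
bool handle_vulnerable(struct safe *s, const struct pkt *p)
{
    switch (p->type) {
    case PKT_ENTER_PIN:
        return try_pin(s, p->digits);
    case PKT_FACTORY_CODE:
        s->factory_ok = (strcmp(p->digits, s->factory_code) == 0);
        return s->factory_ok;
    case PKT_CHANGE_PIN:
        strcpy(s->pin, p->digits);    /* BUG: factory_ok is never consulted */
        return true;
    }
    return false;
}

/* Fixed controller: one PIN change per verified factory code. */
bool handle_fixed(struct safe *s, const struct pkt *p)
{
    if (p->type != PKT_CHANGE_PIN)
        return handle_vulnerable(s, p);   /* ENTER_PIN and FACTORY_CODE are fine as they are */
    if (!s->factory_ok)
        return false;                     /* reject an unauthorised reset */
    s->factory_ok = false;                /* consume the authorisation */
    strcpy(s->pin, p->digits);
    return true;
}

/* Intermediate-board model: sits between the keypad and the UNMODIFIED
 * vulnerable controller and forwards CHANGE_PIN only immediately after the
 * controller has acknowledged a FACTORY_CODE packet (assumption: the board
 * can observe that acknowledgement). Everything else passes through. */
struct filter { bool factory_acked; };

bool filter_forward(struct filter *f, struct safe *s, const struct pkt *p)
{
    bool ok;
    switch (p->type) {
    case PKT_FACTORY_CODE:
        ok = handle_vulnerable(s, p);
        f->factory_acked = ok;
        return ok;
    case PKT_CHANGE_PIN:
        if (!f->factory_acked)
            return false;                 /* drop the injected packet */
        f->factory_acked = false;
        return handle_vulnerable(s, p);
    default:
        f->factory_acked = false;         /* any other packet ends the window */
        return handle_vulnerable(s, p);
    }
}
```

The point of the filter is that it gates on the controller's own verdict rather than re-implementing the factory-code check, so it needs no secret of its own; the price is that a reset window stays open until the next packet arrives, which is why every other packet type closes it.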
I just found a software vulnerability in your electronic safe firmware that allows unlocking the safe without the secret code.
I made a pocket payload injector as a PoC.
Is it possible to get in touch with you to give details and help fix it?
– Etienne Sellan (@etienne_sellan) February 21, 2022