Inexpensive Robot with Open Source, 3D Printed Components Cracks a Safe in 30 Minutes at Hacker Convention

While the 3D printed, PIN-protected door lock by HPI looks cool, I’m pretty sure that a determined thief would find a way to get past it. The 3D printed, heavy duty Stealth Key system looks to be much more difficult to get around, but what’s even more high-tech than a lock or a key? A safe. But a team from Colorado-based SparkFun Electronics, an online retail store that sells pieces for electronics projects, recently used an inexpensive, homemade robot, which features some 3D printed components, to crack open a SentrySafe safe in front of hundreds of excited onlookers at a convention for hackers in Las Vegas.

It’s called DEF CON, and the convention, one of the largest continuously running hacker conventions in the world, has been around since 1993. It took the SparkFun team’s robot about half an hour to reduce the number of possible safe combinations from one million to one thousand, eventually determine that the combination was 51.36.93, and open the safe live on stage.

“That was one of the scariest things we’ve done,” SparkFun founder Nathan Siedle told the BBC. “Lots of things can go wrong, and this was a very big audience. We’re really happy it opened up.”

Siedle’s wife bought him a second-hand SentrySafe for Christmas, even though they already owned one. But her online find was locked, and the previous owner forgot the combination, so she really got Siedle a challenge as a gift – open the safe.

It took Siedle and his colleagues about four months and $200 to build the automated, safe-cracking robot, using off-the-shelf and 3D printed components, that opened his safe in a little over an hour. The robot has, among other parts, a $20 Arduino board, a $40 motor, an aluminum frame, sensors for determining if the safe’s handle has been turned, and 3D printed components, including a coupler that attaches to the dial of the safe.

As Andy Greenberg explains in a WIRED magazine article, “In the most basic sense, the resulting safecracker works by ‘bruteforcing’ the SentrySafe—trying every possible combination. Like your high school locker’s combination lock, the safe has three internal rotors that each have to be set to a certain position–by dialing a series of three numbers–to open it. Since each of those rotors has 100 positions, corresponding to as many numbers on the safe’s dial, trying all one million combinations (100 x 100 x 100) at the speed of about ten seconds per guess would take nearly four months.”

Siedle and his team uncovered a “design quirk” in the safe that’s meant to compensate for human error. The robot can detect, within 20 seconds, the size of the indents on one of the three dials of the safe – the correct one is slightly larger than the incorrect indents. Only one of the dials can be measured, but this already eliminates a lot of possibilities.

“Because the safe has a rod that slips into slots in the three rotors when they’re aligned to the combination’s numbers, a human safecracker can apply light pressure to the safe’s handle, turn its dial, and listen or feel for the moment when that rod slips into those slots,” Greenberg wrote. “To block that technique, the third rotor of Seidle’s SentrySafe is indented with twelve notches that catch the rod if someone turns the dial while pulling the handle.”

Let’s say that one of the dials is set to open at 14. Thanks to this quirk, 13 and 15 will also work to open the safe. The robot was able to check every third number in this way, which majorly reduced the possible number of combinations.

The SparkFun team couldn’t travel to Las Vegas with Siedle’s original SentrySafe for DEF CON, so they purchased a brand new one when they arrived, and opened it for the very first time on stage. In a statement to WIRED, SentrySafe said it believed that even though the SparkFun team successfully cracked one of its safes, its products could still keep items safe.

The statement read, “In this case, there was a tremendous effort, uninterrupted time in a controlled environment, the right tools and significant technical knowledge needed to eventually manipulate the safe. In this environment, the product accomplished what it was designed to do and would be realistically very difficult, if not impossible, for the average person to replicate in the field.”

While the robot can’t crack a digital lock, the SparkFun team designed it with 3D printed parts that are able to be replaced in order to fit different combination safes.

“We designed it for a particular type of safe, but it doesn’t really matter – you can actually 3D-print a coupler that can match any safe that you may have,” Siedle said.

In addition, anyone can make their own safe-cracking robot, since it was built with inexpensive, open source parts. But Siedle isn’t trying to help burglars – besides having a little DIY fun, he says that his team’s work serves to warn people about the potentially lax security of safes, and to be used “as a way to demonstrate the changing nature of physical security in an era of cheap robotics.”

Siedle said, “Could someone replicate it? Yeah, that’s the point. But there are so many cheaper and better ways to open up a safe than building one of these.”

We’ve seen 3D printing bring another safecracking device to life, as well as thieves hack master keys and then 3D print the keys themselves, so we already know it’s possible to use innovative technology like robotics and 3D printing to get through physical security equipment.

“You’re going to have an army of geeks like myself poking and prodding and trying to do things like this. The nature of the toolset is getting cheaper, so more nerds are getting brave with their puzzling,” said Siedle.

To watch the SparkFun team successfully open the SentrySafe live at DEF CON, check out the BBC video. Discuss in the 3D Printed Robot forum at 3DPB.com.

[Sources/Images: BBC / WIRED]