Unlock ATMs in Minutes at Defcon27
Story by Wired 8/9/2019 on presentation at Defcon27
SAFECRACKERS OF THE past put a stethoscope to a safe’s panel while turning its dial, listening for the telltale murmurs of the interlocking components inside. It turns out that modern safecracking, despite all its electronic upgrades, isn’t always so different. But now those involuntary murmurs are electric, and the combination they betray takes the form of ones and zeros in transit between a lock’s silicon chips.
At the Defcon hacker conference Friday, security researcher Mike Davis will present the results of years of research into a family of electronic safe locks all sold by Switzerland-based lock giant Dormakaba. Over the last two and a half years, Davis has found techniques to crack three different types of the Kaba Mas high-security electronic combination locks the company has sold for securing ATM safes, pharmacy drug cabinets, and even Department of Defense facilities, representing millions of locks around the world. Davis found that he could open many of those ATM and pharmacy locks in as little as five minutes with nothing more than an oscilloscope and a laptop. The technique also leaves no physical trace—other than the safe’s contents disappearing.
Unlock ATMs in Minutes article continued
Davis says he initially warned Dormakaba about the vulnerability of its Cencon locks two years ago, and shared findings about the other models over the following months. But fixing the vulnerabilities that Davis has exposed won’t be easy. Davis says that in at least some of the locks, there’s no hardware capable of encrypting the locks’ combinations to prevent his attack. Even if a software update could prevent Davis’ attacks in some cases, it likely would have to be implemented across millions of locks around the world, an expensive process sure to take years.
But Davis says he also isn’t giving anyone a simple playbook to replicate his attacks. He’s not publishing the code for his power analysis program, for instance, and he believes it would take significant, sophisticated work to recreate even the simpler techniques he pulled off. “I’m not looking to expose the locks that protect the nuclear codes,” Davis says. “I don’t think I’m giving anyone a loaded gun.”
Read full story by Wired 8/9/2019
DEF CON 27
August 8-11, 2019
Paris, Ballys, & Planet Hollywood, Las Vegas