Security Advisory - Mechanical Combination Locks

October 31, 2014

Combination locks have long been utilised to secure items without the need for keys and the associated issues they present (key management, loss, difficulty of change).

Several vendors of door furniture and locking hardware have developed and sold mechanical push-button combination locks which can be used to unlock doors and gates, deadbolts and spring latches. These are sold by numerous manufacturers and vendors under a variety of names including "digital", "cypherlock/cipherlock", "combolock", "keyless entry" and so forth.

Calamity have reviewed and tested a number of similar products on the market which all exhibit a potential weakness that would allow anyone to defeat them.

Specifically, the digits used to open the lock can be entered in any sequence.

For example, if the code to open is 1 2 3 4, a person entering the code 2 4 3 1 or the code 3 1 4 2 will also be able to open the lock. Note that some products have a "C" key for clearing any prior code entry. This must always be the first button pressed, e.g. C1234, C2431 etc.; however, this is widely known.

From a mathematical perspective, this issue greatly reduces the available number of combinations, and raises questions about at least one vendor's claims of "millions of possible combinations".

A far larger threat is present, however. All an unauthorised party or criminal needs to determine is which buttons were pressed, whereupon they can press them in any sequence and the lock will open. There are several trivial ways in which this sensitive information can be discovered.

  • By examining the buttons for fingerprints, to identify which buttons have been recently pressed. Yes, it is that simple.
  • By examining the buttons for uneven wear, noting that buttons which are pressed more often may be less shiny or smoother than the others.
  • By dusting the lock with a thin layer of powder, for example talcum powder or 'invisible' UV thief-detection powder, and returning after the code has been entered by an authorised party to see which buttons are no longer coated. That will identify the numbers used within the combination. In a naturally dusty, cold or outdoor environment, this may already be obvious with no prior effort.

It has also been reported that some of these systems can be trivially bypassed using a magnet.

You can try these yourself. Note that the above issues do not affect electronic push-button combination locks as badly, as these units do require digits to be entered in the correct sequence. Electronic systems are, however, partly subject to similar weaknesses in terms of button wear, or in situations where a person could identify the digits and then try multiple combinations until guessing the correct sequence. Similarly, persons entering the code are susceptible to hidden cameras, 'shoulder surfing' or a well-aimed set of binoculars.
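To put numbers on the reduced combination count and on the sequence-enforcing electronic case described above, the following added example (not part of the original advisory) compares the code space of an order-insensitive lock with an order-sensitive one, and what remains once the set of used buttons is known. The ten-button keypad and four-button code are assumed sample values, and the order-insensitive lock is modelled as accepting a set of buttons.

```python
from math import comb

def ordered_keyspace(buttons: int, length: int) -> int:
    """Codes on a keypad where sequence matters and digits may repeat."""
    return buttons ** length

def unordered_keyspace(buttons: int, length: int) -> int:
    """Codes when only the set of pressed buttons matters (any order opens)."""
    return comb(buttons, length)

def unordered_keyspace_any_length(buttons: int) -> int:
    """Upper bound for an order-insensitive lock: every non-empty button subset."""
    return 2 ** buttons - 1

def buttons_needed(target: int) -> int:
    """Smallest keypad for which that upper bound reaches `target` codes."""
    n = 1
    while unordered_keyspace_any_length(n) < target:
        n += 1
    return n

def residual_codes(known_buttons: int, length: int, order_matters: bool) -> int:
    """Codes still possible once the exact set of used buttons is known.

    Order-insensitive lock: the set is the code, so one candidate remains.
    Order-sensitive lock: count sequences of `length` presses that use every
    known button at least once (inclusion-exclusion over omitted buttons).
    """
    if not order_matters:
        return 1
    return sum((-1) ** j * comb(known_buttons, j) * (known_buttons - j) ** length
               for j in range(known_buttons + 1))

if __name__ == "__main__":
    BUTTONS, LENGTH = 10, 4  # assumed sample keypad, not taken from any product
    print("order-sensitive code space  :", ordered_keyspace(BUTTONS, LENGTH))
    print("order-insensitive code space:", unordered_keyspace(BUTTONS, LENGTH))
    print("order-insensitive, any length:", unordered_keyspace_any_length(BUTTONS))
    print("buttons needed for 1,000,000 :", buttons_needed(1_000_000))
    print("left after buttons are known (order-insensitive):",
          residual_codes(LENGTH, LENGTH, order_matters=False))
    print("left after buttons are known (order-sensitive)  :",
          residual_codes(LENGTH, LENGTH, order_matters=True))
```

Under this model an order-insensitive keypad would need at least 20 buttons before even its upper bound reached one million codes, which is the yardstick to hold against a vendor's "millions of possible combinations".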

Note that the efforts of any person exploiting a combination lock to enter your premises will likely go undetected, as opposed to an attempt at forcibly opening a door.

Workaround

There is no means of preventing the above attack with this technology.

Minimal benefit may be achieved by regularly cleaning the keypad and changing the combination to encourage even wear on the keys. Users may also be encouraged to press 'other' keys after entering the code and opening the door. It is recommended that users examine their locks and consider disabling them or augmenting them with another security mechanism.

Alternatives

Users should be aware of this threat when determining the suitability of such a locking system to their environment. Calamity is by no means suggesting these systems should not be used. In many cases they are highly useful in low-security environments, such as employee toilets in shopping centres or residential front gates (where an intruder could likely jump the fence anyway). However, they should not be used on the 'perimeter' of your facility, e.g. the front door or any external area where unauthorised parties might have uncontrolled access to the codepad.

They should also not be used in any high-security building's access points, which should instead rely on an electronic or other suitable key system which can be properly managed and/or audited.

For further enquiries or reprint information, click here to contact Calamity.
