The appearance of security

Why Am I writing this?

I discovered something a while ago and found it interesting. I've never told anyone about it until now.  I thought I'd share it as people might enjoy my discovery, because it shows how something that gives a great impression of being secure may be nothing of the kind.

A secure office door

These are quite popular in offices, they cost about £25 on up depending on brand.

You can buy them on Amazon and Screwfix for example, and they're all pretty much the same design internally. To unlock the door is fairly simple: the C button clears or resets the state, you simply enter the 5-button combination and turn the handle. 

Changing the combination requires the lock to be removed from the door plate and some simple adjustments made.

How many combinations are there? How long would a brute force attack take?

There are 13 buttons, ignoring the Clear button. The combination consists of ONLY non-repeating symbols, so you'd expect the number of combinations to be 154440 (13 * 12 * 11 * 10 * 9).

Even if someone is pretty quick, and takes only 5 seconds to test each combo, you'd expect it to take over 4 days of continous trial and error (154440 try * 5 sec/try / 3600 sec/hour / 24 hour/day / 2), or eight if you were really unlucky!

How can you speed up the brute force attack?

One trick might be to use a soft pencil and lightly mark the buttons when there's nobody around to notice, then come back a day later and observe which buttons have been pressed. At worst you'd have to try all 120 combinations (5 factorial), about 10 minutes at five seconds per test (120 try * 5 sec/try / 60 sec/min).

It's secure, isn't it?

With 154440 combinations, and a physical attack taking typically four days, you can be fairly sure it's pretty secure.

However, there's a snag. Every one of these locks I've encountered suffers from the same design flaw. Take five seconds to think how a bad design might significantly compromise the lock's security.

... 1 mississipi

... 2 mississipi

... 3 mississipi

... 4 mississipi

... 5 mississipi


OK? Did you guess that it doesn't matter what order you press the buttons? I presume it allows the lock design to be very simple.

Wait, did I really mean that? Yes! it really doesn't matter whether you enter the combo as 12345 or 54321 or 32154.

Worse, now the pencil marking attack is trivial

You know what buttons are in the combination, just press them in order and you're in.

In some cases, the combination is never changed, and it leads to the buttons becoming visibly polished, which means an attacker doesn't have to do anything at all, simply press the buttons!

Exercise for my reader

* How many combinations are there effectively?

* How long would a brute force attack take in the worst case scenario of only the very last one succeeding?


scroll down

wait, did you work it out?

scroll down

scroll down

scroll down

Answers

We've dropped from 154440 combinations (13 * 12 * 11 * 10 * 9) to 1287 (13 choose 5), i.e. reducing the time to crack it by 2 orders of magnitude!

Assuming we were unlucky and had to try every combination, with 5 secs/test, it would be less than two hours! ( 1287 * 5 / 60 minutes)