As a kid, I remember seeing the cool Master Lock commercial with the lock that was secure even after being drilled clean through by a rifl e round. For me, Master® became synonymous with security. To this day, many people purchase Master Lock based on the brand name alone. However, do not buy just based on the brand name, because almost all brands offer locks at a variety of security levels. Always investigate all the product offerings to make sure you’re getting a product that suits your needs. For example, this Master Lock model 1500D combination lock is sold everywhere.
But the company does not promote this as a high-security lock. They recommend this lock be used for the most basic of security applications. Still, I see this exact lock used in high-security applications almost daily, despite the fact that there’s a dangerous brute-force attack that renders most versions of this lock all but useless.
Brute forcing describes a technique in which every possible solution for a problem is checked to see if it is the solution. For example, on a barrel lock with three barrels, all possible combinations fall between 000 and 999. If someone started with 001, 002, 003, and progressively tried every possible combination, brute force guarantees they will open the lock in one thousand tries. Most mechanical combination locks can be brute-forced if an adversary has enough patience to complete the attack—and that’s what gives a lock its level of security.
68 Chapter 4 • Physical Security
Fortunately most bad guys aren’t patient enough to brute force a combination lock. In the case of the Master Lock, if we assume each of the numbers on the dial is active (which is not the case) we are left with 403 or 64,000 possible combinations. If an attacker tries one combination every fi ve seconds—a reasonable speed considering the clearing process and the left-right turns—it could take as long as 88 hours, or nearly four days, to work through every combination. At this rate, the attacker would fail, not the lock.
A shortcut I’m about to describe to you reduces the number of combinations to 100. At fi ve seconds per attempt, it would take an attacker a mere eight minutes to brute force one hundred combinations. Since this book is about protecting your own assets, I won’t go into all the details required to open a lock using this technique, but I will tell you how to fi gure out the last number of your combination. If you can discover the third digit of your combination, you should get a stronger lock. Better yet, have a professional locksmith evaluate your situation.
To begin, apply tension to the shackle of the lock. A simple way to do this is to hold the lock in one hand and use a fi nger to apply upward pressure on the shaft, as shown in the next photo. The stylish thumb ring is optional for this exercise.
Next, begin turning the dial. If enough tension is applied, the dial should stick between two numbers. I’ll call this a sticking point. Twelve sticking points exist on each affected lock. The fi rst step is to fi nd and record the location of each sticking point. For example, the lower boundary of this lock’s fi rst sticking point is, as shown in the next photo.
www.syngress.com
Physical Security • Chapter 4 69
The high boundary of this same sticking point is 2, as shown in this next photo.
This midpoint between these digits is 1.5, which is obviously not a whole number.
To fi nd the next sticking point, release the tension on the shackle, turn the dial past the current sticking point’s high boundary and reapply tension. The dial should stick again, revealing the location of the next sticking point. Some sticking points will rest on whole numbers. For example, the next photo shows that the low boundary of the next sticking point is 7.5.
70 Chapter 4 • Physical Security
I realize that you, kind reader understand what I’m talking about without all these pictures, but let’s just take a look at one more so that we’ve covered even, odd, high and low sticking points. The high boundary of this same sticking point is 8.5 as shown in the next photo.
The Sticking Points on My Lock
Low Boundary High Boundary Sticking Point
1 2 1.5
This means that the sticking point rests on. By keeping a record of each sticking point, you will eventually arrive at something like what I’ve got in this table.
www.syngress.com
Physical Security • Chapter 4 71
Notice that more than half of the sticking points do not land on whole numbers.
These are decoys and should be removed from the list of potential combination digits.
In this example, that leaves fi ve numbers: 8, 15, 18, 28, and 38. Notice that most of these numbers end in the same digit—the number eight. These matching numbers should be removed from the list as well, leaving only one number (15) which is the last digit of my lock’s combination.
If this technique works on your lock, there’s a good chance the lock is vulnerable to a brute force attack. If the technique does not work, you may have a newer 1500D Master Lock. It is speculated (on www.wikihow.com/Crack-a-Master-Combination-Lock) that 1500D Master Locks with serial numbers beginning with the number 800 are not vulnerable to this attack, although unverifi ed sources have reported success against these newer locks as well. Either way, don’t be quick to throw stones at Master Lock.
Do your research, and don’t purchase basic security products for high security tasks.
Consider purchasing a higher security Master Lock for your application, or get the advice of a professional locksmith or security professional.