A couple of weeks ago, I came across an article from Samy Kamkar on how to successfully guess a combination for a standard MasterLock combination lock. It seemed pretty interesting so I gave it a try, and to my surprise it worked! However, a big downside was having to visit his website to run the algorithm in order to get the list of eight possible combinations. On a typical penetration test, it’s usually not particularly easy to visit a website to complete a task even from a mobile device. So I decided to write a Python tool for ease of use, and later a mobile app using Kivy, though that won’t be covered in this post.
In order to write the exploit in Python, I could have simply just taken his already done algorithm and translate it, and I’ll admit, I took a look at it to see what was going on and it’s simple enough. However, I decided to dig a little more into the vulnerability and understand what was going on in the first place and figure out exactly why these locks are vulnerable.
How Combination Locks Work:
Combination locks are fairly simple in design. They use what’s known as a wheel pack, or a set of wheels that are set for a specific combination. The number wheels are determined by the numbers required for the lock, i.e. three wheels for a three number lock. The wheels are attached to a spindle, which is subsequently attached to the dial. Connected to the spindle is a drive cam. On the drive cam is a drive pin which makes contact with small tabs on each of the wheels known as a wheel fly. These wheel flies are what catch and spin the other wheels. This is why you have to spin the dial a few times (on a common MasterLock combination lock, it’s twice counter clockwise) to get all three wheels moving. Once you have your first number, clockwise one full turn to grab the middle wheel for the second number, then straight to the third number. Once you have the proper numbers lined up, a notch becomes apparent. A hook known as the fence will then drop into the aligned notches and release the lock.
MasterLock combination locks give away clues to their respective combinations through the specific points of resistance a user can detect when pulling up on the shackle. Initially, there are some points where the dial will get stuck between 0 and 11 when lifting up completely on the shackle. This is because there gear-like teeth on the drive cam of the lock and finding the first two gaps between those teeth will give us an idea of where the teeth are placed in relation to the numbers on the dial.
A little trickier catch will reveal a third point right before the wheel notch will graze past the fence. The clockwise motion of this will catch a tooth that’s slightly larger than the rest and you’ll feel a slightly different catch when lifting about half-way up on the shackle.
Step 1: The First number is found by taking the 3rd number you’ve noted (called the resistant) adding five and finding the mod of 40.
FirstNumber = (resistantIn + 5) % 40
Step 2: The Third number is essentially a choice of two numbers. You’ll have to decide which number has the bigger gap of movement and choose that number which will give you the choice of your 8 numbers for the second number in the combination. The math follows:
for i in range(0,4):
if (((10 * i) + firstIn) % 4 == mod):
First Choice is: ((10 * i) + firstIn)
if (((10 * i) + secondIn) % 4 == mod):
Second Choice is: ((10 * i) + secondIn)
Step 3: For the second number, an array of eight numbers is calculated through the following means:
for i in range(0,10):
tmp = ((mod + 2) % 4)+(4*i)
if choice == 0 or ((ThirdNumber[choice-1] + 2) % 40 != tmp and ((ThirdNumber[choice-1] – 2) % 40) != tmp):
Here’s my full exploit to test this whole thing out.
Enjoy and happy hunting!