
MasterLock Combination Lock Vulnerability and Exploit

May 14, 2015 By Jeremy

A couple of weeks ago, I came across an article from Samy Kamkar on how to successfully guess a combination for a standard MasterLock combination lock. It seemed pretty interesting so I gave it a try, and to my surprise it worked! However, a big downside was having to visit his website to run the algorithm in order to get the list of eight possible combinations. On a typical penetration test, it’s usually not particularly easy to visit a website to complete a task even from a mobile device. So I decided to write a Python tool for ease of use, and later a mobile app using Kivy, though that won’t be covered in this post.

In order to write the exploit in Python, I could have simply taken his already done algorithm and translated it, and I’ll admit, I took a look at it to see what was going on and it’s simple enough. However, I decided to dig a little more into the vulnerability and understand what was going on in the first place and figure out exactly why these locks are vulnerable.

How Combination Locks Work:

Combination Lock Interior

Combination locks are fairly simple in design. They use what’s known as a wheel pack, a set of wheels that are set for a specific combination. The number of wheels is determined by how many numbers the combination requires, i.e. three wheels for a three-number lock. The wheels are attached to a spindle, which is in turn attached to the dial. Connected to the spindle is a drive cam. On the drive cam is a drive pin, which makes contact with a small tab on each of the wheels known as a wheel fly. These wheel flies are what catch and spin the other wheels. This is why you have to spin the dial a few times (on a common MasterLock combination lock, it’s twice counter clockwise) to get all three wheels moving. Once you have your first number, turn clockwise one full turn to grab the middle wheel for the second number, then go straight to the third number. Once you have the proper numbers lined up, the notches on the wheels align. A hook known as the fence will then drop into the aligned notches and release the lock.

The Vulnerability

MasterLock combination locks give away clues to their respective combinations through the specific points of resistance a user can detect when pulling up on the shackle. Initially, there are some points where the dial will get stuck between 0 and 11 when lifting up completely on the shackle. This is because there are gear-like teeth on the drive cam of the lock, and finding the first two gaps between those teeth gives us an idea of where the teeth are placed in relation to the numbers on the dial.

Catchpoint

A slightly trickier catch reveals a third point, right before the wheel notch grazes past the fence. Turning clockwise will catch a tooth that’s slightly larger than the rest, and you’ll feel a slightly different catch when lifting about half-way up on the shackle.

Resistant Catch

The Algorithm

Step 1: The first number is found by taking the 3rd number you’ve noted (called the resistant), adding five, and taking the result mod 40.

FirstNumber = (resistantIn + 5) % 40

Step 2: The third number is essentially a choice between two numbers. You’ll have to decide which number has the bigger gap of movement and choose that one, which in turn gives you the eight candidates for the second number in the combination. The math follows:

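# Project each catch point around the dial in steps of 10
# and keep the values whose remainder mod 4 equals mod.
for i in range(0, 4):
    if ((10 * i) + firstIn) % 4 == mod:
        print("First Choice is:", (10 * i) + firstIn)
    if ((10 * i) + secondIn) % 4 == mod:
        print("Second Choice is:", (10 * i) + secondIn)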

Step 3: For the second number, an array of eight numbers is calculated through the following means:

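# Ten candidates spaced 4 apart; drop any within 2 of the chosen
# third number (choice == 0 skips the filter).
for i in range(0, 10):
    tmp = ((mod + 2) % 4) + (4 * i)
    if choice == 0 or ((ThirdNumber[choice-1] + 2) % 40 != tmp and (ThirdNumber[choice-1] - 2) % 40 != tmp):
        SecondNumber.append(tmp)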
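
The three steps above combined into one function, as an added example (not the author's tool), to show how far the observations shrink the 40 × 40 × 40 keyspace. It assumes `mod` is the first number's remainder modulo 4, which the snippets use but do not define; the function names and the sample catch points are constructed for illustration.

```python
DIAL = 40  # dial positions, per the "% 40" in the steps above


def candidates(resistant, first_in, second_in):
    """Return (first, {third: [second candidates]}).

    resistant: the half-lift "resistant" catch point
    first_in, second_in: the two full-lift catch points between 0 and 11
    """
    first = (resistant + 5) % DIAL  # Step 1
    mod = first % 4  # assumption: remainder shared by first and third numbers

    # Step 2: project each catch point around the dial in steps of 10 and
    # keep the values whose remainder mod 4 matches.
    thirds = []
    for base in (first_in, second_in):
        for i in range(4):
            value = (10 * i + base) % DIAL
            if value % 4 == mod:
                thirds.append(value)

    # Step 3: ten second-number candidates spaced 4 apart, minus the two
    # that sit within 2 of the third number being considered.
    result = {}
    for third in thirds:
        too_close = {(third + 2) % DIAL, (third - 2) % DIAL}
        result[third] = [s for s in (((mod + 2) % 4) + 4 * i for i in range(10))
                         if s not in too_close]
    return first, result


def remaining(result):
    """Total combinations left to try across all third-number choices."""
    return sum(len(seconds) for seconds in result.values())


if __name__ == "__main__":
    # Constructed sample observations, not taken from a real lock.
    first, result = candidates(resistant=15, first_in=5, second_in=8)
    for third, seconds in sorted(result.items()):
        print(f"first={first} third={third} second in {seconds}")
    print(f"{remaining(result)} of {DIAL ** 3} combinations remain")
```

Picking the third number by the "bigger gap" test from Step 2 halves the remaining list to the eight combinations the post refers to.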

The Code

Here’s my full exploit to test this whole thing out.

Enjoy and happy hunting!
