Hack Chat Transcript, Part 3
06/03/2020 at 20:05
heh, classic 'get into the gated community party' trick
Which is why I installed my own ;-) Just wondering if there are any undocumented surprises that got slipped in there
sorry, i'm a bit confused you mean, you attach a metal plate, and use a microphone + amp? What's the metal for?
Speaking of default codes. Many safes use 50-25-50 before installation... Also common but less so, 25-50-25 and I've seen 25-50-75 in one case
@Eric this is correct... but we've used it when in a building during the daytime to add a new user =)
I have seen safes in the field where that code wasn't changed. Employees actually using 50-25-50 as "their" code.
@anfractuosity so that my mag-mount audio pickup has something to which it can attach
ohhh
sorry :)
@Eric yes, those are all common. i have a list somewhere, standby...
haha cool
@anfractuosity no worries!
https://www.google.com/search?client=firefox-b-1-e&q=TL2000+safe+dialer
These are fun. I have access to one if I need it...
Welp, that was a wicked fast hour! We usually like to let our hosts get back to life at this point, but of course everyone is free to stay on and chat as long as you like. I want to thank @Deviant Ollam for his time today and for sharing his expertise. This was a fun one!
@Eric the ITL-2000 is a nice unit, but the Combi blows it out of the water
do some of those dialers, use acoustic analysis?
The "Soft-drill" You don't see those very often however.
https://www.qtactical.com/combi-qx3-autodialer-preview/
Combi QX3 Autodialer Preview
Lockmasters, Inc: 859-885-6041 - www.lockmasters.com MBA USA, Inc.: 859-887-0496 - www.mbausa.com Combi QX3 is a high-speed, wirelessly controlled safe lock dialer (autodialer) for opening Group 2 mechanical combination locks. 8 Hour Average Opening Time Combi QX3 uses a precision step motor with an optical encoder to maintain accuracy even at exceptionally high speeds.
cool!
@Dan Maloney for having me here!
thank you
FYI, I'll post a transcript in a few minutes, in case anyone missed any links. And don't forget next week, when we'll be talking about Rapid Prototyping (sorry, no link yet)
(the combi was made by guys we know at Q-Tactical specifically to be an ITL-2000 competitor)
Softdrill I think we <13 minutes. They took them off the market except for limited 'special' customers
Thanks Dev and all!
@Deviant Ollam cheers for your time and knowledge, awesome as always :-)
Hack Chat Transcript, Part 2
06/03/2020 at 20:04
Deviant Ollam 12:26 PM
when i say "any one" i mean any super clear one
silly question, do you ever use a stethoscope ?
@anfractuosity something similar! i use an audio pickup amp at times
ooh, cool i wasn't sure if they were really used
i saw some safe locks which claim to be resistant against x-ray which sounds interesting i thought
think of it as a stethoscope but it mag-mounts to the safe door. and it's not like a little cup on the end... it has a metal probe that hears vibrations within the safe. (and you're mostly hearing contact points where the nose interacts with the drive cam, as opposed to hearing the "wheels" as it were)
I'd buy safe cracking 101 if I could. I have a couple of tell coin safes I'd like to open and put to use.
neat
Do you have any tools that caused a "where has this been all my life?" moment. (For me, the recent answers are Knipex cutters and step drills.)
@anfractuosity Grade 1R safes, yes. "resistant to Radiographic attack" ... often Delrin plastic wheels. they have other vulnerabilities
Safe against x-rays could just mean they're lead lined.
@Douglas Henke the A-1 pak-a-punch and the new Lishi 2-in-1 decoder picks
@Deviant Ollam heh neat, could you expand on other vulnerabilities, if you can
@Tametomo shielding became a ladders-and-walls game during the cold war. new materials, like polymer wheels, were the solution
@anfractuosity you can melt the wheels... enough heat or even acid injected in the right spot, and the wheels just fall apart, lol
haha wow
that's very cool
Aren't most modern containers electronic locks?
@Deviant Ollam Can you point me to any case studies or news articles where poor physical security practices have directly led to thefts or data breaches? I know it's implied, but sometimes its good to have independent sources to show that not focusing on this stuff has real consequences.
Get the safe too hot and the fusible link goes and triggers relockers and no one is opening that safe!
Management folks are not always the most tech savvy
@oz i would say that most modern "building security solutions" are moving to electronic. and electronic locks are making in-roads even in residential spaces, yes. but mechanical locks will still be with us for quite a while
@thomas.august most stories like that are ones that entail stolen laptops or other endpoints
To anyone who thinks they might try drilling a quality safe, watch out for tempered glass between the door and the lock. Break it and relockers trigger.
@Eric yes, it's a delicate balance, that kind of attack
The security industry isn't often what outsiders think it is. You have to deal with risk bars, which are just a way of saying "will the solution cost more than the potential problem"? So depending who does the calculations, something can either be critical to fix, or something just worth ignoring.
Do you think that electronic systems have higher a higher barrier to entry for the common criminal?
Here's a question: do electronic safes have built-in back doors, like service technician codes so they can get in no matter what the owner does?
@Deviant Ollam I was thinking of modern classified document storage containers. I thought that mechanical locks could not meet the requirements.
Really really really old safes had explosives loaded in them. Watch out.
here's another interesting kind of auto lock with a specialized entry pick tool...
@oz this is correct as of FF-L-2740
I get clients all the time trying to come up with the dumbest ways to explain away why they can safely ignore something, or try to fault the method in which the vulnerability was found. Until a company gets seriously bitten, security is something often seen as something which can be argued away.
Any experience with those?
@oz all modern containers for C, S, or TS materials must support "true" million combinations and auditing capability so for those reasons alone, effectively electro-mechanical locks are the only ones allowed on GSA containers now, etc
@Nicolas Tremblay that looks like a kind of clone of the Mul-T-Lock MT5
Dev - when we get back to in-person CONs, what are you most interested to talk about?
(but a cheaper clone... without the interactive element on the key tip)
I'd say the electronic physical locking systems can be more secure when installed properly. But all too often, it's low bidders and low skill hacking the thing into a working state. Not bothering to connect tamper switches to 24hr alarm zones, drilling incorrectly, skipping 'unneeded' connections.
Chinese Euro-lock
I wonder how much those requirements contribute to real security. It's finite, but I wonder what the real contribution is vs how much is "fighting the last war"
@Scott H that's a good question, hah. i am not sure right now. we've had some good RFID content for a while that we'll release eventually
RFID as in hacking entry locks? Or ???
@eric Yeah, things are often about trying to save a few dollars here or there. Tends to take a major security event and a culture change to get a company to care about actual security. Until then, it's basically about trying to justify doing nothing or as little as possible.
Cooper (From Dangerous Things), Max (from TOOOL), and I have an implantable RFID talk
but my team is also doing things in the entry space a great deal, too
Always more fun to deal with clients who understand the value of the service being provided, rather than seeing it as a necessary regulation hurdle that needs to be muffled as much as possible.
@Deviant Ollam is there a good guide to getting started with RFID?
@Tametomo most definitely
@tonkas64 i'd sound self-serving if i said "Red Team Alliance has a terrific 2-day Access Control training" =)
@Deviant Ollam ;-) do you run them in the UK?
Is it just me, but I find HF RFID very confusing
There is NFC, mifare, the stuff credit cards use
i have a venn diagram or two that can help...
@Tametomo Always better to deal with a truly informed client regardless of the topic. I consult for a living, and I'll pick a skilled client over a clueless one (even a benign clueless one) any day
Cool
from my slides
it's helpful to first recognize that "RFID" is, broadly, in three groups: Low Frequency, High Frequency, and Ultra High Frequency. (the latter is basically never used for access control, etc, so we'll leave that aside... that's a tech used in things like tracking tags... think warehouse inventory, luggage, etc)
Wow, didn't know the freq. were all over. I really need to start working with RFID
@oz Yup, but you don't always get to choose the whole chain. Sometimes the client you're working with is subcontracting with someone else, who is the one being the pill. Always can tell the client that they suck, but sometimes they're large companies themselves, so... yeah.
among Low Frequency and High Frequency tags, there are a wide array of different credential technologies (and protocols, effectively)
Cool, did you do a talk about just RFID hacking? Would love to watch it
you may recognize some of those names in the second slide with two circles
@Deviant Ollam nice they help a lot, there's just so much to find out
Like I said, it usually takes getting hit seriously and a culture change to really get that attitude cemented.
but i can simplify this a lot for you folk who are looking to acquire tools or RFID tags for hacking...
And then sometimes it's even more complicated than that too. Might just be specific divisions that suck.
Especially for global companies.
boom... simplified
on the Low Freq side, the Atmel T5577 chip can emulate almost all existing, common-use credential types
on the high frequency side, while there are many technologies, there are at least some real standards bodies overseeing them
Was there any research into using phones with NFC as a proxmark for HF tags?
So the black hats are using these too - are there common types of targets, or is it more of a, "we want to break into abc company for xyz reason" ?
What would you recommend for a HF implantable chip? I've been looking at the Dangerous Things xNT. Ideally I'd like something that would be programmable or upgradable, if they exist.
@pop13 proxmark?
@thomc the xNT is great, but have you seen the NExT ? (it's the xNT and the low freq xEM in the same package)
@pop13 say again? phones with NFC as proxmark?
@Deviant Ollam Oh I haven't seen that, that sounds fantastic. Many thanks
@thomc you bet! https://dangerousthings.com/product/next/
@Deviant Ollam !! I love your work! ... One question for you: I know alarm systems are nearly impossible to bypass (perhaps considered holy grails?), unless mitm before trigger goes to central ... anyways, have you ever encountered one on an engagement?
Thanks for taking the time to be here and answer all of our questions
Yeah, was there any research into emulating tags and cloning tags discreetly?
@0xOverflow imma leave this here... https://redteamalliance.com/Red%20Team%20Alliance%20Alarm%20Bypass%20(2-day).pdf =)
@OxOverflow Might depend on what type of alarm it is.
Would you be able to point me in the right direction for the term to search for, for probing vibrations from a safe lock, my googling is failing me. And also are there 'cheap' group 1 safe locks i could search for on fleabay?
@anfractuosity when you say "probing" the vibrations... what you mean, specifically? learning how to feel the contact points?
to listen acoustically i mean sorry
search eBay for a LaGard 3330 or an S&G 6700 series. then you may need a mount, etc.
cheers
On a related note, do alarm systems come with a back-door code that service techs or law enforcement can use for bypassing? Same question applies to electronic combo locks like the ones on some safes. Talking consumer-grade stuff here.
ah... so most safe lock cases are Zamak, not ferrous. I wound up epoxying some small metal plate to some in order to test out the ear amp device i have
@Dan Maloney 4140 is a popular installer code, often left enabled
@Dan Maloney There might be a default manufacturer code that the company never bothered to change on installation.
What @Deviant Ollam said.
also, on many access control gates, 911 or 911# is sometimes in the system for emergency access
Most alarm panels will not accept the dealer/installer code while armed.
Hack Chat Transcript, Part 1
06/03/2020 at 20:04
Good evening, good morning, and good 'morrow... depending on what time zone you're in while reading this! 👍
Hello all, welcome to the Hack Chat today. I'm Dan Maloney, I'll be moderator today for our chat with Deviant Ollam. We'll be talking about physical security - locks, lockpicking, etc.
Hi @Deviant Ollam, welcome to the Hack Chat! Perhaps you can start us off with a little about yourself and how you got into the security game?
Sure thing
Thank you for having me, BTW
=)
I get a lot of folk who reach out to me or approach me at events and speak with awe over the idea that my career exists -- that I get paid to break into secure facilities -- and the first thing I try to always tell folk is that I got here by tripping over backwards into opportunities that I wasn't expecting, and that some of the best things you will get to do in your life are things you haven't even considered yet.
I started as a computer and network engineer, with lockpicking merely as a hobby. That hobby became my full-time work (in a manner of speaking) and I credit this almost entirely to my attempts at giving away knowledge and teaching as much as possible
Dang, that's what I've been trying to tell my son for years now. You put it way better than I ever could have.
looking forward to hanging out
How did others get involved with "hacking" (Depending on your definition of it)
I wanted to make airplanes do stupid things in flight simulator when I was a kid.
Mostly by just messing with stuff and discovering there is a community around it
for me it was BBS's and it seemed like something super interesting, i like to tinker. then defcon. now its part of life
@31337Magician oh totally! seeing how far straight up it could fly, etc? (or crashing it into things, or trying to)
For me, it's just wanting to know how everything works. Can't really do that without tearing it apart, whether it's hardware or software
I used to switch physics profiles of airliners and aerobats then join public servers and freak people out at the airfield.
@pop13 absolutely... it's one thing to tinker and want to disassemble and learn, but meeting with communities of other folk who are resources is so rewarding
and im teaching my spawn to tinker and question everything
Got into programming when I was 5, and was fascinated with breaking things in unusual ways.
I always was interested in electronics and how stuff was built. Then my boss wanted to know more about 3D printers. That got me to find Make magazine and the whole community.
Never grew out of that.
Started programming when a teacher gave me a book about basic and let me sit behind the computer because I always finished my assignments early, rolled in to the rest from there.
@t.w.otto do you find that you're buying kits or items specifically for that or using things around the house? my wife and i were saying recently how modern products (a remote control, for example) are all tabs and not screws and usual fasteners anymore, etc.
Officially, during a special IT audit for a DOD contractor. Unofficially, I learned a lot about radio and telephones as a kid.
And by taking stuff apart as a kid
@Nicolas Tremblay what 3D printers do you have or use, may i ask? Our firm has a PRUSA
that is a challenge. some kits some dumpster diving/ garage sales/etc everything is a plastic tab that always pops when you try to open the case
@thomas.august I've been wanting to establish more connections with Ham folk and get better with radio, especially since we're seeing telephones be less reliable in big cities if there's an incident
Back in the days of early Internet, when it was still largely classed as "mischief". Then eventually became a choice between getting paid to do it, or trying to get away with it lol. I'm interested to know if you have any kind of formal methodology to work to on engagements, as I consider you someone who helps define how our industry progresses.
Took almost 3 years to convince my boss to buy a Makerbot 2X. I have an Anet A8 (heavily upgraded) at home
Ham ops are some of the original sharers of knowledge
the other side is with the maker movement has come the arduino and the Pi and etc so while tinkering with manufactured gear has gotten more frustrating. making whatever you want is more accessible.
@Deviant Ollam - you're playing my song. N7DPM
@thomc that's such a valid point: the collapse and evaporation of space for curious kids to explore without massive ramifications if they do something dumb
@Dan Maloney my wife has her license, i do not yet
@Tarah, congrats on the Fulbright Scholarship!
Speaking of
@t.w.otto you either have stuff intended for tinkering, and you have the stuff used in products which is really fun but locked down tight
Yeah
I think some electronics have become *easier* to modify; so many devices run linux or have exposed JST ports
@Deviant Ollam growing up my neighbor had a 50" antenna on his house, his radio setup was epic. At night when the KH layer was right we could listen to truckers all over the southwest.
@pop13 its a challenge. my goal as a hacker parent is to provide anything i can to allow them to get around the lock downs.
I'd expect getting a license to be a snap for anyone here. A weekend project at most, and more likely an evening with a study guide and a test the next day. Oz (N1OZ) in DFW
at least thats how i see it
@.io she says thanks! We're very excited. I'm amazed, it's a tremendous honor for her and well-deserved.
@thomas.august very cool
I have picked locks but do not practice enough at all, i bumped the lock to my workshop about a week ago. first time using bump keys.
@t.w.otto exactly... i've been thrilled seeing so many hacker voices discussing how to disrupt and subvert unconstitutional restrictions of freedom
Why pick when you can bump, why bump when you can bypass? :)
I tried bumping but never had any luck. The videos make it seem so easy
@t.w.otto nice! may i ask how many attempts it took?
took about 3-4
something about bumping that is funny... most brand new bump keys need some breaking-in
youngest locked the keys in the workshop
gotta sand em down
and everything was locked up, so it was bump, pick or break
figured i have had them for years lets try it out
take a beater lock and wail on it with a new bump key 20 to 30 times hoping it will bump open. it likely will eventually. then try the same key on a better lock, then a better lock.
My oldest has taken a liking to picking H&W cuffs with a paperclip. He thinks he's Batman.
oh this lock on this building is garbage
Have you had a lock which seemed to pick ok for many attempts, then later it seems very difficult to pick? (i think the tools are ok)
S&W
Lock innards get worn down after repeated picking
Wow I combined H&K and S&W in my head...
@anfractuosity yea the pins can get scratched and it gets harder
ahh
interesting
at least thats what i have experienced
@t.w.otto so glad you got in, and quickly! i was in a parking lot the other day and saw two guys fiddling with a car that had keys locked inside. I asked if they needed help. They said "no, but thanks!" so I went about my business. Came back 40 minutes later to my truck and they were still at it. I offered again, "I'm sure you've got this, but I am an entry technician... I have proper tools in my truck right now... want me to give this a shot?" (30 seconds later, the door was open)
It's been a treat, but also a horror over the years to see hardware hacking get easier, but at the same time, more restricted due to DRM.
@anfractuosity I have seen locks that get "over-picked" so to speak. the springs wear down and don't perform as well
@Deviant Ollam ha, they had no idea who you were... im glad you were there to help
Actually how hard is it to pick a car lock?
@Deviant Ollam cheers
@anfractuosity lockpicks are made of a harder material than the brass pins in a lock, so they wear down or get damaged. @Deviant Ollam don't you sometimes do lock forensics for this sort of stuff?
@pop13 it depends greatly on the vehicle, especially its age. from the mid 70s until the late 90s or early 00s most car locks were relatively simple wafer locks
And the modern stuff like the last 10 years?
Frankly needs to be a hacking bill of rights or so that puts the consumer in a position of being able to control their own hardware.
@thomas.august yes, we have a lock forensics team... https://enterthecore.net/post-intrusion-forensic-locksmithing/
Just interested, as almost every car maker over here in the EU uses the same style of key
Or even just a right to repair
@pop13 we're starting to see many more locks incorporating advanced wafers or what we'd say are locks with wafer-based sidebars. car keys with a "squiggle track" on them, etc
ooh that sounds really cool re. forensics, not heard of that before re. locks
How are you able to carry lock picks with you over there? Do you need a locksmith permit, or is it just allowed? In the UK we could be charged with "going equipped [to commit a burglary]". If I'm heading to a job it is okay, but I can't carry them around every day.
@pop13 they are still able to be attacked, but custom tools are MUCH more helpful.
i assume that entails pulling the lock completely apart to do analysis on?
Thanks
Are the squiggle track keys a wafer variant? My VW uses them
@thomc in the USA there are a variety of laws, that vary from state-to-state. still... https://toool.us/laws.html ...lotta green on this map!
@oz many are, yes
@Deviant Ollam nice!
I prefer to think of them as dental cleaning tools LOL
@anfractuosity yes, there are specific ways of disassembling locks so as to preserve forensic evidence, tool marks, etc
sculpture tools
You know, for those difficult to reach places
neat, i guess you use metallurgical microscopes too for that
@Deviant Ollam do you have any of the NFC implants, if so what do you use them for? I've been using it to send folks to my LinkedIn personally.
@anfractuosity conventional microscopes tend to be sufficient
gotcha :)
Do you have any interesting stories from the job to share (which you didnt talk about on cons)?
@31337Magician both my wife and I have RFID implants, yes. neither of mine are NFC, however. one of hers is
i have one implanted low-frequency RFID tag (a T5577, which is reprogrammable to be HID Prox, Indala, ioProx, EM, AWID, etc.) my other is a "Magic MIFARE" which is essentially an emulated NXP S50 (MIFARE classic)
i have been strongly interested in a magnetic one for ever
Tarah has the same Low Freq chip that I do (the xEM, T5577) and her other chip is an NTAG216 (so a Type-2 NFC chip)
Have you ever played with non-electronic safe locks? or could recommend any books about them
@anfractuosity I am a SAVTA certified safe technician and GSA safe and vault inspector. "yes" is the short answer. ;-)
ooh :)
there isn't any one safe-cracking book of which I'm aware, and my wife always says I have to write one.