This is the beginning of the holidays; a lot of people will travel during the next weeks and may stay in a hotel. The rooms are usually equipped with a safe to store valuables such as money, passports or your laptop. Experts of the G DATA SecurityLabs checked the security level of one safe which is made in China and is sold under many different brands. We present the findings in this article.
The safe is a mid-size standard hotel room safe, made out of steel and powered by batteries, meaning it is grid-independent. The model can be opened in several ways: with a PIN code (between 4 and 10 digits) or with a credit card. Furthermore, it is possible to open the safe with an emergency key. This key is not available to the customer, only to the manager of the hotel. The key can be used:
The golden plate can be removed by unfastening 2 screws. Then the lock of the emergency key will be accessible. Video 1 shows how to lock and unlock the safe, as intended by the vendor.
Using the safe is simple. The safe consists of three parts:
To better understand the internals, we can disassemble the door and see the content.
If we look at the opening mechanism, we can identify the lock where the emergency key is inserted, the motor used to move the cylinders and an electronic board. When a customer enters a PIN code to open or close the door, this PIN is checked by the board. If the PIN code is correct, the motor is enabled and the cylinders are moved, as you can see in video 2.
The easiest way to open the safe is to use the master code. The master code allows configuring the safe, showing the history of the usage of the safe or opening the door. The default master code is a simple sequence of numbers. To be able to enter the master code, we have to press the # button twice in quick succession.
Of course, the master code can be changed. However, during our tests, we found a lot of safes with the default master code. We advise hotel managers to change the default master code!
A mechanical method to open the door is the use of the emergency key. The emergency key seems to be complex:
If we look carefully at the image, we can see that the key has four sections. For a beginner, it is complicated to lock pick this kind of key. But the manufacturer helps us a lot… Only one of the four sections is really used in the cylinder. Video 3 shows some lock picking action.
The third way to open the door is to simulate the opening of the door by causing a short circuit. To understand this technique, we need to know how the safe detects if the door is opened or not.
We can see a green connector pressed when the door is opened. By causing a short circuit on the solder of the component, we are able to simulate the opening of the safe. Here is the scenario:
The difficulty is to perform the short circuit from the outside. We use the screw hole of the brand logo plate to insert a wire. In our tests with very simple tools we needed about 30 minutes to correctly cause the short circuit. A professional thief could create a specialized tool which would reduce the time for a successful attack to a few minutes. Mitigation of this hack depends on the producer of the safe. A simple solution could be to put the holes for the brand logo in a different place. More effective countermeasures would be based on a piece of hardware that prevents access to the switch and a more sophisticated opening logic.
As explained before, the customer can use a credit card to lock and unlock the door. During our tests we discovered that the magnetic card must be a credit card. The customer cannot use an alternative magnetic card to lock the door. The system checks if the card used really is a credit card or not.
A magnetic card reader is an extremely basic technology. It is composed of two elements:
The reader is a play head, comparable to a sound head inside old hi-fi tapes. The reader is composed of two wires: the data and the clock. Together with the sensor, reading the magnetic card basically needs three wires: the sensor state, the data and the clock.
The sensor is the green block on the left with a metal strip underneath, and the reader is the element in the middle with the white and red wire.
People stealing credit card numbers frequently use “skimmers” to perform their mischief. It could be an extension to an ATM to copy the magnetic card. Here is an example of an ATM skimmer:
In our case it is not complicated to create the same mechanism, but from the inside of the safe. To perform this task, we used an Arduino Uno board. Here is a picture of the setup:
As we can see, the added elements do not need a lot of space. They could be placed within a manipulated safe.
A credit card uses two tracks on the magnetic stripe, but the reader in the safe only supports one track. Nevertheless, this track contains the credit card number, the name of the owner of the card and the expiration date. Here is a screenshot of the stolen data on a credit card:
Furthermore, we can imagine an update of this attack in which the safe asks the customer to enter the PIN code of the credit card on the PIN code panel after using the credit card to operate the safe. Then, the thieves would steal the magnetic track and the PIN code too.
As you can see, the security level of the analyzed safe is not very high. It can easily be opened with different approaches and, in the worst case, it can be modified to steal personal data.
We wish you a safe holiday!