You probably remember MySpace: back in 2005, it was the the place to be online, making it the place to try out social networking malware.
Assuming, that is, that you hadn’t learned the lesson of Robert Morris, whose Internet Worm of 1988 went sufficiently ballistic to end up in a courtroom conviction for its author.
And that’s what happened when Samy’s virus, dubbed JS/SpaceHero-A, evaded MySpace’s security filters and spread like crazy.
Samy figured out how to booby-trap a MySpace profile posting so that if you viewed it, the booby-trap would be added to your profile, and so on, and so on.
Every time the virus spread to a new profile, it “friended” young Samy Kamkar, who allegedly ended up with over 1,000,000 friends within 24 hours.
At this point MySpace, fixed the hole that allowed the payload to trigger.
In an interview shortly after the worm hit, Samy claims to have been surprised after reaching 200 friends, but worried after 2000 – after all, it wasn’t going to take a lot of detective work for the FBI to find out whodunnit.
A few hours later, at 200,000, he says he “went to Chipotle and ordered myself a burrito,” figuring that was one innocent way to “enjoy whatever freedom I had left.”
In the end, Samy owned up and pleaded guilty, making him a convicted virus writer, but helping him to avoid a custodial sentence.
He ended up paying restitution, getting 90 days of community service and agreeing to three years of control over how and when he used a computer.
He’s still a hacker, though.
A couple of years ago, he followed up on the efforts of some students in New Jersey, who built a Wi-Fi-hacking drone they called (who would have thought?) SkyNET, by building and open-sourcing a drone-hacking drone that he called (who would have thought?) SkyJack.
SkyJack was more targeted that just an airborne warbike, because it would, or so Samy claimed, seek out, hack into, and take over other drones of the same make in real time.
That would give a whole new sort of dual control: instead of a pilot and co-pilot having joint control of one aircraft, the SkyJack pilot got individual control of two drones at the same time.
→ As far as we know, SkyJack was never made viral, so a pwned drone wouldn’t then fly off and seek other drones to co-opt into a SkyJack zombie network. Perhaps Samy figured that piloting two drones at once was enough of a challenge without suddenly finding that you have 17 of the things careering above you in the local park in some kind of aerial lockstep, complete with 16 wailing kids and 16 angry dads bearing down on you, ready to show you what to do with your remote control unit.
Anyway, Samy’s most recent publication is an open-source 3D-printed robot that can crack a combination lock in just 30 seconds by twiddling the dial all by itself.
We don’t normally feature products that don’t have obvious legitimate uses, but this one seems harmless enough, and it’s quite neatly done, if you’re looking for a cool project to try out at your local Hackerspace or similar.
It only cracks those ultra-budget school locker combination padlocks: the ones that the cool kids used to put on their lockers at school, even though everyone else knew they were much less secure than a keyed lock costing a third of the price.
A quick trawl with a search engine or two will reveal that the standard locker-room combo padlock has a 40-number dial and a hard-wired (unchangeable) three-number combination.
The same search engines will provide you with numerous ways to open such locks without the combination – it seems that the more worn the lock mechanism, the easier it is to “feel” the combination.
So Samy’s robot is more in the way of hacker fun than a criminal hazard.
→ If you were at a school where the other kids used combo locks, you probably already
figured out how to heard excitable stories about how to open them. I certainly did. But, then, I also heard an earnestly-repeated warning that if you swallowed chewing gum, it would wrap around your heart and probably be fatal.
The locks we’re talking about here open like this: two spins right past the first number, until you reach it on your third lap; one spin to the left past the first number again, then stop at the second number; then simply turn right to the third number and the lock will open.
Note that the third number is a bit of a red herring.
On expensive combination locks, you have to stop at the the final number, and then reverse the dial one last time to activate the lock mechanism, so all the numbers play an critical part in the combination.
But on the cheap three-spin padlocks, the lock pops open as soon as you reach the last number.
So if you know the first two numbers, you don’t need to remember the third. You just pull down on the lock and spin the dial until the lock opens. (The dial will freeze at the actual number, so you can read it off if you like.)
In effect, the last partial turn to the right to pop open the lock, like the first two spins to the right to prime the mechanism, are just part of the “flagfall”, or operational overhead, of working the lock.
So, the keyspace of 64,000 (40x40x40, or approximately 216) apparent combinations offered by these locks is actually only 1600 (40×40, or less than 211).
That’s ideal for automation with a dedicated Arduino-powered robot like Samy’s, which can slog through the necessary repetitive motions in somewhere between one and two hours, assuming no components in the robot come loose, fall off or burn out.
Samy also figured out a simple way to work out, by feel, the likely first and second numbers, using some arithmetical relationships derived from the operation of the low-cost mechanism used in these budget locks.
His robot can’t do that initial “find by feel” stage, but if you can, it will do the rest, which reduces the cracking time to a mere 8 tries, which it can polish off in just 30 seconds.
Of course, you could just try those eight possible combos yourself, but that’s not why you join a Hackerspace!
9 comments on “Former virus writer open-sources his DIY combination lock-picking robot”
Duck wrote “It only cracks those ultra-budget school locker combination padlocks: the ones that the cool kids used to put on their lockers at school, even though everyone else knew they were much less secure than a keyed lock costing a third of the price.”
Ah, but we were required to use those locks and only those locks because they had a master-key slot on the back for use by school administrators.
Bolt cutters not good enough 🙂
But why? Why?
Any store-bought padlock can be opened with two crescent wrenches (easily concealable) or bolt cutters. Many purpose-built “security” padlocks are equally as vulnerable. Your run-of-the-mill lock from the hardware store has a very low resistance to shearing on the clasp. Compression resistance can only reach a given point (you can always get bigger bolt cutters.. I have some with 1.2 meter arms) before the lock itself cannot be suited for its purpose.
Amazingly enough, some of the top padlocks out there are a combination of malleable and hardened materials, with little-no access to the clasp. They are not cheap, they are not light, and they are not immune to cheap imitators. They also “self-destruct” when violently tampered with, so you’d better be ready to pony up for replacements AND have a means to remove it. (E.G. An Oxyfuel torch)
Padlocks are not (and never have been) secure. They are a deterrent. They keep honest people honest and discourage a quick “grab and go”.
Remember U-Locks and being able to be picked with a BiC Pen?
Who would ever carry around this monstrosity just to pop a lock? So you can lock it back up after you’re done?
Just be smart. Be safe. If it is important enough, use proper (correct) security measures.
For all the potential cyclist concerns.. if you use a chain, cable, U-lock, etc.. you’re doing nothing against someone intent on taking your possession. I’ve been to a few countries with excellent bike “housing” for cyclists… with the locks built into the door. (Think T-shaped garages, big enough just for a bike and stacked together like a zipper)
Why? Because he can 🙂
You have to admit, it’s a fun way to play with 3D printing, robotics and near-real-time programming for a low cost. We featured it because (as you say) carrying round something like this to pop a lock in an hour that you might very well be able to open “by feel” yourself in a minute is not something crooks are likely to benefit from.
OTOH, this does help to remind us that with automation, things that used to “take too long” can be made practicable. You’d run out of dexterity and patience long before you could try all 1600 combinations by hand (approximately 10,000 co-ordinated rotations and counter-rotations, one-third of them precise to within about 10 degrees), but this puppy can twiddle the dial all day without getting bored.
And, yes, there is a purpose to not damaging a lock on entry: you can remain covert. Use your bolt cutters and the intrusion is obvious, unless you replace the lock with a similar one, but the owner will be suspcious when they can no longer open it…
Oh, for sure. The things people have come up with since 3D printing has become “affordable” has been astounding.
Your second and third points are spot on as well.
My OP really stemmed from the fact this was the 3rd or 4th place I’ve seen an article about this device. Pruning through the comments (not here on Sophos), people seem to be in some kind of panic mode over it. Really, there’s a YouTube vid from nearly a decade ago detailing how to break the Master Lock combinations with simple math (IIRC it took 15-20 mins tops if it was the last possible series of combinations)
A lock, like any other security device, has its strengths, weaknesses, and vulnerabilities. You don’t _need_ a super security lock on everything. The primary “defense” of a lock is as a deterrent control. The security of the lock has many more facets. EG: Padlocking a hollow core door won’t actually offer true physical security, whereas padlocking a steel door with a protective hasp and a good security lock will thwart most intrusions.
I wholly agree that, automation is very important to keep in mind when choosing a security device, as well as when upgrading. The various defenses afforded is also important. Pick the right device(s) to offer the control you’re after.
Having a security alarm system installed, doesn’t mean not to use a big fat padlock on the door. As I noted, it is a visual deterrent. Same reason why industrial security cams haven’t gone the way of the dodo. They provide a visual deterrent (Yup, there’s cameras here, I’ll move along) as well as the actual monitoring of the location.
Ahh and there we enter the whole “layered defense”/”defense in depth” area.
There’s a lot of reasons for using a lock though and true physical security is rarely at the top. Most of the time (in my experience), it has been to be the visual deterrent and/or to meet legal requirements. (Some things need to be “secured” such that intent of access can be proven, rather than trying to disprove negligence on the part of the owner)
(Meh…, the amount of times I repeated the same concept of defense, in this post, is going to get me reported to the Department of Redundancy Department….But I don’t feel like editing. Time for some coffee)
Why not build something more useful for many people?
I hear you, and it’s a good question.
But sometimes even examples that aren’t directly useful in the real world are good learning aids…and inventing genuinely practical tools of this sort that can both teach and be of real-world use is not as easy as you might think…
Love ya, Paul, but the Morris worm was in 1988. I was a student at Berkeley at the time and remember that day. Interesting times.
Don’t know how that happened, not least because I linked to a ’25 years of’ article from 2013 that was written by, errrr, me.
Thanks for spotting, now fixed.