Rechercher
Contactez-nous Suivez-nous sur Twitter En francais English Language
 

Freely subscribe to our NEWSLETTER

Newsletter FR

Newsletter EN

Vulnérabilités

Unsubscribe

G DATA: Hotel safes - are they really safe?

July 2014 by G DATA

This is the beginning of the holidays; a lot of people will travel during the next weeks and may stay in a hotel. The rooms are usually equipped with a safe to store valuables such as money, passports or your laptop. Experts of the G DATA SecurityLabs checked the security level of one safe which is made in China and is sold under many different brands. We expose the findings in this article.

Presentation of the safe

The safe is a mid-size standard hotel room safe, made out of steel, running with batteries, meaning it is grid-independent. The model has several ways to open it: We can either use a PIN code (between 4 and 10 digits) or a credit card. Furthermore, it is possible to open the safe with an emergency key. This key is not available for the customer but only for the manager of the hotel. The key can be used:

if the customer forgets his PIN code
if the batteries are low and the electronic does not work anymore
if the customer leaves his room without unlocking the safe
Picture of the analyzed hotel safe model

The golden plate can be removed by unfastening 2 screws. Then the lock of the emergency key will be accessible. Video 1 shows how to lock and unlock the safe, as intended by the vendor.

How does the safe work?

Using the safe is simple. The safe consists of three parts:

The safe itself (in steel)
The input panel, in front of the safe, to enter the PIN code or swipe a card through the credit card reader
The opening mechanism, behind the door
Picture of the safe’s opening mechanism

To better understand the internals, we can disassemble the door and see the content.

Picture of the door’s inside

Picture of another insight into the door

If we look at the opening mechanism, we can identify the lock where we can insert the emergency key, we can see the motor used to open the cylinders and an electronic board. When a customer enters a PIN code to open or close the door, this PIN is checked by the board. If the PIN code is correct, the motor is enabled and the cylinders are moved, as you can see in video 2.

Hacking 1: how to open the safe?

Master code

The easiest way to open the safe is to use the master code. The master code allows configuring the safe, showing the history of the usage of the safe or opening the door. The default master code is a simple sequence of numbers. To be able to enter the master code, we have to push twice, quickly, the # button.
Of course, the master code can be changed. However, during our tests, we found a lot of safes with the default master code. We advice hotel managers to change the default master code!

Lock picking

A mechanical method to open the door is the use of the emergency key. The emergency key seems to be complex:

Picture of the emergency key to open the safe

Picture of the emergency key, seen from a different angle

If we look carefully at the image, we can see that the key has four sections. For a beginner, it is complicated to lock pick this kind of key. But the manufacturer helps us a lot… Only one of the four sections is really used in the cylinder. Video 3 shows some lock picking action.

Short circuit

The third way to open the door is to simulate the opening of the door by causing a short circuit. To understand this technique, we need to know how the safe detects if the door is opened or not.

Picture of the lock’s position when the door is closed

Picture of the lock’s position when the door is opened

We can see a green connector pressed when the door is opened. By causing a short circuit on the solder of the component, we are able to simulate the opening of the safe. Here is the scenario:

we close the door by entering a PIN code;

we cause a short circuit for the safe to think that the door is opened (in reality it is closed);
instead of asking for a PIN code to open the door, the safe awaits a new PIN code to lock the door;

we enter a new code;

the safe tries to close the door already closed;

the new code can be used to actually open the door.

The difficulty is to perform the short circuit from the outside. We use the screw hole of the brand logo plate to insert a wire. In our tests with very simple tools we needed about 30 minutes to correctly cause the short circuit. A professional thief could create a specialized tool which would reduce the time for a successful attack to a few minutes. Mitigation of this hack depends on the producer of the safe. Simple solutions could be to put the holes for the brand logo in a different place. More effective counter measures would be based on a piece of hardware that prevents access to the switch and a more sophisticated opening logic.

Hacking 2: the risk of the credit card use

Presentation of the feature

As explained before, the customer can use a credit card to lock and unlock the door. During our tests we discovered that the magnetic card must be a credit card. The customer cannot use an alternative magnetic card to lock the door. The system checks if the card used really is a credit card or not.

How a magnetic card reader works

A magnetic card reader is an extremely basic technology. It is composed of two elements:

A sensor to detect if a card is present or not
The reader itself
The reader is a play head, comparable to a sound head inside of old hi-fi tapes. The reader is composed of two wires: the data and the clock. To read the magnetic card it basically needs three wires: the sensor state, the data and the clock.
The sensor is the green block on the left with a metal strip underneath, and the reader is the element in the middle with the white and red wire.

Piture of the magnetic reader

Can someone steal the credit card number of the customers?

People stealing credit card numbers frequently use “skimmers” to perform their mischief. It could be an extension to an ATM to copy the magnetic card. Here is an example of an ATM skimmer:

Picture of an ATM skimming device

Picture of an ATM skimming device mounted to an ATM

In our case it is not complicated to create the same mechanism, but from the inside of the safe. To perform this task, we used an Arduino Uno board. Here is a picture of the montage:

Picture of skimming device, inserted into the analyzed safe

As we can see, the added elements do not need a lot of space. They could be placed within a manipulated safe.

A credit card uses two tracks on the magnet strip, but the reader in the safe only supports one track. Nevertheless, this track contains the credit card number, the name of the owner of the card and the expiration date. Here is a screenshot of the stolen data on a credit card:

Screenshot of the stolen credit card data

Furthermore, we can imagine an update of this attack in which the safe asks the customer to enter the PIN code of the credit card on the PIN code panel after using the credit card to operate the safe. Then, the thieves would steal the magnetic track and the PIN code too.

Conclusion

As you can see, the security level of the analyzed safe is not very high. We can easily open it with different approaches and in the worst case can modify it to steal personal data.

We definitely recommend hotel managers to change the default master code.
We also recommend to refrain from buying models which can be opened with credit cards. Such safes should be checked for modifications by both hotel staff and hotel guests.

We suggest that users of a hotel safe limit their trust in it to a moderate level and that they do not rely too much on the safety of their personal items stored away.

Furthermore, we strongly recommend to never use your credit card to lock a safe! Thieves can alter the hardware quite easily to modify the behavior of the system. In our case, it is impossible to detect the scam without disassembling the safe.

We wish you a safe holiday!


See previous articles

    

See next articles


Your podcast Here

New, you can have your Podcast here. Contact us for more information ask:
Marc Brami
Phone: +33 1 40 92 05 55
Mail: ipsimp@free.fr

All new podcasts