Biz & IT —

How to crack many Master Lock combinations in eight tries or less

Gymnasium locker rooms may never be secure again, thanks to quick and easy hack.

Dan Goodin - Apr 28, 2015 9:32 pm UTC

How to crack many Master Lock combinations in eight tries or less — Thegreenj

There's a vulnerability in Master Lock branded padlocks that allows anyone to learn the combination in eight or fewer tries, a process that requires less than two minutes and a minimal amount of skill to carry out.

The exploit involves lifting up a locked shackle with one hand while turning the combination dial counterclockwise starting at the number 0 with the other. Before the dial reaches 11, there will be three points where the dial will resist being turned anymore. One of them will be ignored as it is exactly between two whole numbers on the dial. The remaining two locations represent locked positions. Next, an attacker again lifts the locked shackle, this time with less force, while turning the dial clockwise. At some point before a full revolution is completed, the dial will resist being turned. (An attacker can still turn through it but will physically feel the resistance.) This location represents the resistance location. The two locked positions and the one resistance position are then recorded on a Web page that streamlines the exploit.

Promoted Comments

Solomonoff's SecretArs Praefectus
jump to post

Fascinating. Here is the actual algorithm that the site uses to predict numbers in the combination. Irrelevant portions have been removed.
Code:
   function combo(x)
   {
      var second = [];
      var third = [];

      var first = (Math.ceil($('input#rl').val()) + 5) % 40;

      var mod = first % 4;

      for (var i = 0; i < 4; i++)
      {
         if (((10 * i) + l1) % 4 == mod)
            third.push((10 * i) + l1);

         if (((10 * i) + l2) % 4 == mod)
            third.push((10 * i) + l2);
      }

      for (var i = 0; i < 10; i++)
      {
         var tmp = ((mod + 2) % 4) + (4 * i);

         if (!x || ( (third[x-1]+2)%40 != tmp && (third[x-1]-2)%40 != tmp))
            second.push(tmp);
      }

   }

11940 posts | registered Nov 18, 2007
DilbertArs Legatus Legionis
jump to post

nicosaurus wrote:
darthg8r wrote:
I need 30 seconds with a set of bolt cutters. I bet I win...

Bolt cutters are a lot more obvious than a guy bending over and putting in the combination. Even if the person looks at their phone and takes a little longer. It could easily look like they bought a new lock and haven't memorized the combo yet.

Yep this. It's the difference between shattering a car window, or using a hacked remote to unlock the doors. One is a half dozen 911 calls from passers by, the other people won't give it a second thought.

20020 posts | registered Mar 15, 2002
samykamkarSmack-Fu Master, in training
jump to post

There are several reductions at play that combine together here -- in the original 100 method, you must prep by producing 12 numbers, where in this attack you only produce 3, and the original attack provides the 3rd number reducing the 1st to 10 possibilities, while this attack *gives* you the 1st number *and* reduces the last to two digits instead of 10, while also reducing the middle digit even further (the original attack reduces middle to 10, while this reduces middle to 8).

Video and demonstration of what's literally happening inside the lock forthcoming!

adipose wrote:
Quote:
Kamkar then made a third observation that was instrumental to his Master Lock exploit: the first and third digit of the combination, when divided by four, always return the same remainder.

No, this is part of the 100 try method.

1st = (3rd % 4) + 4*n

All of these would have the same mod as the 3rd number. Therefore it is not a new observation but a necessary consequence of the 100 try method.

4 posts | registered Dec 3, 2013
adiposeArs Scholae Palatinae
jump to post

After looking at the algorithm, it seems his main innovation is the calculation of the first number via the resistant location (rotate 5 from resistant).

He also has a nice trick for calculating the 3rd number more quickly, but the 3rd number is actually the only "certain" number in the 100 try method, so this is not too important.

Combining those two methods would give you 10 tries.

There is also a known correlary to the 100 try method that allows you to eliminate 2 of the 10 second numbers, because they cannot be "next to" the 3rd number. This leaves you with 8 tries.

1184 posts | registered Dec 8, 2005
EssenseArs Scholae Palatinae
jump to post

Im a locksmith by trade, repeat after me. American Eleven Oh Five.

Cheap, Weather Proof, hard as fuck to pick.

-Yes they can be picked if you are a LockSport Expert and can mess with it for awhile. I pick lock everyday and I won't mess with one, not worth my time.

-There was a bypass but it's been long fixed.

-You can still cut them.

And before your too hard on Master Lock (who also owns American Lock now) the dial combo lock cost like 5 bucks and was taylor made for the school market. Security was not their first prioirty. That said, there are worse locks on the market, no name brands, and brands like Brinks, Bulldog, etc.

You can't pass judgement on "Master Lock" based off this product. It's their cheapest, lowest end lock. Even a Master No.1 is better, which is sitll quite easy to pick being a 4 pin lock. If you move up the line to the Pro Series tho, you reach parity with American Lock, you start to see 5/6 pin locks with mushroom top pins and serrated top pins. Good luck picking that shit, yeah there's dozens of video's on youtube of it being done, but it's not practical.

The Maser 175D is also very easy to open, with a bypass. I don't recommend any combination lock for security. Keys are way better for security, not always for practicality tho.

1226 posts | registered May 2, 2001

Promoted Comments

Solomonoff's SecretArs Praefectus
jump to post

Fascinating. Here is the actual algorithm that the site uses to predict numbers in the combination. Irrelevant portions have been removed.
Code:
   function combo(x)
   {
      var second = [];
      var third = [];

      var first = (Math.ceil($('input#rl').val()) + 5) % 40;

      var mod = first % 4;

      for (var i = 0; i < 4; i++)
      {
         if (((10 * i) + l1) % 4 == mod)
            third.push((10 * i) + l1);

         if (((10 * i) + l2) % 4 == mod)
            third.push((10 * i) + l2);
      }

      for (var i = 0; i < 10; i++)
      {
         var tmp = ((mod + 2) % 4) + (4 * i);

         if (!x || ( (third[x-1]+2)%40 != tmp && (third[x-1]-2)%40 != tmp))
            second.push(tmp);
      }

   }

11940 posts | registered Nov 18, 2007
DilbertArs Legatus Legionis
jump to post

nicosaurus wrote:
darthg8r wrote:
I need 30 seconds with a set of bolt cutters. I bet I win...

Bolt cutters are a lot more obvious than a guy bending over and putting in the combination. Even if the person looks at their phone and takes a little longer. It could easily look like they bought a new lock and haven't memorized the combo yet.

Yep this. It's the difference between shattering a car window, or using a hacked remote to unlock the doors. One is a half dozen 911 calls from passers by, the other people won't give it a second thought.

20020 posts | registered Mar 15, 2002
samykamkarSmack-Fu Master, in training
jump to post

There are several reductions at play that combine together here -- in the original 100 method, you must prep by producing 12 numbers, where in this attack you only produce 3, and the original attack provides the 3rd number reducing the 1st to 10 possibilities, while this attack *gives* you the 1st number *and* reduces the last to two digits instead of 10, while also reducing the middle digit even further (the original attack reduces middle to 10, while this reduces middle to 8).

Video and demonstration of what's literally happening inside the lock forthcoming!

adipose wrote:
Quote:
Kamkar then made a third observation that was instrumental to his Master Lock exploit: the first and third digit of the combination, when divided by four, always return the same remainder.

No, this is part of the 100 try method.

1st = (3rd % 4) + 4*n

All of these would have the same mod as the 3rd number. Therefore it is not a new observation but a necessary consequence of the 100 try method.

4 posts | registered Dec 3, 2013
adiposeArs Scholae Palatinae
jump to post

After looking at the algorithm, it seems his main innovation is the calculation of the first number via the resistant location (rotate 5 from resistant).

He also has a nice trick for calculating the 3rd number more quickly, but the 3rd number is actually the only "certain" number in the 100 try method, so this is not too important.

Combining those two methods would give you 10 tries.

There is also a known correlary to the 100 try method that allows you to eliminate 2 of the 10 second numbers, because they cannot be "next to" the 3rd number. This leaves you with 8 tries.

1184 posts | registered Dec 8, 2005
EssenseArs Scholae Palatinae
jump to post

Im a locksmith by trade, repeat after me. American Eleven Oh Five.

Cheap, Weather Proof, hard as fuck to pick.

-Yes they can be picked if you are a LockSport Expert and can mess with it for awhile. I pick lock everyday and I won't mess with one, not worth my time.

-There was a bypass but it's been long fixed.

-You can still cut them.

And before your too hard on Master Lock (who also owns American Lock now) the dial combo lock cost like 5 bucks and was taylor made for the school market. Security was not their first prioirty. That said, there are worse locks on the market, no name brands, and brands like Brinks, Bulldog, etc.

You can't pass judgement on "Master Lock" based off this product. It's their cheapest, lowest end lock. Even a Master No.1 is better, which is sitll quite easy to pick being a 4 pin lock. If you move up the line to the Pro Series tho, you reach parity with American Lock, you start to see 5/6 pin locks with mushroom top pins and serrated top pins. Good luck picking that shit, yeah there's dozens of video's on youtube of it being done, but it's not practical.

The Maser 175D is also very easy to open, with a bypass. I don't recommend any combination lock for security. Keys are way better for security, not always for practicality tho.

1226 posts | registered May 2, 2001

Dan Goodin Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene.

Channel Ars Technica

← Previous story Next story →

Further Reading

Promoted Comments

Promoted Comments

reader comments

Channel Ars Technica