Safecrackers of the past put a stethoscope to a safe's panel while turning its dial, listening for the telltale murmurs of the interlocking components inside. It turns out that modern safecracking, despite all its electronic upgrades, isn't so different. But now those involuntary murmurs are electric, and the combination they betray takes the form of ones and zeros in transit between a lock's silicon chips.

At the Defcon hacker conference Friday, security researcher Mike Davis will present the results of years of research into a family of electronic safe locks all sold by Switzerland-based lock giant Dormakaba. Over the last two and a half years, Davis has found techniques to crack three different types of the Kaba Mas high-security electronic combination locks the company has sold for securing ATM safes, pharmacy drug cabinets, and even Department of Defense facilities, representing millions of locks around the world. Davis found that he could open many of those ATM and pharmacy locks in as little as five minutes with nothing more than an oscilloscope and a laptop. The technique also leaves no physical trace—other than the safe's contents disappearing.

"We've identified a design flaw, a pattern we’ve been able to leverage in almost every model of the lock," says Davis. The result is that, with just a couple of oscilloscope probes—simple metal pins that allow a common electrical engineering tool to measure voltages of the components they touch—inserted into a port on the lock's side and some clever power analysis, "we basically know everything the lock knows and can generate a combination to unlock the safe."

When the affected Kaba Mas locks turn on, they transfer their unique combination from the EEPROM memory chips they use for storage to their processor. The CPU can then compare any combination the user enters on its dial or touchpad to the correct one and, if that combination checks out, instantly open its bolt.

But Davis found that by inserting his oscilloscope probes into a lock's electronic components, he could deduce those combinations by studying the lock's internal voltage changes as it boots up. The voltages that "leak" while the CPU receives those stored bit patterns spell out the ones and zeros that represent the lock's combination in binary form, and Davis can decode them with the help of an automated Python script. "There's a very sharp transition between zeros and ones, and that's where the leakage comes from in this case," Davis says. "It's pretty easy to see the difference."
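To make the leak in that boot-time transfer concrete, here is an added toy simulation (not the researcher's script, and not modelled on any real Kaba Mas circuit) in which a plain serial copy dips the supply voltage on every data-line transition, so the dip pattern is a function of the secret; it also shows why a dual-rail, precharged copy produces a trace that no longer depends on the combination. The digit encoding, voltage levels, noise amplitude and sample combinations are constructed assumptions.

```python
"""Toy model of the EEPROM-to-CPU copy leak (constructed example, not real lock firmware)."""
import random

BASELINE = 3.3   # idle supply level in volts (constructed value)
DIP = 0.08       # drop caused by one data-line transition (constructed value)
NOISE = 0.01     # probe noise amplitude (constructed value)

def combo_to_bits(combo: str) -> list[int]:
    """Store each digit as 4 bits, MSB first (an assumed BCD-style layout)."""
    return [int(b) for d in combo for b in format(int(d), "04b")]

def naive_transfer(bits: list[int], seed: int = 0) -> list[float]:
    """Plain serial copy: one sample per bit, and the supply dips only when the
    data line changes level, so where the dips fall depends on the secret."""
    rng, trace, prev = random.Random(seed), [], 0
    for b in bits:
        trace.append(BASELINE - DIP * (b ^ prev) + rng.uniform(-NOISE, NOISE))
        prev = b
    return trace

def balanced_transfer(bits: list[int], seed: int = 0) -> list[float]:
    """Dual-rail, precharged copy: bit b drives a line pair (b, not b), then both
    lines return to 0, so every half-cycle has exactly one transition."""
    rng, trace = random.Random(seed), []
    for b in bits:
        d1, d0 = b, 1 - b
        transitions = d1 + d0          # always 1: exactly one line rises ...
        trace.append(BASELINE - DIP * transitions + rng.uniform(-NOISE, NOISE))
        trace.append(BASELINE - DIP * transitions + rng.uniform(-NOISE, NOISE))  # ... and falls
    return trace

def recover_bits(trace: list[float]) -> list[int]:
    """Threshold each sample into 'transition / no transition' and undo the
    running XOR; this only works when the dip pattern is data dependent."""
    bits, prev = [], 0
    for v in trace:
        prev ^= 1 if v < BASELINE - DIP / 2 else 0
        bits.append(prev)
    return bits

def max_trace_difference(combo_a: str, combo_b: str, transfer) -> float:
    """Largest pointwise gap between the traces of two combinations. A probe
    can only tell them apart if this gap rises above the noise floor."""
    ta = transfer(combo_to_bits(combo_a), seed=1)
    tb = transfer(combo_to_bits(combo_b), seed=2)
    return max(abs(x - y) for x, y in zip(ta, tb))
```

With the naive copy, `recover_bits` reads the combination straight back out of the trace; with the balanced copy, two different combinations yield traces that differ by no more than the noise.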

Photo caption: The oscilloscope setup that allows Mike Davis to crack Dormakaba’s Cencon lock in minutes. (Photo: Andy Greenberg)

Two models of the Kaba Mas locks, the Cencon locks Dormakaba sells for use on ATM vaults and the Auditcon locks it markets for use in pharmacies, have a port on their left side that Davis says offers easy access for his voltage probes. "You put your oscilloscope probes right in the port, then you spin the dial so the lock boots," Davis says. "It copies its EEPROM contents over to its CPU, and that’s sufficient to unlock it." Dormakaba's marketing materials boast that it has sold 1 million of the Cencon locks alone for use on ATMs.

Kaba-Cracking Tools

In his Defcon talk, Davis plans to demonstrate the basic form of his attack as a proof of concept. It works only on those two lock models and—for the Cencon in particular—only with certain default settings in place. But Davis has spent the last two years developing variations on that technique that can also open the Cencon when it has other security settings enabled, as well as other higher-security locks the company sells, albeit with more complex methods that in some cases involve serious surgery on the locks' exterior.