It's been a long time since I've done any physical security hacking, but recently I came across an interesting vulnerability almost by chance.
For some time I've had an old SentriLock Realtor lockbox kicking around in the garage. It's the type of thing your real estate agent puts on the door while your house is on the market so other agents can get the key to show your house. I didn't have any way to get it open, so I'd never made any attempt to figure out how it worked. Last year I did a liquid nitrogen demo for a bunch of friends - we spent an evening breaking things and making ice cream. While I was gathering up things to freeze and break, I came across the lockbox. I threw it in the pile, and when we were done shattering carnations and racquetballs, we soaked the lockbox for a couple of minutes and attacked it with a sledge hammer. The box held up reasonably well, but a solid blow to the key compartment door shattered it.
The unit sat on a table for about a year, and recently I saw it there and realized that with the compartment open, the only thing holding it closed was a pair of screws. I took them out with my Leatherman and opened it up.
(Pictures to follow later, I left the unit in the shop and I'm blogging from home on a dull Sunday night.)
There's a single circuit board in the unit with the contacts for a rubber keypad on one side and components on the other. The only actuator is a small gear motor that drives the latch mechanism. This is where I noticed a design flaw.
The motor's leads connect to the PCB near the '1' button on the keypad, and the pads are exposed on the keypad side. The keypad itself is soft silicone rubber, and the PCB is separated from the front of the housing by the thickness of the silicone sheet. Therein lies the problem: If you rip off the '1' button (or the do-not-disturb indicator) you can stick a couple of angled probes (I used curved tweezers) into the hole and inject a voltage directly to the latch motor. With properly constructed probes, you could probably do this by piercing the keypad and not have to damage it significantly. As it is, you could easily stick the button back on with some silicone adhesive around the edges and very likely avoid detection.
My unit was pretty significantly damaged by the beating it took from the sledge hammer, so I can't do a proper demo here. If anyone happens to have an undamaged unit they'd like to contribute, I'd be happy to give it a shot.
I emailed the company to inform them of my discovery, and to my surprise I received a response from the founder and CEO, Scott Fisher, within an hour. He stated that the model I've got hasn't been made in a few years, and that there have been improvements since then. Based on the white paper for their new model, it sounds like they're meeting significantly more stringent security standards these days.
The chances of anyone using this flaw to break into a house are pretty slim, especially when a rock through a window will accomplish the same thing. What's most interesting to me is the gap in their analysis of the threat space that this vulnerability implies. The mechanical construction of the lockbox seems to be more than adequate - I'd certainly have had a lot of trouble forcing it by less violent means than I used, especially if it were still hanging on a door. And presumably the smart card system has a reasonable degree of security (though this is something I'd also like to check out if I had time), but it seems they didn't anticipate a direct electrical attack on the PCB. Simply relocating the motor leads would have made it considerably more difficult to exploit - there could still be other interesting traces accessible through the keypad openings, but they'd take considerably more precision to tap into.
It also seems likely that it was an economic decision that led to the flaw. Using a single PCB to handle both the control functions and the keypad undoubtedly reduced component costs, mechanical complexity, and assembly time, but compromised the design in a way that would not be tolerated in something like an electronic safe or an alarm system.
In fact, next time I'll cover the cheap Chinese safe I just got on eBay - and how they got the keypad separation right, but still managed to leave the safe vulnerable to a simple, non-invasive attack that lets an unskilled intruder open it in seconds without any tools. It's simultaneously an interesting flaw and kind of a bummer, since I'd intended to actually keep stuff in the safe.
Update (5/9/2011): Scott Fisher at SentriLock says my approach won't work with an undamaged unit, but declined to elaborate. If anyone has one that hasn't been beaten on with a sledge hammer and frozen to -320 F, let me know and we can see if he's right.