How about something like this… A device which can analyze the oils left behind on the buttons from when the user enters the combo. The buttons with finger oil on them make up the combo. And because the oil wears off as you press the button, you can figure out the order of the combo. The button with the most oil is the first, second most is the second, etc.
That is the method. You’re unlikely to determine the order that way. But you don’t need to, the number of possible combinations will be relatively small if there are a small number of digits. In the story the safecracker can just use a UV light to examine the keypad to see which digits have been pressed most often by the buildup of oils. If the same combination has been used enough times, there will be physical wear on the keys even if they’ve been wiped down.
Fingers leave an oily residue on surfaces they come into contact with. Presumably, there would be more oil on keys that are pressed first, and less oil on keys that are pressed last.
Get your safe-cracker to “dust” the keypad with wizard dust chemical powder x, which is a powder that will turn various shades of blue depending on the oiliness of the surface it is applied to.
So, if the key code is six digits long, after dusting, no more than 6 keys on the pad will be a shade of blue (possibly fewer if keys are repeated in the code). If he’s lucky, 6 different keys will be shades of blue and he can just push them in order from darkest to lightest. If he’s unlucky, he will have to try several combinations, but it shouldn’t take too long.
EDIT: Damn you filmore…
Mention in your story that this is the ‘old’ model of the safe, that does NOT have these 2 more advanced safeguards:
- must wait x seconds/minutes after a wrong entry before trying again.
- system locks up after 3 (or 5, or some small number) wrong tries and must be reset by a factory technician.
Then, without those, your master thief can have a neat little gadget he has built, a box that fits over the keypad with suction cups and contains 10 robotic fingers (rubber-tipped solenoids?) electronically controlled to press every combination from 00-00-00 to 99-99-99 super fast, way faster than human fingers. With this, all the possible combinations can be tried in only an hour or two, until the right one is found.
You can even have this ‘fingers’ box connected by a cable to the latest electronic gadget fad – an iPad, smart phone, etc. That lets you have a nice visual of the combination numbers quickly flashing by on that as each one is tried. (Also an opportunity to collect a ‘placement fee’ from some company who wants their gadget to be the one shown.)
Also, the fingers box can make a fast clicking noise as the buttons are pressed so quickly – creating tension as your thief worries about the nearby guard overhearing that noise.
I know nothing about digital lock systems, so this is pure invention based on a knowledge of well-documented cryptographic style attacks, and the sort of shortcuts programmers can make without thinking about the problem too much. It is a variant of the Password Slot Machine TVTrope. I do not believe for a minute that you could actually do this, but it hopefully sounds good enough. If the mods think it is too revealing, then so be it …
What about basing your attack on a Timing Attack, using an external EMF monitor. This is suitably plausible, but not actually practical (in practice, the metal of the safe shields the circuit from monitoring, and the code should not work how I describe anyhow). The explanation is that a correct digit triggers a different EMF response from an incorrect one before the unlock button is pressed - the attacker can clear the incorrect input and retry to get the next correct digit.
The Safe Manufacturer internet message board could discuss the firmware upgrade that addresses this problem (too many retries only pressing clear) and the additional circuit shielding that prevents electrical interference (and by implication, monitoring). The attacker only needs to know that the safe has not been updated. This approach gives a maximum of 10 attempts per digit in the code, and an average of 5. It could also be automated as t-bonham suggests.
Si
Not a digital safe, but a digital burglar alarm.
When I recently bought a property and was doing it up, one evening the burglar alarm (which I had assumed had been disabled) went off. I hadn’t been given the code and I couldn’t get it to stop so I ended up having to call the number on the box and get an engineer from the alarm company out.
When he arrived, he flipped open the lid of the little keypad and punched in quite a long series of numbers - at least a dozen I’d say, maybe as many as sixteen. He didn’t have to refer to any records, afaik, so I assume it was a standard factory override code.
Back in high school a friend of mine mentioned to me that when you wanted to gain access to something with a digital lock (IIRC he was actually talking about disarming an alarm, but it still applies) he suggested cleaning the keypad the day before and then dust for prints the next day. This way you (in theory) would only have one set of fingerprints to deal with.
Safes like the ones used in hotels generally have a “master” code.
The same way you open any other safe (drill and scope). It’s boring, but it (almost) always works.
I don’t know if this is true for private safes (although likely for the ones sold at K-Mart). Otherwise they wouldn’t be very ‘safe’. The major advantage of an electronic safe is the ability to reprogram the combination, so no one but the owner would have access to it, and it couldn’t be cracked with a stethoscope (and I have some doubts if that can actually be done on a quality safe despite the anecdotal evidence). I have cracked dial safes before, using techniques similar to those that Richard Feynman wrote about, all based on cheating by having access to a safe that is already open, or not cleared by spinning the dial. Just like with the electronic keypad, there are a lot of ways to derive the combination rather than listening for non-existent tumblers or feeling things with sandpapered fingertips.
samclem, I don’t know if you’ll see this, but why the ban on mentioning specific techniques? The knowledge of how to crack a safe isn’t illegal.
“Almost” is the key word. I never had much luck (or patience) with scoping.
I don’t think using a borescope would work for an electronic lock, since you’re not lining up the gates as you do on a manual lock. I would suspect that there is something like a solenoid that is activated by the correct numbers being punched in, but that’s a guess, as the digital safes came out after I was long gone from that sort of work.
Let’s say you know that 4 keys have been pressed most often. The safe takes a 6-digit code. If you can do one combination every 3 seconds (good luck with that) it would take you on the average 2 hours to open the safe.
Dear SDMB,
I seem to have locked my crowbar and dynamite in a digital safe. Can anyone help? As you can probably guess, need answer fast!
Respectfully,
G. Freeman
I did say before that this method was based on a combination that was not too complex. If there were 6 unique digits, it would only take you a little over 3 minutes. The OP can adjust his story to deal with this though. But you’re right that 3 seconds is pretty fast, usually there’s a reset time after a bad combination. **t-bonham** is also correct in pointing out that some safes will need an additional reset after a few bad combinations too. But we are talking about fiction here. The technique only has to satisfy the need to suspend disbelief. It’s usually easier to pick up a safe, carry it somewhere, and lacking any other means, hit it with a sledge hammer until welds crack or the door warps enough to pry it open. But that usually doesn’t make good fiction.
I always keep a copy of the combination carefully locked in the safe in case of such a circumstance. I also keep a wire coat hanger in the trunk of my car in case I lock my keys in it.
Some low-quality locks don’t even have discrete boundaries to the combination at all, and just require that the right keys be pushed in succession at some point in the key sequence. Thus, for instance, if the combo is “3456”, then hitting “1234567890” would work (actually, it’d work after “123456”). This considerably cuts down on the time to brute-force them (especially if you combine with a fingerprint method to find out what digits to use).
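As an added illustration (not from any poster in this thread), a Python sketch of the lock flaw described above beside the two safeguards t-bonham listed: `WeakKeypad` models a lock with no entry boundaries, so the post’s example of “1234567890” opening a “3456” lock holds, while `StrictKeypad` accepts only whole fixed-length entries, imposes a retry delay after a miss, locks out after a few misses, and compares the whole entry in constant time so there is no per-digit signal of the kind the timing-attack post imagined. The class names, code length, delay and lockout values are constructed for the example, not taken from any real product.

```python
import hmac
import time

class WeakKeypad:
    """No entry boundaries: opens as soon as the last keys pressed spell the code."""
    def __init__(self, code):
        self.code, self.window = code, ""

    def press(self, key):
        # No "clear" or "enter" key: only the most recent len(code) presses count.
        self.window = (self.window + key)[-len(self.code):]
        return self.window == self.code

def weak_opens_after(code, keystream):
    """Keys pressed before a WeakKeypad opens, or -1 if it never does."""
    pad = WeakKeypad(code)
    for i, key in enumerate(keystream, start=1):
        if pad.press(key):
            return i
    return -1

class ManualClock:
    """Constructed stand-in for time.monotonic so the retry delay is testable offline."""
    def __init__(self):
        self.t = 0.0
    def __call__(self):
        return self.t

class StrictKeypad:
    """Fixed-length entry only, retry delay after a miss, lockout after max_wrong misses."""
    def __init__(self, code, retry_delay=30.0, max_wrong=3, clock=time.monotonic):
        self.code, self.retry_delay, self.max_wrong, self.clock = code, retry_delay, max_wrong, clock
        self.wrong, self.not_before, self.locked = 0, 0.0, False

    def submit(self, entry):
        now = self.clock()
        if self.locked:
            return "locked"            # stays shut until a technician resets it
        if now < self.not_before:
            return "wait"              # retry delay still running; entry discarded
        # Whole entry checked at once in constant time: no per-digit feedback to observe.
        if len(entry) == len(self.code) and hmac.compare_digest(entry, self.code):
            self.wrong = 0
            return "open"
        self.wrong += 1
        self.not_before = now + self.retry_delay
        if self.wrong >= self.max_wrong:
            self.locked = True
            return "locked"
        return "wrong"
```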
No matter what it looks like from the front, the mechanical parts are still the same. The “electronic” part is merely the user interface.
I spent a couple of years doing almost nothing but opening (and installing new locks on) GSA safes, and though the KABA X-series has a dial and looks like a traditional old-school safe lock, it’s electronic. Drilling worked all but a few times, and when it failed it was because of some other mechanical issue within the locking mechanism. Then we had to lance it (an extremely messy and dangerous procedure).
Yeah, Feynman had a point- the fancy huge safe used by the (non-scientist) officer in charge of his area of the Manhattan project had never been reset from the factory default.
You see this on the news every so often; at least a few stories about those stand-alone ATMs or in one case, a gas pump - where the device could be put in admin mode using the default code because it had never been changed. In the gas pump’s case, it was used to set the price down, then a few hundred people filled up (self-serve) before someone told the clerk “your pump is charging a ridiculously low price.” In the case of ATMs, they set the 20-dollar tray to tell it it had five-dollar bills, so every withdrawal gave them 4x the amount.
The video camera in the ceiling to record PIN strokes (for ATMs or point-of-sale devices) is a classic; combined with a skimmer tool to record a person’s ATM card stripe, or the clerk was in on it and gave the crooks the details of each card used. Make a fake card, use PIN, withdraw contents of account. Aren’t banks secure!!??? My bank has gone to the trouble of putting a row of flashing LEDs around the ATM card slots, so it’s more obvious if someone has added a skimmer/reader over top of the slot. Some merchants were hit by people swapping out their handheld debit units when they weren’t looking, replacing them with devices that recorded and captured PIN numbers.
That’s always a classic - a replacement keypad that snaps over the existing one and records the keypresses while passing them on.
That’s not as effective: the bank has a record of who withdrew money & how much; they could just debit your account for the 3x amount extra you got. And banks would do this, and if you disputed it you would have to fight with them about it.
Back when I worked for a big bank, only a few of our ATMs actually videotaped the transactions; now I think almost all do that. So the bank would likely have video of you getting the extra money. (Also, they probably have video of whoever accessed the ATM with the Admin password & changed the tray denominations. And on at least some of the more modern ATMs, the Admin password is not accepted if entered on the public keys – you have to unlock the ATM and use an internal keyboard, or use the public keyboard while the machine is open & unlocked).
That would still let thieves get 4X the money from a stolen ATM card before hitting a limit.