This part of Paul Ziegler’s presentation is dedicated to an insight into the security measures for mailboxes and electronic PIN code locks in Japan and Korea.
No matter if you live in an apartment or in a mansion, one of the other central parts you will run into is this thing: it’s a mailbox (see image). These are actually kind of cool: they’ve got number combination locks, rotation locks with 10 digits each. Now we’re going to look at how you can basically reduce the efficiency of a lock to zero in only four steps. If we look at the lock itself, we have an entropy of about 20^8. How do I come up with this number? Well, we have 20 numbers we can select: right turn, left turn, 10 digits, and an average person can obviously remember a phone number which is 8 digits, but this is a conservative guess – of course, if you want you can remember much longer combinations. Now, here is 20^8 – good luck cracking that lock; you probably have a much better chance just breaking it open.
So, the country of Japan makes some really smart decisions to address this obvious problem of a secure lock: #1 – it’s legally prohibited for any rotation lock on a mailbox to have more than 3 digits. Alright, we still have an entropy of 20^3. #2 – legally force all locks to open in a clockwise-clockwise-counterclockwise pattern. #3, which kind of kills it, is legally force the first two digits of the combination to be the same. Now, those of you who are good with math may have figured that we are at this point down to 100 combinations.
The fourth part is actually not the government’s fault, it’s the fault of people who build these locks: there’s no crank that you have to activate, and no button to push, so if you just pull on the lock and try, at some point the mailbox is going to pop open if you apply the right amount of pressure. I ran some checks, and to do a full rotation it takes about 1.5 seconds to try a combination, so if you do a full rotation, you can rotate it to one digit. So, if we do a little math, we end up with a 50% unlock chance in 75 seconds and a 100% unlock chance in 150 seconds. But this is actually not the worst part.
There is a fairly large monthly apartment rental company in Tokyo which shall remain unnamed for this purpose that I’ve had the pleasure of living with twice several years apart. Now, I’m the weird kind of person who remembers codes for old credit cards and phone numbers that I used 10 years ago, so I still remembered the lock key for my mailbox. And I moved in there again earlier this year for a couple of months, and I found it very curious that my mailbox in a completely different area of town had the exact same code.
I figured there’re only 100 combinations, so the collisions are actually quite rational, so I asked the real estate agent lady, and she told me: “No, that’s not a coincidence; all of our mailboxes have the same code.” When I asked her if she happened to consider that it might be a bad idea, her answer was, and I quote: “Yeah, but who would try that?” Not me, that’s for sure.
Let’s jump over to Korea for a second. So, we’ve seen the mail locks in Japan, we’ve got to take a look at common locks in Korea for a second, not necessarily mail. They look like this (see image), they are PIN code locks. They are installed onto your door, and of course, if you look at it, again, assuming that a person can remember a phone number, we get an entropy of 10^8, which is really high. The problem is that even though it’s not a law, most of these locks only take four digits.
If you look at the manufacturers, most of them don’t go above that number, so we get an entropy of 10,000. And the real problem is that the vast majority of them are not wired to anything. There’s actually a small battery inside that you can replace from inside your apartment that powers the lock. And they also don’t really block you out after numerous attempts, or it’s a very short block out, because, of course, if the lock locks down for an hour, then a lot of kids in the neighborhood are going to have a really good time trolling you by just running around and punching random numbers into every door they find, and then when you come home your lock says: “Yeah, please try again in 48 hours.” So, obviously they can’t do that.
I ran some tests, and the average amount of time it takes to check out one combination is about 0.85 seconds over a span of 120. So, again, if we do some math, we got a 50% unlock chance in 66 minutes and a 100% unlock chance in a little over 2 hours. Now, if that was a mailbox I could say this is adequate, but this is your apartment, this is where you keep your passport, this is where you keep all of your important stuff, all of your tech, your money, if you store it at home. So, in that context, 2 hours to crack the lock without any sign is not a good idea.
Now, of course, the fact that the lock has a battery case on the other side kind of gives you an impression of how sturdy those doors are, so if you run out of time, just kick it in. But there is actually a way more interesting vector here to piss people off, if you’re into that, which you can see up here (see left-hand image). It says: “Emergency power DC9V.” So, obviously, if your battery is inside the apartment, and your battery runs out of power, you won’t be able to open your door even if you know the code, so there is this brilliant method that you can just take a 9 Volt battery you buy somewhere else, and you hold it up to these two pins up there, and then the lock will draw power from the battery.
What that tells us, however, is that those two pins go directly into the circuitry of that lock. So, if you want to have a really good time and make a really bad time for a lot of people, you get yourself a couple of these locks, a high amperage car battery, and just blow them out.
Now, how do you counter-exploit that? If you’re having an apartment in one of these two countries, you basically better assume that if someone wants to get into your apartment, they will. Now, this is true for all over the world: if you have enough resources and power, you can get into an apartment wherever you go, but it’s particularly easy here.
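The keyspace arithmetic from the talk, as an added example that is not part of the presentation: it enumerates the mailbox combinations under each of the three constraints and models how a lockout policy stretches the worst-case trial time on a four-digit PIN lock. The per-try timings (1.5 s and 0.85 s) are the speaker's figures; the lockout policy (60 seconds after every 5 wrong tries) and all function names are assumptions chosen for illustration.

```python
from itertools import product

DIRECTIONS = ("CW", "CCW")   # clockwise / counterclockwise turn
DIGITS = range(10)           # 10 digits on the dial

def mailbox_keyspace(length=3, pattern=None, first_two_equal=False):
    """Enumerate every dial combination as a tuple of (direction, digit) steps."""
    combos = []
    for dirs in product(DIRECTIONS, repeat=length):
        if pattern is not None and dirs != pattern:
            continue  # mandated turn pattern removes the direction choice
        for digits in product(DIGITS, repeat=length):
            if first_two_equal and digits[0] != digits[1]:
                continue  # mandated repeated digit removes one free position
            combos.append(tuple(zip(dirs, digits)))
    return combos

def exhaust_seconds(keyspace, secs_per_try, tries_per_lockout=None, lockout_secs=0):
    """Worst-case time to try every code (the correct one is tried last)."""
    total = keyspace * secs_per_try
    if tries_per_lockout:
        # A lockout follows each full batch of wrong attempts.
        total += ((keyspace - 1) // tries_per_lockout) * lockout_secs
    return total

def summary():
    pattern = ("CW", "CW", "CCW")
    mailbox = len(mailbox_keyspace(pattern=pattern, first_two_equal=True))
    return {
        "three_digits": len(mailbox_keyspace()),
        "fixed_pattern": len(mailbox_keyspace(pattern=pattern)),
        "first_two_equal": mailbox,
        "mailbox_worst_case_s": exhaust_seconds(mailbox, 1.5),
        "pin_no_lockout_s": exhaust_seconds(10**4, 0.85),
        # Assumed policy: 60 s lockout after every 5 wrong tries.
        "pin_with_lockout_s": exhaust_seconds(10**4, 0.85, 5, 60),
    }

if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name:22} {value:>12,.1f}")
```

Under the assumed policy the four-digit lock's worst case rises from about 2.4 hours to about 35.7 hours.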