A Penny For Your Laptop

by Atom Smasher  (atom@smasher.org)  (PGP: 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808)

I recently purchased a brand new Kensington MicroSaver combination notebook lock and, overall, I'm not happy with it.

Perhaps the most disappointing feature of this lock, which retails for $30-$40 (US), is that it can be opened with a penny in less than 20 seconds without damaging the lock or the device it's attached to.  The technique described below can likely be applied to similar locks.

I'll take this opportunity to point out that this information is being shared for the purpose of informational use, educational use, and the advancement of physical security by exposing current vulnerabilities, just the same as exposing software and protocol vulnerabilities leads to the advancement of software and protocol security.

Not only can a malicious attacker (a.k.a. thief) use this technique to walk away with a laptop, but also with an undamaged lock that can be reset to any combination.  In some cases the attacker may gain something more valuable than the laptop.  Keep reading.

These types of locks use a bar that extends through the four dials and through one end of the lock housing into a laptop (or other device).

The bar has four slots in it, allowing the rings to turn around it.  Each ring has one slot in it, allowing the bar to slide when all of the rings are properly aligned.  As long as any one of the dials is not in the correct position the bar cannot slide - in theory.

In practice, tension can be applied to the bar so that the dials can be jammed into the "correct" positions, revealing the combination.  The trick is to apply tension to the bar while turning the dials.

For this particular lock, I've found that a coin can aid in applying the proper pressure on the bar.

Slide a coin between the lock and the computer case.  Wiggle the lock so the coin can be seated as close as possible to the locking bar.  Bear in mind that the goal is to not cause damage to the lock or the laptop.

With the coin in place, the lock will tend to lean away from the coin.

By pressing the lock against the coin (squeezing the coin between the lock and computer case) push the lock perpendicular to the computer case and at the same time apply tension to the locking bar.  A firm pressure is best; too much pressure may damage the lock and/or computer.

With the proper pressure applied to the bar, the dials can be spun back and forth until they each stick, at which point the lock should open.  With practice this can be done in well under 20 seconds by turning two to three dials at a time to start.

In testing this technique, the dials seem to have a tendency to stick starting with the last digit and moving towards the first digit.  This may or may not apply universally.  If all but one of the digits is found, I recommend removing the coin and turning the dial of the unknown digit until the lock opens.

People are creatures of habit, and in most cases the four-digit combination used on the lock will probably be the same PIN as the owner's bank card, voice mail, luggage locks, etc.

In many situations just learning the PIN may be more valuable than the laptop.  In any case, the coin can now be used to turn the slot opposite the T-bar, which will expose a RED dot adjacent to the combination.

When the RED dot is exposed, a new combination can be chosen and set by turning the slot to its original position.  This allows an attacker to reset the combination and replace the lock.

This type of attack can be easily avoided if the dials of the combination lock are manufactured with grooves in each position corresponding to an incorrect digit.  The bar would then jam in the grooves, making it impossible to determine if each dial is jamming in the slot (indicating a correct digit) or a groove (indicating nothing).
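
The effect of those grooves can be measured on an abstract model of the lock.  The Python below is an added example, not part of the original article; the ModelLock class, its binds/opens methods and the sample combination are constructed for illustration.  It counts how many combinations remain to be tried once each dial position has been felt under tension, with and without grooves at the incorrect digits.

```python
from itertools import product

POSITIONS = 10  # digits 0-9 on each of the four dials

class ModelLock:
    """Abstract model (constructed for this example): each dial has one true
    slot and, optionally, decoy grooves at every incorrect position."""
    def __init__(self, combo, decoy_grooves=False):
        self.combo = tuple(combo)
        self.decoy_grooves = decoy_grooves
        self.probes = 0    # times a dial position was felt under tension
        self.attempts = 0  # full combinations tried

    def binds(self, dial, pos):
        """Feedback under tension: does the bar catch at this position?"""
        self.probes += 1
        return self.decoy_grooves or pos == self.combo[dial]

    def opens(self, guess):
        self.attempts += 1
        return tuple(guess) == self.combo

def audit(lock):
    """Measure how much the binding feedback narrows the search.
    Returns (probes, attempts) spent before the model lock opens."""
    # Positions per dial that the feedback cannot rule out.
    possible = [[p for p in range(POSITIONS) if lock.binds(d, p)]
                for d in range(len(lock.combo))]
    for guess in product(*possible):
        if lock.opens(guess):
            break
    return lock.probes, lock.attempts

if __name__ == "__main__":
    combo = (7, 2, 9, 4)  # constructed sample combination
    for decoys in (False, True):
        probes, attempts = audit(ModelLock(combo, decoy_grooves=decoys))
        print(f"decoy grooves={decoys}: {probes} probes, {attempts} attempts")
```

Without grooves the feedback leaves a single candidate after 40 probes; with a groove at every incorrect digit the feedback rules nothing out and the full 10,000-combination space remains.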

Thanks to my dad, who taught me how locks are supposed to work and how they often don't.  He also taught me that thieves break into things; locksmiths gain access to secure areas after receiving proper authorization.
