Cracking Push-Button Locks

by riemann

The following article relates to my investigations into push-button locks which are appearing in the U.K. to secure access to areas such as schools, businesses, etc.

A few years ago, the local council of the town where I live wisely decided to introduce gated security to close off the back lanes behind the numerous streets within my area.  The large steel gates could be opened by residents via a push-button lock, in my case designed and built by Borg Locks (see picture).  This one is the 3000 series which seems pretty resilient to physical attack by a casual intruder.

My initial satisfaction at having another level of security at the back of my property was dampened when the council sent out a mailing to all residents in my street (each street has a different gate and code) displaying the access code: C2565

Note that the C in the code just resets the lock and is irrelevant in this discussion.  Now, my knowledge of these locks is such that I know they operate in such a way that, for example, once the 5 is pressed, then any subsequent 5 press will not affect the lock, i.e., 256 will work as well as 2565 (as will 2555555 ... 65555555 ...).

So the repetition of any digit in the code is an error.  Also, you can punch in the digits in any order as they simply move the internal pins within the mechanism, i.e., a lock with code combination 2565 can equally be opened with, in this case: 256, 265, 625, 652, 526, and 562, thus reducing the number of total combinations available.  In actual fact, the total number of possible combinations of this lock when one of the four digits is repeated (like in my example) is 10! divided by 7!3!, which equals 120 total combinations.

Imagine my horror when, a few weeks ago, the council reissued a new code to the residents on my street: C4674.  Again, they make the same mistake of repeating a digit which reduces the total number of combinations back down to 120.

If it takes a thief five seconds to punch in a code, then this amounts to, at the very most, ten minutes to punch in the correct code of any gate in my town!

The easiest solution is to ensure that all four digits are "unique" and the number of combinations rises then to 210 (an improved 17.5 minutes maximum to crack).  If you look at the picture, you can also see that we can have the letters X, Y, and Z as part of our code.  Using these will increase the number of combinations to a more satisfactory 715 (taking up to one hour to crack).

Of course, increasing the length of the code (which is possible) is wise, and those who are familiar with the symmetry of the binomial theorem and/or Pascal's Triangle would soon tell me that the optimum code length is six.  If a code of length six is used, using all available buttons and no repetitions, then the time taken to run through each combination increases to, at most, two hours and 23 minutes - enough time to arouse suspicion in the local area!

This six-digit code, however, may not be too practical for people to remember.
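The counting above can be turned into a check that whoever issues codes runs before a mailing goes out. The following is an added example, not part of the original article: it reduces an issued code to the set of buttons the lock actually checks and reports the keyspace and worst-case search time using the article's figures (10 digit buttons, 13 with X, Y, and Z, five seconds per attempt). The function names and the sample codes other than C2565 and C4674 are constructed for illustration.

```python
from math import comb

DIGITS = set("0123456789")
LETTERS = set("XYZ")      # extra buttons the article mentions
SECONDS_PER_TRY = 5       # the article's figure for punching in one code


def presses(issued: str) -> str:
    """Issued code without the leading C, which only resets the lock."""
    code = issued.upper()
    return code[1:] if code.startswith("C") else code


def effective_buttons(issued: str) -> frozenset:
    """Reduce an issued code to the set of buttons the lock actually checks."""
    code = presses(issued)
    if not code or set(code) - DIGITS - LETTERS:
        raise ValueError(f"not a valid code: {issued!r}")
    return frozenset(code)    # repeats and order carry no information


def audit(issued: str) -> dict:
    """Keyspace and worst-case search time, counted the way the article does."""
    buttons = effective_buttons(issued)
    pool = 13 if buttons & LETTERS else 10    # buttons the code draws from
    keyspace = comb(pool, len(buttons))
    # Length that maximises C(pool, k); ties resolve to the shorter code.
    best_len = max(range(pool + 1), key=lambda k: comb(pool, k))
    return {
        "buttons": "".join(sorted(buttons)),
        "repeated_button": len(presses(issued)) > len(buttons),
        "keyspace": keyspace,
        "worst_case_minutes": keyspace * SECONDS_PER_TRY / 60,
        "best_length_for_pool": best_len,
    }


if __name__ == "__main__":
    # C2565 and C4674 are the codes from the article; the rest are constructed.
    for code in ("C2565", "C4674", "C2568", "C25XZ", "C1357XZ"):
        print(code, audit(code))
```

Any code for which repeated_button is true should be rejected before it is issued.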

I do urge those responsible for push-button locks within their community/place of work/institution to really check that they are issuing the optimum codes possible as described in this article.  This is particularly relevant in areas such as schools, where children's safety is an issue.

References

Borg Locks: www.borglocks.com
