Visited Ross Locks Factory a month or two ago. Assembled one of the electronic locks and one of the key locks. Very impressive the standards they hold themselves to. It really shows through in the end product
Government buildings here in the US with electronic locks use a keypad that changes the orientation of the numbers each use. It is also recessed into a wall so unless you literally watched them input every number then it would impossible to redo.
Definitely would like to see an attack video on the electric lock, and the BT one. The mechanical lock should get shipped off to the Lock Pickling Lawyer for a collaboration video! I was quite please you couldn't open the electronic lock you tested a while back, as that's the one on my gun vault!!
Supervisor code in the 'dumb' keypad to encrypt traffic is needed both to prevent sniffing the interface and also to prevent someone swapping out the keypad for one with a keylogger/alternative firmware .. show us the micro in the keypad! would be a crying shame if the swapped keypad attack rested on a uC fuse-bit!
Bluetooth and keypad practically ask for making a 2FA lock where you have to own the right phone and the keypad only works if you have that. (or better behaves as if it was working but doesn‘t)
break into where the safe is. pry the control head off. insert a small microcontroller INSIDE the roomy head to record key entries. Break back in a few weeks later after you know the safe has been accessed. Remove the micro and get the code from it. type in the code. OPEN.
Attacking the firmware would be the way I would go, I would attempt to dump the firmware in the chips, probably with voltage glitching (since I assume they set the protection bits up correctly) and then find possible encryption flaws, and then add a custom PCB to sniff the data, to decode the data (assuming that there is no replay possible)
7:26 not just that, but with a high enough resolution on the thermal camera, you could figure out the order these keys were pressed. A pretty good countermeasure to that would be repeating some numbers - covering the earlier thermal trace. Of course pressing the keys quickly, like you did it, helps too. 9:38 it's a kitty head :D Motor drive is damn cool, the engineers definitely put some thought into it. Do that side channel attack! These Ross locks are damn cool as you show them. I love the simplicity of the design. Not overengineering things, making them with great precision and quality materials instead - way to go Ross! Waiting for LPL to pick that :)
I agree with U about high sensitivity thermal cameras picking up residual decaying fingerpint temps. My risk mitigation approach to minimising/eliminating stealth detection of my keypad entry comprises 2 things: a) 1st I have an overhanging cloth cover that shrouds my hand & keypad from observation when I punch in a pin #. This mitigates against small spy cameras possibly installed in the room - where it is not obvious. b) randomly pushing other pin numbers after I have opened the safe in order to leaves print signatures on all pin numbers.
Impressive 9 levers are each a single piece, including the spring! How about the Wi-Fi lock, from the keyhole, could a thin sliver of metal fit between the levers to push the pin out of the way?
I didn't know about ROSS Locks (made in Australia) , so thanks for the info. Very useful to know. I recently replaced a defective La Gard BASIC (keypad + swingbolt lock mechanism) set with the new version La Gard (701 keypad + 733 swingbolt lock mechanism) set. I suspect one weak point with these lock mechanisms - regardless of brand - is that the lock mechanism is secured to the safe internal wall via 3 high-tensile screws. However, from the external front door of the safe, there is a hole - approx say 10mm diameter - that allows either the data cable of an electronic keypad, or the connecting rod of a deadbolt/springbolt lock mechanism to pass through to the inside. After removing the 'keypad' & using a crude brute force method of hammering a high-tensile pin-punch, I envisage it is possible to force the internal lock-mechanism away from the 3-screw holes in the internal wall. I suspect in most safes, these screw holes are threaded through mild-steel plates. Thereby, defeating the lock mechanism. Hence, some electronic safes also incorporate a vertical glass-plate between the safe's internal wall & the lock-mechanism. Driving a pin-punch through the entry hole, or drill through the front-wall will crack the glass causing a spring-loaded pin to plunge towards the safe's locking plate thus locking it permanently. This means even with the subsequently correct use of a keypad password, it will not be possible to open the safe door except by cutting through the safe. So a robust burglar-proof safe will require the application of a good lock mechanism + clever engineering design around the safe's door mechanism as well. I always enjoy your videos as your presentation style goes into deep-dive explanation - which I love 🙂. Thanks for the knowledge sharing.
Send that key lock to LPL or Lock Noob. Lever locks are uncommon in the States, but in the UK they are quite traditional and picks are available commercially.
I'd be more worried about it not working when you need it to. As for security, you can have all vulnerabilities in the drivers you want, but the secure key has to match what's inside the sealed lock, so I wouldn't be concerned with security.
Can you test some powerful rf emitter nearby them like 433Mhz walkie-talkie on >5W. interesting if it can reboot these locks somehow and return to open state.
What is your opinion on electronic dial locks like the Kaba Mas X-10? Seems to circumvent all the issues of both keypads and mechanical dials. I guess a scramble keypad would work too, but there don't appear to be any safe locks with a scramble keypad
It would be interesting to sniff some message from the keypad to the lock with an oscilloscope.. maybe there is some flaw. For example I'll give a look to the command for programming or changing the supercode :)
Is there a tie between Ross and Securam? The one with the little OLED is very reminiscent of my Securam that are on a few of my safes right down to the yellow banner over blue text.
there are quite a few safe locks with exploits available, i own tools to defeat them, the tools are not easy to procure. Never touched a ross though im here in the states!
Dude yay I found you :D on my old channel I used to watch you all the dang time, I thought you quit RUclips but it turns out I was typing the name wrong
Very well built lock, but as with all locks, they are only one small part of security. If no one is around, very few would resist a battery powered grinder with a zip disk🤣
I really want someone to design a TOTP safe lock. (TOTP: Time-based One Time Password, aka the 6-digit rotating code in your Authenticator app.) That would certainly help get around the IR camera attack, and the worn keys attack. Put a QR-capable display (e-ink display?) on the inside to share the key, and limit how often the clock's time can be changed. No wireless of any kind required, either.
@@bartomiej368 How about having 2 batteries, and requiring them both to be good to lock the safe? I know it's not a long term fix, but if the safe is used every day it might work OK.
@@McTroyd if you allow setting time when power on (even if locked) you just made it susceptible to replay attacks on the other hand if you allow changing only when unlocked it could lock forever.
@@bartomiej368 That's why I was thinking about limiting the number of time changes while power is on (maybe a max of once per 24 hour period). Could still potentially allow time set at power-on, but introduce a delay of several minutes during the "boot" process prior to setting the time, to mitigate replay attacks. With a six digit pseudorandom code yielding 100000 potential possibilities, a delay of even five minutes between guesses still yields nearly a year of brute forcing time. Even if the actual guessing takes a tenth of that time, I'd bet it's still longer than a key lock and pick set combo, even with the tricky lock Dave showed. Allowing for the fact that nobody is going to completely stop a determined professional, I would think this is a fair compromise between security, and making sure the legitimate user isn't inadvertently locked out permanently.
It took 3 frigg'n minutes for the LPL fanboys to enter the chat, I'm disappointed. I have challenged the LPL on my 2nd channel to pick the 700 series lock NOT using any custom picking tool. He has done four videos on lever based locks and none of them are in the same class as this one, and he had to use the specialised picking tool for those.
@@EEVblog2 At 19:35 you’ll see the 6 pads (2x3) on the right, follow the traces that go left. Within the 4 white corner stencil marks. Is there an ARM BLE SoC under there?
Nope, I just like locks and they sent them into the mailbag. You could say the exact same thing about every product companies have sent in and I've torn apart and reviewed the last 13 years.
@@make-u-rich879 I have absolutely no idea what you are tsalking about. I do not ban people form the forum "for no reason". It's really hard to get banned form the forum in fact. Tell me which user I banned you are unhappy with.
@@make-u-rich879 you sound like suuuuch a loser. Like just a complete loser at life. LOL. Like a butt hurt little broad. You are constantly crying. Bwahahaha. Loser
Nope. Manual kicks are trash. Why do you think no one uses them anymore. The only companies putting them on their safes are those companies that make big giant heavy sales, with 16 ga sheet metal stretched around it. So old guys who buy them can think they're secure. They are a dial and think it's going to be secure just because it has a dial. LOL
@@littlejackalo5326 not true, every single police station / prison / watchhouse / etc that had temporary or long-term pistol storage in QLD / Aus use mechanical keys somewhere. You're thinking of low-end key locks. Just because you don't see the high end doesn't mean they don't exist and work day in, day out.
Bullshit, they never paid me anything, they just sent the locks into the mailbag. I like locks. I've never done a single paid sponsor video in the 13 years I've been doing this. I regularly turn down requests for doing paid content, and some offer a LOT of money. I don't care, I turn them all down.
Gotta send one to Lock Picking Lawyer
hell ya
He opens each of them in
Before LPL can take a look at them I wouldn't dare to say they are safe 😁
He practices a lot before recording the final take...
@@jkxss not always. he'd done some unbox&pick in one take within minutes.
Visited Ross Locks Factory a month or two ago. Assembled one of the electronic locks and one of the key locks. Very impressive the standards they hold themselves to. It really shows through in the end product
You now need to forward these onto LockPickingLawer for further analysis 😊
Completely agree, his videos are great.
„VdS“ is a german standard. It stands for „Verband der Sachversicherer“ (Association of property insurers).
I wonder if LockPickingLawyer can find some security flaws in these
I wonder if LockPickingLawyer would need more than 10s to open these
The LPL would just glare at them and he'd hear a click out of all the locks at the same time.
LPL could open Chuck Norris!
I wonder if someone is going to mention LockPickingLawyer in the comments.
@@posi_de Chuck Norris doesn't need keys. The locks pick themselves.
@5:20 "It doesn't connect to the cloud at all": That is where the real security is :)
Side channel attack definitely sounds interesting!
Yes, please do try a side channel attack!
Government buildings here in the US with electronic locks use a keypad that changes the orientation of the numbers each use. It is also recessed into a wall so unless you literally watched them input every number then it would impossible to redo.
Welcome to the Lockpicking Aussie 😄
LockPickingLawyer is already planning his next holiday in Australia
It will probably be a short visit, about 2 mins for each lock
click out of 1, small click out of 2, 3 is binding...
@@EricK-vz5ww Ok!...just enough time to catch my flight back home. That's all I have for you today.
Definitely would like to see an attack video on the electric lock, and the BT one. The mechanical lock should get shipped off to the Lock Pickling Lawyer for a collaboration video! I was quite please you couldn't open the electronic lock you tested a while back, as that's the one on my gun vault!!
Supervisor code in the 'dumb' keypad to encrypt traffic is needed both to prevent sniffing the interface and also to prevent someone swapping out the keypad for one with a keylogger/alternative firmware .. show us the micro in the keypad! would be a crying shame if the swapped keypad attack rested on a uC fuse-bit!
Bluetooth and keypad practically ask for making a 2FA lock where you have to own the right phone and the keypad only works if you have that. (or better behaves as if it was working but doesn‘t)
wow when I first clicked on this I though I was going to get to watch the Lock Picking lawyer unpick all those.
I think we all know what collaboration we need here! 😉
Paging LPL...
Demolition Ranch?
By the thumbnail I was sure I was clicking on an LPL video. No lock picks in this video, then.
Locksmith in QLD here. Good teardown.
break into where the safe is. pry the control head off. insert a small microcontroller INSIDE the roomy head to record key entries. Break back in a few weeks later after you know the safe has been accessed. Remove the micro and get the code from it. type in the code. OPEN.
"The rubber glove treatment"? That sounds invasive, personal, and painful.
Ohh, yes to the side channel attack please.
Attacking the firmware would be the way I would go, I would attempt to dump the firmware in the chips, probably with voltage glitching (since I assume they set the protection bits up correctly) and then find possible encryption flaws, and then add a custom PCB to sniff the data, to decode the data (assuming that there is no replay possible)
7:26 not just that, but with a high enough resolution on the thermal camera, you could figure out the order these keys were pressed. A pretty good countermeasure to that would be repeating some numbers - covering the earlier thermal trace. Of course pressing the keys quickly, like you did it, helps too.
9:38 it's a kitty head :D
Motor drive is damn cool, the engineers definitely put some thought into it. Do that side channel attack!
These Ross locks are damn cool as you show them. I love the simplicity of the design. Not overengineering things, making them with great precision and quality materials instead - way to go Ross! Waiting for LPL to pick that :)
I agree with U about high sensitivity thermal cameras picking up residual decaying fingerpint temps. My risk mitigation approach to minimising/eliminating stealth detection of my keypad entry comprises 2 things:
a) 1st I have an overhanging cloth cover that shrouds my hand & keypad from observation when I punch in a pin #. This mitigates against small spy cameras possibly installed in the room - where it is not obvious.
b) randomly pushing other pin numbers after I have opened the safe in order to leaves print signatures on all pin numbers.
@@DIYhabitat plus you can also delicately wipe the keypad with your hand or cover it so that all keys get the heat, might help too.
Impressive 9 levers are each a single piece, including the spring!
How about the Wi-Fi lock, from the keyhole, could a thin sliver of metal fit between the levers to push the pin out of the way?
Impressive stuff Dave. Amazing quality lokecs indeed.
I didn't know about ROSS Locks (made in Australia) , so thanks for the info. Very useful to know.
I recently replaced a defective La Gard BASIC (keypad + swingbolt lock mechanism) set with the new version La Gard (701 keypad + 733 swingbolt lock mechanism) set. I suspect one weak point with these lock mechanisms - regardless of brand - is that the lock mechanism is secured to the safe internal wall via 3 high-tensile screws. However, from the external front door of the safe, there is a hole - approx say 10mm diameter - that allows either the data cable of an electronic keypad, or the connecting rod of a deadbolt/springbolt lock mechanism to pass through to the inside.
After removing the 'keypad' & using a crude brute force method of hammering a high-tensile pin-punch, I envisage it is possible to force the internal lock-mechanism away from the 3-screw holes in the internal wall. I suspect in most safes, these screw holes are threaded through mild-steel plates. Thereby, defeating the lock mechanism. Hence, some electronic safes also incorporate a vertical glass-plate between the safe's internal wall & the lock-mechanism. Driving a pin-punch through the entry hole, or drill through the front-wall will crack the glass causing a spring-loaded pin to plunge towards the safe's locking plate thus locking it permanently. This means even with the subsequently correct use of a keypad password, it will not be possible to open the safe door except by cutting through the safe. So a robust burglar-proof safe will require the application of a good lock mechanism + clever engineering design around the safe's door mechanism as well.
I always enjoy your videos as your presentation style goes into deep-dive explanation - which I love 🙂. Thanks for the knowledge sharing.
Send that key lock to LPL or Lock Noob. Lever locks are uncommon in the States, but in the UK they are quite traditional and picks are available commercially.
Send it to LPL !
BT is notorious for having vulnerabilities being found in drivers and firmwares. Would not trust it for high sec.
I'd be more worried about it not working when you need it to. As for security, you can have all vulnerabilities in the drivers you want, but the secure key has to match what's inside the sealed lock, so I wouldn't be concerned with security.
I think the anti tamper plate is just to stop the bolt going too far back.
Take a look at the Little Black Box Safe tool. It can open any of these.
wheres the lock picking lawyer?
Can you test some powerful rf emitter nearby them like 433Mhz walkie-talkie on >5W. interesting if it can reboot these locks somehow and return to open state.
What is your opinion on electronic dial locks like the Kaba Mas X-10? Seems to circumvent all the issues of both keypads and mechanical dials. I guess a scramble keypad would work too, but there don't appear to be any safe locks with a scramble keypad
It would be interesting to sniff some message from the keypad to the lock with an oscilloscope.. maybe there is some flaw. For example I'll give a look to the command for programming or changing the supercode :)
Is there a tie between Ross and Securam? The one with the little OLED is very reminiscent of my Securam that are on a few of my safes right down to the yellow banner over blue text.
You'd wanna keep that initial pairing code in a very safe place, obviously not inside this safe, but some where quite secure
The Unboxing Knife is a bit of an overkill.
I would expect the reset button to only work if the lock is opened anyway. If thats the case there would't even be a need to cover it in any way.
there are quite a few safe locks with exploits available, i own tools to defeat them, the tools are not easy to procure. Never touched a ross though im here in the states!
So what is the signal from keyoad to lock. Is it like a I²C or spi buss etc. Can we decode it?
I'd LOVE an attack video!!
Dude yay I found you :D on my old channel I used to watch you all the dang time, I thought you quit RUclips but it turns out I was typing the name wrong
LOL
You can reach motor from keyhole. The lever springs dont stop that
No, do not do a side channel attach - said no one, ever.
"Today on Lockpicking Lawyer we will pick this electronic safe with a small electromagnet and a piece of tin foil . . .".
Very well built lock, but as with all locks, they are only one small part of security. If no one is around, very few would resist a battery powered grinder with a zip disk🤣
Dave is now the downunder LPL?
The Lock Picking Aussie!
A man and his pocket knife.
I really want someone to design a TOTP safe lock. (TOTP: Time-based One Time Password, aka the 6-digit rotating code in your Authenticator app.) That would certainly help get around the IR camera attack, and the worn keys attack. Put a QR-capable display (e-ink display?) on the inside to share the key, and limit how often the clock's time can be changed. No wireless of any kind required, either.
Issue with that is synchronization, you have to keep track of accurate time and if battery goes flat you must resynchronize.
@@bartomiej368 How about having 2 batteries, and requiring them both to be good to lock the safe? I know it's not a long term fix, but if the safe is used every day it might work OK.
You could allow one time setting at power-on too, come to think of it. They just won't be able to re-set it until the door is opened.
@@McTroyd if you allow setting time when power on (even if locked) you just made it susceptible to replay attacks on the other hand if you allow changing only when unlocked it could lock forever.
@@bartomiej368 That's why I was thinking about limiting the number of time changes while power is on (maybe a max of once per 24 hour period). Could still potentially allow time set at power-on, but introduce a delay of several minutes during the "boot" process prior to setting the time, to mitigate replay attacks. With a six digit pseudorandom code yielding 100000 potential possibilities, a delay of even five minutes between guesses still yields nearly a year of brute forcing time. Even if the actual guessing takes a tenth of that time, I'd bet it's still longer than a key lock and pick set combo, even with the tricky lock Dave showed. Allowing for the fact that nobody is going to completely stop a determined professional, I would think this is a fair compromise between security, and making sure the legitimate user isn't inadvertently locked out permanently.
What happens to that keypad lock in ten years when those electrolytic capacitors dry out?
Love it!
Hi, do Australians keep their smartphones down the side of their shoe?
I do and I'm not Australian
They keep them in their upside pockets which are regular pockets just upside down
It's the get smart thing to do.
Sidechannel Attack please =D
*LockPickingLawer* has entered the chat
It took 3 frigg'n minutes for the LPL fanboys to enter the chat, I'm disappointed. I have challenged the LPL on my 2nd channel to pick the 700 series lock NOT using any custom picking tool. He has done four videos on lever based locks and none of them are in the same class as this one, and he had to use the specialised picking tool for those.
LPL could pick it open twice in 30 seconds in the middle of a hurricane using only a paper bag full of grass and a half dead Bic lighter.
Harry the Fluke hater would bring out his special magnet?
what's a "shoe phone"?
I am sure a brute force attack is feasible, possibly to access the motor wiring.....
The internal controller can always rate limit
@@0xbenedikt true so take it out of the circuit
damn you guys got some big spoons
A bit to much like a commercial, but very COoL still and interesting.
Shaped charge
I feel like that electronic one could be easily hacked.
wtf is the "rubber glove treatment" lmao
if you hear a snap of rubber gloves being put on at the doctor's office when he assured you he didnt need to examine anything....
You have to bend over and get examined in every cavity.
all i hear is lock picking lawyer "nice click out of one, nothing on two. Three seems binding
Summon LPL
If it's got Bluetooth in it, it ain't "high security"...
Bluetooth is just the transport layer.
@@EEVblog2 doesnt make it safe, im willing to bet that it doesnt even kick you out if you send a few attempts a second.....
I can't wait for the Lock Picking Lawyer to do review of these locks. Do they use relays that can be activated by a magnet?
Those Ross locks look very 'Skookum' as we say here in Canada.
Nayh thets a knoyfe!
Dave, do you know if they ship to America reasonably priced?
You could ask them yourself?
No idea, sorry.
Why? There’s plenty of other options in the US.
@@martinlutherkingjr.5582 usa electronic locks are crap. Quality of LG and SG very low.
@@mofflops8406 There are plenty of non-US companies that sell in the US. For example, LG isn’t a US company but they have distribution in the US.
Why didn't they NFC, it should be more secure than BT?
EEVBlock...
I saw an ARM SWD connector and BLE logo, there's another MCU under that grey cover, or on the underside of the PCB, an nRF5x probably.
What grey cover?
@@EEVblog2 At 19:35 you’ll see the 6 pads (2x3) on the right, follow the traces that go left. Within the 4 white corner stencil marks. Is there an ARM BLE SoC under there?
First? Guess not, shouldn't have watched the video first.
@@Okurka. comment police 🚓
@@Okurka. I needed to refresh. It didn't show anybody else.
@@Okurka. Are you?
looks like an advert to me?
Nope, I just like locks and they sent them into the mailbag. You could say the exact same thing about every product companies have sent in and I've torn apart and reviewed the last 13 years.
@@make-u-rich879 WTF are you on about. "purging" what competition from my forum? How?
@@make-u-rich879 I have absolutely no idea what you are tsalking about. I do not ban people form the forum "for no reason". It's really hard to get banned form the forum in fact. Tell me which user I banned you are unhappy with.
@@make-u-rich879 you sound like suuuuch a loser. Like just a complete loser at life. LOL. Like a butt hurt little broad. You are constantly crying. Bwahahaha. Loser
@@make-u-rich879 Let me guess, you're a Biden voter and you have dyed your huge pubic wig blue?
HI DAVE. REALLY REALLY GOOD CALL. THANKS FOR SAVING US ALL WITH A VIDEO. YES STEAL THE TIME WED RATHER WATCH YOU ALWAYS
You sound incredibly biased. You do not talk like an engineer at all
Biased about what exactly. What statement did you have a problem with?
Stick to electronics. Mechanical locks are the only reliable solution for guns.
Nope. Manual kicks are trash. Why do you think no one uses them anymore. The only companies putting them on their safes are those companies that make big giant heavy sales, with 16 ga sheet metal stretched around it. So old guys who buy them can think they're secure. They are a dial and think it's going to be secure just because it has a dial. LOL
I said EXACTLY that in the video, obviously you didn't watch.
@@littlejackalo5326 not true, every single police station / prison / watchhouse / etc that had temporary or long-term pistol storage in QLD / Aus use mechanical keys somewhere.
You're thinking of low-end key locks. Just because you don't see the high end doesn't mean they don't exist and work day in, day out.
8:08 And that's why, after I used such a pad, I always press all the buttons and wipe over the pad with my hand a few times.
FYI this is a paid advertisement for Ross lock Co. Take the opinions in this video as a grain of salt.
Bullshit, they never paid me anything, they just sent the locks into the mailbag. I like locks. I've never done a single paid sponsor video in the 13 years I've been doing this. I regularly turn down requests for doing paid content, and some offer a LOT of money. I don't care, I turn them all down.