Bank Vault

This project was a request from work and the requirement was to run a hacking demo/challenge for an upcoming company conference. The first person or team to complete the challenge would get a bottle of champagne.

There were some constraints; the audience most likely do not know how to hack, I'm not allowed to teach them how to hack, and real hacking is usually boring to watch for most people anyway. The Physical Security guys were proposing to do an interesting and visual challenge involving locks and so I needed something equally visual and interesting for the hacking challenge.

Cracking bank security always seems to be a Hollywood favourite so I came up with the idea of a bank vault hacking challenge that if completed unlocks the vault and bottle of champagne. It gives it a bit more visual appeal with flashing lights and the feeling that you are controlling something physical as you issue commands. I didn't have enough time to fabricate my own vault so I opted to use a toy electronic safe and modify it with some additional electronics.

Toy Safe

The challenge is thus: Your laptop is connected to the USB maintenance port on the vault (every vault has one, right?) and a serial console is open. The first challenge is to login, and once in you can explore the vault system with simple commands. Through a sequence of backdoors and simple code breaking you can elevate your privileges until you get access to the unlock command that opens the vault, allowing you and your crew to make off with the loot.

How It Works

Inside the toy vault I've added some additional electronics and a microcontroller (an Atmel AVR). The AVR is connected to the vault's internal locking mechanism and can release the vault door. The AVR also talks to the computer over a serial line and simulates a simple system shell with commands, files, authentication etc.

Vault with door open

One of the considerations was that it is hard to estimate the skill level and problem solving capability of the audience. Make it too easy and it is completed in the first 10 minutes. Make it too hard and they might not even get started. I decided to include the concept of levels in the game. Once you manage to login you are logged in as admin level 1, and this gives you access to just enough to help you elevate your privilege to admin level 2 and so on. Once you are the highest admin level the unlock command becomes available. The reasoning here is that I can make it gradually more difficult so that only the most skilled can make it all the way through. If nobody makes it to the end the prize can then go to whomever cracked the highest admin level first. Each admin level has its own admin password so you can resume the game at your highest level by logging back in with the relevant password.

Build Log

The Hardware

After installing 3xAA batteries in the base you punch in the default code of 0000 which activates a solenoid for a few seconds. When the solenoid fires it pulls back a locking bolt which was preventing the vault handle from turning. Turning the vault handle pulls back the door catch and the door can then open. When the door is opened a switch is released which activates a creaking door sound! After the door has been open for a short time it will start to beep to let you know it is still open.

The electronics and locking mechanism are contained inside the door panel. Removing four small screws gives easy access to the components:

Inside Vault Door

The first job is to measure the voltage running through the solenoid when it becomes active. This was verified at just under 5V which is ideal. We will trigger the solenoid with a transistor as detailed in the circuit diagram:

Solenoid Circuit Diagram

I used the fairly common 2N2222A type transistor because it was easy to find one but the important thing is that it is rated for 40V and up to 600mA which is plenty for the toy solenoid. D1 is there as a flyback diode to deal with the voltage spike when the solenoid releases the bolt. It might not be required for this toy solenoid but I put it in just in case. The best I could find in my parts box was a 1N4004 but a 1N4001 could have been used instead.

Prototyping was done with an Arduino and a breadboard for rapid development and easy expansion. The components were placed on the breadboard according to the circuit diagram and the solenoid disconnected from the original circuit and wired to the breadboard:

Vault with Arduino

The following code was run on the Arduino:

int lockPin =  8;    // transistor connected to digital pin 8
void setup()   {                
  pinMode(lockPin, OUTPUT);     
}

void loop()                     
{
  digitalWrite(lockPin, HIGH);   // activate the solenoid
  delay(3000);                   // wait for 3 seconds
  digitalWrite(lockPin, LOW);    // release the solenoid
  delay(5000);                   // wait for 5 seconds
}

Sure enough the locking bolt cycled through locking and unlocking.

I didn't want to embed an expensive Arduino inside the vault and I wanted a tidy build which from the outside hardly looked like it had been modified. I built an Arduino compatible custom circuit on a piece of strip board and entirely replaced the original vault circuit. The small speaker was connected between ground and an Arduino pin so that I can play sounds using my new VaultDuino, for example a "success" melody. The 2 LEDs were also connected to Arduino pins in series with resistors so I can provide feedback to the user. Finally the door switch was connected between ground and a pin so I can tell when the door has been opened.

Completed Vault Door

I thought if the job was worth doing, it was worth doing well so I added header pins for all the external components and made some female jumper wires with crimping pins and heatshrink. There is a great guide for this here. The circuit can then easily be removed for repairs or enhancement. Electrical insulation tape was put over the conductive rubber keypad which sits behind the board so that it will not short circuit.

There is a 6-pin header on the circuit for a FTDI USB cable which provides power, allows serial communication with the PC and can be used to upload new Arduino programs to the vault. One thing that had been playing on my mind since the start of the build was how I was going to route the 6-pin header to the outside of the vault. It seems a shame to get all the way to the end and ruin the build with a badly cut slot in the side of the case (my Dremel skills are not great). After a while I came up with a solution that I'm really pleased with and will be using on future projects. I found a 6-pin Mini-DIN (also known as PS/2) chassis mount socket. Being chassis mount means I just needed to drill a circular hole in the case and the mounting plate would cover up any rough edges. Then I modified my FTDI USB Cable by replacing the end connector with a PS/2 plug. I will be making a PS/2 to 6-pin header adapter cable, so I can still use the FTDI cable with circuits that have a standard 6-pin header.

One issue that wasted entirely too much time was that auto-reset on the circuit would only work once, and then I would have to unplug and re-plug the USB cable. After debugging my circuit I found out this was actually due to the combination of Linux, Arduino and the FTDI cable. It has been a known bug in Arduino or the supporting libraries for a while and is due to be fixed in Arduino 0019, which at the time of writing wasn't yet available for 64bit Linux. A quick workaround was to set the RTS pin low before uploading new code in Arduino and I used the following Python script to do it:

import sys, serial 
try: 
    PORT = sys.argv[1] 
except: 
    PORT = "/dev/ttyUSB0" 
s = serial.Serial(PORT) 
s.setRTS(0) 

The other thing that took far too long was making the circuit on strip board. Planning in your head the most efficient placement of components and doing constant continuity tests across tracks because it is so prone to short circuits is tedious. Once I got the circuit working and tested for short circuits I did spray on a layer of PCB lacquer to help protect it. Next time I think I'll just make a printed circuit board!

Still, I was happy with the end result and it works well. With the inside door panel screwed back on it looks nice and tidy, and needed only a few inexpensive components to complete.

Completed Vault

The Software

I wanted the software for the vault to emulate a shell on an embedded system. I used an existing project called Arduino UART Shell by Jiashu Lin as my starting point. I then added the concept of logging in, user levels, passwords, a fake file system and so on. These functions were woven together with the challenge story board to create a path through the "vault system" from initial login to final unlocking of the vault.

The software was developed in the Arduino IDE, compiled and uploaded to the vault.

Vault Arduino Code

Once the vault was running the software I accessed its shell from my laptop (Ubuntu Linux) with the following command:

$ screen /dev/ttyUSB0 9600

/dev/ttyUSB0 is the serial port assigned to the vault when connected and 9600 is the baud rate. To exit screen type Ctrl+a then k.

Vault Terminal Session

The Setup

When doing the challenge I didn't particularly want the participants to use my own personal laptop and I wanted a setup that was hard to break and could be reset quickly. I therefore decided to use an old laptop and make a custom Linux distribution specifically for the challenge. The distribution boots in seconds from a USB stick and contains only the software required to interact with the vault.

This isn't as extreme as it sounds thanks to TinyCore Linux. TinyCore allows you to start with a very basic graphical Linux Desktop with a terminal client and download just the packages you need from its online repository. Once downloaded those packages will be available whenever you boot it again. I won't go into detail because it is quite straightforward, but the essential steps I took were:

The Test

First of all I ran a burn-in test, leaving the vault running for about 12 hours, checking it was still stable and running every once in a while. It was perfectly stable and didn't crash or glitch once. Then I tested the challenge with a group of people in the office, not all of them technical. It was very well received and the reaction when they managed to unlock the door together was fantastic.

Source Files

I have de-branded the code and released it so others can give it a try or use it for other projects. I've changed the social engineering level because it was specific to the event and that has now become a simple task within the challenge.

I made the vault Arduino compatible so the green LED which indicates a successful unlock is on Pin 13, the same as the LED included on standard Arduino boards. Therefore you can give the challenge a go yourself by directly flashing the compiled firmware included below to an Arduino. Connect to the serial port and work through the challenge until you make LED on Pin 13 light up! The instructions for flashing the firmware file from Ubuntu Linux are as follows:

If avrdude is not installed, install it using:

$ sudo apt-get install avrdude

Plug in the Arduino and flash it with the following command:

$ avrdude -p m168 -P /dev/ttyUSB0 -c stk500v1 -b 57600 -F -u -U flash:w:bankvault_v02.m168.hex

The above command assumes the Arduino is assigned port ttyUSB0, and it has an ATmega168 chip. I also tried the exact same command and hex file with an Arduino with ATmega328 and it seemed to work fine.

Under Windows or Mac I'm not sure of the exact procedure but I'm sure you can search for it. The alternative is to open up the Arduino sketch, compile and upload, making sure you don't look at the source code because it contains the passwords and spoilers!


Download source code and firmware from GitHub


Update: This project was featured on Hackaday!