Key Insights: Defeating The Most Common Key Boxes

In the realm of physical security, key boxes are a common sight, often overlooked by the untrained eye. These nondescript devices are mounted on the walls beside entrances, tucked away in the shadows of back doors, or sometimes boldly displayed in plain sight. They serve a simple yet vital purpose: to securely store keys or access devices such as RFID key fobs for authorized personnel. You'll find them guarding the gates to various facilities, from the single-family home that's listed for sale to the sprawling office complex housing top-tier corporations.

They may hold the keys to an entire building, or in more advanced scenarios, RFID key fobs that provide comprehensive access to a network of facilities. For office managers overseeing multiple buildings or complexes, these key boxes can contain master keys—keys that unlock the doors to every room and service area within their domain. The implications are significant; if a master key were to fall into the wrong hands, the security of the entire facility, or even multiple facilities, could be compromised.

In this blog post, we will dissect the two most common types of key boxes—the dial wheel combination key boxes and push button key boxes—and guide you through the process of legally and ethically defeating them to test an organization's physical security measures.

Whats the Plan?

Before you ever go after a key box during a pentest ask yourself what exactly is your plan if you get it open? There may be physical keys or key fobs inside, if you get them what then?

If you are planning on cloning a key fob, bring something to do it.

If you are going to use the key and return it, be ready to go as soon as you get the key, or know when you need to return it so it isn’t reported missing.

And of course, when are you attacking the key box, hours or days before you need the key, or when you need it?

Have answers to these questions and be prepared before you go after them

Dial Wheel Combination Key Boxes

Dial wheel combination key boxes are often found securing spare keys for real estate agents, Airbnb rentals, and even residential homes. These boxes use a series of rotating dials, each marked with numbers or letters, which must be aligned to the correct combination to open.

These key boxes work by having a single rod that runs through the dial wheels. On this rod are small notches that you can feel for with a thin piece of metal.

Defeating the Dial Wheel Key Box:

Obtain Your Tool: You will need a specialized decoder tool, designed for this type of key box. Obviously before you even begin on this assignment, you will need to purchase or create your own decoding tool. You can purchase such a tool at many online lock picking vendors such as this one.

1. Set the Decoder Tool: Adjust your decoder tool to fit into the space between the dial wheels. This is usually done on the left side of the each dial wheel, but if this isn’t working for you, try the right side.

   • In the image below Red is where the bar you are feel is located and Green is where you should insert your tool to feel

     

2. Feel for Notches: Carefully insert the decoder tool into the space between the wheels. You're feeling for the notches or gates where the wheels align to the correct combination.

   1. The image below shows the the rod and the small notches cut into it at every dial wheels position. This shows what the notches look like from a front and side view, and it is these notches that you are trying to locate

      

3. Turn and Decode: Slowly rotate each wheel with the tool in place. You should feel a distinct drop or less resistance when the correct number is reached.

   1. Put the decoder into the slot and feel for a notch on the rod

   2. take the tool out and move the wheel by one number and repeat. Trying to drag the tool across the rod while moving the wheel is very difficult and often its far easier and quicker to check after the wheel has been set to a number

4. Align the Wheels: Once you've decoded each wheel, align all the notches. This should be the correct position but not necessarily the correct numbers.

5. Test the Combination: Pull or push the release mechanism. If the box doesn't open, double-check your alignment.

   1. If you are confident that all the notches are lined up, try the release / open lever, if it doesn’t open than move all wheels by one position and try again. Do this 10 times (for all numbers 0-9).

   2. NOTE THAT YOU HAVE TO MOVE ALL WHEELS TOGETHER NOT INDEPENDENTLY

For example, lets suppose that you have the image below, and you are confident you have all the notches lined up

The current numbers are set to 2581, if this doesn’t open the box, next try :

• 3692

• 4703

• 5814

• …

In each case you are adding one to each number than trying again, if you have successfully lined up the notches earlier one of the sequences will work.

Push Button Key Boxes

Push button key boxes are another common security measure, often used for the same purposes as dial wheel boxes. These require the correct sequence of buttons to be pushed to release the lock … BUT … and this is very important, the correct order almost never matters. Meaning that if 1234 is the correct code, than 4321 will also work.

Defeating the Push Button Key Box:

1. Examine the Buttons: Before you start, inspect the buttons. Wear and tear can be a telltale sign of the most frequently used buttons. In some instances you may see some buttons that are very worn out from obvious use, and since the correct order doesn’t matter, try those first. Also look around, you may find the correct code is listed somewhere near or on the box

2. Apply Pressure on the Open Button: Press down on the "open" button. It won't open yet, but this is a crucial part of the process.

3. Test the Buttons: While maintaining pressure on the "open" button, press the other buttons one at a time. If a button is part of the combination, it will typically feel different when pressed – it may stick or not depress as far. In many instances you are feeling for a “binding” button. Meaning that the correct buttons will likely be springy and easily pressed while the incorrect ones will be a bit more difficult (some models may be the opposite but in my experience this is usually the case).

   1. The iterative process here is like this

      1. Press the “clear” button to reset all numbers

      2. press every number in a row

      3. press hard on the open button and then push each button you just pressed in the given row feeling for a difference.

      4. Mark down any button you think is or might be correct (eg different, usually this means lose and not binding)

      5. Press the reset button, any buttons you think from the previous row might be correct and every button in the next row

4. Identify the Sequence: Once you've determined which buttons are part of the combination, you'll need to find the correct sequence. This may require some trial and error.

5. Open the Box: With the correct sequence of buttons pressed while holding the "open" button, the lock should release.

Example:

1. Press reset button (bottom button with a C)

2. Press buttons 1,2,3

3. Hold the Open button (top big button) and press buttons 1,2,3 feeling for which ones are not binding and are easy to move. Lets suppose buttons 1 & 3 move freely but button 2 is very stiff or wont press completely. Button 2 is likely NOT a valid button but 1 & 3 are maybe

4. Press Reset button

5. Press 1,3 (your maybes from first row) and buttons 4,5,6 from second row

6. Hold Open button and press buttons 4,5,6 feeling for which buttons are binding or stiff. Lets suppose buttons 5 & 6 are stiff (eg not valid) and button 4 is very easy to move (maybe a valid number)

7. Press reset

8. Press 1,3 (maybe from first row), 4 (maybe from second) and 7,8,9 (all possible from next row. Repeat the above steps for this row and the final row ( #, 0, *)

   1. Suppose you have 1, 3, 4, 7, 9 as maybes and the box will not open.

   2. Press clear, press 1,3,4,7,9 and feel for the binding buttons. Suppose now you feel 9 is binding.

   3. Press reset than buttons 1,3,4,7 and if you were correct, the box opens.

      1. NOTE THAT ANY SEQUENCE WITH THESE FOUR NUMBERS WOULD ALSO OPEN THE BOX

Conclusion

Remember, the goal of a physical penetration tester is to identify and report security vulnerabilities so they can be addressed, not to exploit them for unauthorized access. Always ensure you have permission and are operating within legal boundaries when attempting to defeat any security device.

By understanding the mechanisms of these common key boxes and practicing the techniques to defeat them, you'll be well on your way to becoming a more effective and skilled physical penetration tester. Stay ethical, stay legal, and happy testing!

Training Resources:

For individuals looking for a hands on training that includes all of the above topics, Covert Access Team (covertaccessteam.com) provides training courses focused on physical penetration testing, lockpicking, bypassing techniques, social engineering and other essential skills.

• Covert Access Training - 5 day hands on course designed to train individuals and groups to become Covert Entry Specialists

• Elicitation Toolbox Course - 2 day course of that primarily focuses on elicitation and social engineering as critical aspects of Black Teaming

• Cyber Bootcamp for Black Teams - 2 day course designed explicitly for physical penetration testers who need vital cyber skills to add to their toolbox.

• Private one on one Instruction - Book time to get private and personalized instruction on physical penetration testing

Comments

[datadotlog]

Nice work!