Last updated at Mon, 31 Jul 2017 15:15:39 GMT

I recently spent a wonderful week in London to participate in Infosecurity Europe as part of a larger group of internationally-based Rapid7 employees. If you've been to many events, you know that vendors quite often come up with clever ways to attract people to their booth through giveaways, technical presentations, and product demonstrations. Lucky for me, our booth happened to be right next to a vendor who had a rather neat contest involving a keypad lock on a plexiglass case holding a tablet computer. While I didn't want the tablet computer (nor do I think I was eligible to win it), the allure of trying to break into the case seemed worth a little bit of effort.

Explaining the Contest

The lock involved in this contest had some interesting properties that made winning by a random attendee possible, but still unlikely. It was explained by the vendor's marketing team that the specific solution to this challenge would involve 4 numerics and 1 alpha. This keypad had the following traits, which made the contest go from "there's no way this can be done" to "sure, maybe we can get this to work" pretty quickly.

  1. The keypad its self was composed of 13 selectable buttons (0-9, X-Z) and a "clear" button (C).
  2. Each key can only be entered once per code (e.g. a code such as 2112 cannot be made).
  3. The order that keys are pressed does not matter for the code (e.g. you can enter 1234 even if the code is 4321).

While many people refer to locks with any kind of numerical entry as "combination locks," they are quite often actually "permutation locks" in reality. In a combination, the order of entry does not matter, but it does for permutations. This lock happens to be a true combination lock. Further, there's no repetition allowed in our code, either, greatly reducing the total number of possible combinations once again.

Determining the Odds

Let's first breakdown just how much we can reduce this keypad's possibilities. Each result will represent 5 keys being pressed. Remember that with permutations order matters, but with combinations it does not.

  1. Permutations with repetition: 371,293
  2. Permutations without repetition: 154,440
  3. Combinations with repetition: 6,188
  4. Combinations without repetition: 1,287

So simply by having order not matter and not allowing for repetition, we dramatically reduce the possibilities for this code. For the contest, however, we actually have even fewer possibilities than 1,287. Because the keypad combination involves only 4 numerics and 1 alpha, we actually have three sets of 4-digit combinations, each one featuring a different letter (e.g. 1234X, 1234Y, 1234Z). There are 210 combinations (order does not matter, no repetition allowed) for four numerics from a set of 10 (0-9). Because each set of combinations could have an X, Y, or Z, this means we just have to multiply 210 * 3, leaving us 630 combinations to try.

Cracking the Lock

While 630 combinations seems like a lot, you'd be surprised just how quickly you can enter numbers when there's a little bit of logic behind your entry. With some Ruby scripting, I was able to generate a list of all 630 possible combinations and then split that up into files of 20 just to reduce the number of combinations I was staring at and to help me track my progress (and not lose my place). Further, I ordered the possibilities numerically and put the letter at the end. So, for instance, I'd have 0123X, 0123Y, and 0123Z. By ordering my attempts like this, I effectively just had to type the same number three times, simply changing the letter at the end. By using both hands to key in the combination, I was able to enter an attempt roughly every 1-2 seconds.

Unfortunately, I had a few issues to contend with while doing my brute force:

  1. People came up to me quite frequently to ask what I was doing, telling me that my math was wrong, and then suggesting how to do it the right way.
  2. For each code, I had to hit the clear button (C) prior to pressing the next combination, meaning that each 5-character code was effectively 6 characters.
  3. After each code, I had to twist the handle both ways to check to see if I was successful.

Due to each of these circumstances (and my fingers hurting from pressing mechanical, metal buttons), it took me about 20 minutes to hit attempt 376, the winning combination! For those curious, the combination turned out to be 1648X and appeared to have no nerdy significance, unfortunately. My reward? A huge amount of satisfaction and a really awesome plastic crown that I donned a few times during the afternoon for fun.