The OpSec Blog

Security and privacy information and advice at home and abroad.

Security Technology: Spin Dial Locks

leave a comment »

In this post I’m going to give some background on spin dial locks and how past generations of spin dials had weaknesses.  I’ll then describe the features of the Kaba Mas X-09 electro-mechanical spin dial, which is generally acknowledged to be one of the “most secure” locks in existence.

S&G 8550 Spin Dial Lock

The Sargent & Greenleaf 8550 mechanical spin dial lock.

Spin dial locks range in price and complexity from the cheap Master dial padlocks found protecting high school lockers throughout the United States all the way to the modern X-09.  The principle behind a spin dial is simple; a “combination”, or sequence of numbers, corresponds to a notch cut into the side of the wheels.  When the notches are aligned and the bolt retracting mechanism is engaged, a “fence” slides into the row of notches and provides the leverage needed to retract the bolt (or in the case of a padlock, entering the correct combination releases the shackle).   Most spin dials use a standard sequence of three numbers, which, on a lock with a dial ranging from 0-100 allows for a million possible combinations.

Mechanical spin dials (MSDs) are still found on vaults, high security safes, GSA containers, and other items with a requirement to prevent surreptitious entry.  Unfortunately MSDs have a number of major limitations.  First, the one million possible combinations are limited by a “dead zone”; a restriction on the allowable numbers usually for the last number in the combination.  On the Sargent and Greenleaf 8500, for example, the last number of the combination has to be between 0-90 instead of 0-100 due to the mechanics of the lock.    They also have no ability to prevent someone with sufficient time and patience to brute-force the combination.  This was a significant concern in the cold war (and I guess it still is now) when the existence of “robot dialers” – literally robots programmed to dial every possible combination in sequence for a given lock – started to make appearances.  A user could “pre-dial” the first two numbers of the combination so they would just have to enter the third the next day, effectively reducing the security provided by the lock by a factor of 10,0000.  MSDs have “drill points” – positions one could drill a certain-sized hole into from the attack side in order to access the bolt retraction mechanism if one knew the mechanics of the lock (Note that this is different from cutting the safe; the drill points can be covered up much more easily).  A drill point could also be used to insert a telescopic lens to view the action of the wheels and figure out the combination through some simple addition.  Side-channel attacks, like listening for the distinct sound of the fence bumping against the wheels in a poorly constructed lock, were possible, as were X-raying with the aim of finding where the notches in the wheels were located (although this was somewhat mitigated by switching to plastic wheels which were more or less transparent to X-rays but also wore down faster).  Finally, manufacturing tolerances allowed the possibility of a “fudge factor” in the combination; in which the notches were wide enough to allow the fence to engage even if the numbers in the combination were off by +/- one from their “real” value, which in turn makes the combination easier to brute force.

Despite their shortcomings, MSDs are still in widespread use today.  Many prefer them to the electro-mechanical spin dials (EMSDs) because they are generally more user-friendly and more forgiving.  But when high security is required, the only viable solution is an EMSD.

EMSDs solve all of the problems of MSDs and add features that are simply impossible without some kind of programmable logic array.  The problems with MSDs are solved in the following ways:

  • Combination space- EMSDs offer a true million combinations as the bolt is engaged electronically.
  • Brute force- modern EMSDs have a number of features in place to defeat robot dialing, including a variable rate of change when turning the dial and a randomly chosen starting point.
  • Automatic reset- EMSDs can be set to reset after a certain period of time, eliminating the possibility of someone dialing in the first two numbers of the combination to reduce the hassle the next time.
  • Drill points- While early EMSDs had drill points, modern ones do not.  Bolt retraction is controlled by the logic programmed into the lock’s computer, not by mechanical means.
  • Side-channel attacks- since there are no wheels in EMSDs, you cannot X-ray them, listen to them, or view them to work out the numbers in the combination.
  • Fudge factor- The combination is a logical function instead of a mechanical one; eliminating the need for tight tolerances in constructing the wheels and the fence.

In addition to solving the problems of MSDs, EMSDs also allow for the following added security measures.

  • Audit- number of incorrect entries since the last successful opening can be tracked.
  • Two-person integrity (TPI)- an EMSD can be set to require two combinations to be entered successfully in order to retract the bolt.
  • Lockout- EMSDs can (and will) lock you out for a period of time after a certain number of consecutive incorrect entries.
  • Speed limits- Programmable logic can cause the lock to reset if the dial is spun for too long, if it’s spun too fast, or if it’s spun too slowly.

There are trade-offs to adopting an EMSD.  You now have a power requirement not only to energize the lock’s circuitry, but also to provide enough energy to retract the bolt.  You also open the possibility to electromagnetic side-channel attacks using sophisticated RF equipment to see if you can detect emanations that might compromise the combination.  Finally, the security features such as variable speed and lockout make EMSDs less user-friendly than their mechanical predecessors.

The Kaba Mas X-09 is the king of high security spin dials.  It is used throughout the government to protect classified information.  The lock is self-powered by means of a generator activated by spinning the dial itself, eliminating the need for external power.  The digital display has a limited viewing angle (which was not found on the previous X-07 and X-08* generations) preventing “shoulder surfing” attacks.  The variable speed and random starting point allows for a true million combinations.  The electronics of the lock, while not TEMPEST certified, emit no known compromising emanations that could compromise the combination.  The circuit board inside the lock is sealed with an anti-tamper gel from the factory, making electronic tampering instantly obvious upon visual inspection.  After 10 incorrect combinations the X-09 is locked out for three minutes on each successive incorrect combination up to 14 attempts, after which the lockout period increases to four minutes.  While there are no drill points on the X-09, to add insult to injury Kaba Mas also makes a drill-resistant plate just in case someone really wants to get in to your space.

The Kaba Mas X-09 electromechanical spin dial lock.

The X-09 is notoriously unforgiving, causing its users to curse the lightning bolt symbol that flashes when you screw up.  The variable speed dialing in particular throws a lot of people off.  Free tip: if you pass a number in the combination, a quick flick of the dial in the opposite direction to the number in the sequence you’re entering will increment the counter back (or forward) by 3, eliminating the need to spin through an entire cycle again.

Mechanical spin dials are still relatively common, although electromechanical spin dials are clearly the future.  While they can’t replicate the silky-smooth action and satisfying “clink” of the mechanical models, EMSDs offer the required protections that safeguard the information our nation requires to do business.  (Mechanical) Spin dials are fascinating devices to explore, and I highly recommend that you take any opportunity you find to view the mechanics of one through a cutaway model or a movie.

*The X-08 had a slew of problems that lead to development of the X-09, which has more features in common with the X-07 than the X-08.  The X-08 only dialed in one direction, which is decidedly non-intuitive for anyone who has ever dialed left-right-left.  The software in the X-08 caused all sorts of problems, and, when paired with a faulty production run of stepper motors (the device which powers the bolt), means the X-08 is better off being replaced instead of repaired.


Written by OSB

18/07/2011 at 06:06

Leave a Comment

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: