SIMPLEX LOCKS An Illusion of Security Original research and article published in 2600, The Hacker Quarterly, by Scott Skinner and Emmanuel Goldstein Electronic form created by Magic Man Courtesy of : -=Restricted -=Data -=Transmissions : : : : "Truth is cheap, but information costs." : About this Article ================== This article on Simplex locks was originally published in 2600 magazine, Volume 8, Number 3 (Autumn, 1991). This electronic form has created for those people that do not have access to 2600 magazine (or have never heard of it!). I HIGHLY suggest that you subscribe -- It's worth your while to support this magazine. A yearly home delivered subscription is $21 for an individual, $50 for a corporate subscription. Overseas it's $40 individual, $65 corporate. You can reach 2600 on the net by writing mail to: 2600@well.sf.ca.us. Subscription Correspondence can be sent to: 2600 Subscription Dept. P.O. Box 752 Middle Island, NY 11953-0099 This is NOT the article in its entirety. I left out parts that I felt were not of dire need, such as quotes from Simplex personel, locksmiths, and Federal Express and other non-essentail information. A few sentences have been reworded, and corrections have been made that were pointed out in the next issue (Winter 1991/1992). Here it is.. Share the knowledge. -Magic magic@atdt.org Some Background on Simplex Locks ================================ No lock is one hundred percent secure. As any locksmith will tell you, even the best lock can be opened if one wishes to invest the time and resources. However, a good lock should at least be secure enough to prevent the average person from compromising it. Common sense dictates that a lock which can easily be opened by anyone is simply not a safe lock to use. While an average person may not have the necessary skills and expertise to use a lock pick or a blowtorch, almost everyone has the ability to count, and the ability to cound is all that is necessary to compromise a Unican/Simplex pushbutton lock. In addition, one needn't count very high. Only 1081 combinations are used, and in most cases this number is reduced considerably. Although Simplex claims that "thousands of combinations are available," in truth only 1081 combinations are used. Another 1081 combinations are available in the guise of "high security half-step codes." These are codes which require the user to push one or more buttons only halfway. Because of the extreme difficulty in setting and using these half-step codes, Simplex advises against their use, and in most cases, does not even inform the user that these codes are available. Naturally, the addition of 1081 combinations does not make the lock considerably more secure. (If 2162 combinations seems like a large number, consider that a $5 Master lock has 64,000.) It has been found that nuberous organizations use Simplex locks as a primary lock source. Among the guilty parties in the New York metropolitan area are Federal Express, United Parcel Service (UPS), Citicorp Center, John F. Kennedy International Airport, and the State University of New York at Stony Brook. Others around the nation include General Motors, the State Department, McDonald's, NSA, and the University of Wisconsin. The biggest offender is Federal Express, which uses Simplex locks on over 25,000 dropboxes nationally. The dropboxes are particularly insecure because Federal Express uses the same combination for all of their dropboxes in every state on the east coast! So by opening one dropbox, we now have access to thousands. Access was also gained to a UPS dropbox -- in one shot. UPS did not even bother to change the default combination which is set by Simplex. And, just like Federal Express, UPS figures that a single combination is good enough for every dropbox. Hacking Simplex Locks ===================== What follows is a list of all possible combinations for Simplex locks. They have been divided into four groups acording to how many pushbuttons are used. Listed after each group name is the total number of combinations in the group. The numbers listed in parentheses refer to pushbuttons that must be pressed together. If you find that none of the combinations appear to open the lock, then it may be a rare instance of a half-step code. In this case, only the last number (or numbers if they are in parentheses) should be pressed in HALFWAY and held while the knob or latch is turned. Slowly press in the pushbutton(s) until you feel pressure. If you hear a click then you have pushed the buttons in too far. If all of this sounds complicated, then you are beginning to understand why it is that Simplex does not recommend the use of half-step codes, and subsequently why half-step codes are virtually never used. Simplex locks come in many different shapes, sizes, and colors. However, the two models that you will most likely see are the 900 and the 1000 series. The characteristic features of the 900 series are five black buttons spaced in a circular fashion on a round, metallic cylinder. In addition, the 900 series utilizes a latch instead of a doorknob. The 1000 series is much larger, with five (usually metallic) pushbuttons spaced vertically on a rectangular metal chassis. Unlike the 900 series, the 1000 has a doorknob. It is suggested that novices attempt their first hack on a Simplex 900 model. If the latch is located below the buttons, then the procedure is as follows: 1) turn the latch counterclockwise to reset the lock; 2) enter a combination from the list; 3) turn the latch clockwise to open. If the latch is located above the buttons then simply reverse this procedure. Make sure that you reset the lock after each try. To hack a 1000 model, simply enter a combination from the list and turn the knob clockwise. You will hear clicks as you turn the knob, indicating that the lock has been reset. It is sometimes difficult to tell when you have cracked a 1000 model by simply turning the knob. When you do get the correct code, you will hear a distinctive click and feel less pressure as you turn the knob. You will find that turning the latch on a 900 model requires less wrist motion and makes much less noise than turning the knob on a 1000 model. These details seem trivial until you realize that you may have to turn the latch or doorknob a few hundred times before you crack the lock. It can not be stressed enough how much easier it is when you know the range. For instance, if you know that only three digits are being used, then you do not have to waste time trying four digits. One way to find out the range is to stand nearby while someone punches in the code. You will hear distinctive clicks which will give you an idea of the range. If you cannot stand nearby then try hiding a voice activated tape recorder near the door. The tape recorder will remain off until someone comes up to punch in the code. You can then retrieve the recorder later at your convenience and listen for the telltale clicks. It was found that this method only works in quiet areas, such as the inside of a building. Another way to find out the range is to take a pencil eraser and carefully rub off a tiny bit of rubber on each of the pushbuttons. When someone comes to enter the combination, they will rub off the rubber on all of the pushbuttons that they use, while leaving telltale traces of rubber on the pushbuttons that they do not use. This method works particularly well because you eliminate pushbuttons, which drastically reduces the number of combinations that must be tried. It has been found that certain ranges tend to be used more than others. Group B (three pushbuttons) tends to be used in "low security areas," while Groups C and D tend to be used in areas which seem like they should be more secure. A lock which uses a combination from Group A has never been found. For some reason, the 1000 series mostly uses Group C (four pushbuttons). In addition, most combiniations tend to be "doubles," which require at least two of the pushbuttons to be pressed together. When you decide on a particular range to start with, try the doubles first. For instance, try "(12)345" before you try "12345." A lock which uses a triple, quadruple, or all five pushbuttons pressed at the same time has never been found. Although a list of all the possible combinations is provided, you may find it useful to invest some time and record these codes onto cassette. This makes it much easier for one person to hack a Simplex lock. A walkman looks far less conspicuous than sheets of paper filled with numbers. Finally, it is always good to take a few lucky shots before initiating a brute force hack. Always try the default combination "(24)3" before trying anything else. Above all, DON'T give up! Even if you do not get the combination in ten minutes, you are still that much closer to figuring it out. It is recommended that you do not stress yourself out trying every combination in one shot. A few minutes a day will do just fine, and the thrill of achievement will be well worth the wait. Changing Combinations on the 900 Series ======================================= You may change combinations to any sequence you wish, using any or all buttons, in any order, separately or pushed at the same time with other buttons. You cannot use the same button more than once in a combination. 1) With the door OPEN and the Simplex LOCKED, turn the FRONT CONTROL KNOB (marked "Simplex") to the LEFT, and RELEASE. Push the EXISTING combination and RELEASE the buttons. 2) Remove the screw in the Lock Housing with an Allen wrench. Insert the wrench into the screw hole and depress button within. Remove wrench. 3) Turn the front control knob (marked "Simplex") to the LEFT, and RELEASE. 4) Press the buttons in the sequence desired for your new combination. Record your new combination. 5) Turn the front control knob RIGHT. Your new combination is now installed. Before shutting the door, try it to be sure you have recorded it correctly. Replace the threaded screw in the Lock Housing. NOTE: If the front control knob opens the lock without pushing the combination, steps 3, 4, and 5 were performed out of order and your Simplex is in a "0" combination. To reinstall a combination, follow the above steps above, but omit step #1. All possible Simplex Combinations ================================= Note: Numbers in parentheses should be pressed together GROUP A: GROUP B: 423 (34)5 (234) 2354 35 130 425 (35)1 (235) 2413 431 (35)2 (245) 2415 1 123 432 (35)4 (345) 2431 2 124 435 (45)1 2435 3 125 451 (45)2 GROUP C: 2451 4 132 452 (45)3 375 2453 5 134 453 3(12) 2513 12 135 512 4(12) 1234 2514 13 142 513 5(12) 1235 2531 14 143 514 2(13) 1243 2534 15 145 521 4(13) 1245 2541 21 152 523 5(13) 1253 2543 23 153 524 2(14) 1254 3124 24 154 531 3(14) 1324 3125 25 213 532 5(14) 1325 3142 31 214 534 2(15) 1342 3145 32 215 541 3(15) 1345 3152 34 231 542 4(15) 1352 3154 35 234 543 1(23) 1354 3214 41 235 (12)3 4(23) 1423 3215 42 241 (12)4 5(23) 1425 3241 43 243 (12)5 1(24) 1432 3245 45 245 (13)2 3(24) 1435 3251 51 251 (13)4 5(24) 1452 3254 52 253 (13)5 1(25) 1453 3412 53 254 (14)2 3(25) 1523 3415 54 312 (14)3 4(25) 1524 3421 (12) 314 (14)5 1(34) 1532 3425 (13) 315 (15)2 2(34) 1534 3451 (14) 321 (15)3 5(34) 1542 3452 (15) 324 (15)4 1(35) 1543 3512 (23) 325 (23)1 2(35) 2134 3514 (24) 341 (23)4 4(35) 2135 3521 (25) 342 (23)5 1(45) 2143 3524 (34) 345 (24)1 2(45) 2145 3541 (35) 351 (24)3 3(45) 2153 3542 (45) 352 (24)5 (123) 2154 4123 354 (25)1 (124) 2314 4125 412 (25)3 (125) 2315 4132 413 (25)4 (134) 2341 4135 415 (34)1 (135) 2345 4152 421 (34)2 (145) 2351 4153 4213 (12)54 (35)41 3(25)4 41(23) (23)(15) 4215 (13)24 (35)42 4(25)1 45(23) (23)(45) 4231 (13)25 (45)12 4(25)3 51(23) (24)(13) 4235 (13)42 (45)13 1(34)2 54(23) (24)(15) 4251 (13)45 (45)21 1(34)5 13(24) (24)(35) 4253 (13)52 (45)23 2(34)1 15(24) (25)(13) 4312 (13)54 (45)31 2(34)5 31(24) (25)(14) 4315 (14)23 (45)32 5(34)1 35(24) (25)(34) 4321 (14)25 3(12)4 5(34)2 51(24) (34)(12) 4325 (14)32 3(12)5 1(35)2 53(24) (34)(15) 4351 (14)35 4(12)3 1(35)4 13(25) (34)(25) 4352 (14)52 4(12)5 2(35)1 14(25) (35)(12) 4512 (14)53 5(12)3 2(35)4 31(25) (35)(14) 4513 (15)23 5(12)4 4(35)1 34(25) (35)(24) 4521 (15)24 2(13)4 4(35)2 41(25) (45)(12) 4523 (15)32 2(13)5 1(45)2 43(25) (45)(13) 4531 (15)34 4(13)2 1(45)3 12(34) (45)(23) 4532 (15)42 4(13)5 2(45)1 15(34) (123)4 5123 (15)43 5(13)2 2(45)3 21(34) (123)5 5124 (23)14 5(13)4 3(45)1 25(34) (124)3 5132 (23)15 2(14)3 3(45)2 51(34) (124)5 5134 (23)41 2(14)5 34(12) 52(34) (125)3 5142 (23)45 3(14)2 35(12) 12(35) (125)4 5143 (23)51 3(14)5 43(12) 14(35) (134)2 5213 (23)54 5(14)2 45(12) 21(35) (134)5 5214 (24)13 5(14)3 53(12) 24(35) (135)2 5231 (24)15 2(15)3 54(12) 41(35) (135)4 5234 (24)31 2(15)4 24(13) 42(35) (145)2 5241 (24)35 3(15)2 25(13) 12(45) (145)3 5243 (24)51 3(15)4 42(13) 13(45) (234)1 5312 (24)53 4(15)2 45(13) 21(45) (234)5 5314 (25)13 4(15)3 52(13) 23(45) (235)1 5321 (25)14 1(23)4 54(13) 31(45) (235)4 5324 (25)31 1(23)5 23(14) 32(45) (245)1 5341 (25)34 4(23)1 25(14) (12)(34) (245)3 5342 (25)41 4(23)5 32(14) (12)(35) (345)1 5412 (25)43 5(23)1 35(14) (12)(45) (345)2 5413 (34)12 5(23)4 52(14) (13)(24) 4(123) 5421 (34)15 1(24)3 53(14) (13)(25) 5(123) 5423 (34)21 1(24)5 23(15) (13)(45) 3(124) 5431 (34)25 3(24)1 24(15) (14)(23) 5(124) 5432 (34)51 3(24)5 32(15) (14)(25) 3(125) (12)34 (34)52 5(24)1 34(15) (14)(35) 4(125) (12)35 (35)12 5(24)3 42(15) (15)(23) 2(134) (12)43 (35)14 1(25)3 43(15) (15)(24) 5(134) (12)45 (35)21 1(25)4 14(23) (15)(34) 2(135) (12)53 (35)24 3(25)1 15(23) (23)(14) 4(135) 2(145) 21534 41325 (12)435 (35)142 1(25)34 3(145) 21543 41523 (12)453 (35)214 1(25)43 1(234) 23451 41532 (12)534 (35)241 3(25)14 5(234) 23415 42315 (12)543 (35)412 3(25)41 1(245) 23514 42351 (13)245 (35)421 4(25)13 4(235) 23541 42513 (13)254 (45)123 4(25)31 1(245) 23145 42531 (13)425 (45)132 1(34)25 3(245) 23154 42135 (13)452 (45)213 1(34)52 1(345) 24513 42153 (13)524 (45)231 2(34)15 2(345) 24531 43512 (13)542 (45)312 2(34)51 (1234) 24135 43521 (14)235 (45)321 5(34)12 (1235) 24153 43125 (14)253 3(12)45 5(34)21 (1245) 24351 43152 (14)325 3(12)54 1(35)24 (1345) 24315 43215 (14)352 4(12)35 1(35)42 (2345) 25134 43251 (14)523 4(12)53 2(35)14 25143 45123 (14)532 5(12)34 2(35)41 GROUP D: 25341 45132 (15)234 5(12)43 4(35)12 541 25314 45213 (15)243 2(13)45 4(35)21 25413 45231 (15)324 2(13)54 1(45)23 12345 25431 45312 (15)342 4(13)25 1(45)32 12354 31245 45321 (15)423 4(13)52 2(45)13 12453 31254 51234 (15)432 5(13)24 2(45)31 12435 31452 51243 (23)145 5(13)42 3(45)12 12534 31425 51324 (23)154 2(14)35 3(45)21 12543 31524 51342 (23)415 2(14)53 34(12)5 13452 31542 51423 (23)451 3(14)25 35(12)4 13425 32451 51432 (23)514 3(14)52 43(12)5 13524 32415 52314 (23)541 5(14)23 45(12)3 13542 32514 52341 (24)135 5(14)32 53(12)4 13245 32541 52413 (24)153 2(15)34 54(12)3 13254 32145 52431 (24)315 2(15)43 24(13)5 14523 32154 52134 (24)351 3(15)24 25(13)4 14532 34512 52143 (24)513 3(15)42 42(13)5 14235 34521 53412 (24)531 4(15)23 45(13)2 14253 34125 53421 (25)134 4(15)32 52(13)4 14352 34152 53124 (25)143 1(23)45 54(13)2 14325 34251 53142 (25)314 1(23)54 23(14)5 15234 34215 53214 (25)341 4(23)15 25(14)3 15243 35124 53241 (25)413 4(23)51 32(14)5 15342 35142 54123 (25)431 5(23)14 35(14)2 15324 35241 54132 (34)125 5(23)41 52(14)3 15423 35214 54213 (34)152 1(24)35 53(14)2 15432 35412 54231 (34)215 1(24)53 23(15)4 21345 35421 54312 (34)251 3(24)15 24(15)3 21354 41235 54321 (34)512 3(24)51 32(15)4 21453 41253 (12)345 (34)521 5(24)13 34(15)2 21435 41352 (12)354 (35)124 5(24)31 42(15)3 43(15)2 524(13) 231(45) (23)1(45) (123)54 24(135) 14(23)5 542(13) 312(45) (24)5(13) (124)35 42(135) 15(23)4 235(14) 321(45) (24)3(15) (124)53 23(145) 41(23)5 253(14) (12)(34)5 (24)1(35) (125)34 32(145) 45(23)1 325(14) (12)(35)4 (25)4(13) (125)43 15(234) 51(23)4 352(14) (12)(45)3 (25)3(14) (134)25 51(234) 54(23)1 523(14) (13)(24)5 (25)1(34) (134)52 14(235) 13(24)5 532(14) (13)(25)4 (34)5(12) (135)24 41(235) 15(24)3 234(15) (13)(45)2 (34)2(15) (135)42 13(245) 31(24)5 243(15) (14)(23)5 (34)1(25) (145)23 31(245) 35(24)1 324(15) (14)(25)3 (35)4(12) (145)32 12(345) 51(24)3 342(15) (14)(35)2 (35)2(14) (234)51 21(345) 53(24)1 423(15) (15)(23)4 (35)1(24) (234)15 (123)(45) 13(25)4 432(15) (15)(24)3 (45)3(12) (235)14 (124)(35) 14(25)3 145(23) (15)(34)2 (45)2(13) (235)41 (125)(34) 31(25)4 154(23) (23)(14)5 (45)1(23) (245)13 (134)(25) 34(25)1 415(23) (23)(15)4 3(12)(45) (245)31 (135)(24) 41(25)3 451(23) (23)(45)1 4(12)(35) (345)12 (145)(23) 43(25)1 514(23) (24)(13)5 5(12)(34) (345)21 (234)(15) 12(34)5 541(23) (24)(15)3 2(13)(45) 4(123)5 (235)(14) 15(34)2 135(24) (24)(35)1 4(13)(25) 5(123)4 (245)(13) 21(34)5 153(24) (25)(13)4 5(13)(24) 3(124)5 (345)(12) 25(34)1 315(24) (25)(14)3 2(14)(35) 5(124)3 (45)(123) 51(34)2 351(24) (25)(34)1 3(14)(25) 3(125)4 (35)(124) 52(34)1 513(24) (34)(12)5 5(14)(23) 4(125)3 (34)(125) 12(35)4 531(24) (34)(15)2 2(15)(34) 2(134)5 (25)(134) 14(35)2 134(25) (34)(25)1 3(15)(24) 5(134)2 (24)(135) 21(35)4 143(25) (35)(12)4 4(15)(23) 2(135)4 (23)(145) 24(35)1 314(25) (35)(14)2 4(23)(45) 4(135)2 (15)(234) 41(35)2 341(25) (35)(24)1 4(23)(15) 2(145)3 (14)(235) 42(35)1 413(25) (45)(12)3 5(23)(14) 3(145)2 (13)(245) 13(45)2 431(25) (45)(13)2 1(24)(35) 1(234)5 (12)(345) 12(45)3 125(34) (45)(23)1 3(24)(15) 5(234)1 (1234)5 21(45)3 152(34) (12)5(34) 5(24)(13) 1(235)4 (1235)4 23(45)1 215(34) (12)4(35) 1(25)(34) 4(235)1 (1245)3 31(45)2 251(34) (12)3(45) 3(25)(14) 1(245)3 (1345)2 32(45)1 512(34) (13)5(24) 4(25)(13) 3(245)1 (2345)1 345(12) 521(34) (13)4(25) 1(34)(25) 1(345)2 5(1234) 354(12) 124(35) (13)2(45) 2(34)(15) 2(345)1 4(1235) 435(12) 142(35) (14)5(23) 5(34)(12) 45(123) 3(1245) 453(12) 214(35) (14)3(25) 1(35)(24) 54(123) 2(1345) 534(12) 241(35) (14)2(35) 2(35)(14) 35(124) 1(2345) 543(12) 412(35) (15)4(23) 4(35)(12) 53(124) (12345) 245(13) 421(35) (15)3(24) 1(45)(23) 34(125) 254(13) 123(45) (15)2(34) 2(45)(13) 43(125) 425(13) 132(45) (23)5(14) 3(45)(12) 25(134) 452(13) 213(45) (23)4(15) (123)45 52(134)