How to open a safe
I've 'broken' in to two safes, purely for interest. I'm not quite sure why, but locks and safes have always fascinated me. From ancient times, man has invented ever more complex mechanisms and contraptions to keep certain people out from certain places and items. I guess it's this ever increasing ingenuity that fascinates me. The juxtaposition of people's perception of security, against the actual security on offer is also interesting from a psychological point of view. Some modern locks really aren't very secure at all, whilst others are extremely secure, yet few people can tell the difference. Safes very much fall in to this category.
"There's two ways into a safe"
1. The Elegant way
This is the typically Hollywood way in, using a stethoscope and a pair of white gloves, the secret agent manipulates the mechanism by listening to the gears and within minutes the safe is open. I'm not going to go in to the detailed workings of safe locking mechanisms here (go see Wikipedia) but suffice to say that its really not hard to design a lock that you can't break by simply listening to it. You can use x-ray photographs (top end safes are lead lined), miniature cameras drilled through into tiny holes and other elaborate tricks but these tools are not easily portable and the process is not fast.
Most low to middle range safes can be manipulated though, but it's a tedious and time consuming process. The longest process is a brute force attack - the trial of every single combination. For 100 graduations on a dial, by a three number combination that's a million combinations, or at 10 seconds a combination just over 115 days. The faster way uses assumptions and generally relies on manufacturing defects in the mechanism itself.
The dial on the front is attached to the first wheel inside, which then bumps the next wheel and so on to the third. Thus to clear a combination takes revolving the dial 3 full turns in either direction. Each dial has a deep notch cutout of it and the lever of the safe will only move when the three notches line up and the lever can move. The dials are rarely perfectly round, and rarely all identical in size, nor is the internal lever perfectly straight - it'll hit some wheels before others and at different times. Here lies the vulnerability. Safe manufacturers also know their (legitimate) customers will want to open safes relatively quickly and so the notches are generally oversize by 1-2 digits depending on the model. Thus 16 through to 18 will probably be accepted for a 17 on the combination.
Knowing this we only need to try every 2nd to 3rd number. In my case I choose to try every 2.5th number (I did this on a safe with the owners permission in case you wondered). That takes it from 1,000,000 combinations to just over 90,000. Still a very long time!
If you measure the safe handle movement (right is the scale I printed off to do this, with a long pointer taped to the handle for accuracy) as you rotate the first wheel you can measure for any sudden but minor drops. This indicates where the notch is. With one notch down in just 45 tries we're now down to just 2000 combinations. It's not quite this simple, chances are the imperfections won't shown on the first disk until you know the second number and the manufacturers often put false notches in to confuse you, but with a spreadsheet it's not too hard. One of the plots is shown below.
I managed to get two out of the three numbers right on a reasonably cheap, but commercial safe. It took 135 measurements and around 300 dialled numbers. That still took me over 2 hours and I never actually opened the safe! A professional could have done this in an hour or so with a good degree of success I reckon.
2. The Crude Way
The crude way involves just physical brute force - grinders, hammers, chisels and drills. Safe makers certainly try to make things hard for you including mixtures of metal and stone so no one drill will cut both, adding in steel balls that spin rather than cut, using harden steel casings etc. This is where the physical security of safes might surprise you - almost all safes can be opened in under 30 minutes with the right tools, many cheaper safes in just a couple of minutes. Most are rated 0 to 6 with 0 being easy and 6 being hard (hotel safes and domestic money boxes don't even get close to a 0 I'm afraid). The rating is derived from actual tests where the time taken is multiplied by the rating of the highest tool used. Tools vary in points from basic (crow bar), to more noisy (grinder), to specialist (diamond drilling rig). The deterrent here is not the impossibility of cutting them open, but the amount of noise required in doing so and the amount of equipment that needs to be carried in to do the job - thieves don't like having to carry lots of power tools, extension leads nor making lots of noise it seems. A safe only needs to remain safe enough for a few minutes until security can respond to the alarm (yes, you need an alarm!).
I'd known this for a while, until one day I was presented with a safe that quite literally came with the building and no one had the key. It must have weighed well in excess of 100kg as two people couldn't lift it.
The outside was mild steel, a couple of millimetres thick, followed by 50mm of concrete which contained hard lumps of stone or silica, and an inner layer of steel a bit thicker than the first. Tools of choice: 6" grinder, jack hammer, 4" grinder, crowbar. The process took about 25 minutes, but could have been done faster with experience. Add to that about 15 minutes getting all of the tools out and plugged in though. So unless you have time to kill and want the safe to still work afterwards, powertools are probably much faster than skill.
And the winnings? About £26 in small change and some snowman wrapping paper.