Content

Defeating the CODi Titanium Series 4-Digit Combination Cable Lock

From time to time we find ourselves with the need to lock a laptop down to a piece of furniture so that it may be left unattended or unsupervised for a period of time. This may be a case of a device that you want to leave at your seat at a conference, of an institutional deployment that needs some security so the laptops don’t walk away.
In reality, all these laptop security locks do is to keep honest people honest, and introduce a small barrier to entry for theft.
CODi.jpgRecently, I’ve had the pleasure to deal with a procurement group who began looking for a more cost effective and secure product for securing laptops to some mobile carts. They offered to send me over a sample of one of the final contenders, the CODi Titanium Series 4-Digit Combination Cable Lock. This lock features 4 rotating dials (numbered 0 through 9), delivering 10,000+ combinations.
It was delivered to me locked (as if placed in a laptop), with a custom 4 digit combination set. I was not informed of the combination or provided a manual and was asked to recover, it essentially defeating the lock.
I love a challenge.
So, I proceeded to evaluate the lock in a vacuum. No manual, no internet, no combination. Tools? Only what I could find in the office supply closet.
To start off, I will agree that the quality of the lock cable and housing seem to be relatively well made. I do think that there is one weak point where the cable meets the lock housing to provide cable movement and swivel. This would require some sort of heavy duty cutting tool however.
Lets recover the combination! The lock appears to operate by disengaging the mechanism by pulling on the plunger after the correct 4 digit code is entered. I employed the same methodology that one would use to compromise other 4 digit combination locks; provide tension against the shackle or release mechanism and manipulate the dials until you find some resistance.
CODi_elastic.jpgGrabbing a trusty rubber band from the supply closet, I wrapped it around the release plunger forcing it “open”, and providing a significant amount of pressure against the internal mechanism. So, in effect, the “pin” inside that needs to slide through the grooves in each dial is being pushed against the dial forcefully. Variations in manufacturing in the internal parts cause the pin to bind against the dial under pressure.
I began rotating the dial at the bottom of the lock and found that it became very difficult (or impossible) to turn at a certain number. I rotated the dial in the opposite direction, and it also became difficult to turn, however this time at a different number. The numbers were separated by one digit. In this case, it became difficult to turn at 5 and 7. I suspected that the actual combination for this dial was 6, as I figured the pin was binding up on the dial where there had been some manufacturing irregularities next to the groove that allows the pin to pass through and unlock the lock.
I tried this for the remaining dials, and this was what I found for sticking points on this custom combination
Dial one stuck at 0 and 2
Dial two stuck at 7 and 9
Dial three stuck at 6 and 8
Dial four stuck at 5 and 7
I released the tension off the the plunger by removing the elastic band, and set the combination to the numbers in the middle of the sticking points, so in this case “1876”. A pull of the plunger unlocked the lock.
Only 15 minutes to from receipt of lock to combination recovery. I wanted a challenge!
After all is said and done, the lock will provide a deterrent to most folks looking to steal something secured with this, or similar locks. It is actually quite difficult to manufacture a lock that is resistant to compromise based on manufacturing defects or tolerances, and keep them in a price point that is affordable for the majority of users. With that, realize that you get what you pay for and don’t be fooled into a false sense of security with any lock.
combination-padlock.jpgPracticing defense in depth for physical security certainly makes sense in these situations were you are looking to secure mobile equipment. consider the lock, in combination with a software alarm (such as iAlertU on the Mac) as well as some post exploitation recovery methods, such as something along the lines of a Lojack for Laptops type product.
I’m up for suggestions on other cable locks to better secure laptops. Send them on over to psw [at] securityweekly.com
– Larry

Larry Pesce

Larry’s core specialties include hardware and wireless hacking, architectural review, and traditional pentesting. He also regularly gives talks at DEF CON, ShmooCon, DerbyCon, and various BSides. Larry holds the GAWN, GCISP, GCIH, GCFA, and ITIL certifications, and has been a certified instructor with SANS for 5 years, where he trains the industry in advanced wireless and Industrial Control Systems (ICS) hacking. Larry’s independent research for the show has led to interviews with the New York Times with MythBusters’ Adam Savage, hacking internet-connected marital aids on stage at DEFCON, and having his RFID implant cloned on stage at Shmoocon. Larry is also a Principal Instructor and Course Author for the SANS Institute for SEC617: Wireless Penetration Testing and Ethical Hacking and SEC556: IoT Penetration Testing. When not hard at work, Larry enjoys long walks on the beach weighed down by his ham radio, (DE KB1TNF), and thinking of ways to survive the impending zombie apocalypse.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds