How not to secure your server room #2
Here we have a Kaba Simplex Unican 1000 Series push button code lock. The lock is expensive, high quality and fairly secure for indoor use. The main vulnerability discussed here has supposedly been fixed a few years ago but I have still seen many being sold containing it, this may be due to new old stock or people selling refurbished stock. Due to the locks prevalence there will be many out there that are still exploitable.
The first problem with this lock is user error (HTTP 418). Fresh out of the box there is a bright orange sticker saying change the combination at time of installation. You will be surprised how many of these locks out there have the default combination in use. The default combination is 2 and 4 pressed together then press 3 once 2 and 4 have been released.
When the correct code is entered on the keypad and the handle is turned, the opening mechanism lifts up and the door will open as shown in the left image below. When the wrong code is entered and the handle is turned the opening mechanism collapses as shown in the right image below.
When a stack of strong N52 magnets is applied to the side of the lock the metal bar (shown below) moves sideways allowing the opening mechanism to lift up when the handle is turned. You usually have to rotate the handle twice for the mechanism to lift up. The door will now open without a code being entered.
The code bypass lock cylinder in the handle of the lock is extremely difficult to pick or rake open as it is a Multi-Shearline design, one control and one operator. You have to pick all the pins to the correct height for one shearline, you cannot mix and match.
If the lock is damaged and you need access then you can drill a hole in the side of the lock to manipulate the opening mechanism. The lock metal is not very hard and takes approximately 10-15 seconds to drill through, I recommend using a 8mm or 10mm drill bit. Once the hole is drilled you will need a C clamp remover or fashion your own as I did with an old screw driver. Insert the C clamp remover through the hole, rotate the clamp if needed and push it off.
Push the top of the metal bar down to release the piece of metal the C clamp was attached to then push the metal bar out of the way, the door will open once you have turned the handle. This procedure can easily be done blind and is not difficult.
