Two factor authentication safe deposit box

github 2fa dialog

A skilled hacker attempts to crack 2FA

Securing your digital life with two-factor authentication (2FA) is pretty common nowadays. A password alone just doesn’t hack it. (Or does it?) Typically, 2FA on the web requires a one-time code, sent to your phone, as well as your password to log in. Other systems may use factors such as biometrics (e.g. fingerprints) or hardware dongles. (My own bank requires me to use a silly little (very losable) card reader every time I want to transfer a fiver.)

Safety deposit box with two-factor authentication

Safety deposit box with two-factor authentication

Thinking inside the box

Pablo Carranza Vélez decided to apply the principle of 2FA to a physical object, a Raspberry Pi controlled safe deposit box. To get into the box you need both your personal entry code and the code sent to your phone. This then triggers a solenoid to unlock the box.

Lots of cool stuff going on

The box uses and Authy API. Full details, schematics and code can be found on  Pablo’s page. It’s a simple concept but there’s lots going on in terms of hardware and software—Authy,, MongoDB, node.js, Bootstrap, breadboard circuits, solenoids—to make a great project and an interesting proof of concept. It’s also an excellent introduction to the contemporary technologies used and there’s even some computer science with a nod to state machines.

Opening the resin safebox from Pablo Carranza Vélez on Vimeo.

A pre-emptive note thing

“Just hold on this minute!” shouts a completely imaginary concerned reader. “You could (literally) brute force it with a sledge hammer/ hack it with a giant Wile E. Coyote magnet/ steal the building it was attached to / drill a hole in it and send in a tiny monkey to feebly tug at the solenoid.” Well yes, you could. To all of them.

Our advice is: do not make one of these to store your ultra-rare U2 Panini stickers in as they might get nicked (my brother swears to this day that it wasn’t him who drew NHS specs on Bono in red biro). The 2FA safe box is a thought provoking Raspberry Pi / IoT project, not the Old Lady of Threadneedle Street, lawks! (I’ve always wanted to write that, it’s a cracking name :))

Solenoid control breadboard prototype

Solenoid control breadboard prototype


James avatar

Looks cool! Assuming the metal box doesn’t shield the WiFi and lock you out.

Mitch avatar

What happens if you loose power or the usb gets pulled while locked?


bertwert avatar

You could (literally) brute force it with a sledge hammer/ hack it with a giant Wile E. Coyote magnet/ steal the building it was attached to / drill a hole in it and send in a tiny monkey to feebly tug at the solenoid.

Dougie avatar

So you’ve seen this video on how to open a hotel safe

bertwert avatar

Have not seen that :-)
Just copied and pasted the article.

JBeale avatar

You might think that a metal box prevents any radio inside from working. That would be true if you had a *perfectly sealed* metal box. It turns out that unless you really try, almost all metal boxes have joints and seams that work to some extent as slot antennas at high enough frequencies. And that is not even counting any power or signal cables penetrating the box. Bottom line, you may have quite usable signal levels on the outside- give it a try.

Jim Manley avatar

OK, as the rightly-feared, tin-foil-hatted individual (but not an In-DUH-vidual :) who has run a federal government military academic digital forensics lab, I applaud this as an entry-level, introductory, totally non-secure opportunity for learning very limited computing fundamentals. Unless every single line of code and the totality of the system are subjected to a rigorous mathematical proof (and software exists to aid in such analysis – it is far from automatic, however), such a system cannot be relied upon to be secure, whether Wile E. Coyote is involved or not. The problem isn’t the relatively benign use of this technology, it’s the inevitable creep of such examples where they are adopted as if they really are secure for totally inappropriate uses down the line. Some infamous examples of this are Unix and other very popular operating systems and applications software. The creators of Unix are on record as saying that if they had known that their software would be used in the real world for any kind of serious work, they never would have released it outside their lab. The history of other very popular software should have been considered the same way, as the resultant burgeoning computing security industry provides ample and obvious evidence on a continuing basis, assuming you enjoy Internet access unmarred by daily distributed denial of service (DDoS) attacks as many do these days. These attacks are possible due to poorly designed and implemented software that is further exacerbated by being improperly configured, let alone used for inappropriate uses.

Please do not participate in educational opportunities such as this lockbox example from being allowed to be used for any serious security situations – in other words, be ready, willing, and able to lose whatever you may have locked in the box. Point out loudly and continuously that this should never happen because clueless In-DUH-viduals will still attempt to do this far into the future. To paraphrase Smokey (there is no “the” in his name) Bear, “Only YOU can prevent security lapses.” Thank you and we now return you to your blog, already in progress :D

Dougie avatar

So I take it that you’re not saying can’t be trusted. The code the author of this application is using is mostly a trivial NODE.js wrapper for Authy’s public API. When the 2FA is passed it just sets a GPIO pin high.

The hardware side is simply the GPIO pin driving the base of a transistor to pull a solenoid to open the box. If I can set the GPIO pin high the box will open regardless of what funky software might be the “official” way to drive it. If I aim for root access (which is open to me through the pi user having sudo without a password) I can activate the pin and I’m in.

This will never be secure until you harden the security on the RPi regardless of how the official way to wiggle the pin is implemented. There’s a lot of work needed on a RPi to do that because Raspbian is set-up as a very insecure system (with published passwords) for ease of use reasons. That choice made by the Raspberry Pi Foundation and the Raspbian builders is not the way I’d have done it. NOOBS opens another exposure since the NOOBS recovery system runs in a root shell.

I’ll assume it’s LAN only and the NODE.js web server isn’t being port forwarded to the public Internet (so you can open the box from a mobile phone in Timbuktu). Doing that opens another can of security worms.

Mike P avatar

Well this does look like a nice project to play with. However it does have a few flaws if you wanted to use it seriously as already said. However security can be increased if using ubuntu mate as it is a raspberry pi 2. The only draw backs I see are you have to have it near a power supply and If you use a battery there is not much room left for keys. For someone who just likes tinkering this is a great project.

arcko avatar

looks good!

Mike avatar

the problem with all this is the dependency on other devices that might not be fully under the user’s control.
(the phone!)

how much do you trust whatever is running on that phone? or whoever else might have access to data on there?

and what happens if you lose your phone?

sure there’s no perfect solution and I’m not trying to put anything down but those risks are still worth a thought!

Comments are closed