First of all, thanks for all of your positive feedback on our recent post on physical security. One of the comments we’ve received multiple times is that these types of locks and the practice of using mnemonics for their codes is primarily limited to government facilities. It turns out that’s not really a limitation. Like a muted post horn, now that these locks have piqued our curiosity we’re starting to see them everywhere we look. Check out this find we made today:
Don’t bother checking, we scrubbed the Exif. Bank of America: Feel free to contact us directly if you’d like to know the location ;-)
Another thing we neglected to emphasize in the original post was that our time estimates are upper bounds based off of the assumption that the lock will have a four minute timeout for successive failed attempts. For locks that do not have such a timeout (e.g., basically all mechanical locks, and presumably the one on this ATM), you can divide the brute-force cracking time by at least a factor of four.