Sunday, April 15, 2012

Mathematics of Security Combinations

After my grandfather had a few medical issues, my family had a remote monitoring device installed in case he needed assistance. For the system to work properly, a secure lock box holding a set of house keys was installed at his back door, and the monitoring company had the combination to it. If ambulance officers had to gain access to the house, the monitoring company could give them the combination. As the box is no longer in use, I was having a look at it to see how secure it really is.


From the image above you can see that the unit, the SUPRA StorAKeY, consists of 10 numbered buttons, an open button, and a clear button. The first thing to do when you get the product is set a secret PIN. To set each number in the PIN, a set screw corresponding to the number is turned. This has three implications: firstly, the PIN can't contain duplicate numbers; secondly, the PIN can contain any number of digits from 0 to 10; and thirdly, the order of the numbers in the PIN doesn't matter. So if we were to try and guess the PIN, and knew that it had 3 numbers in it, we would just be randomly selecting 3 numbers out of 10, where the order doesn't matter. It's like the lottery. Imagine that there were 10 numbered balls in a dish and you randomly selected 3 balls from it. We can calculate the probability of getting the right combination as follows.

Suppose that each time you selected a ball it was part of the correct combination. For the first ball you have a 3 in 10 chance of a correct selection. As there are now nine balls left and only two correct ones, the probability of selecting another correct number is 2 in 9. It then follows that a third correct selection has a probability of 1 in 8. By multiplying these probabilities we can calculate the overall probability of the correct combination: (3/10) × (2/9) × (1/8) = 1/120. So the probability of selecting the right combination is 1 in 120, which implies that there are 120 different combinations. If we return to the problem at hand, all we need to do is calculate how many combinations there are for each PIN length and add them up to get the total number of combinations.

Calculating the number of combinations is easy using the following well-known statistical formula, where n is the size of the set to select from, and k is the number of selections to make. This is the same as the process we just went through.

We can now easily calculate the number of different combinations.

So for a device that has 10 buttons, all we end up having is 1024 different combinations. Pretty pathetic really. If we were to attempt to brute force the PIN, and assume that each combination takes 15 seconds, it would take just over 4 hours to try every combination, but on average you will find the combination halfway through the process, at around 2 hours. Therefore if you attempted this you would need 4 hours maximum, but it would probably take a lot less time than that. If you were then to take psychology into account, it would take even less. I'd wager that most people who use these would use birthdays and years as the PIN, so by trying these first you may get lucky.
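The keyspace and timing figures above, worked through as an added example (this code is not from the original post). The function names are my own, and the ordered-keypad comparison is an assumption added to show how much the "no duplicates, order ignored" design costs relative to a conventional keypad.

```python
from fractions import Fraction
from math import comb, log2

BUTTONS = 10          # numbered buttons on the lock box (from the post)
SECONDS_PER_TRY = 15  # time per attempt assumed in the post


def keyspace_by_length(n):
    """Settable PINs per PIN length k: order ignored, no repeats, so C(n, k)."""
    return {k: comb(n, k) for k in range(n + 1)}


def total_keyspace(n):
    """All settable PINs: each button is either in the PIN or not, so 2**n."""
    return sum(keyspace_by_length(n).values())


def selection_probability(n, k):
    """The ball-drawing argument: (k/n) * ((k-1)/(n-1)) * ... * (1/(n-k+1))."""
    p = Fraction(1)
    for i in range(k):
        p *= Fraction(k - i, n - i)
    return p


def exhaustive_search_hours(n, seconds_per_try):
    """(worst case, rough average) hours to try every settable PIN once."""
    worst = total_keyspace(n) * seconds_per_try / 3600
    return worst, worst / 2


def ordered_keypad_keyspace(n, k):
    """Comparison case (assumption, not this lock): a keypad that checks
    digit order and allows repeats has n**k PINs of length k."""
    return n ** k


if __name__ == "__main__":
    for k, count in keyspace_by_length(BUTTONS).items():
        print(f"{k:2d} buttons set: {count:4d} PINs")
    total = total_keyspace(BUTTONS)
    worst, average = exhaustive_search_hours(BUTTONS, SECONDS_PER_TRY)
    print(f"total {total} PINs, about {log2(total):.0f} bits")
    print(f"worst case {worst:.2f} h, average about {average:.2f} h")
    print(f"P(3 correct of 10) = {selection_probability(BUTTONS, 3)}")
    print(f"4-digit PIN: {comb(BUTTONS, 4)} here vs "
          f"{ordered_keypad_keyspace(BUTTONS, 4)} on an ordered keypad")
```

The per-length table also shows that the keyspace peaks at 5 buttons set and shrinks again for longer PINs, so setting more digits past that point does not make the box harder to open.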

I think the thing to take away from this is that these kinds of devices are a deterrent and not extremely secure. If they are in a secluded place where someone can go unnoticed for several hours, they aren't that effective. If, however, they were placed in a more prominent location where someone standing there for 4 hours would draw attention, they become more effective.

An interesting side note about combinations is that they can be used to calculate the odds of winning the lotto. For Gold Lotto in Australia you pick 6 balls from 45 to win; by using the above formula we can calculate that the odds of winning are 1 in 8145060. PowerBall is a little different: to win you have to select 5 balls from 45 and then select a PowerBall, which is a separate draw of 1 ball from 45. The odds of the first part of this work out to be 1 in 1221759, but when multiplied by the second part of 1 in 45 the odds rise dramatically to 1 in 54979155. It's a neat little trick: in both draws you have to pick 6 numbers, and in both draws you are picking from 45 numbers, so you may think you have a similar chance of winning, but winning PowerBall is significantly less likely.
