Hackers Remotely Crack Top-Selling Bluetooth-Enabled Gun Safes
While searching for gun safes and smart technology, Americans have most likely stumbled across the next generation of affordable gun safes, manufactured by Vaultek. The company produces a line of Bluetooth-enabled safes coupled with biometric fingerprint technology, which its website describes as “more advanced than ever.”
The demand for Vaultek safes has surged recently, sending the company sky-high onto an elite top-list of sellers on Amazon. Amazon has labeled the Vaultek VT20i safe as an ‘Amazon Choice’ product, one where the company calls the item “highly rated, a well-priced product available to ship immediately.”
Besides being top sellers on Amazon, the company’s safes are approved for transport by the Transportation Security Administration (TSA).
But according to a new report from Ars Technica, a group of hackers from the security firm Two Six Labs were able to open a Vaultek VT20i handgun safe in a matter of seconds using a standard MacBook Pro to send Bluetooth data while in range. The wireless entry into the safe required no prior knowledge of the “device’s PIN or any advanced scanning of the vulnerable safe.” Even if the PIN is changed, the hack will still work; all that is required is that the safe is in Bluetooth range.
As you can see in the accompanying video, the wireless hack unlocks a Vaultek VT20i handgun safe in under one minute.
Hackers from Two Six Labs broke the vulnerabilities in the Vaultek VT20i down into 3 bullet points:
- The Fun Vulnerability – The manufacturer’s Android application allows for unlimited pairing attempts with the safe. The pairing pin code is the same as the unlocking pin code. This allows for an attacker to identify the shared pin code by repeated brute force pairing attempts to the safe.
- The Really Fun Vulnerability – CVE-2017-17436 – There is no encryption between the Android phone app and the safe. The application transmits the safe’s pin code in clear text after successfully pairing. The website and marketing materials advertise that this communication channel is encrypted with “Highest Level Bluetooth Encryption” and “Data transmissions are secure via AES256 bit encryption”. However these claims are not true. AES256 bit encryption is not supported in the Bluetooth LE standard and we have not seen evidence of its usage in higher layers. AES-128 is supported in Bluetooth LE, but the manufacturer is not using that either. This lack of encryption allows an individual to learn the passcode by eavesdropping on the communications between the application and the safe.
- The ‘How Does This Even Happen?’ Vulnerability – CVE-2017-17435 – An attacker can remotely unlock any safe in this product line through specially formatted Bluetooth messages, even with no knowledge of the pin code. The phone application requires the valid pin to operate the safe, and there is a field to supply the pin code in an authorization request. However the safe does not verify the pin code, so an attacker can obtain authorization and unlock the safe using any arbitrary value as the pin code.
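An added example (not code from the article, Two Six Labs or Vaultek) of the first and last flaws in the list above: a safe-side handler that accepts an authorization request without comparing its PIN field, beside one that verifies the PIN and times out repeated failures. The request layout, opcode, function names and lockout policy are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed request layout for illustration; not Vaultek's real message format. */
#define OP_AUTH      0x01
#define PIN_LEN      6
#define MAX_FAILS    5      /* assumed policy */
#define LOCKOUT_SECS 300    /* assumed policy */

struct auth_req   { uint8_t opcode; uint8_t pin[PIN_LEN]; };
struct safe_state { uint8_t pin[PIN_LEN]; unsigned fails; uint32_t locked_until; };

/* Flawed pattern: the request carries a PIN field, but it is never compared. */
int authorize_unchecked(const struct safe_state *s, const struct auth_req *r) {
    (void)s;
    return r->opcode == OP_AUTH;
}

/* Compare without an early exit so timing does not reveal matching digits. */
static int pin_equal(const uint8_t *a, const uint8_t *b) {
    uint8_t diff = 0;
    for (size_t i = 0; i < PIN_LEN; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Hardened pattern: verify the PIN on the safe and time out repeated failures. */
int authorize_checked(struct safe_state *s, const struct auth_req *r, uint32_t now) {
    if (r->opcode != OP_AUTH) return 0;
    if (now < s->locked_until) return 0;      /* locked out: reject every attempt */
    if (pin_equal(s->pin, r->pin)) { s->fails = 0; return 1; }
    if (++s->fails >= MAX_FAILS) {            /* start the time-out window */
        s->locked_until = now + LOCKOUT_SECS;
        s->fails = 0;
    }
    return 0;
}

int main(void) {
    struct safe_state s = { {1,2,3,4,5,1}, 0, 0 };       /* constructed PIN */
    struct auth_req wrong = { OP_AUTH, {5,5,5,5,5,5} };  /* arbitrary value */
    printf("unchecked: %d\n", authorize_unchecked(&s, &wrong));
    printf("checked:   %d\n", authorize_checked(&s, &wrong, 0));
    return 0;
}
```

While the time-out window is open the checked handler rejects even the correct PIN, so a guessing loop gains nothing by continuing during the lockout.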
Here is Vaultek’s response to Two Six Labs’ troubling find:
In an e-mail, Vaultek Vice President of Product Development Dustin Culbreth confirmed that the VT20i has no online update mechanism. Still, he said Vaultek plans to offer a firmware fix, either by sending customers a USB dongle that stores the update or by asking customers to ship safes back to the manufacturer, where the update will be installed.
“The new firmware will implement a time out feature to prevent against brute force attacks, as well as updating the PIN code verification process to prevent any transmissions from attempting to open the safe without the correct access code,” Culbreth wrote. Vaultek engineers “are actively working on this and planning to release a new firmware update as early as next week for all customers with applicable models.”
Culbreth’s statement no longer claimed that the attack demonstrated in the video would be hard to execute, as a statement company officials issued on Friday said.
“What you are not seeing is the prep time required to isolate the correct code and the time required to study the safe and its transmissions, and the subsequent decoding time needed to generate the final code,” company officials wrote on Friday. “This can take hours of work and also requires the ability to observe a correctly paired phone.”
Two Six Labs responds to Vaultek’s response and says not so fast…
Two Six Labs researchers, however, disputed the claim and said the Vaultek statement fundamentally mischaracterizes their exploit.
“Once you have developed this capability or written a script to do it, you can affect any safe in this product line in a matter of seconds,” Austin Fletcher, Two Six Labs’ lead vulnerability research engineer, told Ars. “Anyone can do this.”
In a blog post disclosing the vulnerability, the researchers included most of the code required to exploit the vulnerability. A competent developer would need 20 to 60 minutes to supply the missing portion. With that, the developer could build a smartphone app that could silently break into any existing VT20i safe in seconds, as long as Bluetooth was turned on.
Two Six Labs’ hackers ended the report by saying vulnerabilities found in this safe allow an unauthorized user to access its contents.
This is particularly troubling because:
- These safes are advertised to hold firearms
- They have regulatory approval to be used to transport firearms through TSA
- They are advertised to use security technologies such as encryption