Researchers use BlueSteal to remotely crack ‘smart’ handgun safe in seconds

Researchers hacked a Bluetooth-enabled gun safe, Vaultek VT20i, showing how the 'smart' safe can be remotely opened in mere seconds.


Folks wanting not merely a handgun safe, but one that is “smart,” might have selected the Vaultek VT20i — a Bluetooth safe with a biometric scanner that includes anti-theft protection guarantees, such as not being able to pry it open with a crowbar.

It turns out, though, the safe — one of the top sellers on Amazon and approved by the TSA for transporting firearms — can be cracked using a laptop. 

Security researchers from Two Six Labs revealed BlueSteal, describing how they chained multiple security exploits in Vaultek VT20i to remotely hack into the gun safe. The disclosure included “redacted” proof of concept code that can be used to unlock the safes.


3 vulnerabilities in the Vaultek VT20i handgun safe

The vulnerabilities in the Vaultek VT20i were broken down into the “fun” one, the “really fun” one, and the “how does this even happen” vulnerability.

The “fun” flaw revolves around Vaultek’s Android app, which allows “for unlimited pairing attempts with the safe.” The PIN code that opens the safe manually is also the pairing PIN code. The PIN can be four to eight digits long, but may only use the digits 1 through 5. Therefore, the researchers resorted to a brute-force attack.

Sadly, the app allowed for an unlimited number of pairing attempts. The researchers explained, “In the attacker’s best-case scenario of a 4-character PIN code, the search space is a reasonable 5⁴. This would require around 72 minutes at conservative 7 seconds per try.”

The “really fun” vulnerability revolved around the fact that there was no encryption between the app and the safe.

“The application transmits the safe’s PIN code in clear text after successfully pairing,” wrote the researchers. While the safe’s marketing touts AES-256 encryption, Bluetooth LE supports only AES-128 encryption, which the manufacturer also didn’t use.

As for the “how-does-this-even-happen” flaw, the researchers warned that attackers could “remotely unlock any safe in this product line through specially formatted Bluetooth messages, even with no knowledge of the PIN code.” The safe’s app “requires the valid PIN to operate the safe, and there is a field to supply the PIN code in an authorization request,” but “the safe does not verify the PIN code, so an attacker can obtain authorization and unlock the safe using any arbitrary value as the PIN code.”
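The two flaws below, modelled as an added example (not the researchers’ proof-of-concept or Vaultek’s firmware): the brute-force cost of the 1-to-5-digit PIN space at the article’s 7 seconds per pairing attempt, and an authorization check that accepts any PIN beside a hardened one that verifies it in constant time and locks out after a handful of failures. Class names, the lockout threshold and the sample PIN are assumptions.

```python
import hmac

# Constraints reported in the article: digits 1-5 only, length 4 to 8.
PIN_ALPHABET = "12345"
MIN_LEN, MAX_LEN = 4, 8


def search_space(length: int) -> int:
    """Number of candidate PINs of the given length under the 1-5 digit rule."""
    assert MIN_LEN <= length <= MAX_LEN
    return len(PIN_ALPHABET) ** length


def brute_force_minutes(length: int, seconds_per_try: float = 7.0) -> float:
    """Time to exhaust the whole space at the article's 7 s per pairing attempt."""
    return search_space(length) * seconds_per_try / 60


class VulnerableSafe:
    """Models the 'how does this even happen' flaw: the PIN field in the
    authorization request is never compared against the stored PIN."""

    def __init__(self, pin: str) -> None:
        self.pin = pin  # stored but never consulted

    def authorize(self, supplied_pin: str) -> bool:
        return True  # any arbitrary value is accepted


class HardenedSafe:
    """Hypothetical fix: constant-time PIN comparison plus an attempt limit,
    which also defeats the unlimited-pairing brute force."""

    MAX_FAILURES = 5  # assumed lockout threshold, not a Vaultek value

    def __init__(self, pin: str) -> None:
        self.pin = pin
        self.failures = 0

    def authorize(self, supplied_pin: str) -> bool:
        if self.failures >= self.MAX_FAILURES:
            return False  # locked out until an out-of-band reset
        if hmac.compare_digest(supplied_pin.encode(), self.pin.encode()):
            self.failures = 0
            return True
        self.failures += 1
        return False
```

With a 5-failure lockout, an attacker gets at most 5 of the 625 four-digit candidates before the safe stops answering, so the 72-minute exhaustive search no longer applies.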

These flaws, the researchers said, highlight the need to carry out security audits early on in the manufacturing process for “smart” devices.

At first, the researchers believed the best-case scenario for Vaultek VT20i safe owners would be to disable Bluetooth, but the manufacturer said firmware for the safes can be updated.

Vaultek’s response and free firmware update ‘upgrade’

Vaultek said it “understands the value and seriousness of security” in its safes, adding, “Through the team at Two Six Labs, we discovered several ways to protect our safes from future hacks, and promote a healthier future for all upcoming Vaultek Bluetooth products.”

Vaultek considered the risk of being hacked a “low risk” due to the knowledge required to carry out the attack, but the company’s security update notification said new firmware will be used in new production, as well as be made “available to current customers interested in having the upgrade.”

The Bluetooth feature can always be disabled, but for safe owners wanting the new firmware patch, Vaultek said, “We are offering an upgrade service for your safe’s firmware at no charge and will cover the shipping costs. Please check back soon for specific instructions and how to register for the upgrade.”
