“Smart” Gun Safe Can Be Unlocked With A Simple Bluetooth Hack

One of the top-selling electronic gun safes available from Amazon contains a critical vulnerability which, with the right know-how, can allow someone with no knowledge of the combination to open it.

The Vaultek VT20i handgun safe, described by its designers as being slim enough to slide under a car seat, meets the requirements outlined by the Transportation Security Administration for transporting firearms on airplanes. Such an endorsement, we would hope, would surely mean the VT20i is secure, right?

What’s the problem?

The safe’s physical strengths (a precision-engineered 16-gauge steel body and heavy-duty 5mm diameter steel security cable) sound sturdy enough and would surely prove impenetrable to the most determined thief.

The problem, it turns out, lies with some elements of the smart technology that has been integrated into the safe. Billed as providing “a new level” of personal security, the safe can be opened with a high-resolution biometric fingerprint scanner, which can store up to 20 different user IDs.

Whilst this feature wasn’t the problem, and, like the case itself, is believed to work securely as designed, customers were offered a secondary means to open the lock. In addition to the fingerprint scanner, the VT20i can be opened with a smartphone if it’s within range.

Connecting with the safe via Bluetooth, the remote unlock feature is supposed to work only when someone knows the four- to eight-digit personal identification number used to lock the device, a feature which many people have cited in reviews as being a notable selling point due to the ease and convenience it entails.

Indeed, the safe has an average rating of 4.5 stars on Amazon aggregated from hundreds of reviews. Not bad for a safe that isn’t secure!

How can it be unlocked?

Security researchers at Two Six Labs have reported that it is simple enough to gain knowledge of the correct pin and open the safe, with nothing more than some simple programming knowledge. They explain three – yes, three – ways in which they could gain access to the safe using the Bluetooth function.

First, the manufacturer’s Android application allows for unlimited pairing attempts with the safe. The pairing pin code is the same as the unlocking pin code. This allows an attacker to identify the shared pin by repeated brute force pairing attempts to the safe.

Second, there is no encryption between the Android phone app and the safe. The application transmits the safe’s pin code in clear text after successfully pairing. The website and marketing materials advertise that this communication channel is encrypted with “Highest Level Bluetooth Encryption” and “Data transmissions are secure via AES256 bit encryption”.

However, these claims are not true. AES256 bit encryption is not supported in the Bluetooth LE standard and Two Six Labs say they have not seen evidence of its usage in higher layers. AES-128 is supported in Bluetooth LE, but the manufacturer is not using that either. This lack of encryption allows an individual to learn the passcode by eavesdropping on the communications between the application and the safe.

Third, an attacker can remotely unlock any safe in this product line through specially formatted Bluetooth messages, even with no knowledge of the pin code. The phone application requires the valid pin to operate the safe, and there is a field to supply the pin code in an authorization request. However, the safe does not verify the pin code, so an attacker can obtain authorization and unlock the safe using any arbitrary value as the pin code.
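The device-side checks whose absence the first and third issues describe, shown as an added example (not Vaultek’s firmware or Two Six Labs’ code): the handler actually compares the supplied pin and locks out after repeated failures. The function names, state layout, five-attempt limit and 300-second lockout are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#define PIN_MAX 8            /* article: four- to eight-digit PIN */
#define MAX_FAILURES 5       /* assumed policy, not from the article */
#define LOCKOUT_SECONDS 300  /* assumed policy, not from the article */
typedef enum { AUTH_OK, AUTH_BAD_PIN, AUTH_LOCKED_OUT } auth_result;
typedef struct {
    uint8_t  pin[PIN_MAX];  /* enrolled PIN as ASCII digits */
    size_t   pin_len;
    unsigned failures;      /* consecutive wrong attempts */
    uint32_t locked_until;  /* monotonic seconds; 0 = no lockout */
} safe_state;

/* Behaviour the article describes: the PIN field arrives but is never checked. */
auth_result authorize_flawed(safe_state *s, const uint8_t *pin, size_t len, uint32_t now) {
    (void)s; (void)pin; (void)len; (void)now;
    return AUTH_OK;
}

/* Compare every position with no early exit on the first mismatch. */
static int pin_equal(const safe_state *s, const uint8_t *pin, size_t len) {
    uint8_t diff = (uint8_t)(len != s->pin_len);
    for (size_t i = 0; i < PIN_MAX; i++)
        diff |= (uint8_t)((i < s->pin_len ? s->pin[i] : 0) ^ (i < len ? pin[i] : 0));
    return diff == 0;
}

auth_result authorize_hardened(safe_state *s, const uint8_t *pin, size_t len, uint32_t now) {
    if (now < s->locked_until) return AUTH_LOCKED_OUT;  /* even a correct PIN waits */
    if (pin_equal(s, pin, len)) {
        s->failures = 0;
        return AUTH_OK;
    }
    if (++s->failures >= MAX_FAILURES) {                /* bound repeated guessing */
        s->failures = 0;
        s->locked_until = now + LOCKOUT_SECONDS;
    }
    return AUTH_BAD_PIN;
}

/* Constructed check: send `guess` `tries` times to a fresh safe (PIN 1234), return the last reply. */
auth_result replay(int hardened, const char *guess, size_t len, int tries) {
    safe_state s = { "1234", 4, 0, 0 };
    auth_result r = AUTH_BAD_PIN;
    while (tries-- > 0)
        r = (hardened ? authorize_hardened : authorize_flawed)(&s, (const uint8_t *)guess, len, 100);
    return r;
}
int main(void) { return replay(1, "0000", 4, 6) == AUTH_LOCKED_OUT ? 0 : 1; }
```

With these assumed limits, guessing an eight-digit pin is throttled to five tries per five minutes, and the lockout applies regardless of which client sends the request.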

Solutions like TRIG, a cryptocurrency based on blockchain technology, are one approach to addressing this security hole. But more needs to be done.

What next?

Vaultek Vice President of Product Development Dustin Culbreth has notified customers that a firmware update will be made available to remedy the current flaws in the not-so-smart “smart” parts of the safe.

As the safe has no online update mechanism, however, such a process promises to be difficult. Customers will have to return the safe to the manufacturer for installation, or be sent a USB stick and install it themselves.

Of course, some of the best biometric gun safes on the market rely on old-school technology which cannot be hacked, and perhaps these are the safest bet for those who wish to store their guns securely and responsibly.

Those opting to stick with the VT20i should immediately turn off Bluetooth connectivity and leave it off indefinitely. The safes can still be locked and unlocked using a traditional physical key, as well as by owners’ fingerprints.

Sam Bocetta

Sam Bocetta is a retired Naval contractor who worked for over 35 years as an engineer specializing in electronic warfare and advanced computer systems. Past projects include development of EWTR systems, Antifragile EW project and development of Chaff countermeasures. Sam now teaches in Ottawa, Canada as a part time engineering professor and is the ASEAN affairs correspondent for GunNewsDaily.com.
