Smart Handgun Safe Not Smart Enough Not To Let Basically Anyone Break Into It

from the bang-bang dept

When we discuss the problems around "the internet of things" and app-controlled everything, we typically have to get into the weeds a bit about privacy, whether you own what you purchased, and the ethical implications of opening up an internet-connected service or product to potential hacking. On the security and hacking side of things, it should be clear by now that far too many companies don't take this stuff seriously enough. Our pages are rife with IoT devices being hacked, including everything from Barbie dolls to sports cars. It's enough to make you long for a company with a mission basic enough to develop a product so geared towards security that it couldn't possibly get this app-controlled thing wrong.

Well, how about a handgun safe? Take the Vaultek VT20i handgun safe, for instance. This safe can be opened by inputting the user's PIN number, up to eight digits, either on the box itself or via a smartphone app. Now, you're probably wondering why someone who needs their hand-cannon would need to open the safe up with an app. It's a great question, but one we probably shouldn't worry about considering that some security researchers found that you can just open that damn thing with a laptop instead, no PIN number needed.

The remote unlock feature is supposed to work only when someone knows the four- to eight-digit personal identification number used to lock the device. But it turns out that this PIN safeguard can be bypassed using a standard computer and a small amount of programming know-how.

As the video demonstration below shows, researchers with security firm Two Six Labs were able to open a VT20i safe in a matter of seconds by using their MacBook Pro to send specially designed Bluetooth data while it was in range. The feat required no knowledge of the unlock PIN or any advanced scanning of the vulnerable safe. The hack works reliably even when the PIN is changed. All that's required to make it work is that the safe have Bluetooth connectivity turned on.

Once this video and the code for the hack were released publicly, Vaultek snapped into action by releasing a statement claiming that this hack would take hours to pull off and would "require the ability to observe a correctly paired phone." To which Two Six Labs said: "Nuh-uh!"

"Once you have developed this capability or written a script to do it, you can affect any safe in this product line in a matter of seconds," Austin Fletcher, Two Six Labs' lead vulnerability research engineer, told Ars. "Anyone can do this."

In a blog post disclosing the vulnerability, the researchers included most of the code required to exploit the vulnerability. A competent developer would need 20 to 60 minutes to supply the missing portion. With that, the developer could build a smartphone app that could silently break into any existing VT20i safe in seconds, as long as Bluetooth was turned on.

Now, Dustin Culbreth, VP of Product Development for Vaultek, has issued a second statement from Vaultek, promising a firmware update that will address this exploit. There are a couple of problems with that. First, despite all of the Bluetooth back-and-forth from this gun safe and Bluetooth devices, the safe isn't actually connected to the internet. So, to patch this exploit, gun owners are going to be sent a USB device and install the patch themselves (perhaps through no more effort than plugging it in, but this is unclear) or will have to ship the safe back to Vaultek to be fixed. In a world where user error is the mantra of anyone involved in supporting technology, one shudders to think so much security over a weapon would be effective only at the pleasure of the average end-user's dedication to patching their own gun safe.

And that brings me back to the question of why such an app-controlled gun safe is necessary to begin with. I know we have gun owners among our readers, so please chime in below with what I'm missing, but isn't it enough to enter the PIN on the box instead of on your phone? And, if not, is the application-controlled unlocking feature worth this kind of risk?

Filed Under: gun safe, iot, locks, smart handgun, vaultek vt20i
Companies: vaultek


Reader Comments

  • Cdaragorn (profile), 13 Dec 2017 @ 10:57am

    It isn't

    To put it bluntly, it isn't.

    There is absolutely no reason whatsoever to ever make a gun safe able to connect to any kind of device, anywhere for any reason. If you can't get to the safe to open it, what possible reason could you have to open it?
    If connections like this could be perfectly secured then I suppose some might like the "convenience", but I can't even see an argument behind that. Again, the only point of opening the safe is to GET the gun.
    The fact that you can't perfectly secure applications just kills this idea before it even gets started. It's bad enough that many modern gun safes have put fingerprint readers on them for "convenience" despite those being one of the easiest security features to break on the planet. We don't need and should never want more ways for someone else to be able to hack open access our firearms.

    • Anonymous Coward, 13 Dec 2017 @ 11:01am

      Re: It isn't

      "The fact that you can't perfectly secure"

      NOTHING can be perfectly secured. There is always a way to compromise something. The trick is to make the compromise expensive or time consuming to achieve and then it at least becomes reasonable.

      • Cdaragorn (profile), 13 Dec 2017 @ 12:14pm

        Re: Re: It isn't

        I agree, but that's my entire point. By doing this they're creating more ways the safe can be compromised. And these new ways can be done without physical access to the safe. That makes this doubly insane to even consider doing.

    • btr1701 (profile), 13 Dec 2017 @ 11:24am

      Re: It isn't

      > There is absolutely no reason whatsoever to ever make a
      > gun safe able to connect to any kind of device, anywhere
      > for any reason.

      I agree. I don't even like my own gun safe's electronic lock. Every time I go to open it, the battery is dead and needs to be replaced, so in terms of quick access, I don't recommend anything electronic. Good old fashioned lock and key or combination is the way to go.

      • Bergman (profile), 14 Dec 2017 @ 5:41am

        Re: Re: It isn't

        Some gun safes are purely mechanical (I saw one that uses the length of your fingers as a biometric combination for example), others can be plugged in and only go to battery during a power failure.

        I'd consider one that is primarily battery powered that can't be constantly plugged in to be a deal killer of a design flaw.

    • Michael, 13 Dec 2017 @ 11:37am

      Re: It isn't

      If I am pinned down in one room and need to open my gun safe for my 7 year old in the next room, how else am I supposed to do so without a bluetooth app that allows me to do it remotely?

      Setting that bit of kidding aside, sometimes features get added just for the sake of features and people figure out they are useful later. While I may think this feature is pretty useless, I also thought a touch-screen was pretty dumb when I already had a mouse and keyboard.

      Technology does not always march in easily identifiable directions, so it is difficult to fault someone for making what appears to be a useless feature.

      On the other hand, a feature that renders your safe useless is not exactly a good plan and their implementation was terrible here.

    • Anonymous Coward, 14 Dec 2017 @ 9:30am

      Re: It isn't... but it could be

      Let's say you are startled awake by someone entering your bedroom in the middle of the night, when your gun safe is under the bed.

      As you leap out of bed to confront the man entering your room, you tell your AI (Siri, Android, etc) Open my gun safe (which triggers your phone to send the PIN to unlock the safe). You can then shove the assailant across the room before reaching down to grab your gun out of your now unlocked gun safe.

      Could this happen? Sure in a movie somewhere, in reality probably not, but it demonstrates a potential scenario where a bluetooth enabled gun safe (and some pre arranged app support) could be useful when those extra few seconds to punch in the code could mean the difference between stopping the assailant and becoming the victim.

      • John85851 (profile), 14 Dec 2017 @ 10:13am

        Re: Re: It isn't... but it could be

        Like you said, this would be a cool scene in a movie, but I think the reality would go something like this:

        Interior bedroom, midnight:
        A man hears a prowler in the hallway outside his bedroom.
        **Man:** (whispers) Siri, unlock the gun safe.
        **Siri:** I'm sorry, I didn't get that. Please speak louder.
        **Man:** (normal voice) Siri, unlock the gun safe.
        **Siri:** I think you said you want to unlock your gun safe. I found 5 locksmiths in the area who can help with that.
        **Man:** No, unlock my Vaultek gun safe.
        **Siri**: Now dialing "Walt's Locksmith Service".

      • Uriel-238 (profile), 14 Dec 2017 @ 10:29am

        Could this happen.

        If you kept a pepper-spray riot gun in your bedside drawer, your chances of a positive outcome would sharply rise.

    • orbitalinsertion (profile), 14 Dec 2017 @ 1:15pm

      Re: It isn't

      I'm sorry, but i reeeeaaaalllly need to be able to unlock my gun safe remotely, over the internet, like when i am in Singapore or something. Because reasons. Home defense!

      Honestly, you'd think those who so admire the craftsmanship of firearms would also appreciate the beauty of keys.

  • Anonymous Coward, 13 Dec 2017 @ 10:58am

    fucking awesome!

    Trump would like to order several of these and put the nukulur footballs in them!

  • David, 13 Dec 2017 @ 11:00am

    A firmware update.

    That sounds like the next attack vector. Does it involve cryptographically signed images verified by a mask programmed element in the safe?

    What's the actual amount of physical access and identification required to do the update?

    The problem is that a safe manufacturer cannot just add features like firmware updates and apps. Those are significant new points of attack with significant security implications for which you need to have as much expertise on board as for your physical locks and materials.

    If they did not manage to make the app secure, I have severe doubts that they have what it takes to make firmware updates secure.

    • Gecko, 13 Dec 2017 @ 11:02am

      Re: A firmware update.

      Now imagine someone uploading a bricking firmware. Forever locked will that safe be.

      • Anonymous Coward, 13 Dec 2017 @ 11:06am

        Re: Re: A firmware update.

        this would be awesome... new law to require all citizens to use this gunsafe so the police can remotely brick them before bumrushing your own home. I am sure that criminals would never use that exploit.

        • Anonymous Coward, 13 Dec 2017 @ 2:14pm

          Re: Re: Re: A firmware update.

          I'm sure all criminals would use the safe to begin with too.

    • orbitalinsertion (profile), 14 Dec 2017 @ 1:28pm

      Re: A firmware update.

      The other fun bit: Anyone can probably supply a firmware "update" via USB.

      As far as official updates go, i think we know enough about those. They fix one thing (maybe) and introduce new regressions or vulnerabilities. Particularly in commercial code, released asap to make a buck, in their scramble-to-patch-after-denial-doesn't-work updates. Thank god a gun safe doesn't need an entire OS. (Then again, neither do TVs and what, but you know.)

  • Roger Strong (profile), 13 Dec 2017 @ 11:10am

    Still, it's better than one would expect. When you consider NRA opposition to smart handguns, you'd expect them to launch a jihad against any smart handgun safe that didn't act like a guns and ammo piñata.

    • Anonymous Coward, 13 Dec 2017 @ 11:47am

      Re:

      The NRA has never objected to smart guns. Only to laws mandating their use.

      • Anonymous Coward, 13 Dec 2017 @ 12:04pm

        Re: Re:

        It's not hard to predict that once smart guns hit the market, there absolutely WILL be laws mandating their use (i.e., banning all non-smart guns) and it's for that reason alone that there is a great deal of pressure, both real and implied, on US gun manufacturers to avoid developing any kind of smartgun.

        If any smartgun ever does emerge, it will NOT be from any traditional gun manufacturer, all of which are vulnerable to a mass boycott of their existing products as a result.

        • Uriel-238 (profile), 13 Dec 2017 @ 2:32pm

          The problem with mandating smartguns is...

          It just makes criminals from gun enthusiasts who often like to mix and match gun parts and engineer better guns. Gun modding is big in the US.

          Smart guns are great for people who use guns for defense or their job (e.g. law enforcement). Sadly, guns are not great for defense or law enforcement.

          Until we choose to militarize the resistance, guns are good for hunting game and shooting targets. None of these functions are well served by single-person smart guns.

          Regarding this gun vault, I don't get the need for either a bluetooth lock or an IoT lock. At a gun-store / shooting range, a gun vault with a secure lock would allow the owner or chief armorer to be the sole person who can open the locker, even if he's on vacation in Maui.

          • Uriel-238 (profile), 13 Dec 2017 @ 7:57pm

            Re: The problem with mandating smartguns is...

            what I meant to say was...

            At a gun-store / shooting range, a gun vault with a secure online-accessible lock would allow the owner or chief armorer to be the sole person who can open the locker...

            So far it sounds like most such locks are still easily hackable. But that's a good reason to have a secure one.

            • JEDIDIAH, 14 Dec 2017 @ 6:01am

              Re: The problem with mandating smartguns is...

              Or I could employ an even older bit of technology that seems to be reliable enough to used in schools, gyms, police stations, US Naval vessels, US Air Force nuclear missile silos and any number of other places.

              Don't outsmart yourself.

              • Uriel-238 (profile), 14 Dec 2017 @ 3:11pm

                Heh...nuclear security.

                Yeah, it turns out for the longest time we set our bomber nukes to arm with something like 0000-0000. The thing that kept us from bombing anyone is that our Air-Force lieutenants didn't want to be the guy who nuked somebody.

                The submarine thriller Crimson Tide (1995, Denzel Washington, Gene Hackman) pointed at some of the problems of localized security. Granted, it's a rare problem, and one that has never led to major disaster.

                After the Germanwings Co-Pilot suicide event, an article got bounced here about post 9/11 security which allowed for the co-pilot to take control of the plane without intervention, but given the tech we have, the system we had was the one with the lowest chance of exploitation...and we got unlucky.

                So yeah, a reinforced locker with a tough lock to pick and only a few keys is plenty secure to stop most problems. Sometimes we want to look at how we can stop a few more, for situations where we're stowing things that folks might be really determined to obtain.

      • Roger Strong (profile), 13 Dec 2017 @ 12:08pm

        Re: Re:

        That claim doesn't line up with reality very well.

        It's based on the 2002 New Jersey Childproof Handgun Bill, requiring that all guns sold in New Jersey have a mechanism to prevent unauthorized users from firing it, taking effect three years after such a smart gun is approved by the state. All efforts to introduce a smart gun anywhere in the US are met with protests, the NRA arguing that allowing them anywhere would trigger the law.

        Except that the NRA's opposition to smart guns predates that law by several years. The NRA and its membership boycotted Smith & Wesson in 1999 because the company was developing a smart gun.

        And they've gone to war against smart gun sales in other states, even though the Attorney General of New Jersey determined that sales elsewhere wouldn't trigger the New Jersey mandate.

    • JEDIDIAH, 14 Dec 2017 @ 5:59am

      No kidding.

      > When you consider NRA opposition to smart handguns

      It's very rational given examples like this.

      My view on this is "cops first". Until they are using the technology and comfortable with it, it shouldn't be forced on the rest of us. They shouldn't get access to anything that's denied to other civilians.

      Between this and BLM, people (conveniently) forget about the problem of over-militarized cops.

      Anyone with half a brain knows to be skeptical of attempts to "secure" 100 year old technology with something produced with modern IT practices.

  • Anonymous Coward, 13 Dec 2017 @ 11:13am

    "Not Smart Enough"?

    Timothy, have you considered the possibility that the safe is too smart, and happens to be pro-gun? Less realistic, true, but much more interesting.

    • David, 13 Dec 2017 @ 12:24pm

      Re: "Not Smart Enough"?

      Still sounds like "not smart enough" to me.

    • Anonymous Coward, 13 Dec 2017 @ 12:31pm

      Re: "Not Smart Enough"?

      Is it safe? Never pick it up, for then the agents of the Democrats will be drawn to its power. Always remember, Tim, the Gun is trying to get back to its master. It wants to be found.

      /s on the partisanship

  • Philosopherott (profile), 13 Dec 2017 @ 11:26am

    Reason

    Gun safes are a big topic in the gun owner community. I know many people who are "I don't want anything between me and my gun" folks. Others want something that conceals and/or secures so they have ready access and if people break in they don't have an obvious target to attempt to circumvent. Others just want something like a storage cabinet to keep their kids and maybe a drunk guest away from their guns. Still yet others want a safe in the case of fire/flood/other disaster.

    I would imagine people that lock their weapons away in a small safe like this would also buy it so it is out of sight in a closet or something. My guess is you could, in the night, grab your phone and put in the code as you get up to your firearm. I am not a fan of this product or the idea of it, but I have had enough conversations about gun storage that I can imagine the "rationale" for a product like this. The idea that because you are on your phone you are not "fooling around in the dark" with a combination (then you get the but you screw up your night vision folks chime in...) has a marketing appeal. There are plenty of debates about gun storage already that this is just one more thing on the pile.

  • That Anonymous Coward (profile), 13 Dec 2017 @ 11:27am

    Except the researchers (IIRC) found no way to update the firmware....

    I do enjoy the companies trying to say these guys who made a video faked it all, we are totally secure & only super hackers could do this... (isn't that what the first response to skimmers was? only super hackers could do it?)

    As to why it has bluetooth... marketing buzz.
    There are people who pay a premium for exhaust pipes that make the car run worse, but make them louder. Because louder is what the cool kids are doing.
    Bluetooth is magical technology that will save us all from having to do anything but put our cell phones near things to use them.
    Bluetooth did wonders for skimmers, cheaper than cell links & don't have to reopen the pump to dump the memory. Only have to be kinda near the pumps, it's such a time saver.

    Bluetooth, internet connected are becoming the energy star sticker of today.
    <insert the link to the gas powered alarm clock that got the certification (yes this was a real thing)>
    Bluetooth is new to many people & Apple moving to all bluetooth means it has more mindshare now.
    If you don't have an app you're out of touch with the market.

    In our rush to stuff more features in, less attention is paid to possible downsides. They need to get it to market before the other guy, or just slap their name on the same rebranded Chinese product (see also the DVR botnet) & toss it out on the market.

    It took what 2 or 3 weeks for the first let amazon drop packages off in your house hack. Nothing is hack proof, some things are harder than others... and the current level of security concern is still really low despite some massive PR damage. We need to demand better & stop just getting caught up in the glow of bells & whistles of the cyber.

  • Blaine (profile), 13 Dec 2017 @ 11:41am

    Could be fun

    Find a store that has a few of these on display.

    Use a Raspberry Pi Zero W ($10) with a USB battery pack. Put it in your pocket.

    Go look at the "safes" and turn on their Bluetooth "feature".

    Ask the salesman why they won't stay closed. Watch him play whack-a-mole trying to get them to stay closed.

  • Anonymous Coward, 13 Dec 2017 @ 11:50am

    >And that brings me back to the question of why such an app-controlled gun safe is necessary to begin with.

    So that a robber can shoot the house owner with his own gun.

    /s

    • Not an Electronic Rodent (profile), 14 Dec 2017 @ 10:53am

      Re:

      So that a robber can shoot the house owner with his own gun.

      Statistics would seem to suggest this is a valuable design feature....

  • Blaine (profile), 13 Dec 2017 @ 12:06pm

    Wardriving for guns to steal

    Here's another scenario.

    Simply adapt the setup in the "Screwdriving" article to detect these "safes".

    Make a list of houses and wait till the owners are out, break in, pop open the crackerjack box for your prize.

    Even if they are hidden, there are a lot of apps you could use to watch the Bluetooth signal strength and play hot/cold till you find it.

    • idearat (profile), 14 Dec 2017 @ 6:32pm

      Re: Wardriving for guns to steal

      My thought exactly. In addition to being a "open the locked gun safe" app, it becomes a "where's the hidden gun safe" app.

      BT devices are by their nature promiscuous to make them easy to use. Putting them on locks and other security devices invites unauthorized access and should be included with only extreme caution. That said, I still think if I had a wireless lock in my house I'd go for a bluetooth one with no cloud component at all rather than have my front door exposed to the world.

  • Anonymous Coward, 13 Dec 2017 @ 12:06pm

    How to train your users to be hacked

    "So, to patch this exploit, gun owners are going to be sent a USB device and install the patch themselves"

    1. Comb the Internet for mentions of this safe.
    2. Engage the owners posing as a company rep.
    3. Offer to send them the SuperSpecialSekritUpdate.
    4. Send them a USB device with appropriate packaging, letterhead notes, logo, etc.
    5. Brick their safes.

  • Anonymous Coward, 13 Dec 2017 @ 12:10pm

    PIN Number

    [Screams internally]

  • Chuck, 13 Dec 2017 @ 1:56pm

    Just a guess

    My wild guess - and as I own no handguns (one shotgun), it is really a guess - is that it's for the types who think that, in the event that someone breaks into their house, they will be able to defend themselves with a firearm of their own. A delusional belief, at best, but that's neither here nor there.

    My theory is that the idea is that typing in a PIN when you're half-asleep, possibly in the dark, is more difficult than doing so on your backlit smartphone. Of course, why they couldn't just backlight the keypad on the safe itself, instead, is beyond me.

    That, or you don't trust your wife/child/etc. to handle your gun, but you want to be able to unlock it remotely when they're not home "just in case." Though, since it's bluetooth, "not home" would mean no farther away than your driveway.

    Really, it's a stupid optional feature that only a tiny handful of extremely paranoid people would want. What's amazing is they actually believe that such a feature would mean the difference between defending themselves or not, yet they aren't paranoid at all about the iOS or Android device they use to do it.

    I mean, I use Android, but the difference is I'm not paranoid about EITHER. I know exactly what google is collecting about me, and I also know that, in the real world, if someone is already inside my damn house, unless they're going to wait 20 minutes while I drink my first 2 cups of coffee, having access to a gun is only going to get me killed faster.

    But people buy a Glock or an AR-15 and suddenly they think they're a Navy SEAL. *sigh*

    • Anonymous Coward, 13 Dec 2017 @ 2:26pm

      Re: Just a guess

      "in the real world, if someone is already inside my damn house ... having access to a gun is only going to get me killed faster."

      The unfortunate flip side is that merely living in a country where people commonly have guns is going to get you killed faster -- especially by cops.

      Another question is if you would actually have the nerve to fire your gun at a bunch of armed bandits who bust into your house in the middle of the night screaming "police" and "search warrant" etc. I'm going to guess that the vast majority of gun owners would not. If that's the case, then it severely diminishes the rationale of keeping a gun for home self-defence.

  • Anonymous Coward, 13 Dec 2017 @ 2:09pm

    Wouldn't a better title be "Smart Handgun Safe Dumb Enough To Let Basically Anyone Break In"? The double negatives just seem a little unwieldy for a title.

  • Anonymous Coward, 13 Dec 2017 @ 2:37pm

    Yes, because no one has ever defended their home with a gun at night.

    That being said, there are smart toasters. Why would anyone make a smart toaster?

    My guess? Because they could?

  • MyNameHere (profile), 13 Dec 2017 @ 5:13pm

    Neat Story

    I enjoy the story, but I sort of laughed when it got to this:

    " All that's required to make it work is that the safe have Bluetooth connectivity turned on."

    There are a finite number of combinations for the safe. However, the testers (trying to prove their point) chose 5 digit codes rather than 8. If the 5 digit code took 10 seconds to hack, the 6 digit would take 50 seconds (5 times as many numbers), the 7 digit would take 250 seconds, and the 8 digit would take 1250 seconds (or about 21 minutes). Essentially, they chose the sweet spot that would look like they didn't make it too easy, but not too hard either.

    If I understand correctly, if you do not use the Bluetooth option (never set a code) then the unit cannot be opened via this method. So part of the question would be how many people use an app rather than just the biometric stuff on the unit itself.

    It's a product fail for sure, however. There is no real and valid reason to have bluetooth connectivity to start with. Clearly, their code doesn't have an apple style "5 tries and locked out for 5 minutes" type thing in it, so basically they are just jamming codes at it as fast as possible until it pops.

  • MyNameHere (profile), 13 Dec 2017 @ 5:17pm

    For reference, here's the breakdown:

    1 digit: 5 codes
    2 digits 25 codes
    3 digits 125 codes
    4 digits 625 codes
    5 digits 3125 codes
    6 digits 15,625 codes
    7 digits 78,125 codes
    8 digits 390,625 codes

    So basically, by hacking it at 5 digits, it was less than 1% of the possible codes. It's a nice proof of concept, but 21 minutes would be much different from 10 seconds.

    • That Anonymous Coward (profile), 13 Dec 2017 @ 10:00pm

      Re:

      "The feat required no knowledge of the unlock PIN or any advanced scanning of the vulnerable safe. The hack works reliably even when the PIN is changed."

      It waits to hear a magic word via bluetooth and opens.
      They figured out the magic word.
      Doesn't matter what the pin is, once you know the magic word...

      This is the same sort of laziness that led someone to make a skimmer scanner app, the criminals never renamed the bluetooth chip they use, so the app scans for the name that's used by 90% of them & warns you if it finds it.

      link to this | view in chronology ]

  • Anonymous Coward, 14 Dec 2017 @ 1:56am

    This is a travel safe. This is used to transport a gun from home to target range and back. I would call it a lock box, not a safe. A safe becomes part of the abode it is in.

    This is as much of a safe as a lockable suitcase is a safe.

    link to this | view in chronology ]

  • peter, 14 Dec 2017 @ 3:15am

    why such an app-controlled gun safe is necessary?

    To quote Big Bang Theory "Penny, everything is better with Bluetooth"

    link to this | view in chronology ]

  • McGyver (profile), 14 Dec 2017 @ 4:50am

    Vaultek?
    I wonder how Bethesda feels about that name.
    Megh.
    Once you add the suffix or prefix "Tek" to any formerly "dumb" device or mechanism, that's basically the nail in the coffin...
    Especially the CoffinTek-2000...

    link to this | view in chronology ]

  • Anonymous Cowherd, 14 Dec 2017 @ 9:40am

    Word substitution

    It should be pretty obvious by now that the word "smart" as attached to any device is a marketing euphemism for "insecure."

    link to this | view in chronology ]

    • Uriel-238 (profile), 14 Dec 2017 @ 10:33am

      Re: Word substitution

      Don't you know we got smart bombs? It's a good thing that our bombs are clever Don't ya know that the smart bombs are so clever? They only kill bad people now

      link to this | view in chronology ]

  • John85851 (profile), 14 Dec 2017 @ 10:02am

    The company's response

    I thought the paragraph about the company's response (under the image) would go a little differently:
    "Once this video and the code for the hack was released publicly, Vaultek snapped into action by suing the researchers and issuing a copyright-takedown notice on YouTube for finding this vulnerability."

    link to this | view in chronology ]

  • Not an Electronic Rodent (profile), 14 Dec 2017 @ 10:58am

    I'd like to buy an analogy, please.

    Smart Handgun Safe Not Smart Enough Not To Let Basically Anyone Break Into It

    Well, if that isn't an analogy for US gun laws.....

    /ducking

    link to this | view in chronology ]

  • TRX, 14 Dec 2017 @ 2:28pm

    > I know we have gun owners among our readers, so please chime in below with what I'm missing, but isn't it enough to unlock the PIN from the box instead of your phone?
    ---
    It's a classic answer to a question nobody asked.

    I expect the manufacturer will be making Bluetooth+app toilet paper dispensers, shower mixer valves, and lawnmower start interlocks next.

    link to this | view in chronology ]

  • Robert, 23 Apr 2019 @ 10:47am

    I realize this is a late reply, but I just bought this safe and have a few comments to some of the comments.
    I’m not worried about Ethan Hunt and his team coming to my house to gain access to my hand gun. I bought this to prevent my grand nieces and nephews (ages 2-6 and not programmers) from accidentally gaining access to my weapon. Like someone else mentioned, it’s not likely your common criminal will come prepared with a laptop and a program to get into my particular gun safe.
    I bought it so I could have fast access to my gun should it ever be needed and with an 8 digit code I know I’ll have to be awake enough to not make a terrible mistake but can still get to my gun in under 2 seconds if I need to. I see the “APP” as nothing more than a way in if I should forget my code. I can enter my code way faster than going through my phone.
    For those talking about bricking the thing so the owner can’t get back in, nice try. There is of course a key if all else fails (my keys are in my safety deposit box so the app’s a nice touch if I forget my code. I can also see if anyone has tampered with my safe).
    As far as battery life, I read a lot of reviews before settling on this safe and most people were reporting 4-6 months without a charge with access a couple times a day (I guess they are cc people). More than adequate and easy to check the charge status by pushing a couple keys or in the app (mine is still at 100% after a week and frequent entries).

    link to this | view in chronology ]

  • Anonymous Coward, 17 May 2020 @ 3:36pm

    Remote monitoring

    Everybody has focused on the value or up value of using an app to open the safe. I think the real Smart feature benefit is of being able to get instant tamper/open alerts when you are away from your safe. Being able to also set alarms for temp and humidity is helpful too.

    link to this | view in chronology ]

