Smart Handgun Safe Not Smart Enough Not To Let Basically Anyone Break Into It
from the bang-bang dept
When we discuss the problems around "the internet of things" and app-controlled everything, we typically have to get into the weeds a bit about privacy, whether you own what you purchased, and the ethical implications of opening up an internet-connected service or product to potential hacking. On the security and hacking side of things, it should be clear by now that far too many companies don't take this stuff seriously enough. Our pages are rife with IoT devices being hacked, including everything from Barbie dolls to sports cars. It's enough to make you long for a company with a mission basic enough to develop a product so geared towards security that it couldn't possibly get this app-controlled thing wrong.
Well, how about a handgun safe? Take the Vaultek VT20i handgun safe, for instance. This safe can be opened either by inputting the user's PIN number, up to eight digits, either on the box itself or via a smartphone app. Now, you're probably wondering why someone who needs their hand-cannon would need to open the safe up with an app. It's a great question, but one we probably shouldn't worry about considering that some security researches found that you can just open that damn thing with a laptop instead, no PIN number needed.
The remote unlock feature is supposed to work only when someone knows the four- to eight-digit personal identification number used to lock the device. But it turns out that this PIN safeguard can be bypassed using a standard computer and a small amount of programming know-how.
As the video demonstration below shows, researchers with security firm Two Six Labs were able to open a VT20i safe in a matter of seconds by using their MacBook Pro to send specially designed Bluetooth data while it was in range. The feat required no knowledge of the unlock PIN or any advanced scanning of the vulnerable safe. The hack works reliably even when the PIN is changed. All that's required to make it work is that the safe have Bluetooth connectivity turned on.
Once this video and the code for the hack was released publicly, Vaultek snapped into action by releasing a statement claiming that this hack would take hours to pull off and would "require the ability to observe a correctly paired phone." To Which Two Six Labs said: "Nuh-uh!"
"Once you have developed this capability or written a script to do it, you can affect any safe in this product line in a matter of seconds," Austin Fletcher, Two Sixes Labs' lead vulnerability research engineer, told Ars. "Anyone can do this."
In a blog post disclosing the vulnerability, the researchers included most of the code required to exploit the vulnerability. A competent developer would need 20 to 60 minutes to supply the missing portion. With that, the developer could build a smartphone app that could silently break into any existing VT20i safe in seconds, as long as Bluetooth was turned on.
Now, Dustin Culbreth, VP of Product Development for Vaultek, has issued a second statement from Vaultek, promising a firmware update that will address this exploit. There are a couple of problems with that. First, despite all of the Bluetooth back-and-forth from this gun safe and Bluetooth devices, the safe isn't actually connected to the internet. So, to patch this exploit, gun owners are going to be sent a USB device and install the patch themselves (perhaps through no more effort than plugging it in, but this is unclear) or will have to ship the safe back to Vaultek to be fixed. In a world where user error is the mantra of anyone involved in supporting technology, one shudders to think so much security over a weapon would be effective only at the pleasure of the average end-user's dedication to patching their own gun safe.
And that brings me back to the question of why such an app-controlled gun safe is necessary to begin with. I know we have gun owners among our readers, so please chime in below with what I'm missing, but isn't it enough to unlock the PIN from the box instead of your phone? And, if not, is the application controlled unlocking feature worth this kind of risk?
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: gun safe, iot, locks, smart handgun, vaultek vt20i
Companies: vaultek
Reader Comments
Subscribe: RSS
View by: Time | Thread
It isn't
There is absolutely no reason whatsoever to ever make a gun safe able to connect to any kind of device, anywhere for any reason. If you can't get to the safe to open it, what possible reason could you have to open it?
If connections like this could be perfectly secured then I suppose some might like the "convenience", but I can't even see an argument behind that. Again, the only point of opening the safe is to GET the gun.
The fact that you can't perfectly secure applications just kills this idea before it even gets started. It's bad enough that many modern gun safes have put fingerprint readers on them for "convenience" despite those being one of the easiest security features to break on the planet. We don't need and should never want more ways for someone else to be able to hack open access our firearms.
[ link to this | view in chronology ]
Re: It isn't
NOTHING can be perfectly secured. There is always a way to compromise something. The trick is to make the compromise expensive or time consuming to achieve and then it at least becomes reasonable.
[ link to this | view in chronology ]
Re: Re: It isn't
[ link to this | view in chronology ]
Re: It isn't
> gun safe able to connect to any kind of device, anywhere
> for any reason.
I agree. I don't even like my own gun safe's electronic lock. Every time I go to open it, the battery is dead and needs to be replaced, so in terms of quick access, I don't recommend anything electronic. Good old fashioned lock and key or combination is the way to go.
[ link to this | view in chronology ]
Re: Re: It isn't
I'd consider one that is primarily battery powered that can't be constantly plugged in to be a deal killer of a design flaw.
[ link to this | view in chronology ]
Re: It isn't
Setting that bit of kidding aside, sometimes features get added just for the sake of features and people figure out they are useful later. While I may think this feature is pretty useless, I also thought a touch-screen was pretty dumb when I already had a mouse and keyboard.
Technology does not always march in easily identifiable directions, so it is difficult to fault someone for making what appears to be a useless feature.
On the other hand, a feature that renders your safe useless is not exactly a good plan and their implementation was terrible here.
[ link to this | view in chronology ]
Re: Re: It isn't
[ link to this | view in chronology ]
Re: It isn't... but it could be
As you leap out of bed to confront the man entering your room, you tell your AI (Siri, Android, etc) Open my gun safe (which triggers your phone to send the PIN to unlock the safe). You can then shove the assailant across the room before reaching down to grab your gun out of your now unlocked gun safe.
Could this happen? Sure in a movie somewhere, in reality probably not, but it demonstrates a potential scenario where a bluetooth enabled gun safe (and some pre arranged app support) could be useful when those extra few seconds to punch in the code could mean the difference between stopping the assailant and becoming the victim.
[ link to this | view in chronology ]
Re: Re: It isn't... but it could be
Interior bedroom, midnight:
A man hears a prowler in the hallway outside his bedroom.
**Man:** (whispers) Siri, unlock the gun safe.
**Siri:** I'm sorry, I didn't get that. Please speak louder.
**Man:** (normal voice) Siri, unlock the gun safe.
**Siri:** I think you said you want to unlock your gun safe. I found 5 locksmiths in the area who can help with that.
**Man:** No, unlock my Vaultek gun safe.
**Siri**: Now dialing "Walt's Locksmith Service".
[ link to this | view in chronology ]
Could this happen.
If you kept a pepper-spray riot gun in your bedside drawer, your chances of a positive outcome would sharply rise.
[ link to this | view in chronology ]
Re: It isn't
I'm sorry, but i reeeeaaaalllly need to be able to unlock my gun safe remotely, over the internet, like when i am in Singapore or something. Because reasons. Home defense!
Honestly, you'd think those who so admire the craftsmanship of firearms would also appreciate the beauty of keys.
[ link to this | view in chronology ]
Trump would like to order several of these and put the nukulur footballs in them!
[ link to this | view in chronology ]
A firmware update.
That sounds like the next attack vector. Does it involve cryptographically signed images verified by a mask programmed element in the safe?
What's the actual amount of physical access and identification required to do the update?
The problem is that a safe manufacturer cannot just add features like firmware updates and apps. Those are significant new points of attack with significant security implications for which you need to have as much expertise on board than for your physical locks and materials.
If they did not manage to make the app secure, I have severe doubts that they have what it takes to make firmware updates secure.
[ link to this | view in chronology ]
Re: A firmware update.
[ link to this | view in chronology ]
Re: Re: A firmware update.
[ link to this | view in chronology ]
Re: Re: Re: A firmware update.
[ link to this | view in chronology ]
Re: A firmware update.
As far as official updates go, i think we know enough about those. They fix one thing (maybe) and introduce new regressions or vulnerabilities. Particularly in commercial code, released asap to make a buck, in in their scramble-to-patch-after-denial-doesn't-work updates. Thank god a gun safe doesn't need an entire OS. (Then again, neither do TVs and what, but you know.)
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re:
If any smartgun ever does emerge, it will NOT be from any traditional gun manufacturer, all of which are vulnerable to a mass boycott of their existing products as a result.
[ link to this | view in chronology ]
The problem with mandating smartguns is...
It just makes criminals from gun enthusiasts who often like to mix and match gun parts and engineer better guns. Gun modding is big in the US.
Smart guns are great for people who use guns for defense or their job (e.g. law enforcement). Sadly, guns are not great for defense or law enforcement.
Until we choose to militarize the resistance, guns are good for hunting game and shooting targets. None of these functions are well served by single-person smart guns.
Regarding this gun vault, I don't get the need for either a bluetooth lock or an IoT lock. At a gun-store / shooting range, a gun vault with a secure lock would allow the owner or chief armorer to be the sole person who can open the locker, even if he's on vacation in Maui.
[ link to this | view in chronology ]
Re: The problem with mandating smartguns is...
what I meant to say was...
At a gun-store / shooting range, a gun vault with a secure online-accessible lock would allow the owner or chief armorer to be the sole person who can open the locker...
So far it sounds like most such locks are still easily hackable. But that's a good reason to have a secure one.
[ link to this | view in chronology ]
Re: The problem with mandating smartguns is...
Don't outsmart yourself.
[ link to this | view in chronology ]
Heh...nuclear security.
Yeah, it turns out for the longest time we set our bomber nukes to arm with something like 0000-0000. The thing that kept us from bombing anyone is that our Air-Force lieutenants didn't want to be the guy who nuked somebody.
The submarine thriller Crimson Tide (1995, Denzel Washington, Gene Hackman) pointed at some of the problems of localized security. Granted, it's a rare problem, and one that has never lead to major disaster.
After the Germanwings Co-Pilot suicide event, an article got bounced here about post 9/11 security which allowed for the co-pilot to take control of the plane without intervention, but given the tech we have, the system we had was the one with the lowest chance of exploitation...and we got unlucky.
So yeah, a reinforced locker with a tough lock to pick and only a few keys is plenty secure to stop most problems. Sometimes we want to look at how we can stop a few more, for situations where we're stowing things that folks might be really determined to obtain.
[ link to this | view in chronology ]
Re: Re:
It's based on the 2002 New Jersey Childproof Handgun Bill, requiring that all guns sold in New Jersey have a mechanism to prevent unauthorized users from firing it, taking effect three years after such a smart gun is approved by the state. All efforts to introduce a smart gun anywhere in the US are met with protests, the NRA arguing that allowing them anywhere would trigger the law.
Except that the NRA's opposition to smart guns predates that law by several years. The NRA and its membership boycotted Smith & Wesson in 1999 because the company was developing a smart gun.
And they've gone to war against smart gun sales in other states, even though the Attorney General of New Jersey determined that sales elsewhere wouldn't trigger the New Jersey mandate.
[ link to this | view in chronology ]
Re: Re: Re:
https://www.nraila.org/articles/20000320/the-smith-wesson-sellout
[ link to this | view in chronology ]
No kidding.
It's very rational given examples like this.
My view on this is "cops first". Until they are using the technology and comfortable with it, it shouldn't be forced on the rest of us. They shouldn't get access to anything that's denied to other civilians.
Between this and BLM, people (conveniently) forget about the problem of over-militarized cops.
Anyone with half a brain knows to be skeptical of attempts to "secure" 100 year old technology with something produced with modern IT practices.
[ link to this | view in chronology ]
"Not Smart Enough"?
Timothy, have you considered the possibility that the safe is too smart, and happens to be pro-gun? Less realistic, true, but much more interesting.
[ link to this | view in chronology ]
Re: "Not Smart Enough"?
[ link to this | view in chronology ]
Re: "Not Smart Enough"?
/s on the partisanship
[ link to this | view in chronology ]
Reason
I would imagine people that lock there weapons away in a small safe like this would also buy it so it is out of site in a closet or something. My guess is you could, in the night, grab your phone and put in the code as you get up to your firearm. I am not a fan of this product or the idea of it, but I have had enough conversations about gun storage that I can imagine the "rational" for a product like this. The idea that because you are on your phone you are not "fooling around in the dark" with a combination (then you get the but you screw up your night vision folks chime in...)has a marketing appeal. There are plenty of debates about gun storage already that this is just one more thing on the pile.
[ link to this | view in chronology ]
I do enjoy the companies trying to say these guys who made a video faked it all, we are totally secure & only super hackers could do this... (isn't that what the first response to skimmers was? only super hackers could do it?)
As to why it has bluetooth... marketing buzz.
There are people who pay a premium for exhaust pipes that make the car run worse, but make them louder. Because louder is what the cool kids are doing.
Bluetooth is magical technology that will save us all from having to do anything but put our cell phones near things to use them.
Bluetooth did wonders for skimmers, cheaper than cell links & don't have to reopen the pump to dump the memory. Only have to be kinda near the pumps, its such a time saver.
Bluetooth, internet connected are becoming the energy star sticker of today.
<insert the link to the gas powered alarm clock that got the certification (yes this was a real thing)>
Bluetooth is new to many people & Apple moving to all bluetooth means it has more mindshare now.
If you don't have an app you're out of touch with the market.
In our rush to stuff more features in, less attention is paid to possible downsides. They need to get it to market before the other guy, or just slap their name on the same rebranded Chinese product (see also the DVR botnet) & toss it out on the market.
It took what 2 or 3 weeks for the first let amazon drop packages off in your house hack. Nothing is hack proof, some things are harder than others... and the current level of security concern is still really low despite some massive PR damage. We need to demand better & stop just getting caught up in the glow of bells & whistles of the cyber.
[ link to this | view in chronology ]
Could be fun
Use a Raspberry Pi Zero W ($10) with a USB battery pack. Put it in your pocket.
Go look at the "safes" and turn on their Bluetooth "feature".
Ask the salesman why they won't stay closed. Watch him play wack-a-mole trying to get them to stay closed.
[ link to this | view in chronology ]
So that a robber can shoot the house owner with his own gun.
/s
[ link to this | view in chronology ]
Re:
Statistics would seem to suggest this is a valuable design feature....
[ link to this | view in chronology ]
Wardriving for guns to steal
Here's another scenario.
Simply adapt the setup in the "Screwdriving" article to detect these "safes".
Make a list of houses and wait till the owners are out, break in, pop open the crackerjack box for your prize.
Even if they are hidden, there are a lot of apps you could use to watch the Bluetooth signal strength and play hot/cold till you find it.
[ link to this | view in chronology ]
Re: Wardriving for guns to steal
BT devices are by their nature promiscuous to make them easy to use. Putting them on locks and other security devices invites unauthorized access and should be included with only extreme caution. That said, I still think if I had a wireless lock in my house I'd go for a bluetooth one with no cloud component at all rather than have my front door exposed to the world.
[ link to this | view in chronology ]
How to train your users to be hacked
1. Comb the Internet for mentions of this safe.
2. Engage the owners posing as a company rep.
3. Offer to send them the SuperSpecialSekritUpdate.
4. Send them a USB device with appropriate packaging, letterhead notes, logo, etc.
5. Brick their safes.
[ link to this | view in chronology ]
PIN Number
[ link to this | view in chronology ]
Re: PIN Number
ATM Machine
[ link to this | view in chronology ]
Just a guess
My theory is that the idea is that typing in a PIN when you're half-asleep, possibly in the dark, is more difficult than doing so on your backlit smartphone. Of course, why they couldn't just backlight the keypad on the safe itself, instead, is beyond me.
That, or you don't trust your wife/child/etc. to handle your gun, but you want to be able to unlock it remotely when they're not home "just in case." Though, since it's bluetooth, "not home" would mean no farther away than your driveway.
Really, it's a stupid optional feature that only a tiny handful of extremely paranoid people would want. What's amazing is they actually believe that such a feature would mean the difference between defending themselves or not, yet they aren't paranoid at all about the iOS or Android device they use to do it.
I mean, I use Android, but the difference is I'm not paranoid about EITHER. I know exactly what google is collecting about me, and I also know that, in the real world, if someone is already inside my damn house, unless they're going to wait 20 minutes while I drink my first 2 cups of coffee, having access to a gun is only going to get me killed faster.
But people buy a Glock or an AR-15 and suddenly they think they're a Navy SEAL. *sigh*
[ link to this | view in chronology ]
Re: Just a guess
The unfortunate flip side is that merely living in a country where people commonly have guns is going to get you killed faster -- especially by cops.
Another question is if you would actually have the nerve to fire your gun at a bunch of armed bandits who bust into your house in the middle of the night screaming "police" and "search warrant" etc. I'm going to guess that the vast majority of gun owners would not. If that's the case, then it severely diminshes the rationale of keeping a gun for home self-defence.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
That being said, there are smart toasters. Why would anyone make a smart toaster?
My guess? Because they could?
[ link to this | view in chronology ]
Re:
https://youtu.be/LRq_SAuQDec
[ link to this | view in chronology ]
Re: Re:
Prescient glimpse of the future, that, i'd say.
[ link to this | view in chronology ]
Neat Story
" All that's required to make it work is that the safe have Bluetooth connectivity turned on."
There are a finite number of combinations for the safe. However, the testers (trying to prove their point) choose 5 digit codes rather than 8. If the 5 digit code took 10 seconds to hack, the 6 digit would take 50 seconds (5 times as many numbers), the 7 digit would take 250 seconds, and the 8 digit would take 1250 seconds (or about 21 minutes). Essentially, they choose the sweet spot that would look like they didn't make it too easy, but not too hard either.
If I understand correctly, if you do not use the Bluetooth option (never set a code) then the unit cannot be opened via this method. So part of the question would be how many people use an app rather than just the biometric stuff on the unit itself.
It's a product fail for sure, however. There is no real and valid reason to have bluetooth connectivity to start with. Clearly, their code doesn't have an apple style "5 tries and locked out for 5 minutes" type thing in it, so basically they are just jamming codes at it as a fast as possible until it pops.
[ link to this | view in chronology ]
1 digit: 5 codes
2 digits 25 codes
3 digits 125 codes
4 digits 625 codes
5 digits 3125 codes
6 digits 15,625 codes
7 digits 78,125 codes
8 digits 390,625 codes
So basically, by hacking it at 5 digits, it was less than 1% of the possible codes. It's a nice proof of concept, but 21 minutes would be much different from 10 seconds.
[ link to this | view in chronology ]
Re:
It waits to hear a magic word via bluetooth and opens.
They figured out the magic word.
Doesn't matter what the pin is, once you know the magic word...
This is the same sort of laziness that lead someone to make a skimmer scanner app, the criminals never renamed the bluetooth chip they use, so the app scans for the name thats used by 90% of them & warns you if it find its.
[ link to this | view in chronology ]
Re: Re:
:)
[ link to this | view in chronology ]
This is as much of a safe as lockable suitcase is a safe.
[ link to this | view in chronology ]
why such an app-controlled gun safe is necessary?
[ link to this | view in chronology ]
I wonder how Bethesda feels about that name.
Megh.
Once you add the suffix or prefix "Tek" to any formerly "dumb" device or mechanism, that's basically the the nail in the coffin...
Especially the CoffinTek-2000...
[ link to this | view in chronology ]
Word substitution
[ link to this | view in chronology ]
Re: Word substitution
Don't you know we got smart bombs? It's a good thing that our bombs are clever Don't ya know that the smart bombs are so clever? They only kill bad people now
[ link to this | view in chronology ]
The company's response
"Once this video and the code for the hack was released publicly, Vaultek snapped into action by suing the researchers and issuing a copyright-takedown notice on YouTube for finding this vulnerability."
[ link to this | view in chronology ]
I'd like to buy an analogy, please.
Well, if that isn't an analogy for US gun laws.....
/ducking
[ link to this | view in chronology ]
---
It's a classic answer to a question nobody asked.
I expect the manufacturer will be making Bluetooth+app toilet paper dispensers, shower mixer valves, and lawnmower start interlocks next.
[ link to this | view in chronology ]
I realize this is a late reply, but I just bought this safe and have a few comments to some of the comments.
I’m not worried about Ethan Hunt and his team coming to my house to gain access to my hand gun. I bought this to prevent my grand nieces and nephews (ages 2-6 and not programmers) from accidentally gaining access to my weapon. Like someone else mentioned, it’s not likely your common criminal will come prepared with a laptop and a program to get into my particular gun safe.
I bought it so I could have fast access to my gun should it ever be needed and with an 8 digit code I know I’ll have to be awake enough to not make a terrible mistake but can still get to my gun in under 2 seconds if I need to. I see the “APP” as nothing more than a way in if I should forget my code. I can enter my code way faster than going through my phone.
For those talking about bricking the thing so the owner can’t get back in, nice try. There is of course a key if all else fails (my keys are in my safety deposit box so the apps a nice touch if I forget my code. I can also see if anyone has tampered with my safe).
As far as battery life, I read a lot of reviews before settling on this safe and most people were reporting 4-6 months without a charge with access a couple times a day (I guess they are cc people). More than adequate and easy to check the charge status by pushing a couple keys or in the app (mine is still at 100% after a week and frequent entries.
[ link to this | view in chronology ]
Remote monitoring
Everybody has focused on The value or up value of using an app to open the safe. I think the real Smart feature benefit is of being able to get instant tamper/open alerts when you are away from your safe. Being able to also set alarms for temp and humidity is helpful too.
[ link to this | view in chronology ]