Smart Handgun Safe Not Smart Enough Not To Let Basically Anyone Break Into It

from the bang-bang dept

When we discuss the problems around "the internet of things" and app-controlled everything, we typically have to get into the weeds a bit about privacy, whether you own what you purchased, and the ethical implications of opening up an internet-connected service or product to potential hacking. On the security and hacking side of things, it should be clear by now that far too many companies don't take this stuff seriously enough. Our pages are rife with IoT devices being hacked, including everything from Barbie dolls to sports cars. It's enough to make you long for a company with a mission basic enough to develop a product so geared towards security that it couldn't possibly get this app-controlled thing wrong.

Well, how about a handgun safe? Take the Vaultek VT20i handgun safe, for instance. This safe can be opened either by inputting the user's PIN number, up to eight digits, either on the box itself or via a smartphone app. Now, you're probably wondering why someone who needs their hand-cannon would need to open the safe up with an app. It's a great question, but one we probably shouldn't worry about considering that some security researches found that you can just open that damn thing with a laptop instead, no PIN number needed.

The remote unlock feature is supposed to work only when someone knows the four- to eight-digit personal identification number used to lock the device. But it turns out that this PIN safeguard can be bypassed using a standard computer and a small amount of programming know-how.

As the video demonstration below shows, researchers with security firm Two Six Labs were able to open a VT20i safe in a matter of seconds by using their MacBook Pro to send specially designed Bluetooth data while it was in range. The feat required no knowledge of the unlock PIN or any advanced scanning of the vulnerable safe. The hack works reliably even when the PIN is changed. All that's required to make it work is that the safe have Bluetooth connectivity turned on.

Once this video and the code for the hack was released publicly, Vaultek snapped into action by releasing a statement claiming that this hack would take hours to pull off and would "require the ability to observe a correctly paired phone." To Which Two Six Labs said: "Nuh-uh!"

"Once you have developed this capability or written a script to do it, you can affect any safe in this product line in a matter of seconds," Austin Fletcher, Two Sixes Labs' lead vulnerability research engineer, told Ars. "Anyone can do this."

In a blog post disclosing the vulnerability, the researchers included most of the code required to exploit the vulnerability. A competent developer would need 20 to 60 minutes to supply the missing portion. With that, the developer could build a smartphone app that could silently break into any existing VT20i safe in seconds, as long as Bluetooth was turned on.

Now, Dustin Culbreth, VP of Product Development for Vaultek, has issued a second statement from Vaultek, promising a firmware update that will address this exploit. There are a couple of problems with that. First, despite all of the Bluetooth back-and-forth from this gun safe and Bluetooth devices, the safe isn't actually connected to the internet. So, to patch this exploit, gun owners are going to be sent a USB device and install the patch themselves (perhaps through no more effort than plugging it in, but this is unclear) or will have to ship the safe back to Vaultek to be fixed. In a world where user error is the mantra of anyone involved in supporting technology, one shudders to think so much security over a weapon would be effective only at the pleasure of the average end-user's dedication to patching their own gun safe.

And that brings me back to the question of why such an app-controlled gun safe is necessary to begin with. I know we have gun owners among our readers, so please chime in below with what I'm missing, but isn't it enough to unlock the PIN from the box instead of your phone? And, if not, is the application controlled unlocking feature worth this kind of risk?

Filed Under: gun safe, iot, locks, smart handgun, vaultek vt20i
Companies: vaultek

DailyDirt: Keep It Secret. Keep It Safe.

from the urls-we-dig-up dept

Not that long ago, a very common bike lock was rendered ridiculously insecure when it was revealed on the internet that a cheap plastic pen and some twisting skills were all that were needed to open the lock without a key. Lock picking has been around for centuries with some locks being easier to crack than others, making some people distrust various lock-makers or distrust certain lock-pickers. Whoever the "bad guy" is, keeping things secret and safe has been a challenge and will continue to be one. Here are just a few more examples of locks and insecure locks.

• Some (perhaps your?) Master Lock branded padlocks can be cracked in 8 tries or less. Thieves don't need a soda can shim -- anymore to break into these locks, and hopefully you don't keep anything really valuable behind a combination padlock. [url]
• The XPUZMAG lock is an unconventional device with a huge key that uses 6 pins to insert into its lock faceplate with 23 holes. It's not the most convenient key to carry around, but if you'd like to foil the casual lockpickers in your neighborhood, this lock would probably do the trick. [url]
• Alfred Charles Hobbs was an American locksmith who picked the Chubb detector lock in 1851. Before Hobbs demonstrated his lock picking skills, there was about a 70-year period of time when locks were considered to be pretty much perfect security, but after the 1850s, "perfect security" has been merely an illusion. [url]

After you've finished checking out those links, take a look at our Daily Deals for cool gadgets and other awesome stuff.

Filed Under: alfred charles hobbs, bike locks, chubb detector lock, combination locks, lock picking, locks, locksmith, padlocks, perfect security, soda can shim
Companies: kryptonite, master lock, xpuzmag

TSA Agents Outwitted By Cory Doctorow's Unlocked, 'TSA-Safe' Suitcase

from the the-skies-won't-be-safe-until-every-checked-bag-has-been-destroyed dept

Prior to the 9//11 attacks, you only had to worry about airport baggage handlers beating the hell out of your luggage or stealing your valuables. Thanks to the post-attack panic, there's a new layer of ineptitude and deceit your luggage is subjected to on its way to its destination (which may not be your destination).

Boing Boing's Cory Doctorow (or rather, his luggage) was recently subjected to the brutish charms of the Transportation Security Administration.

[T]he TSA still routinely and unaccountably destroys luggage equipped with "TSA-safe" locks, just because they can. Last week, TSA inspectors at Phoenix's Sky Harbor airport pried the locks off of my unlocked, "TSA-safe" suitcase before taping it shut again and loading it onto my London-bound flight.

Here's what Doctorow's luggage looked like after the "TSA-safe" locking mechanism outmaneuvered the TSA agent in charge of crowbar-wielding and packaging tape application.


This appears to be the luggage Doctorow "submitted" to the TSA (although Doctorow's is possibly an earlier iteration), which then handled it with all the grace and skill of two male supermodels trying to retrieve files from a computer.


The TSA should have had no trouble unlocking the suitcase (using keys, rather than physically attacking it). Rimowa's site states that its luggage features "TSA combination locks."


Bypassing it with a master key was the option the TSA was supposed to use. Instead, it just forced it open, taped it back together and handed it back to Doctorow without even a shrug of bureaucratic regret.

It did, however, respond to his legitimate complaint. If you can call it a response. First, it loads up on disclaimers. (Doctorow's interjections are bracketed.)

Thank you for contacting the Transportation Security Administration (TSA) Contact Center regarding damaged or missing checked baggage locks.

TSA is required by law to screen all property that goes onboard commercial passenger airlines, including checked baggage. To ensure the security of the traveling public, it is sometimes necessary for Transportation Security Officers (TSOs) to inspect checked baggage by hand. Locked checked baggage [[MY BAG WAS UNLOCKED]] may cause delays due to the need for TSOs to open locked baggage by using alternative measures, including force. Please be advised that TSA is not liable for any damage to locks or bags that are required to be opened by force for security purposes. [[HOW CONVENIENT – WHY NOT?]]

Yes. The agency takes no responsibility for breaking something that was a.) unlocked and b.) even if it wasn't, had passkeys it could have used. It inexplicably mentions this unused option while explaining why it manhandled Doctorow's luggage like the world's most inept burglar.

In cooperation with private industry, TSA implemented a system under which TSOs are able to identify, unlock, and then relock certain locks using passkey sets available to TSA screeners [[AND ANYONE WITH HALF A BRAIN AND A BIT OF GUMPTION]]. TSA-recognized locks can be opened and relocked by TSOs without force and with little delay. TSA cannot, [[WHY THIS COMMA?]] guarantee that such locks will never be damaged or lost while TSOs and airline employees handle checked baggage [[HOW CONVENIENT]].

On top of being unable to perform its job without destroying luggage, the TSA is apparently unaware that URLs can be copied and pasted, rather than carelessly typed into a response email for maximum ineffectiveness.

To learn more about damaged locks, please visit www.tsa.gov\node\1428.

Just try to do what the TSA didn't and paste that not-a-URL-at-all into an omnibox. (Well, it will be automatically converted into a real URL, but that's only because web browsers are smarter than TSA Customer Service agents.) Doctorow says this indicates some sort of DOS mindset, which is its only level of scary.

So, to recap: the TSA can break your stuff, despite having the tools to do otherwise and despite having a number of luggage manufacturers specifically making passkey-compliant suitcases to prevent this sort of thing from happening and despite the suitcase being UNLOCKED THE WHOLE TIME. And the traveler's path of recourse is a mistyped URL surrounded by "not our fault" boilerplate.

The TSA will never have to pay for broken luggage. Because terrorism.

I miss the good old days when this sort of behavior was only displayed by baggage handlers searching for valuables/setting distance records in amateur luggage-tossing competitions. At least then you could find someone to hold accountable for the damage sustained.

The TSA, however, is above even the most minimal level of accountability. If its employees are outsmarted by a "TSA-safe" lock, it's your fault for not ensuring your checked luggage was already open and dumping its contents all over the conveyor belts by the time it reached the TSA's elite group of suitcase-battering counterterrorists. This entire situation (especially the TSA's "response") cleary shows that Doctorow is the guilty party here. If he truly loved America, he'd have prepared for this eventuality… or at least just taken back the taped-together remains of his $1000 suitcase and shed a tear of gratitude for all the hard work the TSA did to ensure his flight didn't get blown up/hijacked.

Filed Under: cory doctorow, homeland security, locks, luggage, tsa

Onity Wins: Hotels That Bought Their Easily-Hacked Door Lock Can't Sue According To Court

from the locked-in dept

A couple years back, I wrote about the curious case of Onity, a company that makes door locks for hotel rooms. Thing is, their locks fail to do the one thing they're supposed to do, as shown when one man at a Black Hat security conference used a cheap device to access the lock's dataport and cause it to unlock. The idea was that a lock that is defeated by equipment that costs pocket change isn't so much a lock as it is a decoration. Onity, in the company's infinite wisdom, claimed the long term fix, a new system board, was available to its customers...for a price.

A class action's worth of hotels weren't satisfied with paying twice for the same product just to make it work, so they filed a lawsuit. That filing was recently rejected by a judge using some awfully strange logic.

The court’s decision turns on three key facts. First, the plaintiffs didn’t allege any actual security breaches; the courts says they are suing “only for the costs of preventing future unauthorized access.” Second, each lock still works in the sense that it “still performs the functions of locking the door upon closing it and unlocking it upon insertion of a properly-coded key card….the locks do not begin to fail on their own upon installation, nor are they all ‘doomed to fail’ eventually.” Third, the court says any future security breaches “could occur only if third parties engaged in criminal conduct to enter Plaintiffs’ hotel rooms.”

Let's deal with these in order. Onity's lock has a gaping security hole that's laughably easy to exploit. For anyone with fifty dollars in their pockets, the lock might as well not be there at all. The very nature of the condition of the product is a breach and, in any case, at least is easily understandable as a product that doesn't perform its basic functions, which is what makes the second claim by the judge so galling. Deciding the lock "works" by the most childish evaluation possible is insane. The lock either performs to industry standards or it doesn't, and this one doesn't. As for the argument that a cheap lockpick can also defeat a hardware lock, there is an important difference here, I think. A hardware lock is limited in terms of a fix by its very nature, whereas Onity is proclaiming that an electronic fix does exist for its electronic lock, it only wants hotels to pay for the pleasure of having their product work properly.

As for that last claim: in what sort of insane world do we live in when a manufacturer that makes a product designed to prohibit illegal behavior can get out of paying to repair its product that doesn't stop illegal behavior because the behavior its product isn't stopping is illegal? An alarm system that fails to alarm when criminals break into a building isn't protected by the fact that the break-in is illegal.

The whole ruling appears to be a case of an ill-informed judge, one that may have unfortunate consequences in other areas of the law.

The court instead analogized Onity’s situation to data breach cases like Reilly v. Ceredian, where consumers’ personal data is stolen but consumers can’t show directly attributable adverse consequence from this theft. I understood the analogy: just like consumers might fear future harm from identity theft, hotels might fear harm from future breaches of their locks. However, this analogy doesn’t work very well. While there aren’t many actions consumers can take to proactively protect their data after a data security breach (even credit monitoring isn’t particularly useful), everyone benefits if the hotels proactively remediate this problem.

This ruling could help defendants in future privacy violation cases. First, if lock buyers lack standing when a physical object fails to perform its basic function, plaintiffs with more abstract data-related risks shouldn’t either. Second, if the risk of future third party criminal behavior doesn’t count as an injury, data breach victims’ purported concerns about future data misuse (like identity theft) are also irrelevant.

Thankfully the ruling is being appealed, so hopefully a future court will get this corrected, but keep in mind that all this is the result of a lock company that makes locks that do not lock if someone comes along with fifty dollars worth of low-end technology. Happy traveling, readers....

Filed Under: digital locks, hotels, locks, security
Companies: onity

Awesome Stuff: Lock It Up

from the safe-not-sorry dept

This week's awesome stuff is all about security, but not of the "cyber" variety. No, we're taking a look at some brand new takes on good old fashioned locks.

Lock Your Mail!



Though technology has drastically changed the role of snail mail in the world, that doesn't mean the latter can't benefit from the former. The wi-fi enabled Smart Mailbox is designed to offer convenient security (it locks and unlocks via smartphone app) and plain old convenience (it can notify you inside when new mail has arrived). And despite American preconceptions about us not even bothering to lock our doors, it's being made in Canada! The project has only just launched, so it remains to be seen if it will come anywhere close to its $50,000 goal.



Lock Your Bike!

Speaking of local locking habits, they seem to swing wildly from place to place. In some cities, locking up a bicycle isn't enough — some enterprising thief will strip it of its precious wheels. If you live in one of those places, you might benefit from the Nutlock system, which builds extra security into the nuts and bolts of the bike, literally:





Some cities, however, are the exact opposite — people don't even need to bother locking their bike to a rack or post, instead sticking with the token gesture of locking the frame to one wheel, because who would steal a bike they can't ride away on? If you're lucky enough to be a cyclist in such a city, the ultra-compact VIER lock might be for you:





Lock Your Locker!



It's back to school season, which I imagine is like Christmas for combination padlock manufacturers. But if the nearly $400,000 (at time of writing) raised by the Bluetooth-activated, smartphone-controlled Noke is any indication, people are getting a little tired of the old standard.

Filed Under: awesome stuff, locks

Hotel Lock Company Wants Hotels To Pay For Fixing Their Hackable Product

from the and-probably-will-next-time,-too dept

Picture yourself on vacation. You leave your hotel room, listening to the fully-licensed music in the lobby on your way out. You make sure not to ask the hotel staff for anything as you leave, lest something called a PARFF come after you. And as you're out frolicking on the beach, sucking in that gut and puffing out your chest (asexual insults FTW!), Zero Cool takes a small electronic device that costs less than your average Electronic Arts videogame and hacks your hotel room's lock, giving him access to all the tourist crap you bought in the past three days.

Now, I know what you're thinking. You're thinking that this couldn't possibly happen. After all, Johnny Lee Miller is probably still too busy spinning in place from the speed with which Eli Stone was cancelled after two seasons (and again, I'm reminded that Firefly lasted one. Sigh...) to be stealing stuff from your hotel room. And besides, it can't be that freaking easy to hack into a hotel lock, can it?

Yes, it can. Forbes has the story of hotel lock-maker Onity's reaction to Cody Brocious revealing at a Black Hat security conference how to hack the company's locks (found on over 4 million hotel room doors) with $50 worth of equipment.

The company’s response to that epic security bug has two parts–a quick fix, and a more rigorous one, both of which it plans to make available by the end of August: First, it’s issuing caps that cover the data port Brocious’s hack exploited, which can only be removed by opening the lock’s case. To further stymie hackers who would try to open the locks and remove that cap, it’s also sending customers new, more obscure Torx screws to replace those on the cases of installed locks.

The second fix is more substantial: Onity will offer its customers new circuit boards and firmware that ostensibly fix the problems Brocious demonstrated.

Not bad, right? We've certainly seen companies in the past react poorly when shown the security flaws in their products, attempting to silence those that point them out rather than just fixing the problems. So this would seem to be a step in the right direction, yes? Maybe, except for this:

But Onity is asking owners of some models of its locks of some to pay a “nominal fee” for the fix, while offering others “special pricing programs” to cover the cost of replacing components. It’s also asking its customers to cover the shipping and labor costs of making hardware changes to the millions of locks worldwide.

That's ridiculous. Onity sold hotels a product that had one job to do: keep the wrong people out of hotel rooms. The product does the job so poorly that $50 worth of equipment and a little technical know-how defeats it entirely. And now you want customers to pay to fix your bad device?

Even Brocious himself pushed back on Onity's statement.

Brocious criticized Onity’s move to put the financial onus for the fix on its customers after selling them what he’s described as fundamentally insecure products. While the free mechanical cap solution could create hurdles for hackers, he says that’s only a partial fix replacement until the lock’s circuit boards are replaced–something that’s not likely to happen if it requires millions of dollars in costs for Onity’s customers. “This will not be insignificant, given that the majority of hotels are small and independently owned and operated. Given that it won’t be a low cost endeavour, it’s not hard to imagine that many hotels will choose not to properly fix the issues, leaving customers in danger,” he writes.

It's an especially bizarre move in terms of public relations. How quickly do you think word will get around to other hotel owners, particularly small independent hotels, about how Onity designs their locks and treats their customers? This could be a win for Onity, if they go out of their way to properly fix their flawed product, but instead they appear to want to turn this into a double-dip of bad business.

Filed Under: cost, fixes, hotels, locks, security
Companies: onity

Forget Just Locking Your Laptop's Wireless Modem, Now Operators Can Lock The Whole Machine

from the more-bars,-but-not-the-good-kind dept

Mobile operators are increasingly looking to sell non-phone devices like laptops and netbooks with embedded or add-on wireless modems as a way to boost their subscriber figures and generate extra income. Typically, consumers buy the device at a discounted upfront cost, then get tied in to a long-term contract for monthly data service (2 years at $60 per month seems to be the norm in the US). If users quit paying their bills, in theory, they've gotten a laptop on the cheap, though of course they're still subject to the terms of the contract, and damage to their credit, and so on. But Ericsson, which makes a lot of the embedded modems, has announced some new technology it's calling a "kill pill" that allows mobile operators to remotely lock a laptop by sending a signal to it over their network. The company says it's ideal if a data user quits paying their bills, but it's not hard to imagine mobile operators coming up with more nefarious uses for the device -- like shutting a machine down if a user closes their account, even if they've fulfilled their contract.

Filed Under: laptops, locks, subsidies, wireless
Companies: ericsson