Bluetooth Gun Safe Cracked By Researchers

Believe it or not, there are quite a few people out there who have purchased gun safes that can be remotely unlocked by Bluetooth. Now we can understand why somebody might think this was a good idea: the convenience of being able to hit a button on your phone and have your weapon available in the heat of the moment is arguably a big selling point for people who are purchasing something like this for home defense. But those with a more technical mind will likely wonder if the inherent risks of having your firearm (or other valuables) protected by a protocol that often relies on security by obscurity outweighs the convenience of not needing to enter in a combination on the keypad.

Well, you can wonder no more, as researchers at [Two Six Labs] have recently published a detailed document on how they managed to remotely unlock the Vaultek VT20i with nothing more exotic than an Ubertooth. In the end, even the Ubertooth wasn’t actually required, as this particular device turned out to be riddled with security issues.

[Two Six Labs] has not publicly released the complete source code of the software demonstrated in their YouTube video for very obvious reasons, but the page on their site does go into fantastic detail on how they uncovered the multiple vulnerabilities that allowed them to write it. Even if you’re not the kind of person who would ever need a gun safe, the information contained in their documentation about analyzing Bluetooth communications is fascinating reading.

It was discovered that the PIN for the safe was actually being transmitted by the accompanying smartphone application in plain-text, which would be bad enough normally. But after further analysis, it became clear that the safe wasn’t even bothering to check the PIN code anyway.

Scripting app interactions with ADB and Python

For extra style points, [Two Six Labs] also show a way to brute force the PIN using the Vaultek Android application by writing a Python script that punches in codes sequentially until it hits on the right one; the developers didn’t even bother to put in limits on failed attempts.

For a device that is ostensibly designed to contain a deadly weapon, the security flaws the team at [Two Six Labs] discovered are absolutely inexcusable. But there is a positive outcome, as the manufacturer has vowed to update the vulnerable safes and make a better effort in the future to more rigorously design and test their Bluetooth implementation. This is the goal of responsible disclosure, and we’re encouraged to see the manufacturer doing the right thing

The security concerns of Bluetooth controlled locks are well known, so it’s a bit disappointing that devices like this are still slipping through the cracks. We suggest you remain skeptical of any security device utilizing Bluetooth until the industry starts taking things a little more seriously.

62 thoughts on “Bluetooth Gun Safe Cracked By Researchers

  1. Someone needs to set up an independent testing lab that tests/attacks all these IoT/”smart” devices and rates them based on how good their security is (much like how the IIHS crash tests cars and gives them ratings based on their safety)
    Make it possible for those consumers who do care about security to at least know if what they are getting has anything resembling security or if its so insecure its as bad as just leaving your door (or gun safe) unlocked.

    That said, I dont see the point in any kind of “smart lock” (be it for a safe or a door or otherwise). If I need a lock, I will either buy a really high security conventional lock (such as an Abloy Protec) or an electronic lock with a keypad entry system or something that is actually secure rather than these crappy insecure “smart” bluetooth locks :)

    1. Smart locks are the buzzword version of key fob systems. They’re handy for managing access control for a large number of people. Think about badging in to work to unlock the door. For individuals they’re rather useless.

      1. The difference is that building access controls are A.Not using easily hackable mobile apps or bluetooth systems but difficult-to-hack smart cards (and they are usually hard-wired into the building systems rather than being connected to the internet via easily hackable wireless). In some cases its possible to clone the card and get in but as a general rule these are a lot more secure than the so-called “smart locks” being peddled to home users and B.Are generally being used as one part of a larger system with guards/staff, cameras and other things (not usually the case in a home setting)

          1. It depends on the card technology.
            They could use plain old 125kHz RFID, which indeed is easy to clone. Then there’s mifare classic, bit more difficult, but with known holes. The more recent version, DESfire EV1 is better.
            He is actually talking about smart cards, which are microcontrollers designed to be physically impenetrable. (also your SIM card is one) Since it’s a micro, it can be programmed to do anything. Basic solution is PKI: reader generates random number and the card signs it using it’s private key.

  2. “These safes are advertised to hold firearms
    They have regulatory approval to be used to transport firearms through TSA
    Are advertised to use security technologies such as encryption”

    Seems like the TSA are up to their usual standards in approving devices then..

      1. For just this reason, TSA requires that gun carriers be very well secured (usually people use multiple padlocks) and will ask you to open them for inspection/FOID check.

        “Firearms must be unloaded and locked in a hard-sided container and transported as checked baggage only. As defined by 49 CFR 1540.5 a loaded firearm has a live round of ammunition, or any component thereof, in the chamber or cylinder or in a magazine inserted in the firearm. Only the passenger should retain the key or combination to the lock unless TSA personnel request the key to open the firearm container to ensure compliance with TSA regulations.”

  3. “….as the manufacturer has vowed to update the vulnerable safes and make a better effort in the future to more rigorously design and test their Bluetooth implementation.”

    This reeks of RSN (“Real Soon Now”) BS. Likely the fingerprint-reader versions they sell are similarly vulnerable.

    I think the whole Bluetooth lock thing is to keep kids out – putting a radio transponder on an easily-carried gun safe isn’t very smart, nor is it much use against them being stolen unless the whole unit is firmly mounted down (yes, there’s a cable – ask any bike owner how much use those are).

  4. Even with its vulnerabilities, how many orders of magnitude better is it than just leaving the gun on/in the nightstand? If your goal is to keep small children from getting the gun, it’s 100% effective. If your goal is to keep teenagers from getting it, it’s still pretty effective. Again, way way more effective than a lot of alternatives.

    Not that I’m saying we should just ignore the flaws or anything like that. Obviously, manufacturers should be held accountable to make their products secure.

        1. Heavy? Well… maybe a really big one. Noisy.. sure.

          Who cares?
          Are we talking about the safe in the picture? That thing is basically a locking carrying case for a handgun. Nobody is going to open that with an angle grinder right there on the spot. They are going to take it home and open it there!

      1. I won’t name names, but there is a widely sold brand that makes a briefcase style gun case like this but it uses a standard lock and key. The only thing is, a two foot drop on the corner of the case pops it right open. Security sold to civilians is more of an idea than anything else.

      1. Then again, it’s about access control. If the kid is smart enough to hack into one I’m pretty sure they’d know what they’re getting into. It’s to keep access away from people who doesn’t know fire arm safety/what a fire arm is.

        1. i wouldn’t make that assumption, just because a youngster understands programming and that guns are dangerous doesnt make it safer. Look at the many trained professionals who have mishaps with guns in the real world, for example the police officer showing a gun to a class who then shoots himself in the foot while holstering his weapon.

          One should be able to expect that if a youngster is smart enough to crack one of these gun safes then their parents should have taken the time to instruct that same youngster about proper gun safety. Unfortunately what one should expect and reality are quite often two different things.

          1. I think your example says more about what kinds of idiots the powers that be are allowing (or maybe even encouraging) to become police officers. Honestly.. don’t just fire the guy, fire the guy that hired him and maybe the one that hired that guy too!

          2. Fire the guy who designed the holster. If a “trained” officer can’t access the gun safely in “laboratory” conditions, it’d be even harder to use it safely in an emergency.

          3. found the video:

            regardless of who you think should be fired, my simple argument was that just because someone understands programming and security analysis does not mean that they fully understand how guns work, or how to properly verify that they are not loaded.

          4. If someone is trying to break into something, I think it’s safe to assume that they know (or have an idea of) whats inside, hence their motivation to crack it open. I’m not implying that who ever is trying to break in knows what a gun can do, and/or what gun safety is; again, is why the gun was placed in a safe in the first place. To prevent unknowledgeable people from getting to it.

    1. The point is not “better than leaving it out” but “better than using a mechanical safe.” There exist many safes out there that are inexpensive and don’t need batteries or Bluetooth.

      This is not the first or the only gun safe out there on the market.

  5. There is also the issue that these bluetooth devices are constantly broadcasting out advertisements. In this case, it is highly likely that one of these devices has a firearm in it. So someone could just drive around to listen for this specific device.

    1. This is an excellent point; the first thing the tool they’ve developed does is listen for advertisements from one of these safes. It would be easy to make a completely passive scanner that logs these advertisements and when/where they were detected.

  6. For get about the Manufacturing companies. I think that anyone that makes decisions to be accountable for there actions and should be dealt with the “Proper” full power of the law. And that goes for politicians as well. “No All Politicians” should be accountable for there mistakes, Not this nit picking and baby talk they do at there so called gatherings. They are using our money and are not accountable. For companies to get away with what they are doing is criminal and should be dealt with properly.

    Our Law system stinks. To many people are getting away with murder.
    It is way way too sad.

    Yea ruff night!!

  7. ahhh… another security breached and now the whole safe isn’t safe any more. Bullocks… nothing is perfectly safe. Everything that is made by man is eventually broken, what amazes me is all the surprised faces that somebody actually broke it. Although I have to admit, that endlessly sending passwords without a delay after x failed attempts is a bit silly and makes you wonder who programmed it AND who approved this.
    The box makes it more difficult to access the gun then to grab it of the shelf, so in that it succeeded it’s mission. But I wonder how quickly it opens when you really need it to open because of a “die hard” hostage situation of some sort (a simple burglar could actually be your wife returning a day too early from a visit to her mother, though accident do happen).
    What happens when the batteries of the device are dead, does it open or does it stay closed?

    1. “But I wonder how quickly it opens when you really need it to open because of a “die hard” hostage situation of some sort”

      you can throw the safe at the intruder? or use it as a bludgeoning instrument?

    2. “(a simple burglar could actually be your wife returning a day too early from a visit to her mother, though accident do happen)”

      Only an imbecile who is actually eager to shoot someone and prove himself “the hero” goes running down the stairs shooting at the noise he hears without actually seeing what or who it is. A responsible gun owner is also a decent human being who doesn’t actually WANT to shoot anyone but rather just wants his/her self and family safe. Simply being seen with a weapon is usually more than enough to turn a would be thief away. At the worst you might actually point the gun at your wife creating a really tense moment before you realize who she is and immediately point the gun back down. I for one wouldn’t even place my finger on the trigger until I knew for sure I was facing a real threat.

      That being said, when I visit family who I know own guns I always knock and announce myself before entering. It’s just the sensible thing to do! If my wife carried then I would do the same even entering my own home if I know I am returning at an unexpected time. That’s just “common” sense!

      1. Yes, you are Captain America and do everything right as a gun owner. But others are not. Deal with the fact that most imbeciles in the US are able to get guns. Therefore the remark in the article.

  8. I have a small lockbox I keep important papers in. (Is it really a safe when it is small enough to carry away?) It has both a combination lock and a key. I never installed the batteries. It isn’t something I get into often. If I used the electronic combination I would be that much more likely to use the (unused) keys. Then what happens when the battery wears out? I’d be stuck until I found the keys anyway! Worse yet, what if those dead batteries start leaking acid?

    I prefer my lockboxes and safes to be mechanical devices thank you!

  9. It’s not a gun safe by any stretch of the imagination, its a lockable carry case for a hand gun, it only needs to be safer than tucking a gun in your waistband, pocket or holster.
    what it is for is a mystery to me, imagine being woken by some lowlife as he opens your bedroom door, you grab you phone and turn on bluetooth, wait for it to connect and then press the unlock button, grab guncase, open it, cock weapon and your finally ready, this was all way too slow foy my liking, but what if your phone’s turned off? He’s probably got time to find your 3d printer and print one before you’re ready.
    The bottom line is if you’re at home and your gun is for protection, it needs to be near and ready to use, if you’re out and you don’t carry, it needs to be locked away.
    I can imagine nothing more depressing than coming home to a kid/non secure firearm incident, except maybe some lowlife shooting you with your own handgun!

    1. Agree. But there are idiot designers and idiot end-users that are installing ‘electronic’ locks on large gun safes. Have automated the unholy crap out of everything at home, have automated warehouse and technician jobs out of existence, and have recently stood up a ‘smart’ monitoring system at employer’s building; so am not a Luddite. But will never ‘electronicate’ my gun safe – it is traditional and big and mechanical and manual. Anyone that can walk in and pick it up will be wished a nice day, and will probably hold the door open for anyone than could detach 250kg safe that is held to foundation by (4) 3/4 inch bolts.

    2. It is to meet legal and insurance requirements that hassle gun owners and create the market for these devices. A hundred years ago, nearly every drawer on every piece of furniture had a lock.

  10. To be clear, most of the security flaws in this safe don’t even go as deep as the Bluetooth stack – it seems more as if they’ve outright not bothered to use any of the security features that were available to them. It’s approximately as bad as “I used SSL, but not really, because I decided to transmit plaintext HTTP over port 443 and pretended it was SSL”

  11. While BLE is a much improved version of bluetooth, it still sucks shit through a straw for an application where real security is important, like keeping guns locked up. Just use a real safe bolted to your home foundation. Any IoT platform sucks shit for this app.

    1. I’d just keep my gun on top of the closet.
      I mean all you need is to keep it away from kids, and burglars, but burglars would take your fancy BT box and just pry it open at home anyway and you’d lose your gun AND a $150+ box. (I’m just guessing at the silly prices I expect they ask).

  12. My friend had a problem that his gun safe wouldn’t reliably unlock. From the *manufacturers* own web site were directions about (1) prying it open with a flat-blade screwdriver, and (2) dropping it at a particular angle from about 3 ft.

    What a joke.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.