Bluetooth Gun Safe Cracked By Researchers

December 13, 2017 by Tom Nardi 64 Comments

Believe it or not, there are quite a few people out there who have purchased gun safes that can be remotely unlocked by Bluetooth. Now we can understand why somebody might think this was a good idea: the convenience of being able to hit a button on your phone and have your weapon available in the heat of the moment is arguably a big selling point for people who are purchasing something like this for home defense. But those with a more technical mind will likely wonder if the inherent risks of having your firearm (or other valuables) protected by a protocol that often relies on security by obscurity outweighs the convenience of not needing to enter in a combination on the keypad.

Well, you can wonder no more, as researchers at [Two Six Labs] have recently published a detailed document on how they managed to remotely unlock the Vaultek VT20i with nothing more exotic than an Ubertooth. In the end, even the Ubertooth wasn’t actually required, as this particular device turned out to be riddled with security issues.

[Two Six Labs] has not publicly released the complete source code of the software demonstrated in their YouTube video for very obvious reasons, but the page on their site does go into fantastic detail on how they uncovered the multiple vulnerabilities that allowed them to write it. Even if you’re not the kind of person who would ever need a gun safe, the information contained in their documentation about analyzing Bluetooth communications is fascinating reading.

It was discovered that the PIN for the safe was actually being transmitted by the accompanying smartphone application in plain-text, which would be bad enough normally. But after further analysis, it became clear that the safe wasn’t even bothering to check the PIN code anyway.

Scripting app interactions with ADB and Python

For extra style points, [Two Six Labs] also show a way to brute force the PIN using the Vaultek Android application by writing a Python script that punches in codes sequentially until it hits on the right one; the developers didn’t even bother to put in limits on failed attempts.

For a device that is ostensibly designed to contain a deadly weapon, the security flaws the team at [Two Six Labs] discovered are absolutely inexcusable. But there is a positive outcome, as the manufacturer has vowed to update the vulnerable safes and make a better effort in the future to more rigorously design and test their Bluetooth implementation. This is the goal of responsible disclosure, and we’re encouraged to see the manufacturer doing the right thing

The security concerns of Bluetooth controlled locks are well known, so it’s a bit disappointing that devices like this are still slipping through the cracks. We suggest you remain skeptical of any security device utilizing Bluetooth until the industry starts taking things a little more seriously.

Continue reading “Bluetooth Gun Safe Cracked By Researchers” →

Ossmann Talks About Ubertooth At Schmoocon

February 9, 2011 by Mike Szczys 9 Comments

[Michael Ossmann’s] talk from Schmoocon about his open source Bluetooth test tool called Ubertooth is now available to watch online. The video really fills in the gaps from the first time we looked at the project, as he covers why he took on the challenge, and what has happened since. He talks about how his work with the IM-ME helped in choosing hardware along the way, and the choices he made while developing the USB dongle. His hardware considerations included parts that didn’t require a nondisclosure agreement (keeping it open source) and that were available in single quantities so that individuals could build and populate their own boards quite easily.

We’ve embedded the talk after the break. The project is coming along great, and his Kickstart funds have almost doubled the original goal.

Continue reading “Ossmann Talks About Ubertooth At Schmoocon” →

Ubertooth Board For Bluetooth Experimentation

November 26, 2010 by Mike Szczys 9 Comments

Ubertooth Zero is the first offering in [Michael Ossman’s] quest for a Bluetooth sniffing and hacking hardware platform. We’ve seen some of his hacks in the past, like the build-in guitar tuner and some pink pager fiddling. The Ubertooth dongle is his original design based around an LPC1758 ARM Cortex-M3 processor paired with a Texas Instruments 595-CC2400-RTB1 to handle the 2.4 GHz RF communications. Looking at the bill of materials shows a very low cost for the components at just under $30 (if you can get your hands on a PCB to mount them on). He’s written firmware as well as host code to help you up start pulling Bluetooth packets out of the air as quickly as possible.

What can you do with this? That’s up to you, but whatever it is you accomplish, we’d like to hear about it.