Submitted via IRC for Bytram
One of Amazon's top-selling electronic gun safes contains a critical vulnerability that allows it to be opened by virtually anyone, even when they don't know the password.
The Vaultek VT20i handgun safe, ranked fourth in Amazon's gun safes and cabinets category, allows owners to electronically open the door using a Bluetooth-enabled smartphone app. The remote unlock feature is supposed to work only when someone knows the four- to eight-digit personal identification number used to lock the device. But it turns out that this PIN safeguard can be bypassed using a standard computer and a small amount of programming know-how.
As the video demonstration below shows, researchers with security firm Two Six Labs were able to open a VT20i safe in a matter of seconds by using their MacBook Pro to send specially designed Bluetooth data while it was in range. The feat required no knowledge of the unlock PIN or any advanced scanning of the vulnerable safe. The hack works reliably even when the PIN is changed. All that's required to make it work is that the safe have Bluetooth connectivity turned on.
[...] The vulnerability means that anyone who relies on a VT20i safe to secure valuables should immediately turn off Bluetooth connectivity and leave it off indefinitely. Safes can still be locked and unlocked using a traditional physical key, as well as by owners' fingerprints. Some Amazon customers, however, have complained the fingerprint feature is flawed as well.
[It's not clear from the story if the issue can be patched. - Ed]
(Score: 0) by Anonymous Coward on Monday December 11 2017, @09:00AM (2 children)
from the story:
(Score: 3, Insightful) by Anonymous Coward on Monday December 11 2017, @09:36AM (1 child)
A Safe, with a firmware update mechanism: not a safe. So this one, with promiscuous bluetooth and properly no way to hack the firmware to open the safe, which is already open, is not actually a safe, then. Let us just consider it to be a large metal box that some keep their manhood inside of. Fair enough?
(Score: 3, Insightful) by urza9814 on Monday December 11 2017, @09:27PM
If it's an electronic safe, it's no good if it DOESN'T have a firmware update mechanism. As we can see with this example...if it's electronic, it'll probably be hacked eventually; and if you can't update it after that point then it's no longer safe.
Of course, that firmware update mechanism must be properly secured as well. Would seem reasonable to make it only accessible from *inside* the safe...if they can access that to hack it then they already don't need to.
(Score: 5, Interesting) by bradley13 on Monday December 11 2017, @09:37AM (24 children)
Electronic safes...aren't.
We could rage on this specific product (and it is a stupid product, on a lot of different levels). Which makes the consumers who bought it...
Anyway, this happens at all levels. A bank in our small town installed a fingerprint reader on their main safe, so they didn't have to mess with the physical keys all the time. The reader was an external box, with just a couple of ordinary-looking wires going into the locking mechanism. I have no way to know for certain, but there's a real chance that the wires just sent a "lock/unlock" signal to a solenoid. Meaning: tap into the wires, send a pulse, and open the safe.
Most product engineers - and most programmers - think only about functional requirements. When I do X, then Y must happen. If the user enters their PIN, the safe must unlock. This completely excludes security; security is fundamentally a nonfunctional requirement. Add in pressure from PHBs and sales droids to keep a product cheap and deliver it yesterday, and...when does who have time to consider security?
The best suggestion I have seen would be an external certification, some stamp of quality that *any* IOT or electronic device wants to display, to reassure customers. This should ideally be offered by an insurance company, such that any product with the seal automatically has a certain about of liability insurance. The insurance company would then have a real incentive to check the security of devices carrying the seal, and could impose certain quality requirements on the producers.
Everyone is somebody else's weirdo.
(Score: 5, Informative) by Wootery on Monday December 11 2017, @09:51AM (3 children)
I wouldn't blame the consumer here. Not everyone is clued-up about cyber-security. If someone sells a gun-safe, it should be fit-for-purpose. If it's not, it's a moral crime on the part of the designer.
To put it another way, satisfying the PHB becomes the overriding non-functional requirement.
Good idea. This already happens with bike locks. Unfortunately it probably discriminates against small companies in the lock business (Wootery's Innovative Lock Company won't be on the whitelist), but the customer gets additional peace-of-mind that their lock is effective, and the insurer knows the customer is taking proper precautions.
(Score: 3, Insightful) by CoolHand on Monday December 11 2017, @12:14PM
But the designer is likely part of a corporation. We all know that corporations have no morals...
Anyone who is capable of getting themselves made President should on no account be allowed to do the job-Douglas Adams
(Score: 2) by schad on Monday December 11 2017, @03:43PM (1 child)
You can just have the tester offer a limited number of free tests per year. Maybe 3 new-product tests plus 5 re-tests (of new products which failed the first time and were redesigned in response, or of upgraded products that were previously certified). That should be plenty for any small company, while not so much that the big players could drain the tester's resources by spamming them with products.
And you could pay the tester with royalties collected from sales of certified products. Any excess collected would be refunded at the end of the year, after taking out the cost of the "free" tests. If there's a deficit, the tester would increase its rates for the next year.
It's not perfect, but it's probably good enough.
(Score: 2) by drussell on Monday December 11 2017, @05:41PM
Something like that would make sense... Too much sense for a world where the rules are generally controlled by the biggest corporations with the most money. That kind of testing requirement and fee structure would never actually be implemented in the current environment. It will be designed to create as many barriers to entry as possible for non-established players.
(Score: 5, Informative) by TheRaven on Monday December 11 2017, @09:58AM (5 children)
sudo mod me up
(Score: 2, Interesting) by Anonymous Coward on Monday December 11 2017, @10:36AM
Actually the bluetooth stack doesn't need to be the weak part either, as in principle all it should do is to deliver the key to the lock. So if done correctly (which means using encryption between the lock and whatever provides the key, so the actual key is never seen by the Bluetooth module), the worst thing an attacker could do would be to prevent the key to reach the lock, thus disabling the bluetooth functionality.
Having said that, unlocking a safe using your smartphone is a very bad idea no matter how secure your delivery mechanism is, as the smartphones themselves are not exactly the most secure things in the world.
(Score: 2) by meustrus on Monday December 11 2017, @04:29PM (3 children)
Maybe a good electronic could be secure. If it was also physically secure in every way that matters. But the very act of installing an electrically-activated unlock mechanism makes it susceptible to electromagnetic perturbances, which can be very difficult to secure against. Do you encase the thing in lead to keep signals from leaking through and unlocking it outside of the normal command protocol? And then there's the fact that cheaper locks can be triggered just by physically jolting them. Some lighter gun safes with electronic locks can be unlocked simply by dropping them about a foot onto a solid surface.
Bottom line: unless the limitations of a physical lock (mainly the inability to have multiple codes) are a major security concern, a physical lock is always going to be more secure.
If there isn't at least one reference or primary source, it's not +1 Informative. Maybe the underused +1 Interesting?
(Score: 2) by bob_super on Monday December 11 2017, @05:41PM
The physical lock also still works when the power gets cut off at the beginning of the Alien Zombie Apocalypse.
The guy who hid his physical backup safe key 3 years ago may have a problem at bug-out time.
What do you mean by "it's a corner case with low probability"? Aren't people overly sensitive to low-probability events the exact target in that market?
(Score: 2) by TheRaven on Tuesday December 12 2017, @10:35AM (1 child)
The same is true for physical locks. I don't have any experience with gun safes, but I've seen cash lock boxes that can be opened by dropping them and ones that can be opened with a flat-edged screwdriver instead of the key. A well-designed electronic safe has two wires going through the case into the locking mechanism and (unlike a mechanical lock) has no physical access from the outside to any part of the locking mechanism. The two wires run a serial protocol that is rate limited to one try every few seconds and sends simple bidirectional messages. The hardware inside sends a random number, the electronics on the outside encrypt this with an asymmetric key held by the unlocking token and send it back. The interior electronics then decrypt it with the other key from the keypair and trigger an unlock if they match. This requires a hardware random number generator, a clock (for the delay) and either a few dozen lines of code and a hardware RSA implementation, or a few hundred lines of code without. The sensitive electronics are inside the safe and so difficult to tamper with.
Outside the safe, you can have a full general-purpose OS with all of the vulnerabilities that this implies: It can't open the safe unless it can sign something with the correct key, and that key is held in a smartcard, which will just do signing and not allow the key to be exfiltrated.
Such a design, if implemented correctly, is more secure than any mechanical lock design.
sudo mod me up
(Score: 2) by meustrus on Tuesday December 12 2017, @03:45PM
It's too bad there's no way to prove an electronic lock on the market is built according to your design. Marketing doesn't need proof because customers will buy shit based on misplaced trust in the manufacturer, retailer, and government regulations keeping them safe.
If there isn't at least one reference or primary source, it's not +1 Informative. Maybe the underused +1 Interesting?
(Score: 2, Disagree) by The Mighty Buzzard on Monday December 11 2017, @12:06PM (12 children)
FTFY.
A gun's purpose isn't to be safe, it's to be as unsafe as possible in a directional manner. If it's not easy to lay your hands on in an emergency, it's a decorative knickknack not a weapon. The only excuse for using a gun safe is something along the lines of "I already have more guns easily handy than I could possibly need. The safe is for my rare and/or antique firearms."
My rights don't end where your fear begins.
(Score: 3, Informative) by coolgopher on Monday December 11 2017, @12:21PM (11 children)
Depends on the reason for having guns in the first place. If you're a recreational hunter with kids in the house, a gun safe is the sane thing to do (in addition to teaching your kids to respects guns, of course). If your primary use case is defense against home invasion, then obviously you might be better off with it under your pillow (assuming that's a legal storage place in your area, etc).
Oh, and I'll add another use case: not having your weapons stolen when someone does break into your place when you're not around to defend it.
(Score: 2) by The Mighty Buzzard on Monday December 11 2017, @12:29PM (4 children)
I'll grant you that last one. The first should be taken care of by putting the necessary educational effort into assuring your descendants do not receive a Darwin Award once they're old enough and by taking advantage of height differential until then.
My rights don't end where your fear begins.
(Score: 0) by Anonymous Coward on Monday December 11 2017, @02:08PM
never rely on the height difference, if you care about the kid involved.
my son started stacking stuff when he was around two. in the sense of a kid chair on top of a bag of megablocks (kind of like legos, but bigger), etc.
much safer to have a locked door that he can pull/kick and bite ineffectively.
(Score: 2) by schad on Monday December 11 2017, @04:00PM (1 child)
The security onion. I use it on my computer. I also use it on firearms, which can, unlike my computer, be used -- by a malicious or ignorant user -- to cause permanent harm.
Don't underestimate the ingenuity of small humans, the majority of whom are literally incapable of gun safety until four or five (if not later). But they are absolutely capable of physically getting at any unsecured weapon well before then, as another commenter noted.
Another reason for a gun safe is for travel. Not only do many states require it by law when in a vehicle, you may also find yourself in a situation where you're not able to carry your firearm and need a safe place to keep it for a while.
(Score: -1, Flamebait) by Anonymous Coward on Monday December 11 2017, @04:19PM
Too big a dose of reality for TMB's personal responsibility routine. Can't we just label people idiots every time something bad happens?
(Score: 2) by Virindi on Monday December 11 2017, @05:19PM
Once again:
You cannot control the training level of every child (and adult) in the world, and reasonable people will not want to exclude guests from visiting their home merely because they failed to meet a firearms training level. Thus, any weapons not under your direct control should be stored in a way that makes them not accessible to casual operation (stopping a determined thief is more difficult and may be impractical).
Unless you never have guests in your home...
(Score: 1) by Sulla on Monday December 11 2017, @04:30PM
Going to repeat this. In general anyone dedicated will find a way into a safe or find a way to steal it and crack it later. I typically keep all my guns in a safe except one in the bedroom and never store ammo with firearms, but where I live the problem is not crime its three year olds.
Ceterum censeo Sinae esse delendam
(Score: 2) by VLM on Monday December 11 2017, @08:38PM (4 children)
That's why you buy the biggest heaviest gaudiest overdecorated ostentatious gun safe in the store, fill that dude with pieces of angle iron from the hardware store to make it even heavier, prominently place it unsecured in the garage or living room, and then keep the 9mm under your pillow (assuming no toddlers in the house, etc). Then when some idiot steals your entire safe, you tell the cops to check the ER for folks with hernias and broken backs.
My grandfather bought a broken safe at a yard sale once; this was decades ago but now I'd call it a "redundant array of inexpensive safes". They had a real safe in the floor of their basement, the broken safe was a distractor.
I own some guns but they're in super boring locked boxes that are not prominently displayed. Yeah yeah I see cool looking high tech star trek safes and nice looking victorian era work of art safes but I don't see the interior decorating appeal of a giant "please rob me" sign. A pelican (or ripoff clone) case in a gym bag can be locked and is easy to carry to the range or where ever. Someone with the machinery and patience to open a pelican without damaging the gun inside probably doesn't have to work as a thief for a living so its kinda self limiting in that way.
I live in an expensive non-diverse neighborhood, which is yet another variation on "spend money to not get your stuff stolen".
One interesting side effect of the ubiquitous surveillance society with cameras and drones everywhere is we're probably in the last generation of property crimes. The next generation of gun safe will have like 17 webcams on the safe and in the room and some dude in India or some drunk college kid in American will do the Amazon Mech Turk thing to decide if the 100 webcam pixs from the safe and the room match your provided pix and remotely unlock (or not). Fascinating startup idea #23515 that I'm not going to seriously pursue is the FaceBook(TM) connected gun safe where one of your 100+ facebook "friends" has to look at the gun safe's webcam pix and click OK to unlock your gun safe if they recognize you, or 3 outta 5 friends or WTF. Presumably if your facebook(TM) post history appears suicidal your friends will all click "deny", unless they're assholes of course. The next step being the "i-gun" where 3 outta 5 friends have to click "like" on the sight pix before the rifle fires. Of course there will be "oh shit yo thats a funny pix of some farmers cow" and the poor thing will get blown away but at least they tried, LOL.
(Score: 2) by chromas on Monday December 11 2017, @09:37PM (3 children)
Then when you post something Offensive™ then your account gets Zucced and you're locked out of the safe for 15 days. Can't trust the 'analog hole' so there's no mechanical backup.
👍Like 🗨 Comment
😢👍❤25
(Score: 2) by VLM on Monday December 11 2017, @10:50PM (2 children)
Weirdly enough this whole idea got started at a former employer where I/we began with the idea of a social media connected fridge lock for weight loss where you need permission to open the fridge from your FB friends. Which led to a discussion of liking Trump memes will cause family starvation if the holier than thou cat ladies find out. So I proposed, well, what would cat ladies hate more than Trump supporters and their families being able to eat, well, obviously, a facebook(tm) connected "gun safe".
Then the discussion (at least at work) ran off the rails with the proposal that you permit negated friends, so if you have a crazy friend, the nut needs to click "no" to let you open your fridge or gun safe, so you're gonna have weird standoffs where the gun confiscation nut has to think over if he's tagged as normal or inverted permissions, etc. The coworkers also helpfully suggested this technology is also applicable to liquor cabinets and condom dispensers.
(Score: 2) by chromas on Monday December 11 2017, @11:12PM (1 child)
OMG! This is fat shaming! This is Not Okay™. #HealthAtEveryTon
Literally Nazis!
Sad reacts only.
These are the details left out of A Brave New World—If you're not social enough, people won't just shun you; they'll shame you, lock you out of your booze and try to get you fired.
(Score: 2) by VLM on Monday December 11 2017, @11:59PM
The brain trust at work eventually decided the remotely locked condom dispenser was the most social idea because a "like" could be interpreted in so many socially interesting ways. Or a lack or "like". Many topics in a binary yes/no answer, is it a social decision on the basis of slut shaming, disease, pregnancy, jealousy...
I'll see your "Brave New World", which is admittedly a good bid, and raise you "The Scarlet Letter". Now you have to squint and read it kinda sideways and upside down, but you can kinda see both Scarlet Letter and Brave New World as both being Puritan holier than thou pricks screwing everything up the path to hell being paved with good intentions by Puritan assholes anyway. This would make a hell of a school essay. I almost never drink and I had a big glass of hard cider so I will see how this reads when I sober up tomorrow. I think this is brilliant analogy, but it could be mere alcohol vapor. BNW and Scarlet Letter are basically the same setting, hmm...
(Score: 2) by edIII on Monday December 11 2017, @09:44PM
Reminds of garage door consoles you can install. I've seen keyed ones, and keypads. All of them though connect the same exact way to the garage door itself, and that's two wires that directly act like a wall mounted momentary switch next to the entry door to the house.
The keyed one was really funny since all you had to do was pick it, or just grab it from the side with a screwdriver and pry it off. The keypad one was worse, the screws to undo it were unprotected under the cover. Once you had the two wires in your hand it was trivially easy to open the door.
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 3, Interesting) by MostCynical on Monday December 11 2017, @10:30AM (13 children)
The safe is also the most expensive of the top 20 bestsellers on amazon, by a large margin, so lots of people seem to equate "expensive" with "effective"
https://www.amazon.com/Best-Sellers-Home-Improvement-Gun-Safes-Cabinets/zgbs/hi/4200861 [amazon.com]
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
(Score: 2) by PiMuNu on Monday December 11 2017, @10:34AM (6 children)
> so lots of people seem to equate "expensive" with "effective"
Not necessarily stupid equation to make. There is probably a correlation at least.
(Score: 2) by MostCynical on Monday December 11 2017, @10:51AM (3 children)
Hmm
https://cars.usnews.com/cars-trucks/honda/civic [usnews.com]
https://www.caranddriver.com/rolls-royce/phantom [caranddriver.com]
$23,000 vs $420,000 (US pricing - in Australia, $24,000 vs $855,000)
Eighteen times better? Thirty-four times?
I know, cars have more Marketing and "branding" and crap, but the Honda will get you to work and back, and not be a liability parked in a multi-storey (it will fit, for a start)
I wonder if any insurance companies offer premium reductions, if you use any/a particular safe? Will they now be increasing the premiums of people with this safe?
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
(Score: 3, Insightful) by c0lo on Monday December 11 2017, @01:17PM (2 children)
Honda vs Roll Royce?
Come on, stop the rhetoric, it's unbecoming for a cynic.
You know very well Roll Royce is not about such a mundane reason as "get you to work and back".
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 0) by Anonymous Coward on Monday December 11 2017, @03:48PM (1 child)
Haven't driven a new Rolls in years, but 30+ years ago we had one on loan for a short project. It wasn't better by the price multiple, but it was a very nice touring car in nearly every respect (not around town, too big to park easily). As well as paying for the name, there is something to be said about paying for craftsmanship--many parts of the car involved hand labor which has the nice effect of making every one a little special (or just different, depending on your point of view).
Members of the Rolls-Royce Owner's Club consider themselves temporary custodians of these cars. They maintain them such that they will still be good for future owners. A friend uses his 1912 Silver Ghost for trips of several hundred miles, it's a lovely ride.
(Score: 3, Insightful) by lentilla on Wednesday December 13 2017, @02:58AM
You'd like to think so... but I suspect it's more of a case of having oodles of money. Every single scratch is promptly fixed and the cost isn't even a blip on the financial radar.
(Score: 2) by Wootery on Monday December 11 2017, @12:01PM (1 child)
I wonder. It's possible that the top end of the market attracts shysters and form-over-function products.
(Score: 2) by chromas on Monday December 11 2017, @09:44PM
Heh [amazon.com]
(Score: 2) by EvilSS on Monday December 11 2017, @11:54AM (3 children)
(Score: 3, Insightful) by theluggage on Monday December 11 2017, @12:05PM (2 children)
Presumably, though, the only real requirement is to ensure that anybody taking the guns and using them for nefarious purposes has to break/pick the lock - thus legally covering the ass of the owner.
...in which case having an electronic lock that can be hacked without leaving physical evidence is doubly stupid c.f. the cheapest, most useless padlock.
(Score: 4, Insightful) by EvilSS on Monday December 11 2017, @12:12PM
(Score: 2) by etherscythe on Monday December 11 2017, @03:29PM
This illustrates one reason that legal standards need to better track reality; the mere appearance of safety causes an appalling risk for those who get the impression that their safety measures are actually good enough. I realize some things take time, but what's going to happen when cryptocurrency or VR spaces totally disrupt regular life (in the "new normal" after the revolution hits)? There will be severe legal loopholes that are really going to stir chaos until the law catches up in 5 years or however long it takes to push through Congress. And as tech evolution accelerates, it's only going to get worse.
"Fake News: anything reported outside of my own personally chosen echo chamber"
(Score: 1, Flamebait) by VLM on Monday December 11 2017, @09:15PM (1 child)
Don't forget the insurance rider game.
Every insurance plan and state law is different but if I wanted an insurance rider I'd have to pay something like $5/mo for anywhere from $2500 up to like a million dollar collection (less than $2500 of guns is mere generic household property). So at the low end assuming that I have less than one total loss house fire per 40 years (so far ahead on that one) then I'm better off not insuring guns at all and just pay cash to replace. Depending on your local insurance costs, it might be mathematically logical to spend, say, $2K, on a fire proof safe on the assumption the guns will be pretty safe in a fire proof safe if the cost of insurance per likely fire exceeds $2K by a large enough margin. The safe mfgrs know that and price to be cheaper than insurance ripoffs but every penny below $2K (or whatever) is profit the mfgrs are leaving on the table... so "safe" (like for backup tapes or whatever) might cost $500 but a mechanically identical "gun safe" will cost $2K. Essentially the insurance company is setting the price of gun safes.
Meanwhile the other side of the insurance coin is the ins co doesn't want to play games with fraud so they want some skin in the game WRT buying a safe. So if the ins company says if you want a rider for over $2500 coverage, you're buying a safe regardless what the safe mfgr wants to charge.
A third argument is "a safe" might hold fairly worthless tape backups so they charge $500 but a $2K gun safe presumably holds many expensive guns so they know you got the cash and they want it.
This came from a project that never went thru for offsite tape storage in my basement; an X cubic foot fire proof safe was going to cost like $300 but adding the word "gun" to the search terms magically multiplied the cost of X cubic feet of fire proof storage by a factor of 3 to 5 over a non-gun safe. I used Pelican style cases when I was in the army like decades ago to hold all kinds of IT stuff; I now keep guns in pelican cases, which are not cheap but are a fair price given the high quality and indestructibility. I admit I was amused at the idea of expensing a gun safe; that was kinda the handshake and wink agreement with the employer that I'd get a free safe but I had to rotate an encrypted tape every week. I think the failure mode was we couldda snuck this past if it was just me, but the idea was to buy the whole department (gun?) safe and corporate freaked out and we ended up with Iron Mountain instead (spending probably 100x as much money, I suspect)
I did some Amazon research in the course of writing this post; "Case Club Waterproof 4 Pistol Case with Silica Gel" $105, or a similar size Pelican 1200 for $40. There are ripoffs of the Pelican available for like $10.
(Score: 3, Insightful) by MostCynical on Monday December 11 2017, @09:56PM
Maybe the insurance companies fall for the same crap; if it is sold as a gun safe, it must be better than a safe sold as a safe - why would they sell it as a gun safe, otherwise?
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
(Score: 0) by Anonymous Coward on Monday December 11 2017, @12:18PM
executive prison stint
(Score: 0) by Anonymous Coward on Monday December 11 2017, @04:55PM
"Hey, Google/Alexa, open the gun safe."
(Score: 4, Informative) by drussell on Monday December 11 2017, @05:49PM
They have already stated that they have fixed the issue in current production and are rolling out a program to service the units for existing customers, since it seems that they do not have any easy way to do some kind of user-applyable update in the field, it will be some kind of exchange or warranty repair program. They basically say "stay tuned for the details," but there is some basic information:
You can follow their progress, announcements, etc. here:
https://vaulteksafe.com/index.php/vaultek-bluetooth-security-update/ [vaulteksafe.com]
So... Yeah, a bonehead move in the first place, but they're going to fix it, at least. Hopefully more carefully! :)