Stories
Slash Boxes
Comments

SoylentNews is people

posted by Fnord666 on Monday December 11 2017, @08:44AM   Printer-friendly
from the unsafe-handgun-safe dept.

Submitted via IRC for Bytram

One of Amazon's top-selling electronic gun safes contains a critical vulnerability that allows it to be opened by virtually anyone, even when they don't know the password.

The Vaultek VT20i handgun safe, ranked fourth in Amazon's gun safes and cabinets category, allows owners to electronically open the door using a Bluetooth-enabled smartphone app. The remote unlock feature is supposed to work only when someone knows the four- to eight-digit personal identification number used to lock the device. But it turns out that this PIN safeguard can be bypassed using a standard computer and a small amount of programming know-how.

As the video demonstration below shows, researchers with security firm Two Six Labs were able to open a VT20i safe in a matter of seconds by using their MacBook Pro to send specially designed Bluetooth data while it was in range. The feat required no knowledge of the unlock PIN or any advanced scanning of the vulnerable safe. The hack works reliably even when the PIN is changed. All that's required to make it work is that the safe have Bluetooth connectivity turned on.

[...] The vulnerability means that anyone who relies on a VT20i safe to secure valuables should immediately turn off Bluetooth connectivity and leave it off indefinitely. Safes can still be locked and unlocked using a traditional physical key, as well as by owners' fingerprints. Some Amazon customers, however, have complained the fingerprint feature is flawed as well.

[It's not clear from the story if the issue can be patched. - Ed]

Source: https://arstechnica.com/information-technology/2017/12/top-selling-handgun-safe-can-be-remotely-opened-in-seconds-no-pin-needed/


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 5, Interesting) by bradley13 on Monday December 11 2017, @09:37AM (24 children)

    by bradley13 (3053) on Monday December 11 2017, @09:37AM (#608231) Homepage Journal

    Electronic safes...aren't.

    We could rage on this specific product (and it is a stupid product, on a lot of different levels). Which makes the consumers who bought it...

    Anyway, this happens at all levels. A bank in our small town installed a fingerprint reader on their main safe, so they didn't have to mess with the physical keys all the time. The reader was an external box, with just a couple of ordinary-looking wires going into the locking mechanism. I have no way to know for certain, but there's a real chance that the wires just sent a "lock/unlock" signal to a solenoid. Meaning: tap into the wires, send a pulse, and open the safe.

    Most product engineers - and most programmers - think only about functional requirements. When I do X, then Y must happen. If the user enters their PIN, the safe must unlock. This completely excludes security; security is fundamentally a nonfunctional requirement. Add in pressure from PHBs and sales droids to keep a product cheap and deliver it yesterday, and...when does who have time to consider security?

    The best suggestion I have seen would be an external certification, some stamp of quality that *any* IOT or electronic device wants to display, to reassure customers. This should ideally be offered by an insurance company, such that any product with the seal automatically has a certain about of liability insurance. The insurance company would then have a real incentive to check the security of devices carrying the seal, and could impose certain quality requirements on the producers.

    --
    Everyone is somebody else's weirdo.
    Starting Score:    1  point
    Moderation   +4  
       Interesting=3, Informative=1, Total=4
    Extra 'Interesting' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   5  
  • (Score: 5, Informative) by Wootery on Monday December 11 2017, @09:51AM (3 children)

    by Wootery (2341) on Monday December 11 2017, @09:51AM (#608235)

    Which makes the consumers who bought it...

    I wouldn't blame the consumer here. Not everyone is clued-up about cyber-security. If someone sells a gun-safe, it should be fit-for-purpose. If it's not, it's a moral crime on the part of the designer.

    Add in pressure from PHBs and sales droids to keep a product cheap and deliver it yesterday, and...when does who have time to consider security?

    To put it another way, satisfying the PHB becomes the overriding non-functional requirement.

    The best suggestion I have seen would be an external certification, some stamp of quality that *any* IOT or electronic device wants to display, to reassure customers.

    Good idea. This already happens with bike locks. Unfortunately it probably discriminates against small companies in the lock business (Wootery's Innovative Lock Company won't be on the whitelist), but the customer gets additional peace-of-mind that their lock is effective, and the insurer knows the customer is taking proper precautions.

    • (Score: 3, Insightful) by CoolHand on Monday December 11 2017, @12:14PM

      by CoolHand (438) on Monday December 11 2017, @12:14PM (#608250) Journal

      If someone sells a gun-safe, it should be fit-for-purpose. If it's not, it's a moral crime on the part of the designer.

      But the designer is likely part of a corporation. We all know that corporations have no morals...

      --
      Anyone who is capable of getting themselves made President should on no account be allowed to do the job-Douglas Adams
    • (Score: 2) by schad on Monday December 11 2017, @03:43PM (1 child)

      by schad (2398) on Monday December 11 2017, @03:43PM (#608288)

      Unfortunately it probably discriminates against small companies in the lock business (Wootery's Innovative Lock Company won't be on the whitelist)

      You can just have the tester offer a limited number of free tests per year. Maybe 3 new-product tests plus 5 re-tests (of new products which failed the first time and were redesigned in response, or of upgraded products that were previously certified). That should be plenty for any small company, while not so much that the big players could drain the tester's resources by spamming them with products.

      And you could pay the tester with royalties collected from sales of certified products. Any excess collected would be refunded at the end of the year, after taking out the cost of the "free" tests. If there's a deficit, the tester would increase its rates for the next year.

      It's not perfect, but it's probably good enough.

      • (Score: 2) by drussell on Monday December 11 2017, @05:41PM

        by drussell (2678) on Monday December 11 2017, @05:41PM (#608340) Journal

        Something like that would make sense... Too much sense for a world where the rules are generally controlled by the biggest corporations with the most money. That kind of testing requirement and fee structure would never actually be implemented in the current environment. It will be designed to create as many barriers to entry as possible for non-established players.

  • (Score: 5, Informative) by TheRaven on Monday December 11 2017, @09:58AM (5 children)

    by TheRaven (270) on Monday December 11 2017, @09:58AM (#608237) Journal
    I don't entirely agree with your assessment. A lot of places use electronic locks because they're more secure than physical ones: the reader just has to do an RSA or similar signature verification check, most of which is in hardware and the rest is a few dozen lines of code. It's pretty hard to get this wrong and much harder to attack than a traditional mechanical lock (where people have a couple of hundred years of practice working out the best ways of picking them). The problem is creeping featuritus. No secure system should have a bluetooth stack: it is far too much code to be trusted on a critical path for security.
    --
    sudo mod me up
    • (Score: 2, Interesting) by Anonymous Coward on Monday December 11 2017, @10:36AM

      by Anonymous Coward on Monday December 11 2017, @10:36AM (#608240)

      Actually the bluetooth stack doesn't need to be the weak part either, as in principle all it should do is to deliver the key to the lock. So if done correctly (which means using encryption between the lock and whatever provides the key, so the actual key is never seen by the Bluetooth module), the worst thing an attacker could do would be to prevent the key to reach the lock, thus disabling the bluetooth functionality.

      Having said that, unlocking a safe using your smartphone is a very bad idea no matter how secure your delivery mechanism is, as the smartphones themselves are not exactly the most secure things in the world.

    • (Score: 2) by meustrus on Monday December 11 2017, @04:29PM (3 children)

      by meustrus (4961) on Monday December 11 2017, @04:29PM (#608307)

      Maybe a good electronic could be secure. If it was also physically secure in every way that matters. But the very act of installing an electrically-activated unlock mechanism makes it susceptible to electromagnetic perturbances, which can be very difficult to secure against. Do you encase the thing in lead to keep signals from leaking through and unlocking it outside of the normal command protocol? And then there's the fact that cheaper locks can be triggered just by physically jolting them. Some lighter gun safes with electronic locks can be unlocked simply by dropping them about a foot onto a solid surface.

      Bottom line: unless the limitations of a physical lock (mainly the inability to have multiple codes) are a major security concern, a physical lock is always going to be more secure.

      --
      If there isn't at least one reference or primary source, it's not +1 Informative. Maybe the underused +1 Interesting?
      • (Score: 2) by bob_super on Monday December 11 2017, @05:41PM

        by bob_super (1357) on Monday December 11 2017, @05:41PM (#608339)

        The physical lock also still works when the power gets cut off at the beginning of the Alien Zombie Apocalypse.
        The guy who hid his physical backup safe key 3 years ago may have a problem at bug-out time.

        What do you mean by "it's a corner case with low probability"? Aren't people overly sensitive to low-probability events the exact target in that market?

      • (Score: 2) by TheRaven on Tuesday December 12 2017, @10:35AM (1 child)

        by TheRaven (270) on Tuesday December 12 2017, @10:35AM (#608689) Journal

        Some lighter gun safes with electronic locks can be unlocked simply by dropping them about a foot onto a solid surface.

        The same is true for physical locks. I don't have any experience with gun safes, but I've seen cash lock boxes that can be opened by dropping them and ones that can be opened with a flat-edged screwdriver instead of the key. A well-designed electronic safe has two wires going through the case into the locking mechanism and (unlike a mechanical lock) has no physical access from the outside to any part of the locking mechanism. The two wires run a serial protocol that is rate limited to one try every few seconds and sends simple bidirectional messages. The hardware inside sends a random number, the electronics on the outside encrypt this with an asymmetric key held by the unlocking token and send it back. The interior electronics then decrypt it with the other key from the keypair and trigger an unlock if they match. This requires a hardware random number generator, a clock (for the delay) and either a few dozen lines of code and a hardware RSA implementation, or a few hundred lines of code without. The sensitive electronics are inside the safe and so difficult to tamper with.

        Outside the safe, you can have a full general-purpose OS with all of the vulnerabilities that this implies: It can't open the safe unless it can sign something with the correct key, and that key is held in a smartcard, which will just do signing and not allow the key to be exfiltrated.

        Such a design, if implemented correctly, is more secure than any mechanical lock design.

        --
        sudo mod me up
        • (Score: 2) by meustrus on Tuesday December 12 2017, @03:45PM

          by meustrus (4961) on Tuesday December 12 2017, @03:45PM (#608759)

          It's too bad there's no way to prove an electronic lock on the market is built according to your design. Marketing doesn't need proof because customers will buy shit based on misplaced trust in the manufacturer, retailer, and government regulations keeping them safe.

          --
          If there isn't at least one reference or primary source, it's not +1 Informative. Maybe the underused +1 Interesting?
  • (Score: 2, Disagree) by The Mighty Buzzard on Monday December 11 2017, @12:06PM (12 children)

    by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Monday December 11 2017, @12:06PM (#608248) Homepage Journal

    Gun safes...aren't.

    FTFY.

    A gun's purpose isn't to be safe, it's to be as unsafe as possible in a directional manner. If it's not easy to lay your hands on in an emergency, it's a decorative knickknack not a weapon. The only excuse for using a gun safe is something along the lines of "I already have more guns easily handy than I could possibly need. The safe is for my rare and/or antique firearms."

    --
    My rights don't end where your fear begins.
    • (Score: 3, Informative) by coolgopher on Monday December 11 2017, @12:21PM (11 children)

      by coolgopher (1157) on Monday December 11 2017, @12:21PM (#608254)

      Depends on the reason for having guns in the first place. If you're a recreational hunter with kids in the house, a gun safe is the sane thing to do (in addition to teaching your kids to respects guns, of course). If your primary use case is defense against home invasion, then obviously you might be better off with it under your pillow (assuming that's a legal storage place in your area, etc).

      Oh, and I'll add another use case: not having your weapons stolen when someone does break into your place when you're not around to defend it.

      • (Score: 2) by The Mighty Buzzard on Monday December 11 2017, @12:29PM (4 children)

        by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Monday December 11 2017, @12:29PM (#608255) Homepage Journal

        I'll grant you that last one. The first should be taken care of by putting the necessary educational effort into assuring your descendants do not receive a Darwin Award once they're old enough and by taking advantage of height differential until then.

        --
        My rights don't end where your fear begins.
        • (Score: 0) by Anonymous Coward on Monday December 11 2017, @02:08PM

          by Anonymous Coward on Monday December 11 2017, @02:08PM (#608265)

          never rely on the height difference, if you care about the kid involved.
          my son started stacking stuff when he was around two. in the sense of a kid chair on top of a bag of megablocks (kind of like legos, but bigger), etc.
          much safer to have a locked door that he can pull/kick and bite ineffectively.

        • (Score: 2) by schad on Monday December 11 2017, @04:00PM (1 child)

          by schad (2398) on Monday December 11 2017, @04:00PM (#608294)

          The security onion. I use it on my computer. I also use it on firearms, which can, unlike my computer, be used -- by a malicious or ignorant user -- to cause permanent harm.

          Don't underestimate the ingenuity of small humans, the majority of whom are literally incapable of gun safety until four or five (if not later). But they are absolutely capable of physically getting at any unsecured weapon well before then, as another commenter noted.

          Another reason for a gun safe is for travel. Not only do many states require it by law when in a vehicle, you may also find yourself in a situation where you're not able to carry your firearm and need a safe place to keep it for a while.

          • (Score: -1, Flamebait) by Anonymous Coward on Monday December 11 2017, @04:19PM

            by Anonymous Coward on Monday December 11 2017, @04:19PM (#608303)

            Too big a dose of reality for TMB's personal responsibility routine. Can't we just label people idiots every time something bad happens?

        • (Score: 2) by Virindi on Monday December 11 2017, @05:19PM

          by Virindi (3484) on Monday December 11 2017, @05:19PM (#608333)

          Once again:

          You cannot control the training level of every child (and adult) in the world, and reasonable people will not want to exclude guests from visiting their home merely because they failed to meet a firearms training level. Thus, any weapons not under your direct control should be stored in a way that makes them not accessible to casual operation (stopping a determined thief is more difficult and may be impractical).

          Unless you never have guests in your home...

      • (Score: 1) by Sulla on Monday December 11 2017, @04:30PM

        by Sulla (5173) on Monday December 11 2017, @04:30PM (#608309) Journal

        Going to repeat this. In general anyone dedicated will find a way into a safe or find a way to steal it and crack it later. I typically keep all my guns in a safe except one in the bedroom and never store ammo with firearms, but where I live the problem is not crime its three year olds.

        --
        Ceterum censeo Sinae esse delendam
      • (Score: 2) by VLM on Monday December 11 2017, @08:38PM (4 children)

        by VLM (445) Subscriber Badge on Monday December 11 2017, @08:38PM (#608420)

        Oh, and I'll add another use case: not having your weapons stolen when someone does break into your place when you're not around to defend it.

        That's why you buy the biggest heaviest gaudiest overdecorated ostentatious gun safe in the store, fill that dude with pieces of angle iron from the hardware store to make it even heavier, prominently place it unsecured in the garage or living room, and then keep the 9mm under your pillow (assuming no toddlers in the house, etc). Then when some idiot steals your entire safe, you tell the cops to check the ER for folks with hernias and broken backs.

        My grandfather bought a broken safe at a yard sale once; this was decades ago but now I'd call it a "redundant array of inexpensive safes". They had a real safe in the floor of their basement, the broken safe was a distractor.

        I own some guns but they're in super boring locked boxes that are not prominently displayed. Yeah yeah I see cool looking high tech star trek safes and nice looking victorian era work of art safes but I don't see the interior decorating appeal of a giant "please rob me" sign. A pelican (or ripoff clone) case in a gym bag can be locked and is easy to carry to the range or where ever. Someone with the machinery and patience to open a pelican without damaging the gun inside probably doesn't have to work as a thief for a living so its kinda self limiting in that way.

        I live in an expensive non-diverse neighborhood, which is yet another variation on "spend money to not get your stuff stolen".

        One interesting side effect of the ubiquitous surveillance society with cameras and drones everywhere is we're probably in the last generation of property crimes. The next generation of gun safe will have like 17 webcams on the safe and in the room and some dude in India or some drunk college kid in American will do the Amazon Mech Turk thing to decide if the 100 webcam pixs from the safe and the room match your provided pix and remotely unlock (or not). Fascinating startup idea #23515 that I'm not going to seriously pursue is the FaceBook(TM) connected gun safe where one of your 100+ facebook "friends" has to look at the gun safe's webcam pix and click OK to unlock your gun safe if they recognize you, or 3 outta 5 friends or WTF. Presumably if your facebook(TM) post history appears suicidal your friends will all click "deny", unless they're assholes of course. The next step being the "i-gun" where 3 outta 5 friends have to click "like" on the sight pix before the rifle fires. Of course there will be "oh shit yo thats a funny pix of some farmers cow" and the poor thing will get blown away but at least they tried, LOL.

        • (Score: 2) by chromas on Monday December 11 2017, @09:37PM (3 children)

          by chromas (34) Subscriber Badge on Monday December 11 2017, @09:37PM (#608452) Journal

          FaceBook(TM) connected gun safe

          Then when you post something Offensive™ then your account gets Zucced and you're locked out of the safe for 15 days. Can't trust the 'analog hole' so there's no mechanical backup.
           
          👍Like   🗨 Comment

          😢👍❤25

          • (Score: 2) by VLM on Monday December 11 2017, @10:50PM (2 children)

            by VLM (445) Subscriber Badge on Monday December 11 2017, @10:50PM (#608510)

            Weirdly enough this whole idea got started at a former employer where I/we began with the idea of a social media connected fridge lock for weight loss where you need permission to open the fridge from your FB friends. Which led to a discussion of liking Trump memes will cause family starvation if the holier than thou cat ladies find out. So I proposed, well, what would cat ladies hate more than Trump supporters and their families being able to eat, well, obviously, a facebook(tm) connected "gun safe".

            Then the discussion (at least at work) ran off the rails with the proposal that you permit negated friends, so if you have a crazy friend, the nut needs to click "no" to let you open your fridge or gun safe, so you're gonna have weird standoffs where the gun confiscation nut has to think over if he's tagged as normal or inverted permissions, etc. The coworkers also helpfully suggested this technology is also applicable to liquor cabinets and condom dispensers.

            • (Score: 2) by chromas on Monday December 11 2017, @11:12PM (1 child)

              by chromas (34) Subscriber Badge on Monday December 11 2017, @11:12PM (#608522) Journal

              social media connected fridge lock for weight loss

              OMG! This is fat shaming! This is Not Okay™. #HealthAtEveryTon

              liking Trump memes

              Literally Nazis!

              this technology is also applicable to liquor cabinets and condom dispensers

              Sad reacts only.

              These are the details left out of A Brave New World—If you're not social enough, people won't just shun you; they'll shame you, lock you out of your booze and try to get you fired.

              • (Score: 2) by VLM on Monday December 11 2017, @11:59PM

                by VLM (445) Subscriber Badge on Monday December 11 2017, @11:59PM (#608544)

                The brain trust at work eventually decided the remotely locked condom dispenser was the most social idea because a "like" could be interpreted in so many socially interesting ways. Or a lack or "like". Many topics in a binary yes/no answer, is it a social decision on the basis of slut shaming, disease, pregnancy, jealousy...

                If you're not social enough, people won't just shun you; they'll shame you, lock you out of your booze and try to get you fired.

                I'll see your "Brave New World", which is admittedly a good bid, and raise you "The Scarlet Letter". Now you have to squint and read it kinda sideways and upside down, but you can kinda see both Scarlet Letter and Brave New World as both being Puritan holier than thou pricks screwing everything up the path to hell being paved with good intentions by Puritan assholes anyway. This would make a hell of a school essay. I almost never drink and I had a big glass of hard cider so I will see how this reads when I sober up tomorrow. I think this is brilliant analogy, but it could be mere alcohol vapor. BNW and Scarlet Letter are basically the same setting, hmm...

  • (Score: 2) by edIII on Monday December 11 2017, @09:44PM

    by edIII (791) on Monday December 11 2017, @09:44PM (#608454)

    Reminds of garage door consoles you can install. I've seen keyed ones, and keypads. All of them though connect the same exact way to the garage door itself, and that's two wires that directly act like a wall mounted momentary switch next to the entry door to the house.

    The keyed one was really funny since all you had to do was pick it, or just grab it from the side with a screwdriver and pry it off. The keypad one was worse, the screws to undo it were unprotected under the cover. Once you had the two wires in your hand it was trivially easy to open the door.

    --
    Technically, lunchtime is at any moment. It's just a wave function.