Submitted via IRC for Bytram
One of Amazon's top-selling electronic gun safes contains a critical vulnerability that allows it to be opened by virtually anyone, even when they don't know the password.
The Vaultek VT20i handgun safe, ranked fourth in Amazon's gun safes and cabinets category, allows owners to electronically open the door using a Bluetooth-enabled smartphone app. The remote unlock feature is supposed to work only when someone knows the four- to eight-digit personal identification number used to lock the device. But it turns out that this PIN safeguard can be bypassed using a standard computer and a small amount of programming know-how.
As the video demonstration below shows, researchers with security firm Two Six Labs were able to open a VT20i safe in a matter of seconds by using their MacBook Pro to send specially designed Bluetooth data while it was in range. The feat required no knowledge of the unlock PIN or any advanced scanning of the vulnerable safe. The hack works reliably even when the PIN is changed. All that's required to make it work is that the safe have Bluetooth connectivity turned on.
[...] The vulnerability means that anyone who relies on a VT20i safe to secure valuables should immediately turn off Bluetooth connectivity and leave it off indefinitely. Safes can still be locked and unlocked using a traditional physical key, as well as by owners' fingerprints. Some Amazon customers, however, have complained the fingerprint feature is flawed as well.
[It's not clear from the story if the issue can be patched. - Ed]
(Score: 3, Insightful) by theluggage on Monday December 11 2017, @12:05PM (2 children)
Presumably, though, the only real requirement is to ensure that anybody taking the guns and using them for nefarious purposes has to break/pick the lock - thus legally covering the ass of the owner.
...in which case having an electronic lock that can be hacked without leaving physical evidence is doubly stupid c.f. the cheapest, most useless padlock.
(Score: 4, Insightful) by EvilSS on Monday December 11 2017, @12:12PM
(Score: 2) by etherscythe on Monday December 11 2017, @03:29PM
This illustrates one reason that legal standards need to better track reality; the mere appearance of safety causes an appalling risk for those who get the impression that their safety measures are actually good enough. I realize some things take time, but what's going to happen when cryptocurrency or VR spaces totally disrupt regular life (in the "new normal" after the revolution hits)? There will be severe legal loopholes that are really going to stir chaos until the law catches up in 5 years or however long it takes to push through Congress. And as tech evolution accelerates, it's only going to get worse.
"Fake News: anything reported outside of my own personally chosen echo chamber"