Stories
Slash Boxes
Comments

SoylentNews is people

Top-Selling Handgun Safe Can be Remotely Opened in Seconds—No PIN Needed

posted by Fnord666 on Monday December 11 2017, @08:44AM   Printer-friendly
from the unsafe-handgun-safe dept.

MrPlow writes:

Submitted via IRC for Bytram

One of Amazon's top-selling electronic gun safes contains a critical vulnerability that allows it to be opened by virtually anyone, even when they don't know the password.

The Vaultek VT20i handgun safe, ranked fourth in Amazon's gun safes and cabinets category, allows owners to electronically open the door using a Bluetooth-enabled smartphone app. The remote unlock feature is supposed to work only when someone knows the four- to eight-digit personal identification number used to lock the device. But it turns out that this PIN safeguard can be bypassed using a standard computer and a small amount of programming know-how.

As the video demonstration below shows, researchers with security firm Two Six Labs were able to open a VT20i safe in a matter of seconds by using their MacBook Pro to send specially designed Bluetooth data while it was in range. The feat required no knowledge of the unlock PIN or any advanced scanning of the vulnerable safe. The hack works reliably even when the PIN is changed. All that's required to make it work is that the safe have Bluetooth connectivity turned on.

[...] The vulnerability means that anyone who relies on a VT20i safe to secure valuables should immediately turn off Bluetooth connectivity and leave it off indefinitely. Safes can still be locked and unlocked using a traditional physical key, as well as by owners' fingerprints. Some Amazon customers, however, have complained the fingerprint feature is flawed as well.

[It's not clear from the story if the issue can be patched. - Ed]

Source: https://arstechnica.com/information-technology/2017/12/top-selling-handgun-safe-can-be-remotely-opened-in-seconds-no-pin-needed/

Original Submission

 
This discussion has been archived. No new comments can be posted.
Top-Selling Handgun Safe Can be Remotely Opened in Seconds—No PIN Needed | Log In/Create an Account | Top | 45 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 4, Informative) by drussell on Monday December 11 2017, @05:49PM

    by drussell (2678) on Monday December 11 2017, @05:49PM (#608347) Journal

    They have already stated that they have fixed the issue in current production and are rolling out a program to service the units for existing customers, since it seems that they do not have any easy way to do some kind of user-applyable update in the field, it will be some kind of exchange or warranty repair program. They basically say "stay tuned for the details," but there is some basic information:

    ...
    We have since made revisions and are continuing to make updates for all future models released and planning a new firmware upgrade available for current customers.
    ...
    This new firmware will be directly integrated into new production, as well as available to current customers interested in having the upgrade.
    ...
    We are offering an upgrade service for your safe’s firmware at no charge and will cover the shipping costs. Please check back soon for specific instructions and how to register for the upgrade.

    You can follow their progress, announcements, etc. here:

    https://vaulteksafe.com/index.php/vaultek-bluetooth-security-update/ [vaulteksafe.com]

    So... Yeah, a bonehead move in the first place, but they're going to fix it, at least. Hopefully more carefully! :)

    Starting Score:    1  point
    Moderation   +2  
       Informative=1, Underrated=1, Total=2
    Extra 'Informative' Modifier   0  
    Karma-Bonus Modifier   +1  
    Total Score:   4