Submitted via IRC for Bytram
One of Amazon's top-selling electronic gun safes contains a critical vulnerability that allows it to be opened by virtually anyone, even when they don't know the password.
The Vaultek VT20i handgun safe, ranked fourth in Amazon's gun safes and cabinets category, allows owners to electronically open the door using a Bluetooth-enabled smartphone app. The remote unlock feature is supposed to work only when someone knows the four- to eight-digit personal identification number used to lock the device. But it turns out that this PIN safeguard can be bypassed using a standard computer and a small amount of programming know-how.
As the video demonstration below shows, researchers with security firm Two Six Labs were able to open a VT20i safe in a matter of seconds by using their MacBook Pro to send specially designed Bluetooth data while it was in range. The feat required no knowledge of the unlock PIN or any advanced scanning of the vulnerable safe. The hack works reliably even when the PIN is changed. All that's required to make it work is that the safe have Bluetooth connectivity turned on.
[...] The vulnerability means that anyone who relies on a VT20i safe to secure valuables should immediately turn off Bluetooth connectivity and leave it off indefinitely. Safes can still be locked and unlocked using a traditional physical key, as well as by owners' fingerprints. Some Amazon customers, however, have complained the fingerprint feature is flawed as well.
[It's not clear from the story if the issue can be patched. - Ed]
(Score: 2) by TheRaven on Tuesday December 12 2017, @10:35AM (1 child)
The same is true for physical locks. I don't have any experience with gun safes, but I've seen cash lock boxes that can be opened by dropping them and ones that can be opened with a flat-edged screwdriver instead of the key. A well-designed electronic safe has two wires going through the case into the locking mechanism and (unlike a mechanical lock) has no physical access from the outside to any part of the locking mechanism. The two wires run a serial protocol that is rate limited to one try every few seconds and sends simple bidirectional messages. The hardware inside sends a random number, the electronics on the outside encrypt this with an asymmetric key held by the unlocking token and send it back. The interior electronics then decrypt it with the other key from the keypair and trigger an unlock if they match. This requires a hardware random number generator, a clock (for the delay) and either a few dozen lines of code and a hardware RSA implementation, or a few hundred lines of code without. The sensitive electronics are inside the safe and so difficult to tamper with.
Outside the safe, you can have a full general-purpose OS with all of the vulnerabilities that this implies: It can't open the safe unless it can sign something with the correct key, and that key is held in a smartcard, which will just do signing and not allow the key to be exfiltrated.
Such a design, if implemented correctly, is more secure than any mechanical lock design.
sudo mod me up
(Score: 2) by meustrus on Tuesday December 12 2017, @03:45PM
It's too bad there's no way to prove an electronic lock on the market is built according to your design. Marketing doesn't need proof because customers will buy shit based on misplaced trust in the manufacturer, retailer, and government regulations keeping them safe.
If there isn't at least one reference or primary source, it's not +1 Informative. Maybe the underused +1 Interesting?