Researchers use BlueSteal to remotely crack ‘smart’ handgun safe in seconds

Researchers hacked a Bluetooth-enabled gun safe, Vaultek VT20i, showing how the 'smart' safe can be remotely opened in mere seconds.


Folks wanting not merely a handgun safe, but one that is “smart,” might have selected the Vaultek VT20i — a Bluetooth safe with a biometric scanner that includes anti-theft protection guarantees, such as not being able to pry it open with a crowbar.

It turns out, though, the safe — one of the top sellers on Amazon and approved by the TSA for transporting firearms — can be cracked using a laptop. 

Security researchers from Two Six Labs revealed BlueSteal, describing how they chained multiple security exploits in Vaultek VT20i to remotely hack into the gun safe. The disclosure included “redacted” proof of concept code that can be used to unlock the safes.

As you can see in the accompanying video, it takes mere seconds to remotely open the Vaultek safe.

3 vulnerabilities in the Vaultek VT20i handgun safe

The vulnerabilities in the Vaultek VT20i were broken down into the “fun” one, the “really fun” one, and the “how does this even happen” vulnerability.

The “fun” flaw revolves around Vaultek’s Android app, which allows “for unlimited pairing attempts with the safe.” The PIN code, which would manually open the safe, is also the same as the pairing PIN code. The PIN can be four to eight digits long, but must only use the numbers 1 through 5. Therefore, the researchers resorted to a brute force attack.

Sadly, the app allowed for an unlimited number of pairing attempts. The researchers explained, “In the attacker’s best-case scenario of a 4-character PIN code, the search space is a reasonable 5⁴. This would require around 72 minutes at conservative 7 seconds per try.”

The “really fun” vulnerability revolved around the fact that there was no encryption between the app and the safe.

“The application transmits the safe’s PIN code in clear text after successfully pairing,” wrote the researchers. While the safe may be pimped out via marketing as supporting AES-256 encryption, Bluetooth LE supports only AES-128 encryption, which the manufacturer also didn’t use.

As for the “how-does-this-even-happen” flaw, the researchers warned that attackers could “remotely unlock any safe in this product line through specially formatted Bluetooth messages, even with no knowledge of the PIN code.” The safe’s app “requires the valid PIN to operate the safe, and there is a field to supply the PIN code in an authorization request,” but “the safe does not verify the PIN code, so an attacker can obtain authorization and unlock the safe using any arbitrary value as the PIN code.”
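The third flaw and its fix can be modeled in a few lines of C. This is an added example, not Vaultek's firmware or Two Six Labs' code: the struct, the function names and the five-attempt lockout are assumptions made for illustration, and the sample PIN is constructed.

```c
#include <stddef.h>
#include <string.h>

#define MAX_FAILS 5            /* assumed lockout threshold */

/* Hypothetical device state; not Vaultek's firmware layout. */
typedef struct {
    char     pin[9];           /* stored PIN, 4-8 digits, NUL-terminated */
    unsigned fails;            /* consecutive failed attempts */
    int      locked_out;       /* set once MAX_FAILS is reached */
} safe_t;

/* Flawed pattern described above: the request carries a PIN field,
 * but the device grants authorization without comparing it. */
int authorize_flawed(const safe_t *s, const char *pin, size_t len) {
    (void)s; (void)pin; (void)len;
    return 1;
}

/* Compare without an early exit so timing does not reveal how many
 * leading digits matched. */
static int ct_equal(const char *a, const char *b, size_t n) {
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Hardened form: the device itself verifies the PIN and counts
 * failures, so a client that skips the app's checks gains nothing. */
int authorize_checked(safe_t *s, const char *pin, size_t len) {
    if (s->locked_out)
        return 0;              /* assumed: cleared only by a physical reset */
    if (len >= 4 && len <= 8 && len == strlen(s->pin) &&
        ct_equal(pin, s->pin, len)) {
        s->fails = 0;
        return 1;
    }
    if (++s->fails >= MAX_FAILS)
        s->locked_out = 1;
    return 0;
}

int main(void) {
    safe_t s = { "13524", 0, 0 };      /* constructed sample PIN */
    /* Exit 0 when an arbitrary PIN is refused and the real one accepted. */
    return !(authorize_checked(&s, "00000", 5) == 0 &&
             authorize_checked(&s, "13524", 5) == 1);
}
```

The same failure counter also bounds the brute-force search from the first flaw, since the check lives on the device rather than in the app.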

These flaws, the researchers said, highlight the need to carry out security audits early on in the manufacturing process for “smart” devices.

At first, the researchers believed the best-case scenario for Vaultek VT20i safe owners would be to disable Bluetooth, but the manufacturer said firmware for the safes can be updated.

Vaultek’s response and free firmware update ‘upgrade’

Vaultek said it “understands the value and seriousness of security” in its safes, adding, “Through the team at Two Six Labs, we discovered several ways to protect our safes from future hacks, and promote a healthier future for all upcoming Vaultek Bluetooth products.”

Vaultek considered the risk of being hacked a “low risk” due to the knowledge required to carry out the attack, but the company’s security update notification said new firmware will be used in new production and will also be made “available to current customers interested in having the upgrade.”

The Bluetooth feature can always be disabled, but for safe owners wanting the new firmware patch, Vaultek said, “We are offering an upgrade service for your safe’s firmware at no charge and will cover the shipping costs. Please check back soon for specific instructions and how to register for the upgrade.”
