Vaultek Gun Safes Vulnerable to Remote Hacking

By Sydney ColeHardware Hacking

Vaultek Gun Safes Can Be Remotely Hacked and Opened

Security experts from Two Six Labs have released a detailed technical report revealing that they discovered several vulnerabilities in Vaultek gun safes last summer. The researchers assigned the codename BlueSteal to these issues.

It turns out that Vaultek safes, which previously raised over $70,000 on Indiegogo, can be hacked using a simple brute-force attack. The manufacturer’s claims about the security and reliable encryption of their products are far from accurate.

Vulnerabilities in the Vaultek VT20i Safe

The vulnerabilities were found in one of Vaultek’s most popular models, the VT20i safe. This safe can be opened not only by entering a PIN code on its built-in keypad but also via a special Android app that connects to the device using Bluetooth LE.

Before using the app, it must be “paired” with the safe. The code used to establish this connection is the same as the code that opens the safe, and there is no limit to the number of attempts to enter the combination. This means an attacker can brute-force the pairing process and discover the safe’s PIN code simply by trying all possible combinations.

Poor Bluetooth Security

Even worse, Two Six Labs analysts found that the Bluetooth LE app sends an unlock command to the safe along with the PIN code, and this data exchange is poorly protected. First, the safe does not actually verify the correctness of the PIN code received from the app. Essentially, it’s enough to send an unlock command from a paired smartphone, and the PIN code itself is irrelevant. Second, although the manufacturer claims that all communications between the safe and the app are protected using AES-128 encryption, this is not true. The researchers found that the PIN code is transmitted in plain text and is not protected at all. In essence, an attacker can simply intercept the Bluetooth traffic and extract the safe’s PIN code from it.

Patches and Responsible Disclosure

The researchers intentionally did not disclose these vulnerabilities earlier, as Vaultek released patches for the discovered issues last summer. The experts wanted to give users more time to install the updates.

The video below demonstrates the exploitation of the BlueSteal vulnerabilities (CVE-2017-17435 and CVE-2017-17436) in real life.

Leave a Reply