
It's been known for many years now that any devices that use the Bluetooth LE protocol for authentication are a hack waiting to happen.
In spite of this, hardware vendors have continued to churn out Bluetooth LE devices because of the immense power consumption benefits they provide over using the original power-hungry Bluetooth protocol. After all, LE in Bluetooth LE stands for Low Energy.
Nonetheless, there are various security protections that manufacturers can include with their Bluetooth LE devices in order to prevent easy exploitation.
The latest vendor that learned this lesson is Vaultek, a company which sells one of the most popular gun safes on Amazon, the VT20i.
The company had to recently issue firmware updates for its product after security researchers from Two Six Labs found three huge security flaws in the design of their top-seller.
Attackers can guess the safe's PIN in unlimited tries
The Vaultek VT20i works by allowing users to set up an access PIN from the PIN pad. There is also an Android app that allows the safe owner to unlock the safe via the Bluetooth LE protocol.
Before unlocking the safe, an app must pair with the safe. The pairing code is the same as the safe's unlock code. According to researchers, the Android app allows for an unlimited number of pairing attempts.
This means that an attacker can brute-force the pairing process and determine a safe's PIN code. The attacker can then use this PIN code to unlock a VT20i safe via an app installed on his phone, or just type it on the safe's PIN pad if he has physical access.
App sends safe PIN code in cleartext via Bluetooth
But this is not all. According to Two Six Labs researchers, there's also a flaw in the mobile app's safe-unlock process. This process works by the mobile app sending a Bluetooth LE unlock message together with the PIN code. Researchers say the safe does not verify whether the PIN code is correct, and just unlocks if the message comes from a paired phone.
Last but not least, researchers say that despite the vendor claiming to support AES-128 encryption for the communications sent between the safe and the mobile app, there is no such exchange of encrypted data.
"The application transmits the safe’s PIN code in clear text after successfully pairing," researchers say. An attacker in the safe's vicinity can sniff Bluetooth traffic and extract the PIN. Combined with the two previous flaws, he can then pair with the safe (because the pairing and the safe PIN are the same), and then send unlock commands, even after the owner has changed the PIN (because the safe doesn't verify the PIN's validity).
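To make the three flaws concrete, here is a small Python model of the safe-side logic as the article describes it, beside a hardened version with the kind of controls the vendor's fix describes (attempt lockout, PIN verification on unlock, re-pairing after a PIN change). This is an added illustration, not code from the article, Two Six Labs or Vaultek; the class names, message shape and lockout values are assumptions.

```python
# Toy model of the unlock paths described above. Constructed example, not
# Vaultek firmware: class names, message shape and lockout values are assumed.
import time

class VulnerableSafe:
    """As reported: pairing code == unlock PIN, unlimited pairing attempts,
    and unlock messages trusted from any previously paired peer."""
    def __init__(self, pin):
        self.pin, self.paired = pin, set()

    def pair(self, peer, code):
        if code == self.pin:            # no attempt counter -> brute-forceable
            self.paired.add(peer)
        return peer in self.paired

    def unlock(self, peer, pin):
        # PIN in the message is never checked: a stale pairing keeps working after a PIN change
        return peer in self.paired

    def change_pin(self, new_pin):
        self.pin = new_pin              # existing pairings survive the change

class HardenedSafe:
    """Counter-measures: bounded pairing attempts with a timed lockout,
    PIN verified on every unlock, pairings revoked when the PIN changes."""
    MAX_ATTEMPTS, LOCKOUT_SECONDS = 5, 300

    def __init__(self, pin, clock=time.monotonic):
        self.pin, self.paired, self.clock = pin, set(), clock
        self.failures, self.locked_until = 0, 0.0

    def pair(self, peer, code):
        now = self.clock()
        if now < self.locked_until:     # still locked out: reject
            return False
        if code != self.pin:
            self.failures += 1
            if self.failures >= self.MAX_ATTEMPTS:
                self.locked_until = now + self.LOCKOUT_SECONDS
            return False
        self.failures = 0
        self.paired.add(peer)
        return True

    def unlock(self, peer, pin):
        return peer in self.paired and pin == self.pin

    def change_pin(self, new_pin):
        self.pin = new_pin
        self.paired.clear()             # force re-pairing with the new PIN
```

The injectable clock lets the lockout be exercised without waiting; in the vulnerable model a device paired once keeps unlocking after the PIN changes, in the hardened one it does not.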
Vendor issued updates over the summer
Vaultek issued updates to address these three vulnerabilities — which researchers have codenamed BlueSteal — over the summer, but Two Six Labs have delayed their public disclosure until yesterday to give safe owners more time to update their devices.
The safe maker said it "improved Bluetooth security with the option for disabling the Bluetooth unlock or the entire connection altogether," and added "a time out [sic] feature designed for brute force [sic] attacks and additional encryption for the communication between the app and safe."
The Two Six Labs research team released the following video as proof for the BlueSteal vulnerabilities (CVE-2017-17435 and CVE-2017-17436).
Comments
Occasional - 9 months ago
Surprised? Yes; and by the fact that the sun rose in the east today.
Haven't thought about it a lot; but why would a gun-safe owner want to open a gun-safe by a remote app? Why open it, unless you want to physically put something in, or take something out of the safe? To do that, you have to have physical access to the safe - the safe with the pin pad right next to your hand.
Warthog-Fan - 9 months ago
Why would they want a Bluetooth-enabled gun safe? Because it's COOL, of course...!!!
Occasional - 9 months ago
You're right WF. Know what else is cool: magic tricks! "Nothing up my sleeve (but a smart-phone); and presto, change-o your gun is gone!"
On the bright side, the person that would buy that cool safe probably shouldn't own a gun, anyway.
Warthog-Fan - 9 months ago
Yes. And also for the same reason that kids will sit at a table across from each other and text back and forth instead of just talk to each other.
Steve Holle - 9 months ago
It's like having a DVD player with a tray open button.