Smart Handgun Safe Not Smart Enough Not To Let Basically Anyone Break Into It

from the bang-bang dept

When we discuss the problems around “the internet of things” and app-controlled everything, we typically have to get into the weeds a bit about privacy, whether you own what you purchased, and the ethical implications of opening up an internet-connected service or product to potential hacking. On the security and hacking side of things, it should be clear by now that far too many companies don’t take this stuff seriously enough. Our pages are rife with IoT devices being hacked, including everything from Barbie dolls to sports cars. It’s enough to make you long for a company with a mission basic enough to develop a product so geared towards security that it couldn’t possibly get this app-controlled thing wrong.

Well, how about a handgun safe? Take the Vaultek VT20i handgun safe, for instance. This safe can be opened either by inputting the user’s PIN number, up to eight digits, either on the box itself or via a smartphone app. Now, you’re probably wondering why someone who needs their hand-cannon would need to open the safe up with an app. It’s a great question, but one we probably shouldn’t worry about considering that some security researches found that you can just open that damn thing with a laptop instead, no PIN number needed.

The remote unlock feature is supposed to work only when someone knows the four- to eight-digit personal identification number used to lock the device. But it turns out that this PIN safeguard can be bypassed using a standard computer and a small amount of programming know-how.

As the video demonstration below shows, researchers with security firm Two Six Labs were able to open a VT20i safe in a matter of seconds by using their MacBook Pro to send specially designed Bluetooth data while it was in range. The feat required no knowledge of the unlock PIN or any advanced scanning of the vulnerable safe. The hack works reliably even when the PIN is changed. All that’s required to make it work is that the safe have Bluetooth connectivity turned on.

Once this video and the code for the hack was released publicly, Vaultek snapped into action by releasing a statement claiming that this hack would take hours to pull off and would “require the ability to observe a correctly paired phone.” To Which Two Six Labs said: “Nuh-uh!”

“Once you have developed this capability or written a script to do it, you can affect any safe in this product line in a matter of seconds,” Austin Fletcher, Two Sixes Labs’ lead vulnerability research engineer, told Ars. “Anyone can do this.”

In a blog post disclosing the vulnerability, the researchers included most of the code required to exploit the vulnerability. A competent developer would need 20 to 60 minutes to supply the missing portion. With that, the developer could build a smartphone app that could silently break into any existing VT20i safe in seconds, as long as Bluetooth was turned on.

Now, Dustin Culbreth, VP of Product Development for Vaultek, has issued a second statement from Vaultek, promising a firmware update that will address this exploit. There are a couple of problems with that. First, despite all of the Bluetooth back-and-forth from this gun safe and Bluetooth devices, the safe isn’t actually connected to the internet. So, to patch this exploit, gun owners are going to be sent a USB device and install the patch themselves (perhaps through no more effort than plugging it in, but this is unclear) or will have to ship the safe back to Vaultek to be fixed. In a world where user error is the mantra of anyone involved in supporting technology, one shudders to think so much security over a weapon would be effective only at the pleasure of the average end-user’s dedication to patching their own gun safe.

And that brings me back to the question of why such an app-controlled gun safe is necessary to begin with. I know we have gun owners among our readers, so please chime in below with what I’m missing, but isn’t it enough to unlock the PIN from the box instead of your phone? And, if not, is the application controlled unlocking feature worth this kind of risk?

Filed Under: , , , ,
Companies: vaultek

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Smart Handgun Safe Not Smart Enough Not To Let Basically Anyone Break Into It”

Subscribe: RSS Leave a comment
Cdaragorn (profile) says:

It isn't

To put it bluntly, it isn’t.

There is absolutely no reason whatsoever to ever make a gun safe able to connect to any kind of device, anywhere for any reason. If you can’t get to the safe to open it, what possible reason could you have to open it?
If connections like this could be perfectly secured then I suppose some might like the “convenience”, but I can’t even see an argument behind that. Again, the only point of opening the safe is to GET the gun.
The fact that you can’t perfectly secure applications just kills this idea before it even gets started. It’s bad enough that many modern gun safes have put fingerprint readers on them for “convenience” despite those being one of the easiest security features to break on the planet. We don’t need and should never want more ways for someone else to be able to hack open access our firearms.

btr1701 (profile) says:

Re: It isn't

There is absolutely no reason whatsoever to ever make a
> gun safe able to connect to any kind of device, anywhere
> for any reason.

I agree. I don’t even like my own gun safe’s electronic lock. Every time I go to open it, the battery is dead and needs to be replaced, so in terms of quick access, I don’t recommend anything electronic. Good old fashioned lock and key or combination is the way to go.

Bergman (profile) says:

Re: Re: It isn't

Some gun safes are purely mechanical (I saw one that uses the length of your fingers as a biometric combination for example), others can be plugged in and only go to battery during a power failure.

I’d consider one that is primarily battery powered that can’t be constantly plugged in to be a deal killer of a design flaw.

Michael (profile) says:

Re: It isn't

If I am pinned down in one room and need to open my gun safe for my 7 year old in the next room, how else am I supposed to do so without a bluetooth app that allows me to do it remotely?

Setting that bit of kidding aside, sometimes features get added just for the sake of features and people figure out they are useful later. While I may think this feature is pretty useless, I also thought a touch-screen was pretty dumb when I already had a mouse and keyboard.

Technology does not always march in easily identifiable directions, so it is difficult to fault someone for making what appears to be a useless feature.

On the other hand, a feature that renders your safe useless is not exactly a good plan and their implementation was terrible here.

Anonymous Coward says:

Re: It isn't... but it could be

Let’s say you are startled awake by someone entering your bedroom in the middle of the night, when your gun safe is under the bed.

As you leap out of bed to confront the man entering your room, you tell your AI (Siri, Android, etc) Open my gun safe (which triggers your phone to send the PIN to unlock the safe). You can then shove the assailant across the room before reaching down to grab your gun out of your now unlocked gun safe.

Could this happen? Sure in a movie somewhere, in reality probably not, but it demonstrates a potential scenario where a bluetooth enabled gun safe (and some pre arranged app support) could be useful when those extra few seconds to punch in the code could mean the difference between stopping the assailant and becoming the victim.

John85851 (profile) says:

Re: Re: It isn't... but it could be

Like you said, this would be a cool scene in a movie, but I think the reality would go something like this:

Interior bedroom, midnight:
A man hears a prowler in the hallway outside his bedroom.
Man: (whispers) Siri, unlock the gun safe.
Siri: I’m sorry, I didn’t get that. Please speak louder.
Man: (normal voice) Siri, unlock the gun safe.
Siri: I think you said you want to unlock your gun safe. I found 5 locksmiths in the area who can help with that.
Man: No, unlock my Vaultek gun safe.
Siri: Now dialing “Walt’s Locksmith Service”.

David says:

A firmware update.

That sounds like the next attack vector. Does it involve cryptographically signed images verified by a mask programmed element in the safe?

What’s the actual amount of physical access and identification required to do the update?

The problem is that a safe manufacturer cannot just add features like firmware updates and apps. Those are significant new points of attack with significant security implications for which you need to have as much expertise on board than for your physical locks and materials.

If they did not manage to make the app secure, I have severe doubts that they have what it takes to make firmware updates secure.

orbitalinsertion (profile) says:

Re: A firmware update.

The other fun bit: Anyone can probably supply a firmware “update” via USB.

As far as official updates go, i think we know enough about those. They fix one thing (maybe) and introduce new regressions or vulnerabilities. Particularly in commercial code, released asap to make a buck, in in their scramble-to-patch-after-denial-doesn’t-work updates. Thank god a gun safe doesn’t need an entire OS. (Then again, neither do TVs and what, but you know.)

Anonymous Coward says:

Re: Re: Re:

It’s not hard to predict that once smart guns hit the market, there absolutely WILL be laws mandating their use (i.e., banning all non-smart guns) and it’s for that reason alone that there is a great deal of pressure, both real and implied, on US gun manufacturers to avoid developing any kind of smartgun.

If any smartgun ever does emerge, it will NOT be from any traditional gun manufacturer, all of which are vulnerable to a mass boycott of their existing products as a result.

Uriel-238 (profile) says:

Re: Re: Re: The problem with mandating smartguns is...

It just makes criminals from gun enthusiasts who often like to mix and match gun parts and engineer better guns. Gun modding is big in the US.

Smart guns are great for people who use guns for defense or their job (e.g. law enforcement). Sadly, guns are not great for defense or law enforcement.

Until we choose to militarize the resistance, guns are good for hunting game and shooting targets. None of these functions are well served by single-person smart guns.

Regarding this gun vault, I don’t get the need for either a bluetooth lock or an IoT lock. At a gun-store / shooting range, a gun vault with a secure lock would allow the owner or chief armorer to be the sole person who can open the locker, even if he’s on vacation in Maui.

Uriel-238 (profile) says:

Re: Re: Re:2 The problem with mandating smartguns is...

what I meant to say was…

At a gun-store / shooting range, a gun vault with a secure online-accessible lock would allow the owner or chief armorer to be the sole person who can open the locker…

So far it sounds like most such locks are still easily hackable. But that’s a good reason to have a secure one.

Uriel-238 (profile) says:

Re: Re: Re:4 Heh...nuclear security.

Yeah, it turns out for the longest time we set our bomber nukes to arm with something like 0000-0000. The thing that kept us from bombing anyone is that our Air-Force lieutenants didn’t want to be the guy who nuked somebody.

The submarine thriller Crimson Tide (1995, Denzel Washington, Gene Hackman) pointed at some of the problems of localized security. Granted, it’s a rare problem, and one that has never lead to major disaster.

After the Germanwings Co-Pilot suicide event, an article got bounced here about post 9/11 security which allowed for the co-pilot to take control of the plane without intervention, but given the tech we have, the system we had was the one with the lowest chance of exploitation…and we got unlucky.

So yeah, a reinforced locker with a tough lock to pick and only a few keys is plenty secure to stop most problems. Sometimes we want to look at how we can stop a few more, for situations where we’re stowing things that folks might be really determined to obtain.

Roger Strong (profile) says:

Re: Re: Re:

That claim doesn’t line up with reality very well.

It’s based on the 2002 New Jersey Childproof Handgun Bill, requiring that all guns sold in New Jersey have a mechanism to prevent unauthorized users from firing it, taking effect three years after such a smart gun is approved by the state. All efforts to introduce a smart gun anywhere in the US are met with protests, the NRA arguing that allowing them anywhere would trigger the law.

Except that the NRA’s opposition to smart guns predates that law by several years. The NRA and its membership boycotted Smith & Wesson in 1999 because the company was developing a smart gun.

And they’ve gone to war against smart gun sales in other states, even though the Attorney General of New Jersey determined that sales elsewhere wouldn’t trigger the New Jersey mandate.


Re: No kidding.

When you consider NRA opposition to smart handguns

It’s very rational given examples like this.

My view on this is “cops first”. Until they are using the technology and comfortable with it, it shouldn’t be forced on the rest of us. They shouldn’t get access to anything that’s denied to other civilians.

Between this and BLM, people (conveniently) forget about the problem of over-militarized cops.

Anyone with half a brain knows to be skeptical of attempts to “secure” 100 year old technology with something produced with modern IT practices.

Philosopherott (profile) says:


Gun safes are a big topic in the gun owner community. I know many people who are “I don’t want anything between me and my gun” folks. Others want something that conceals and/or secures so they have ready access and if people break in they don’t have an obvious target to attempt to circumvent. Others just want something like a storage cabinet to keep there kids and maybe a drunk guest away from there guns. Still yet others want a safe in the case of fire/flood/other disaster.

I would imagine people that lock there weapons away in a small safe like this would also buy it so it is out of site in a closet or something. My guess is you could, in the night, grab your phone and put in the code as you get up to your firearm. I am not a fan of this product or the idea of it, but I have had enough conversations about gun storage that I can imagine the “rational” for a product like this. The idea that because you are on your phone you are not “fooling around in the dark” with a combination (then you get the but you screw up your night vision folks chime in…)has a marketing appeal. There are plenty of debates about gun storage already that this is just one more thing on the pile.

That Anonymous Coward (profile) says:

Except the researchers (IIRC) found no way to update the firmware….

I do enjoy the companies trying to say these guys who made a video faked it all, we are totally secure & only super hackers could do this… (isn’t that what the first response to skimmers was? only super hackers could do it?)

As to why it has bluetooth… marketing buzz.
There are people who pay a premium for exhaust pipes that make the car run worse, but make them louder. Because louder is what the cool kids are doing.
Bluetooth is magical technology that will save us all from having to do anything but put our cell phones near things to use them.
Bluetooth did wonders for skimmers, cheaper than cell links & don’t have to reopen the pump to dump the memory. Only have to be kinda near the pumps, its such a time saver.

Bluetooth, internet connected are becoming the energy star sticker of today.
<insert the link to the gas powered alarm clock that got the certification (yes this was a real thing)>
Bluetooth is new to many people & Apple moving to all bluetooth means it has more mindshare now.
If you don’t have an app you’re out of touch with the market.

In our rush to stuff more features in, less attention is paid to possible downsides. They need to get it to market before the other guy, or just slap their name on the same rebranded Chinese product (see also the DVR botnet) & toss it out on the market.

It took what 2 or 3 weeks for the first let amazon drop packages off in your house hack. Nothing is hack proof, some things are harder than others… and the current level of security concern is still really low despite some massive PR damage. We need to demand better & stop just getting caught up in the glow of bells & whistles of the cyber.

Blaine (profile) says:

Wardriving for guns to steal

Here’s another scenario.

Simply adapt the setup in the "Screwdriving" article to detect these "safes".

Make a list of houses and wait till the owners are out, break in, pop open the crackerjack box for your prize.

Even if they are hidden, there are a lot of apps you could use to watch the Bluetooth signal strength and play hot/cold till you find it.

idearat (profile) says:

Re: Wardriving for guns to steal

My thought exactly. In addition to being a “open the locked gun safe” app, it becomes a “where’s the hidden gun safe” app.

BT devices are by their nature promiscuous to make them easy to use. Putting them on locks and other security devices invites unauthorized access and should be included with only extreme caution. That said, I still think if I had a wireless lock in my house I’d go for a bluetooth one with no cloud component at all rather than have my front door exposed to the world.

Anonymous Coward says:

How to train your users to be hacked

“So, to patch this exploit, gun owners are going to be sent a USB device and install the patch themselves”

1. Comb the Internet for mentions of this safe.
2. Engage the owners posing as a company rep.
3. Offer to send them the SuperSpecialSekritUpdate.
4. Send them a USB device with appropriate packaging, letterhead notes, logo, etc.
5. Brick their safes.

Chuck says:

Just a guess

My wild guess – and as I own no handguns (one shotgun), it is really a guess – is that it’s for the types who think that, in the event that someone breaks into their house, they will be able to defend themselves with a firearm of their own. A delusional belief, at best, but that’s neither here nor there.

My theory is that the idea is that typing in a PIN when you’re half-asleep, possibly in the dark, is more difficult than doing so on your backlit smartphone. Of course, why they couldn’t just backlight the keypad on the safe itself, instead, is beyond me.

That, or you don’t trust your wife/child/etc. to handle your gun, but you want to be able to unlock it remotely when they’re not home “just in case.” Though, since it’s bluetooth, “not home” would mean no farther away than your driveway.

Really, it’s a stupid optional feature that only a tiny handful of extremely paranoid people would want. What’s amazing is they actually believe that such a feature would mean the difference between defending themselves or not, yet they aren’t paranoid at all about the iOS or Android device they use to do it.

I mean, I use Android, but the difference is I’m not paranoid about EITHER. I know exactly what google is collecting about me, and I also know that, in the real world, if someone is already inside my damn house, unless they’re going to wait 20 minutes while I drink my first 2 cups of coffee, having access to a gun is only going to get me killed faster.

But people buy a Glock or an AR-15 and suddenly they think they’re a Navy SEAL. *sigh*

Anonymous Coward says:

Re: Just a guess

“in the real world, if someone is already inside my damn house … having access to a gun is only going to get me killed faster.”

The unfortunate flip side is that merely living in a country where people commonly have guns is going to get you killed faster — especially by cops.

Another question is if you would actually have the nerve to fire your gun at a bunch of armed bandits who bust into your house in the middle of the night screaming “police” and “search warrant” etc. I’m going to guess that the vast majority of gun owners would not. If that’s the case, then it severely diminshes the rationale of keeping a gun for home self-defence.

MyNameHere (profile) says:

Neat Story

I enjoy the story, but I sort of laughed when it got to this:

” All that’s required to make it work is that the safe have Bluetooth connectivity turned on.”

There are a finite number of combinations for the safe. However, the testers (trying to prove their point) choose 5 digit codes rather than 8. If the 5 digit code took 10 seconds to hack, the 6 digit would take 50 seconds (5 times as many numbers), the 7 digit would take 250 seconds, and the 8 digit would take 1250 seconds (or about 21 minutes). Essentially, they choose the sweet spot that would look like they didn’t make it too easy, but not too hard either.

If I understand correctly, if you do not use the Bluetooth option (never set a code) then the unit cannot be opened via this method. So part of the question would be how many people use an app rather than just the biometric stuff on the unit itself.

It’s a product fail for sure, however. There is no real and valid reason to have bluetooth connectivity to start with. Clearly, their code doesn’t have an apple style “5 tries and locked out for 5 minutes” type thing in it, so basically they are just jamming codes at it as a fast as possible until it pops.

MyNameHere (profile) says:

For reference, here’s the breakdown:

1 digit: 5 codes
2 digits 25 codes
3 digits 125 codes
4 digits 625 codes
5 digits 3125 codes
6 digits 15,625 codes
7 digits 78,125 codes
8 digits 390,625 codes

So basically, by hacking it at 5 digits, it was less than 1% of the possible codes. It’s a nice proof of concept, but 21 minutes would be much different from 10 seconds.

That Anonymous Coward (profile) says:

Re: Re:

“The feat required no knowledge of the unlock PIN or any advanced scanning of the vulnerable safe. The hack works reliably even when the PIN is changed.”

It waits to hear a magic word via bluetooth and opens.
They figured out the magic word.
Doesn’t matter what the pin is, once you know the magic word…

This is the same sort of laziness that lead someone to make a skimmer scanner app, the criminals never renamed the bluetooth chip they use, so the app scans for the name thats used by 90% of them & warns you if it find its.

TRX (profile) says:

> I know we have gun owners among our readers, so please chime in below with what I’m missing, but isn’t it enough to unlock the PIN from the box instead of your phone?

It’s a classic answer to a question nobody asked.

I expect the manufacturer will be making Bluetooth+app toilet paper dispensers, shower mixer valves, and lawnmower start interlocks next.

Robert says:

I realize this is a late reply, but I just bought this safe and have a few comments to some of the comments.
I’m not worried about Ethan Hunt and his team coming to my house to gain access to my hand gun. I bought this to prevent my grand nieces and nephews (ages 2-6 and not programmers) from accidentally gaining access to my weapon. Like someone else mentioned, it’s not likely your common criminal will come prepared with a laptop and a program to get into my particular gun safe.
I bought it so I could have fast access to my gun should it ever be needed and with an 8 digit code I know I’ll have to be awake enough to not make a terrible mistake but can still get to my gun in under 2 seconds if I need to. I see the “APP” as nothing more than a way in if I should forget my code. I can enter my code way faster than going through my phone.
For those talking about bricking the thing so the owner can’t get back in, nice try. There is of course a key if all else fails (my keys are in my safety deposit box so the apps a nice touch if I forget my code. I can also see if anyone has tampered with my safe).
As far as battery life, I read a lot of reviews before settling on this safe and most people were reporting 4-6 months without a charge with access a couple times a day (I guess they are cc people). More than adequate and easy to check the charge status by pushing a couple keys or in the app (mine is still at 100% after a week and frequent entries.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »