Now-patched vulnerabilities allowed widely popular gun safe to be easily exploited
In a blog post published Wednesday, researchers with Two Six Labs announced “BlueSteal” – a set of attacks that bypassed the Vaultek VT20i gun safe’s security features.
The Bluetooth-enabled safe, said to be one of the most popular on Amazon, is designed to only allow access to users with the correct pin code or paired cellphone utilizing the company’s app.
The first exploit, detailed in a video published by Two Six Labs, shows how a simple computer script was able to unlock the safe without the attacker knowing the pin code.
The researchers first discovered that unlimited attempts could be made to pair an Android phone to the safe without being rate-limited for giving incorrect pairing codes. Upon finding the code, Two Six Labs was not only able to open the safe from within the app as intended but also found that the same code was used to unlock the safe by hand as well.
To see whether, once paired, a brute-force attack could be made against the safe, the team then crafted a Python script that quickly popped the safe open.
“This vulnerability could have been prevented or mitigated if the application or safe had timeouts for incorrect retries, or enforced some maximum retry limit,” the researchers note.
The second vulnerability exploited the Android app’s failure to use encryption when communicating with the safe. Despite the company claiming to use strong encryption, the team says it was able to simply sniff the pin code out of the air.
“There is no encryption between the Android phone app and the safe,” the researchers added. “The application transmits the safe’s pin code in clear text after successfully pairing.”
Two Six Labs says the company even advertised the use of AES256 bit encryption, despite it being unsupported in the specific type of Bluetooth implemented.
“AES256 bit encryption is not supported in the Bluetooth LE standard and we have not seen evidence of its usage in higher layers. AES-128 is supported in Bluetooth LE, but the manufacturer is not using that either,” the researchers say. “This lack of encryption allows an individual to learn the passcode by eavesdropping on the communications between the application and the safe.”
The final vulnerability involved using specifically formatted Bluetooth messages to unlock the safe, also without knowing the pin code. The team found that the safe fails to verify whether the pin code it has been provided is legitimate so long as it came from the Android application.
“The phone application requires the valid pin to operate the safe, and there is a field to supply the pin code in an authorization request,” the blog post notes. “However the safe does not verify the pin code, so an attacker can obtain authorization and unlock the safe using any arbitrary value as the pin code.”
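As an added defensive illustration (not code from Two Six Labs or Vaultek), the following Python models a safe-side authorization handler that closes the two logic gaps described above: the PIN in the request is actually verified, and incorrect retries are throttled and capped as the researchers recommend. The class names, the sample PIN and the delay values are constructed assumptions; the real firmware is not public.

```python
import hmac

class FakeClock:
    """Controllable clock so the lockout logic can be exercised without sleeping."""
    def __init__(self):
        self.t = 0.0
    def __call__(self) -> float:
        return self.t
    def advance(self, seconds: float) -> None:
        self.t += seconds

class SafeAuthorizer:
    """Hypothetical safe-side handler for an 'authorization request' with the
    two checks the researchers describe as missing: the PIN is actually
    verified, and failures are throttled and capped."""
    MAX_RETRIES = 5        # hard cap; owner intervention needed afterwards
    BASE_DELAY_S = 2.0     # lockout doubles per failure: 2s, 4s, 8s, ...

    def __init__(self, pin: str, clock):
        self._pin = pin.encode()          # constructed sample PIN from caller
        self._clock = clock               # injected so tests need not sleep
        self._failures = 0
        self._locked_until = 0.0

    def authorize(self, supplied_pin: str) -> str:
        now = self._clock()
        if self._failures >= self.MAX_RETRIES:
            return "locked"
        if now < self._locked_until:
            return "throttled"            # ignored; does not restart the timer
        # Constant-time compare: an arbitrary value no longer unlocks the safe.
        if hmac.compare_digest(self._pin, supplied_pin.encode()):
            self._failures, self._locked_until = 0, 0.0
            return "unlocked"
        self._failures += 1
        self._locked_until = now + self.BASE_DELAY_S * 2 ** (self._failures - 1)
        return "denied"

def simulate_brute_force(authorizer, clock, candidates) -> dict:
    """Patient guesser that waits out each throttle; reports how far it got."""
    guesses = 0
    for guess in candidates:
        result = authorizer.authorize(guess)
        while result == "throttled":
            clock.advance(authorizer.BASE_DELAY_S)
            result = authorizer.authorize(guess)
        if result != "denied":
            return {"result": result, "guesses": guesses, "elapsed_s": clock.t}
        guesses += 1
    return {"result": "exhausted", "guesses": guesses, "elapsed_s": clock.t}
```

With these checks, a sequential guessing run against a four-digit PIN is refused after five wrong attempts instead of succeeding within the 10,000-value space.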
Although such exploits would require an attacker to be within close proximity of the gun safe, Two Six Labs concluded by stating that BlueSteal should serve as a “stark reminder” to companies developing smart products on the importance of security audits.
“In this case an audit before the product came to market would have revealed all of these vulnerabilities, which then could have been fixed in production,” the researchers add. “It is next to impossible for a manufacturer to fix these sorts of issues after sales begin. Thus, care needs to be taken to carefully engineer the security of the platform and its update mechanisms.”
Two Six Labs notes that it waited 60 days to release its findings after informing Vaultek of the issues in October, allowing the manufacturer time to patch the vulnerabilities and release an update to customers.
Vaultek says its update has “improved Bluetooth security with the option for disabling the Bluetooth unlock or the entire connection altogether” and that a “time out feature designed for brute force attacks and additional encryption for the communication between the app and safe” has been added.
H/T: Catalin Cimpanu
Got a tip? Contact Mikael securely: keybase.io/mikaelthalen