Wireless Security Flaws Crack Connected Vault Wide Open
Security researchers have found several problems in a popular connected safe box that make it possible to open it without knowing the unlock code. The security flaws exist in the mobile app that accompanies the safe and in the implementation of the Bluetooth technology that pair the vault with a phone or tablet.
Vaultek’s VT20i is a Bluetooth-enabled safe approved by regulators for secure transportation of firearms. The vault can be unlocked with a fingerprint or a regular key, or by typing in a code on a physical keypad or in a companion Android app that connects via the Bluetooth LE (Low Energy) protocol.
To control the safe box from a smartphone or tablet, the vault needs to pair with the mobile device using the mobile app. According to researchers from Two Six Labs, the app lacks protection against brute-force attacks, so it accepts codes until the correct one is entered. The experts say that the pairing PIN is the same as the password that unlocks the VT20i box. An attacker would need about 72 minutes to go through all the possibilities, explain the researchers.
Although this is a serious flaw that is easy to exploit, the problems go deeper than this, as the data passes between the mobile device and the vault in clear text. Under these circumstances, a more skilled attacker who captures the communication between the two endpoints would find the unlock code. Bluetooth is a short-range wireless technology, but there are solutions to extend the distance.
Another approach, which implies reverse engineering the mobile app and wading through code, also paid off and led to opening the safe box without knowing the passcode. After analyzing how the app sends the commands, the researchers learned that “the safe does not check the pin code transmitted in the getAuthor packet, and will reply with a proper authorization token no matter what is in the field.”
Two Six Labs have created and published a proof of concept, holding the essential parts, to demonstrate their findings. They also alerted the manufacturer in early October to the vulnerabilities in VT20i, allowing them to come up with a fix before the problem could become public.
Vaultek considers the three attack methods “low risk,” due to the knowledge needed to pull off the attacks and the fact that the attacker has to be near the safe. Nevertheless, they have taken action to eliminate the prospect of unauthorized opening of the vault with a free firmware update that adds a time-out feature to stop brute-force attacks and fixes the passcode verification issue.
Adding encrypted Bluetooth communication is not easily fixable and requires more time. Turning off Bluetooth connectivity eliminates the possibility of a Bluetooth attack.
Img credit: VaultekBluetooth brute-force attack connected safe encryption safe box vault Vaultek VT20i