
BlueSteal hack

It’s been known for many years now that any devices that use the Bluetooth LE protocol for authentication are a hack waiting to happen.

In spite of this, hardware vendors have continued to churn out Bluetooth LE devices because of the immense power consumption benefits they provide over using the original power-hungry Bluetooth protocol. After all, LE in Bluetooth LE stands for Low Energy.

Nonetheless, there are various security protections that manufacturers can include with their Bluetooth LE devices in order to prevent easy exploitation.

The latest vendor who learned this lesson is Vaultek, a company which sells one of the most popular gun safes on Amazon, the VT20i.

The company recently had to issue firmware updates for its product after security researchers from Two Six Labs found three huge security flaws in the design of its top-seller.

Attackers can guess the safe’s PIN in unlimited tries

The Vaultek VT20i works by allowing users to set up an access PIN from the PIN pad. There is also an Android app that allows the safe owner to unlock the safe via the Bluetooth LE protocol.

Before unlocking the safe, an app must pair with the safe. The pairing code is the same as the safe’s unlock code. According to researchers, the Android app allows for an unlimited number of pairing attempts.

This means that an attacker can brute-force the pairing process and determine a safe’s PIN code. The attacker can then use this PIN code to unlock a VT20i safe via an app installed on his phone, or just type it on the safe’s PIN pad if he has physical access.

App sends safe PIN code in cleartext via Bluetooth

But this is not all. According to Two Six Labs researchers, there’s also a flaw in the mobile app safe unlock process. This process works by the mobile app sending a Bluetooth LE unlock message together with the PIN code. Researchers say the safe does not verify if the PIN code is correct, and just unlocks the safe if the message comes from a paired phone.

Last but not least, researchers say that despite the vendor claiming to support AES-128 encryption for the communications sent between the safe and the mobile app, there is no such exchange of encrypted data.

“The application transmits the safe’s PIN code in clear text after successfully pairing,” researchers say. An attacker in the safe’s vicinity can sniff Bluetooth traffic and extract the PIN. Combined with the two previous flaws, he can then pair with the safe (because the pairing and the safe PIN are the same), and then send unlock commands, even after the owner has changed the PIN (because the safe doesn’t verify the PIN’s validity).

Vendor issued updates over the summer

Vaultek issued updates to address these three vulnerabilities — which researchers have codenamed BlueSteal — over the summer, but Two Six Labs have delayed their public disclosure until yesterday to give safe owners more time to update their devices.

The safe maker said it “improved Bluetooth security with the option for disabling the Bluetooth unlock or the entire connection altogether,” and added “a time out [sic] feature designed for brute force [sic] attacks and additional encryption for the communication between the app and safe.”
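The two safe-side controls at issue here, checking the PIN on every unlock message and throttling repeated failures, sketched in C as an added example; it is not Vaultek's firmware or Two Six Labs' code. The names (`safe_state`, `set_pin`, `handle_unlock`), the 8-digit PIN length and the lockout timings are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define PIN_LEN     8     /* assumed PIN length, not taken from the VT20i */
#define FREE_TRIES  3     /* consecutive failures allowed before a lockout */
#define BASE_LOCK_S 30u   /* first lockout in seconds, doubles per further failure */
#define MAX_LOCK_S  3600u /* lockout ceiling in seconds */

typedef struct {
    uint8_t  pin[PIN_LEN];  /* current PIN as set by the owner */
    uint32_t failures;      /* consecutive failures; keep in non-volatile storage */
    uint32_t locked_until;  /* monotonic seconds; attempts before this are refused */
} safe_state;

typedef enum { UNLOCK_OK, UNLOCK_BAD_PIN, UNLOCK_LOCKED_OUT } unlock_result;

/* Constant-time compare so response timing does not reveal matching digits. */
static int pin_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Owner changes the PIN: any previously known PIN stops working at once. */
void set_pin(safe_state *s, const uint8_t *pin) {
    memcpy(s->pin, pin, PIN_LEN);
    s->failures = 0;
    s->locked_until = 0;
}

/* Runs for every pairing attempt and every unlock message. Being a paired
 * phone is not sufficient: the PIN in the message must match the current one. */
unlock_result handle_unlock(safe_state *s, const uint8_t *pin, size_t len, uint32_t now) {
    if (now < s->locked_until) return UNLOCK_LOCKED_OUT;
    if (len == PIN_LEN && pin_equal(s->pin, pin, PIN_LEN)) {
        s->failures = 0;
        return UNLOCK_OK;
    }
    s->failures++;
    if (s->failures >= FREE_TRIES) {
        uint32_t shift = s->failures - FREE_TRIES;  /* 30 s, 60 s, 120 s, ... */
        uint32_t lock = (shift >= 7) ? MAX_LOCK_S : (BASE_LOCK_S << shift);
        s->locked_until = now + lock;
    }
    return UNLOCK_BAD_PIN;
}
```

The growing lockout is what makes guessing the PIN over the radio impractical; it does nothing for confidentiality, so the PIN still has to travel over an encrypted link.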

The Two Six Labs research team released a video as proof of the BlueSteal vulnerabilities (CVE-2017-17435 and CVE-2017-17436).
