It’s been known for many years now that any devices that use the Bluetooth LE protocol for authentication are a hack waiting to happen.
In spite of this, hardware vendors have continued to churn out Bluetooth LE devices because of the immense power savings it offers over the original, power-hungry Bluetooth protocol. After all, the LE in Bluetooth LE stands for Low Energy.
Nonetheless, there are various security protections that manufacturers can include with their Bluetooth LE devices in order to prevent easy exploitation.
The latest vendor who learned this lesson is Vaultek, a company which sells one of the most popular gun safes on Amazon, the VT20i.
The company had to recently issue firmware updates for its product after security researchers from Two Six Labs found three huge security flaws in the design of their top-seller.
Attackers can guess the safe’s PIN in unlimited tries
The Vaultek VT20i works by allowing users to set up an access PIN from the PIN pad. There is also an Android app that allows the safe owner to unlock the safe via the Bluetooth LE protocol.
Before unlocking the safe, an app must pair with the safe. The pairing code is the same as the safe’s unlock code. According to researchers, the Android app allows for an unlimited number of pairing attempts.
This means that an attacker can brute-force the pairing process and determine a safe’s PIN code. The attacker can then use this PIN code to unlock a VT20i safe via an app installed on their phone, or simply type it on the safe’s PIN pad if they have physical access.
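The fix for this class of flaw is to stop treating the PIN check as free: cap consecutive failures and back off hard once the cap is hit. The following is an added illustration, not Vaultek’s firmware or the Two Six Labs research code. The PIN length, the attempt limit and the 30-second base lockout are assumed values chosen for the example; the article does not state the VT20i’s PIN format or how the vendor’s update works.

```python
"""Attempt-limited PIN verification: a mitigation for the unlimited-pairing
flaw described in the article. Hypothetical example code, not the vendor's."""
import hmac
import time


class PinVerifier:
    """Checks a PIN and locks out after too many consecutive failures.

    The lockout doubles each time the limit is exceeded again, so an online
    brute force slows to a crawl instead of running at Bluetooth LE speed.
    """

    def __init__(self, pin, max_attempts=5, base_lockout=30.0, clock=time.monotonic):
        self._pin = pin.encode()
        self.max_attempts = max_attempts      # free guesses before the first lockout
        self.base_lockout = base_lockout      # seconds; doubles on each further failure
        self.clock = clock                    # injectable so tests can fake time
        self.failures = 0
        self.locked_until = 0.0

    def seconds_locked(self):
        """Remaining lockout time, 0.0 when guesses are currently accepted."""
        return max(0.0, self.locked_until - self.clock())

    def verify(self, attempt):
        """Return (accepted, reason); reason is 'ok', 'wrong' or 'locked'."""
        now = self.clock()
        if now < self.locked_until:
            # Refuse to even compare while locked: a correct guess must not
            # slip through and reset the failure counter.
            return False, "locked"
        # Constant-time comparison: a per-digit timing difference would let
        # an attacker confirm the PIN one digit at a time.
        if hmac.compare_digest(self._pin, attempt.encode()):
            self.failures = 0
            return True, "ok"
        self.failures += 1
        if self.failures >= self.max_attempts:
            strikes = self.failures - self.max_attempts
            self.locked_until = now + self.base_lockout * (2 ** strikes)
            return False, "locked"
        return False, "wrong"


def worst_case_exhaust_seconds(pin_digits, max_attempts, lockout_seconds):
    """Time needed to try every PIN when a fixed (non-doubling) lockout allows
    max_attempts guesses per window. Shows the scale of the difference between
    'unlimited' and 'a handful per half minute'."""
    space = 10 ** pin_digits
    windows = -(-space // max_attempts)        # ceiling division
    return (windows - 1) * lockout_seconds     # no wait after the final window


if __name__ == "__main__":
    fake_now = [0.0]                           # constructed clock for the demo
    v = PinVerifier("4821", max_attempts=3, base_lockout=30.0, clock=lambda: fake_now[0])
    for guess in ("0000", "0001", "0002", "4821"):
        print(guess, v.verify(guess))          # the correct PIN is refused while locked
    fake_now[0] = 31.0
    print("after lockout:", v.verify("4821"))
    hours = worst_case_exhaust_seconds(4, 5, 30) / 3600
    print(f"4-digit PIN, 5 tries per 30 s lockout: {hours:.1f} h worst case")
```

Two details matter more than the exact numbers: the verifier refuses to compare at all while locked, so a lucky guess cannot reset the counter, and the comparison is constant-time. A fixed 30-second window already turns an instant brute force of a 4-digit PIN into a worst case of roughly 17 hours; the doubling policy makes exhaustive guessing impractical outright.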
App sends safe PIN code in cleartext via Bluetooth