Vaultek is a company that manufactures Bluetooth-connected safes for valuables and firearms — things that you really want to make sure are secured. When we came across one of their products on Indiegogo last year, we noted that crowdsourced Internet of Things devices have a troubling history of being insecure. Recently, security firm Two Six Labs picked up one of Vaultek’s connected safes, and demonstrated that it can easily be cracked open.
The security company tested out a Vaultek VT20i safe, which owners can lock with a PIN and pair with an Android App. The app uses a pairing code that is the same as the PIN, and allows an unlimited number of attempts to get in. The lab was able to write a program to use brute force to guess the password. Furthermore, the researchers found that the connection between the phone and the safe aren’t encrypted (contrary to the Vaultek’s claims), meaning that the information could be intercepted. They also discovered that the safe doesn’t verify a PIN code coming from the paired phone, which means that it can be unlocked with the right command, even if the PIN is incorrect.
The lab published its findings in a blog post after Vaultek issued issued a firmware update that capped the number of attempts for the PIN, and encrypted the transmissions between the app and safe.