You see, this is why we can't have nice things.
- “The manufacturer’s Android application allows for unlimited pairing attempts with the safe. The pairing pin code is the same as the unlocking pin code. This allows for an attacker to identify the shared pincode by repeated brute force pairing attempts to the safe.”
- “There is no encryption between the Android phone app and the safe. The application transmits the safe’s pin code in clear text after successfully pairing.”
- “An attacker can remotely unlock any safe in this product line through specially formatted Bluetooth messages, even with no knowledge of the pin code…the safe does not verify the pin code, so an attacker can obtain authorization and unlock the safe using any arbitrary value as the pin code.”
Dwight points out that the manufacturer is stepping up:
Somewhat to their credit, Vaultek says they are offering a patch, though it looks like you’ll have to send your safe back to get it. (Vaultek says they’ll cover shipping both ways, which can’t be cheap.)I'll bet it's not. Funny that there's never time or budget to do security right, but there is to fix it after you've cratered your company's reputation.