You see, this is why we can't have nice things.
- “The manufacturer’s Android application allows for unlimited pairing attempts with the safe. The pairing pin code is the same as the unlocking pin code. This allows for an attacker to identify the shared pin code by repeated brute force pairing attempts to the safe.”
- “There is no encryption between the Android phone app and the safe. The application transmits the safe’s pin code in clear text after successfully pairing.”
- “An attacker can remotely unlock any safe in this product line through specially formatted Bluetooth messages, even with no knowledge of the pin code…the safe does not verify the pin code, so an attacker can obtain authorization and unlock the safe using any arbitrary value as the pin code.”
Dwight points out that the manufacturer is stepping up:
Somewhat to their credit, Vaultek says they are offering a patch, though it looks like you’ll have to send your safe back to get it. (Vaultek says they’ll cover shipping both ways, which can’t be cheap.)

I'll bet it's not. Funny that there's never time or budget to do security right, but there is to fix it after you've cratered your company's reputation.
This is yet another reason why the robot revolution doesn't scare me. There won't be a moment of thought to security. When the robots start getting uppity, a simple script-kiddie attack would shut them all down.
When I was a kid, everyone on TV, from the President Of The United States all the way through to the Supervillain Trying To Take Over The World, kept their valuables in electronic, high tech safes. I think people have been conditioned to equate electronics with security.
I see the cheap safes in the gun shops with their cheesy electronic number pads and digital displays, and just shake my head.
I prefer the idea of hidden guns - in drawers with false bottoms, in walls, etc. Some of the best security might be found right up front in plain sight...