VAULTEK™ BLUETOOTH SECURITY UPDATE

12.09.2017

OVERVIEW

On this page we will review Two Six Labs’ security research released December 6, 2017 and explain the vulnerabilities discovered and how they affect your safe.

The vulnerabilities Two Six Labs’ discovered include CVE-2017-17435 and CVE-2017-17436.

WHAT THIS MEANS

The vulnerabilities discovered, with some time, will allow an unauthorized user access to the safe. Two Six Labs identified key components for improvement and provided solutions for Vaultek™ to review and implement into their designs. We have since made revisions and are continuing to make updates for all future models released and planing a new firmware upgrade available for current customers.

HOW CAN IT HAPPEN

The vulnerabilities uncovered by Two Six Labs, a professional security firm, demonstrate how a hacker can gain unauthorized access to your safe by using a couple different methods.  One method uses special equipment to “scan” communications with a synced smartphone and reinterpret the data, but requires a synced phone be actively communicating with the safe. The other method is an attack referred to as Brute Force, in which a coded program repeatedly tries to guess the safe’s access code. Either of these methods are not easily captured and require several factors to execute including time, the right equipment, and close proximity to the safe.

LOW RISK FACTOR

Due to the knowledge required to perform an attack, and be in close proximity to the safe the vulnerabilities are considered low risk.

The Bluetooth feature in Vaultek™ safes is convenient for setting several safe settings and viewing the battery levels, and safes are equipped with the feature to toggle off the Bluetooth connection altogether if customers are concerned with the risk.

VAULTEK™ RESOLUTION

Vaultek™ is taking immediate action with updated firmware that implements new time out features to exhaust Brute Force entry as well communication improvements to resolve vulnerability CVE-2017-17435, and with additional development time, CVE-2017-17436. This new firmware will be directly integrated into new production, as well as available to current customers interested in having the upgrade.

AS OF JAN 2018 , ALL PRODUCTION MODELS FEATURE UPGRADED FIRMWARE.