CVE-2017-17435 in Vaultek Gun Safe VT20i

Summary

by MITRE

An issue was discovered in the software on Vaultek Gun Safe VT20i products, aka BlueSteal. An attacker can remotely unlock any safe in this product line without a valid PIN code. Even though the phone application requires it and there is a field to supply the PIN code in an authorization request, the safe does not check the PIN code, so an attacker can obtain authorization using any value. Once an attacker sees the Bluetooth Low Energy (BLE) advertisement for the safe, they need only to write a BLE characteristic to enable notifications, and send a crafted getAuthor packet that returns a temporary key, and an unlock packet including that temporary key. The safe then opens after the unlock packet is processed, with no verification of PIN or other credentials.


Analysis

by VulDB Data Team • 12/12/2019

CVE-2017-17435, commonly referred to as BlueSteal, is a critical authentication bypass in Vaultek Gun Safe VT20i products, a line of smart safes that accept unlock commands over Bluetooth Low Energy (BLE) from a companion phone application. The root cause is that the safe's firmware never verifies the PIN it is sent. The phone application prompts the user for a PIN and places it in the authorization request, but the safe accepts any value in that field, so the credential exists only on the client side and is never enforced by the device that actually controls the lock.

Exploitation follows the device's normal BLE exchange. An attacker within radio range observes the safe's BLE advertisement and connects, writes the BLE characteristic that enables notifications so that the safe's responses are delivered back, and sends a crafted "getAuthor" packet carrying an arbitrary PIN value. The safe answers with a temporary key. The attacker then sends an "unlock" packet containing that temporary key, and the safe drives its mechanism and opens. At no point is the PIN or any other credential validated, so the temporary key functions as a bearer token that anyone who asks for it receives, and the authorization step adds no security at all.
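The two-message flow above, reduced to a simulation so the missing check is visible side by side with a version that performs it. This is an added example, not Vaultek firmware, the VT20i wire format or VulDB code: the opcodes, byte layout, key sizes, lockout threshold and the `write_characteristic` interface are assumptions made for the simulation, and the advertisement and notification-enable steps are elided because they carry no security decision.

```python
"""Simulation of the BlueSteal authorization flow (CVE-2017-17435).

Added example; not Vaultek firmware and not the real VT20i packet format.
Message names (getAuthor, unlock), the PIN field and the temporary-key
handling follow the CVE description; opcodes, byte layout, key sizes and
the lockout threshold are assumptions made for this simulation.
"""
import hmac
import secrets
import time

# Assumed opcodes for the simulated GATT write payloads (not the real wire format).
OP_GET_AUTHOR = 0x01
OP_UNLOCK = 0x02


class VulnerableSafe:
    """Mirrors the flaw: the PIN field is parsed but never compared, so any
    value in a getAuthor packet yields a temporary key that unlocks the safe."""

    def __init__(self, pin: bytes):
        self._pin = pin          # stored, but never consulted on the unlock path
        self._temp_key = None
        self.opened = False

    def write_characteristic(self, payload: bytes) -> bytes:
        op, body = payload[0], payload[1:]
        if op == OP_GET_AUTHOR:
            # Bug: 'body' (the supplied PIN) is ignored entirely.
            self._temp_key = secrets.token_bytes(4)
            return self._temp_key  # would be delivered to the client as a notification
        if op == OP_UNLOCK:
            if self._temp_key is not None and body == self._temp_key:
                self.opened = True
                return b"\x00"  # OK
        return b"\xff"  # error


class HardenedSafe:
    """Same two-message flow, but the PIN is compared in constant time, the
    temporary key is only issued after a successful comparison, is single-use
    and short-lived, and repeated bad PINs lock the BLE path out."""

    def __init__(self, pin: bytes, key_ttl_s: float = 10.0, max_failures: int = 5):
        self._pin = pin
        self._temp_key = None
        self._issued_at = 0.0
        self._ttl = key_ttl_s
        self._failures = 0
        self._max_failures = max_failures
        self.opened = False

    def write_characteristic(self, payload: bytes) -> bytes:
        op, body = payload[0], payload[1:]
        if self._failures >= self._max_failures:
            return b"\xfe"  # locked out after too many wrong PINs
        if op == OP_GET_AUTHOR:
            if not hmac.compare_digest(body, self._pin):
                self._failures += 1
                self._temp_key = None
                return b"\xff"
            self._failures = 0
            self._temp_key = secrets.token_bytes(16)
            self._issued_at = time.monotonic()
            return self._temp_key
        if op == OP_UNLOCK:
            key, self._temp_key = self._temp_key, None  # single use: consumed on first try
            fresh = time.monotonic() - self._issued_at <= self._ttl
            if key is not None and fresh and hmac.compare_digest(body, key):
                self.opened = True
                return b"\x00"
        return b"\xff"


def bluesteal_flow(safe, pin_guess: bytes) -> bool:
    """Client side of the flow from the advisory: request a temporary key with
    whatever PIN we like, then replay it in an unlock packet. Returns whether
    the safe opened."""
    temp_key = safe.write_characteristic(bytes([OP_GET_AUTHOR]) + pin_guess)
    if temp_key in (b"\xff", b"\xfe"):
        return False  # the hardened safe refused to issue a key
    safe.write_characteristic(bytes([OP_UNLOCK]) + temp_key)
    return safe.opened


if __name__ == "__main__":
    print("vulnerable, wrong PIN:", bluesteal_flow(VulnerableSafe(b"1234"), b"0000"))
    print("hardened,   wrong PIN:", bluesteal_flow(HardenedSafe(b"1234"), b"0000"))
    print("hardened, correct PIN:", bluesteal_flow(HardenedSafe(b"1234"), b"1234"))
```

The point of the hardened variant is not the comparison alone: a temporary key must be issued only after that comparison succeeds, expire quickly, and be consumed on first use, otherwise a key captured or requested once can be replayed later. Against real hardware the same three client-side steps would be issued with a BLE library such as bleak or gatttool; the simulation keeps the decision logic and drops the radio.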

The impact is severe because the product exists to secure firearms and other valuables: anyone within BLE range can open the safe without authorization, using nothing more than a commodity BLE adapter, standard scanning and GATT tooling, and basic familiarity with BLE. The device has no way to distinguish its owner from a stranger, so the authentication control is absent rather than merely weak, and the electronic unlock path defeats the physical lock entirely. "Remote" here means within Bluetooth radio range, not over the internet; the attacker has to be physically near the safe, but does not need to touch it.

The weakness is CWE-287 (Improper Authentication): an authentication step is present in the protocol but is not enforced by the side that controls access. VulDB tags the entry with ATT&CK T1072 (Software Deployment Tools) and T1075 (Pass the Hash, since deprecated and folded into T1550.002); neither describes a BLE authentication bypass well, so treat them as catalogue tags rather than as a description of the attack. The lesson for developers is that a credential must be validated by the component that enforces access, not merely collected by the client, and that any token handed out in response to an authorization request must be bound to a successful check, short-lived and single-use. Owners should apply any vendor firmware and application updates, keep the Bluetooth radio disabled where the product allows it when remote unlock is not needed, and not rely on the safe alone to control access; network segmentation does not apply, because the attack path is direct radio contact rather than a network. The case underlines the need for protocol-level security testing of IoT devices that control physical access, including a check that every credential the app asks for is actually verified by the device.

Reservation

12/05/2017

Disclosure

12/06/2017

Moderation

accepted

CPE

ready

EPSS

0.00110

KEV

no

Activities

very low

Sources
