Connected safe maker Vaultek issues security update after researchers discover Bluetooth vulnerabili

The security company tested out a Vaultek VT20i safe, which owners can lock with a PIN and pair with an Android app. The app uses a pairing code that is the same as the PIN, and allows an unlimited number of attempts to get in. The lab was able to write a program to use brute force to guess the password. Furthermore, the researchers found that the connection between the phone and the safe isn't encrypted (contrary to Vaultek's claims), meaning that the information could be intercepted. They also discovered that the safe doesn't verify a PIN code coming from the paired phone, which means that it can be unlocked with the right command, even if the PIN is incorrect.

The lab published its findings in a blog post after Vaultek issued a firmware update that capped the number of attempts for the PIN and encrypted the transmissions between the app and safe.
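As an added illustration (not Vaultek's firmware or code from the researchers' post), here is how device-side handling of an unlock command can address two of the reported issues: the safe itself checks the PIN on every command, including from a paired phone, and caps failed attempts. The names, PIN length, attempt cap and lockout time are all assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Added illustration, not Vaultek firmware. All names and limits are assumptions. */
#define PIN_LEN         4      /* assumed PIN length */
#define MAX_FAILURES    5      /* assumed cap before lockout */
#define LOCKOUT_SECONDS 300u   /* assumed lockout duration */

enum unlock_result { UNLOCK_OK, UNLOCK_BAD_PIN, UNLOCK_LOCKED_OUT };
struct safe_state {
    uint8_t  pin[PIN_LEN];   /* PIN stored on the safe */
    unsigned failures;       /* consecutive failed attempts */
    uint32_t locked_until;   /* monotonic time (s) until which attempts are refused */
};

/* Constant-time comparison so response timing does not reveal matching digits. */
static int pin_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Called for every unlock command, paired phone or not: the safe verifies
   the PIN itself and counts failures, instead of trusting the app. */
enum unlock_result handle_unlock(struct safe_state *s, const uint8_t *pin,
                                 size_t len, uint32_t now)
{
    if (now < s->locked_until)
        return UNLOCK_LOCKED_OUT;          /* refuse without evaluating the PIN */
    if (pin != NULL && len == PIN_LEN && pin_equal(s->pin, pin, PIN_LEN)) {
        s->failures = 0;
        return UNLOCK_OK;
    }
    if (++s->failures >= MAX_FAILURES) {   /* cap reached: start lockout */
        s->failures = 0;
        s->locked_until = now + LOCKOUT_SECONDS;
    }
    return UNLOCK_BAD_PIN;
}

int main(void)
{
    struct safe_state s = { {1, 2, 3, 4}, 0, 0 };   /* constructed sample PIN */
    const uint8_t guess[PIN_LEN] = {0, 0, 0, 0};    /* constructed wrong guess */
    for (uint32_t t = 0; t < 7; t++)                /* 1 = bad PIN, 2 = locked out */
        printf("t=%u -> %d\n", (unsigned)t, handle_unlock(&s, guess, PIN_LEN, t));
    return 0;
}
```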
