PT-2017-14779 · Google+1 · Android+1

Published: 2017-12-07 · Updated: 2017-12-22 · CVE-2017-17436

CVSS v2.0: 3.3 (Low)

Vector: AV:A/AC:L/Au:N/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions: Vaultek Gun Safe VT20i products (affected versions not specified)

Description: The issue concerns the lack of encryption in the communication session between the Android application and the Vaultek Gun Safe VT20i products. Despite claims of using "Highest Level Bluetooth Encryption" and "Data transmissions are secure via AES256 bit encryption", the communication channel is not encrypted. This is particularly noteworthy because AES256 bit encryption is not supported in the Bluetooth Low Energy (BLE) standard and would need to be implemented at the application level. As a result, an individual can learn the passcode by eavesdropping on the communications between the application and the safe.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Inadequate Encryption Strength


Weakness Enumeration

Related Identifiers

CVE-2017-17436

Affected Products

Android
Vaultek Gun Safe VT20i