LAS VEGAS — Is a plastic drinking straw from McDonald’s the only thing keeping a thief — or worse, a child — from accessing the loaded weapon in your closet safe?
That’s apparently the case with one model of personal safes that a team of researchers will be cracking at DefCon on Friday.
But the researchers found similar problems with several brands of personal safes that are marketed for securing guns and other valuables. Toby Bluzmanis, Marc Weber Tobias, and Matt Fiddler demonstrated in videos that they were able to swiftly open seven models of safes, using household items like paper clips, a wire hanger and a drinking straw. In one case, they opened a safe simply by lightly bouncing it on a floor once.
It’s estimated that about a fifth of all households own a handgun, according to a study by the American Journal of Preventive Medicine. About 500 teens and children are killed accidentally each year with guns, some of them by handguns stored in their homes.
The safes the researchers looked at are sold at Walmart, sporting goods stores and Amazon.com. Many of them are certified as being compliant with California penal code standards for securing firearms. But Tobias notes in one of the videos that the companies that make the safes “do not understand security engineering,” and that “every one of these safes should be pulled from the market until they’re fixed … before someone else gets hurt or killed.”
The researchers began examining the safes six months ago after Tobias was contacted by a former detective named Ed Owens from the Clark County Sheriff’s office in Vancouver, Washington. Owens’s 3-year-old son was accidentally shot to death in September 2010 after his 11-year-old step-sister retrieved the detective’s loaded handgun from a Stack-On safe in which it had been stored.
Stack-On safes had been issued to all deputies in the sheriff’s department to secure service revolvers at home after a previous shooting incident in 2003 in which another child was killed with a deputy’s gun. Owens asserted that the safe his employers gave him was not working properly, and that the sheriff’s department knew this before the shooting occurred but did not recall the safes. The sheriff’s department accused Owens of failing to report the malfunctioning safe.
In 2004, Stack-On had recalled 1,320 of the model of safes that was purchased by the sheriff’s department, because the safes could be opened by simply jiggling the doorknob, though the sheriff’s department maintains that the recalled safes were not from the same lot number as the ones the law enforcement agency bought.
In either case, the researchers were called in to test the model of safe connected with the shooting, and found that a magnetic pin that moves up and down when someone enters the correct combination was superfluous. They could simply move the pin by bouncing the safe, causing the door to swing open. In a video the researchers made showing the vulnerability, a 3-year-old boy lifted the safe a couple of inches off the floor and set it down, causing the door to spring open.
“This is what happens when you have a defective design,” Tobias says. “The sheriff’s department didn’t have a clue what they were buying and didn’t know how to evaluate them.”
The researchers decided to test six other models of safe to see if they had similar problems.
They tested four models of safes made by Stack-On, a leading seller based in Illinois, and others made by Bulldog, GunVault and Amsec. All of them were easily opened. Some of them could be opened in ways that were undetectable, so that anyone just looking at the safe afterward would never know that it had been opened and its contents removed. Some of the safes are used by the TSA to store papers and evidence at airports.
Among the safes they examined were three models of Stack-On PS Biometric safes with a combination keypad, biometric fingerprint reader and key bypass. The researchers examined three models of the biometric safe because, as Tobias says in the video, “we could not believe the first one that we opened how simple it was, so we wanted to confirm our findings with three different versions, and they’re all vulnerable.”
The safes are made of solid steel and are supposed to be pry-resistant, but the researchers opened them easily with a paper clip in two seconds. The fingerprint reader was irrelevant except to provide them a hole through which to get to the locking mechanism. They simply pushed the fingerprint reader in, and used the hole for the reader to insert a wire and move the solenoid responsible for opening the lock.
They also examined a Stack-On PC650, which has an electronic lock and, according to Stack-On, meets TSA airline firearms guidelines. The safe is opened by pressing buttons in a combination. The researchers were able to open the safe in several ways – first through a small space around one of the buttons on the top of the safe. The buttons have a rubber plate on top of them, which is easily removed. The researchers inserted a small pick in the button recess and manipulated the latch open in seconds.
The safe also has a reset button for the combination inside the safe, which the researchers accessed by simply inserting a screwdriver to slip a metal shank into the safe and reset the combination.
Stack-On’s PDS-500, a high-security strongbox drawer safe with an electronic combination lock and key bypass, was also hacked. The safe has a soft plastic plate on the front. The researchers simply tore a small hole in the plastic with a screwdriver, then inserted a wire to manipulate the solenoid inside and open the safe. They also opened the bypass lock with a paper clip.
“This is really a serious problem because, believe me, any kid can do this,” Tobias says.
Stack-On’s QAS1200B, a biometric lock with a fingerprint reader similar to one used on laptops, was also easily defeated. The safe has a rubber plate on top that can be removed, as can the fingerprint reader beneath the plate. This provides access to a small hole through which they were able to slip a pick to trip a locking mechanism and open the safe. By putting the fingerprint reader and rubber plate back in place, no one would know the safe had been opened.
A $100 Stack-On QAS 710 strongbox safe, with motorized electronic lock and keypad as well as key bypass, was opened by slipping a flat piece of brass into a space around the safe door and manipulating the locking mechanism. They did the same trick with a drinking straw from McDonald’s. The safe could also be opened by putting a little pressure with a screwdriver on the key bypass lock and turning it.
“It really looks good,” Tobias says. “It’s heavy metal. But you can take a brass shim or a straw … and pop it open in five seconds,” Tobias says. “This is what’s protecting kids.”
Tobias notified Stack-On about the problems with its safes three months ago.
Asked this week if it planned to recall the safes or fix them, Stack-On said in a statement to Wired that its products provide “secure solutions that are certified to meet the California Department of Justice (DOJ) standards…. This certification involves testing, by an independent laboratory approved by California DOJ, for compliance with their adopted standards. In addition, our Portable Cases comply with TSA airline firearm guidelines. We are proud of this designation and the protection we provide.”
And, finally, a Bulldog BD1500 Deluxe Digital Pistol Vault safe could be opened simply by inserting a piece of flat brass stock and pushing the lock mechanism to pop open the door. They also opened the door by inserting a coat-hanger wire into the battery port, creating a short that popped open the door.