In mid-November, Twitter follower Kevin Anderson asked me about a firearm lock box product called the GunBox. Every now and then, because of my general interest in teaching and presenting about firearms and gun technology folk will reach out with such questions. Often, the safe and lock box inquiries come my way because of a presentation I gave at DEF CON 19 regarding the relative security (or insecurity) of many popular firearm lock boxes.
According to the manufacturer’s web site, the GunBox “has cutting edge technology, state-of-the-art design, and incredible features that make safely storing firearms with quick access a reality” and it is “the ideal way to Defend Responsibly.” As you will see from the analysis below, while the GunBox is as effective as any other low-cost firearm lock box (most of them retail in the $150 – $300 range and the GunBox is within this zone, albeit on the higher end) at preventing a toddler from accidentally laying hands on your gun and having a terrible accident, it is not at all suitable for long-term storage or for deterring criminals or even curious teenagers.
The staff who monitor the GunBox’s Twitter account were not keen on discussing how their hardware functions, but it becomes apparent from the moment that you open up this unit how their lock (and also the bypass/override method) works. Honestly, this is the first thing you see when the lid is open. I didn’t even have to take the internal compartment apart or pull back any rubber or plastic elements. Because the bypass method is so painfully obvious, I do not have any real ethical qualms with documenting it here. The manufacturer is more than adequately aware of how this works and (it would seem) has no plans to change how this feature (or “vulnerability” depending on your point of view) is implemented.
Amazon has this item available via Prime shipping, so the unit actually beat me to my house. I ordered it a couple of days before flying home from the Persian Gulf and it was there when I arrived.
Upon opening the unit, one immediately can see the latching mechanism that keeps it shut when closed and locked. There is a small peg with a metal cone on its tip sticking up from the base…
… and this peg interfaces with a pair of sliding metal plates in the lid that form a hole which can expand and contract via spring pressure…
As the lock box can be closed just by pressing the lid shut, one can immediately discern that the metal plates slide apart simply by any force acting upon them. The lock and circuitry mechanism is not needed to cause them to move…
As mentioned by the GunBox folk on Twitter, the unit ships with a small hex head Allen key which can be used to bypass the main locking mechanism and open the box if other methods fail to work. While the conversation they had online was intentionally vague, they attempted to indicate that the Allen key was simply “the tool that is used [to access the bypass hole]” and they went on to state that “the manual override is not that simple.” This is patently false.
Yes, the hex head bit is used to remove a small set screw in the bottom of the box, exposing the bypass hole. After that, however, the same exact tool is inserted and simply wiggled from side to side. That is all. That’s the entire attack. The shaft of the Allen key interacts with this small slot on the metal plates…
When we opened up the box and look at this, you can see that we figured it out in seconds. The following video (which was Take One of the whole analysis) shows the process unfold. Not only did we figure out the attack in short order, but it was trivial to perform. It took me about 15 seconds to seat the handle of the Allen key in the correct slot the first time, then 5 seconds later the box was open. Subsequent attempts took under 10 seconds total. It’s a process of (1) insert, (2) rock the handle of the tool toward you and therefore angle the inside tip of the tool rearward, (3) find the bypass slot in the metal plates, (4) press the tool to your right and therefore disengage the upper plate which moves to the left inside the box, (5) press the tool to your left and therefore disengage the lower plate which moves to the right inside the box, (6) the box is open.
(If for any reason that video becomes unavailable on YouTube, I’ve also uploaded it here on Vimeo)
There were quite a few things that I found disturbing about this whole process…
1. This entire bypass process was monumentally trivial to discover and to perform. The fact that anyone could speak of this as though it were some massive secret is astonishing. The bypass hole and the slot in the plates where it is performed are immediately visible to anyone operating the safe or even just glancing at it when it is open.
2. There is no evidence at all that the bypass is used. The safe doesn’t appear to have any logging functionality if the latch is released manually. The small set screw could be secured with a tamper-evident seal (although, as The CORE Group will tell you, tampering with security seals is often a very valid attack vector, as well)
3. The unit does not alarm if the lid is made to open up without any valid credential or token associated with that event. (For instance, by bypassing it.) There is no reed switch or contact switch to tell the GunBox if the lid is open or closed.
4. In general, it was surprisingly hard to actually set off the “tamper” alarm at all. I could not tell what manner of conditions cause it to beep, but as you can see in the video a lot of jiggling and banging did not set it off. Apparently, only totally tipping the unit vertically seemed to cause the alarm for me. Maybe I was doing something wrong.
5. The fingerprint reader and RFID tag appeared very unreliable in their operation. Again, I’ll leave it to GunBox to respond… maybe I was making too many repeated attempts with fingerprints and mis-reads of the RFID tag and this caused some kind of delay/timeout period to trigger. In general, however, I would most assuredly NOT trust my safety or my family’s security to this unit during a tense situation when a firearm was needed quickly.
6. The RFID technoloy used looks highly clone-able. Babak is still in the Gulf for another week, but once he gets home we’ll test the RFID tokens out with his ProxMark. I’ll wager dollars to doughnuts that these RFID credentials have zero protection against cloning and copying. That will constitute Part Two of this review and analysis.
Beyond all that, the unit appears to be your run-of-the-mill firearm lock box. It is spacious enough to store one (or more) pistols or revolvers of adequate size…
… and I even hit on an interesting phenomenon: when I had two of my H&K pistols in this box together, they obscured and occluded the bypass hole and made it unfeasible to perform the manual override opening technique…
… of course, given how shaky the fingerprint and RFID readers were on the GunBox that I was testing, I don’t know how wise it is to lock up any valuable pistols with the override disabled. 😉
Honestly, though, if I were forced to choose between a lock box that offered almost no protection versus a box that was unreliable but had no bypass opening, I’d probably go with the latter. Were I to own a GunBox, I’d use some ThreadLock (the red permanent kind, not the blue light-duty variety) on that little set screw and feel a lot better about the unit. But that’s if I were somehow forced to use this. In the end, my plan will be to let my buddy tinker with the RFID controls, then box it all back up and return it to Amazon. The folks at GunBox have stated that they “do not want everyone knowing the manual override” but I can’t imagine how anyone would predict this information not becoming public. They have taken utterly no steps to obfuscate or protect the bypass feature. Ultimately, of course, security engineers know that the best way to prevent details of a backdoor in your system from becoming public is to not design a bypass in your security in the first place.
Personally, I’m very happy with my MicroVault and LockSĀF products, since I’ve modified their manual override locks for greater protection and robustness against attack. And that’s just for times when I need a quick-and-simple solution in my home or my car for carry pistols. Essentially ANY small firearm lock box tends to be something designed first and foremost to prevent little hands from causing a negligent discharge and then –only secondarily– to guard against some forms of basic quick theft attempts. Small firearm lock boxes should NEVER be though of as guns safes and they should not be considered a means of housing and storing valuable firearms in a permanent way. Only my daily carry pistols are kept in small lock boxes. My main collection all resides in heavy-duty Liberty safes at the various homes where it is housed.
That’s just my two cents. Feel free to do your own testing and do whatever you feel is right and best for you and your loved ones. Stay safe out there!