ORGANIZATION OF DISCUSSION
As described in Characteristics of lock boxes under the Handgun Safe Design section, there are five main components to most electronic lock boxes. I have organized my findings based on these five main components.
1) Doors and hinges. Handgun safes are built on one of four basic configurations. The first is a simple box with a vertically hinged door that swings open. This design is more common to small personal safes. The second configuration is more common in handgun safe design, an elongated box with a door at one end. The door is hinged horizontally along the bottom and swings downward, usually thrown open by springs. The third configuration is common to handgun safes and portable cases, a flat, two-part container with a top that springs open. Finally, one can find a forth configuration, a flat box with a drawer, though this is the least common of the four styles.
The most typical design weakness with regard to doors and hinges is the presence of gaps that allow access to programming buttons or, in the worst-case scenario, access to the latch itself. The Honeywell 5301-DOJ is a prime example of how a gap beneath a vertically hinged door, in combination with poorly placed controls, can leave a safe vulnerable. The Union Safe Co. item #62984 provides an example of how a latch can be accessed over the top of a downward swinging door. The Stack-On PC-1690 is an example of a portable case with a gap along its sides allowing access to controls.
2) Interior housings for locking mechanisms. The locking mechanisms installed in handgun safes are usually assembled in small housings of their own. Handgun safes with vertically opening doors typically have a housing mounted on the inside of the door. Other arrangements include locking mechanisms built into trays mounted under the top of a safe, or housings that span the front of a container.
If the exterior walls of a safe are the first line of defense for the locking mechanism, the interior housings for locking mechanisms are the second line of defense. Thus, there can be no extraneous holes in the interior housing of a locking mechanism. Yet it happens. Housings for locking mechanisms often have holes that leave critical components exposed.
The tray-styled housings are frequently the most vulnerable. The Bald Eagle BE1214 and Union Safe Co. Item #62984 provide examples of tray-styled housings that leave the safes they are installed in wide open to attack. The Union Safe Co. #64010 and the Sentry Safe X055 are examples of vertically mounted housings that leave mechanical components exposed to anyone who pries off the keypad fittings.
3) Keypad fittings. More often than not, the keypad fittings on handgun safes are plastic. They are usually held in place by screws threaded directly into the plastic of the fitting. Screws threaded into plastic are not gripping anything that provides resistance to prying. An example of an easily pried up fitting can be found on the Union Safe Co. #62980. An example of a keypad designed to be held in place by only two screws can be seen on the Billconch Fingerprint Pistol Box. On rare occasions, a careless Chinese manufacturer may even install a keypad using screws threaded into the safe on the outside, the vulnerability concealed by nothing but a decorative fitting that snaps into place. The Aseline MQ201 offers a perfect example of this.
The easiest way to remedy these vulnerabilities is for designers to stop thinking in terms of keypad fittings. Sentry Safe markets lock boxes with buttons and bypass cylinders that extend through the framework of the box.
A certain number of lock boxes have keypad fittings made of rubber simply glued in place. This is devastating to the security of a safe if the fitting conceals holes beneath it. Glued fittings can be pulled up, and several lock boxes I’ve examined are vulnerable because of this, including the Union Safe Co., Item #62984.
4) Decorative fittings. Many lock boxes on the market have additional fittings or attachments that serve as feet or bumpers to prevent marring surfaces. The common examples of this are plastic fittings enclosing the sides of a top-opening handgun safes. Fittings like these that are removable may be used to conceal extraneous holes in the container.
MECHANICAL COMPONENTS OF
THE LOCKING MECHANISM
Internal components of locking mechanisms installed in lock boxes are almost never arranged or shielded in ways to protect them from being manipulated. Though external design flaws in containers could be mitigated with internal shielding to protect latching mechanisms, circuitry, and controls, the effort is rarely made.
1) Motorized boltwork. As described in the Handgun safe design section, motorized boltwork mechanisms are inherently more secure than other mechanisms, because the bolts are locked in place by the gearing of the motor that actuates them. I have found no design problems in the mechanical parts of the motorized boltwork mechanisms I have examined. However, I should note that these mechanisms have a pronounced drawback that makes them unpopular in handgun safe design. Motorized boltwork mechanisms are slow to actuate the bolts, and don’t offer the quick-release response people want in a handgun safe. Few handgun safes have this kind of mechanism installed in them.
2) Motorized latches. The motorized latching mechanisms in handgun safes and portable cases are not all equally vulnerable to attack. Because this type of mechanism is actuated by a motor rotating a fitting not directly connected to the latching hardware, the components move independently of the motor. Any holes, gaps, or other openings in the container that allow access to latching hardware leave the mechanism vulnerable to being manipulated.
3) Spring-release latches. Like motorized latching mechanisms, the mechanical components of spring-release latches move independently of the motor that actuates them. Most lock boxes on the market are equipped with spring-release latching mechanisms. The latching mechanism pictured here is one of the most common, and it is the weakest by far. Other spring-release latching mechanisms are easily actuated with paperclips and wire scraps, provided holes are available to exploit. Such is the case with GunVault’s GVB 1000, RPNB's RP19003, and Union Safe Co.’s Item #62984.
4) Solenoid-locked boltwork. As described in the Handgun safe design section, a solenoid must be installed in a way to prevent the solenoid pin from being shaken or bounced or otherwise manipulated, which would allow the boltwork to move freely. Manufacturers have experimented with new arrangements. One strategy is to design a solenoid such that it is encased in a housing with a pivoting lever built into it; when the solenoid receives power, the pin snaps down, allowing the lever to retract. The intervening lever makes this device highly resistant to being bounced open. Yet, an easily pried keypad fitting on the outside of a safe can still leave a solenoid vulnerable to attack. See Union Safe Co. 64010: A Piece Of Junk, Extra Large.
ELECTRONIC COMPONENTS OF
THE LOCKING MECHANISM
1) Reset buttons. Reset buttons for programming new access codes and buttons for registering fingerprints are among the most easy-to-highjack components in lock boxes. Either the buttons themselves are accessible through a bit of creative probing with wires or metal shims, or in some cases the wires connecting these buttons to the main circuitry boards are accessible.
Buttons that are supposed to be protected inside a lock box are usually accessed around the doors or lids of the boxes. The way to remedy this vulnerability is for reset buttons to be shielded and/or recessed inside the housing of the locking mechanism. Sentry Safe solved the problem of making controls inaccessible by putting the reset button of the Quick-Access Pistol Safe (QAP1E) inside the battery compartment, behind the battery holder.
2) Circuitry. In many handgun safes, circuitry can be divided roughly between external circuitry (on the outside of the lock box) and internal circuitry (inside the locking mechanism, including the main circuitry board). In the same way that reset buttons and other controls should not be accessible from outside the lock box, critical circuits should not be accessible on the outside. A “critical circuit” has an item on it that is directly responsible for releasing a door, like a motor or solenoid. The presence of a critical circuit on the outside of a lock box removes all security from a device. I first uncovered this problem in a product marketed by Bulldog Vaults, the BD1050.
I find this circuitry problem often. The problem is so common that I've included additional examples here. I've embedded my examination of a safe sold under the brand name Wincent, and I've included a link to an examination of a safe called Railhorn.
Though I don't know why industrial designers are at risk of providing access to critical circuitry on the outside of a safe, I recommend that any designer developing circuitry for a safe memorize the following maxim:
One cannot design a device intended to prevent unauthorized access by giving it a multitude of methods for gaining entry. Every system incorporated into the device introduces more points of weakness.
3) Circuitry boards. Circuitry boards and in particular their solder points need to be shielded from probing with wires. This means circuitry boards need to have insulation of some kind. In the case of the Union Safe Co., Item #62984, I was able to reach in over the top of the door with a metal shim to tap the circuitry board directly, closing the circuit on reset functions.
4) Tolerances and power. The circuitry of lock boxes is usually designed with very close resistor tolerances for the voltage that circuitry can handle. Unfortunately, some of the battery compartments (typically holding four AA batteries or four AAA batteries) are connected to circuitry by use of plugs that will also connect directly with a 9V battery. The owner of one of these devices who thinks he might change batteries less frequently by replacing batteries with a 9V battery will ruin the circuitry.
Circuitry in lock boxes should be designed to “require” the use of a 9V battery—that is, circuitry should be designed with tolerances that would accept power from a 9V battery without sustaining any damage. Grocery stores and convenience stores are more likely to have 9V batteries than any other kind of batteries, because these batteries are used in smoke detectors. Many people are in the habit of changing out smoke detector batteries at a certain time of the year. This would be an ideal time to swap the battery out on one’s handgun safe.
Another option manufacturers should consider is equipping lock boxes with rechargeable batteries. A rechargeable lithium battery will last longer than a store-bought battery. Furthermore, if the battery can be charged from a USB port on the outside of the safe, the owner who is unable to find the bypass keys won’t be locked out of the safe should the battery go dead.
5) Exterior contact points. In a few lock boxes, designers have left off installing mechanical bypass locks in favor of providing exterior contact points so that one can hold a 9V battery to the points when batteries inside fail. This amounts to leaving the circuitry’s resisters exposed to whatever power source a person might subject them to. As already mentioned, these lock boxes are designed with close resistor tolerances. Therefore, devices that have exterior contact points are vulnerable to sabotage. Although doing away with a bypass cylinder may cut production costs, leaving a lock box’s circuitry exposed should never be considered an option.
1) Reset commands. The sequence for programming a new access code cannot be so simple that a reset button only has to be pressed once. The simpler the programming sequence, the better the chances are for an attacker to enter a new access code if he can reach the reset button. A programming sequence should involve pressing a reset button two or more times, should require knowledge of the current access code, and ideally should involve entering a programming sequence on the keypad as part of putting the circuitry in programming mode.
2) Biometrics. Putting a safe into registration mode to accept a new fingerprint cannot require that a primary control button need be pressed only once. As with my recommendations for a proper sequence for programming an access code, the process for registering fingerprints cannot be simple. The process must require that the owner register one or two “administrative” prints, which must be used before registering additional fingerprints in the system. Furthermore, no controls involved in either registering or deleting fingerprints can be located on the outside of the safe.
Keyed bypass locks
1) Common bypass locks. Most handgun safes are fitted with cam locks that override the locking mechanisms proper. These locks typically rotate a piece of hardware—or cam—that pushes or pulls a release of some kind, allowing access in the event that batteries need replacing. The most common cam locks installed for bypass locks in handgun safes are simple cross locks, tubular locks, and wafer locks. Most of these locks can be opened with tools made specifically for opening them; one doesn’t need skills with general-purpose lock-picking tools in order to compromise them.
The subject of keyed locks encompasses a diverse field of design and a very long history. No one who knows what they’re doing steps into the business of selling safes or locks casually. An industrial designer with an interest in locks can expect to invest 3 or 4 years in the study of locks before acquiring the knowledge base to enter the field of lock design. Unfortunately, the biggest mistake made by manufacturers and importers of firearm safety products is the belief that they can market safes and locks without knowing the subject.
Manufacturers who do not have a lock specialist involved in product development must consult a physical-security expert for guidance in selecting appropriate bypass locks for their products. Parts suppliers are not qualified to make recommendations. Furthermore, manufacturers and importers must understand that, by stepping into the business of marketing locks and safes, they have made a commitment to staying abreast of developments the world of lock testing. They must accept that they will replace the cylinders on their products over time as weaknesses are found and designs are updated.
2) Mistakes to avoid. The most common mistake I come across involves giving bypass cylinders decorative covers. Whether made of metal, plastic, or rubber, decorative covers usually fit into holes in the body of a safe or its keypad fitting. The resulting holes can allow access to circuitry beneath a keypad and even access into the interior of the locking mechanism. The P-20 Security Safe, once imported by Rhino Metals, is a perfect example of how a simple decorative cover—and the resulting holes—can undermine the security of a safe.
on lock box manufacture
Most of the lock boxes I have examined are made in China. I would encourage the reader to go online to Alibaba.com, where many of the imported lock boxes currently sold in the U.S. can be found. A quick search using phrases like “electronic safe” or “pistol box” will yield hundreds of results, a few of which will be familiar to the reader. These are the devices sold on Amazon under multiple different brand names.
One of the problems facing importers is that very little effort, if any, has gone into engineering these safes. The imported safes I’ve examined are built of recycled design components. Locking mechanisms in these safe are copies of one another, which I’ve come to recognize through taking the safes apart. What U.S. importers don’t understand, or perhaps are unconcerned about, is that Chinese industry has a long history of disregarding intellectual property law. The components of the safes I’ve examined come from designs that have been copied and recopied so many times the designs are in the public domain as far as Chinese manufacturers are concerned.
Still another issue complicating the import of these devices is a problem fundamental to engineering. Engineers tend to see their intensions in their work. If a design meets approval, if a prototype functions, if the materials used fall within imposed constraints, the job is considered good. Engineers don’t generally look for disconfirming evidence with regard to their work—that is, evidence that they haven’t solved the problem that needed to be solved. Chinese engineers compound the oversights resulting from this tendency by recycling designs whenever possible in order to be efficient.
Importers of handgun safes need to understand the limitations of Chinese industry, and need to make the above engineering recommendations a requirement of contractual dealings with Chinese safe manufacturers. I believe these recommendations will allow imported lock boxes to pass any statutory tests that California might require in the future, in the event California’s Penal Code, Title 11, Division 5, Chapter 6 is significantly updated. Even if it is not, I see no reason U.S. importers should be satisfied with products that are “good enough for government work.” As I reveal in the section called Firearm Safety Devices, California DOJ approval of these devices is empty approval, and arguably negligence on the part of California’s DOJ.