Findings and discussion
As described in Characteristics of lock boxes under the Handgun safe design section, there are five main components to most electronic lock boxes. I have organized my findings based on these five main components.
1) Doors and hinges. Handgun safes are built on one of four basic configurations. The first is a simple box with a vertically hinged door that swings open. This design is more common to small personal safes. The second configuration is more common in handgun safe design, an elongated box with a door at one end. The door is hinged horizontally along the bottom and swings downward, usually thrown open by springs. The third configuration is common to handgun safes and portable cases, a flat, two-part container with a top that springs open. Finally, one can find a fourth configuration, a flat box with a drawer, though this is the least common of the four styles.
The most typical design weakness with regard to doors and hinges is the presence of gaps that allow access to programming buttons or, in the worst-case scenario, access to the latch itself. The Bulldog Vaults BD3000 is a prime example of how a gap beneath a vertically hinged door, in combination with poorly placed controls, can leave a safe vulnerable. Examples of how a safe’s latch can be accessed over the top of a downward swinging door include the Liberty Safe HD-200 and Union Safe Co. Item #62984. Examples of portable cases with gaps along their sides allowing access to controls include the Bulldog Vaults BD4050 and Stack-On PC-900.
2) Interior housings for locking mechanisms. The locking mechanisms installed in handgun safes are usually assembled in small housings of their own. Handgun safes with vertically opening doors typically have a housing mounted on the inside of the door. Other arrangements include locking mechanisms built into trays mounted under the top of a safe, or housings that span the front of a container, like a portable case.
If the exterior walls of a safe are the first line of defense for the locking mechanism, the interior housings for locking mechanisms are the second line of defense. There can be no extraneous holes in the housing of a locking mechanism. Yet the housings for locking mechanisms often have holes that leave critical components exposed. Worse, these housings are not fully enclosed in most cases, but are made “whole” when mounted against the interior of a safe.
The tray-styled housings are frequently the most vulnerable. The Bulldog Vaults BD4030, GunVault GVB 1000, and Union Safe Co. Item #62984 all provide examples of tray-styled housings that leave the safes they are installed in wide open to attack. The Bulldog Vaults BD4010 and BD4020 are examples of vertically mounted housings that leave electronic components exposed to exploitation.
3) Keypad fittings. More often than not, the keypad fittings on handgun safes are plastic. They are usually held in place by screws threaded directly into the plastic of the fitting. Screws threaded into plastic are not gripping anything that provides resistance to prying. An example of an easily pried up fitting can be found on the Stack-On PS-514.
The easiest way to remedy this vulnerability is for designers to stop thinking in terms of keypad fittings. Liberty Safe and Sentry Safe market lock boxes with buttons and bypass cylinders that extend through the framework of the box.
Keypad fittings often have removable decorative covers over the bypass cylinders. The problem with decorative covers is that, in order for them to be removable, they have to fit into holes in the fitting. Any holes in the fitting equal potential access to the circuitry beneath. This is a vulnerability found in the Bulldog Vaults BD1050, BD1060, and BD1070. Two other safes marketed by Bulldog Vaults, the BD4010 and BD4020, are equally vulnerable because the removable bypass covers allow access through the doors of both safes to the
A certain number of lock boxes have keypad fittings made of rubber simply glued in place. This is devastating to the security of a safe if the fitting conceals holes beneath it. Glued fittings can be pulled up, and several lock boxes I’ve examined are vulnerable because of this, including the GunVault GV1000S, Stack-On QAS-1200, and Union Safe Co., Item #62984.
4) Decorative fittings. Though not often, lock boxes occasionally have additional fittings or attachments that serve as feet or bumpers to prevent marring surfaces. Fittings like these that are removable may pose additional sources of vulnerability. The Sentry Safe Quick Access Pistol Safes, both the standard and biometric models, have plastic fittings on their sides. The fittings are held in place by screws, and beneath are holes into the housings of the locking mechanisms. Worse, the Chinese-made knock-offs of these devices, marketed by Fortress and Gardall, have the same vulnerability built into them. The Artemis Security Case is an example of a device with removable rubber feet that allow access to the locking mechanism through the bottom of the device. Liberty Safe’s HDX-250 Smart Vault was at one time vulnerable to attack as a result of removable plastic corners, though Liberty has since remedied the problem.
5) Mounting hardware. On occasion, a manufacturer may have the idea of designing a lock box that attaches to a mounting plate that is supposed to be mounted onto a solid surface. The Paragon Quarter Master 7650 is an example of this mounting strategy.
This is an extremely poor design decision. A mounting plate requires additional holes in the lock box in order for the lock box to be attached to the mounting plate. If the mounting plate cannot completely fill or cover the additional holes in the lock box, the situation results in there being more holes to exploit. Worse, if the owner of the lock box decides not to use the mounting plate, whatever holes have been put in the lock box for mounting become easier to exploit.
A rule for any manufacturer designing a lock box: The lock box cannot require an intervening mounting plate in order to be secured to a solid surface.
Mechanical components of the locking mechanism:
The internal components of locking mechanisms are almost never arranged or shielded in ways to protect them from being manipulated. In many cases, poor design decisions made with regard to plastic keypad fittings on the outside of a lock box would not present security issues if some effort were made to shield the components of the locking mechanism inside. The same is true of every other aspect of lock box design; mistakes in design and fabrication would not cost these devices their security if the mechanical components of their locking mechanisms were protected.
1) Motorized boltwork. As described in the Handgun safe design section under “Locking mechanisms,” motorized boltwork mechanisms are inherently more secure than other mechanisms, because the bolts are locked in place by the gearing of the motor that actuates them. I found no design problems in the mechanical parts of the motorized boltwork mechanisms I examined. These were installed in the Bulldog Vaults BD3000, BD4010, and BD4020. However, I should note that these mechanisms have a pronounced drawback that makes them unpopular in handgun safe design. Motorized boltwork mechanisms are slow to actuate the bolts, and don’t offer the quick-release response people want in a handgun safe. Few handgun safes have this kind of mechanism installed in them.
2) Motorized latches. The motorized latching mechanisms in handgun safes and portable cases are not all equally vulnerable to attack. Because this type of mechanism is actuated by a motor rotating a fitting not directly connected to the latching hardware, the components move independently of the motor. Any holes, gaps, or other openings in the container that allow access to latching hardware leave the mechanism vulnerable to being manipulated. Handgun safes with this design oversight include Bulldog Vaults’ BD4030, Paragon’s Quarter Master 7650, and Stack-On’s QAS-1200.
3) Spring-release latches. Like motorized latching mechanisms, the mechanical components of spring-release latches move independently of the motor that actuates them. Most lock boxes on the market are equipped with spring-release latch mechanisms, and most have unnecessary holes in their framework allowing their releases to be actuated with paperclips and other materials. Such is the case with GunVault’s GVB 1000 and Union Safe Co.’s Item #62984.
4) Solenoid-locked boltwork. As described in the Handgun safe design section under “Solenoid-locked boltwork,” a solenoid must be shielded and installed in a way to prevent the solenoid pin from being shaken or bounced, which would allow boltwork to move freely. Because safes featuring solenoid-locked boltwork have been exposed extensively online, manufacturers have started experimenting with new arrangements.
The Bulldog Vaults BD1050, for example, has a solenoid installed with its pin hanging downward to thwart attempts to bounce the solenoid pin on its spring. Stack-On’s PS-1514 features a solenoid encased in a housing with a pivoting lever built into it; when the solenoid receives power, the pin snaps down, allowing the lever to be pushed out of the way by the boltwork. The intervening lever makes this device highly resistant to being bounced open.
Electrical components of the locking mechanism:
1) Access codes and fingerprints. Reset buttons for programming new access codes and buttons for registering fingerprints are among the most easily hijacked components in lock boxes. Either the buttons themselves are accessible through a bit of creative probing with wires or metal shims, or in some cases the wires connecting these buttons to the main circuitry boards are accessible.
Buttons that are supposed to be protected inside a lock box are usually accessed around the doors or lids of the boxes. The way to remedy this vulnerability is for reset buttons to be shielded and/or recessed inside the housing of the locking mechanism. Sentry Safe solved the problem of making controls inaccessible by putting the reset button of the Quick-Access Pistol Safe (QAP1E) inside the battery compartment, behind the battery holder.
2) Circuitry. In many handgun safes, circuitry can be divided between external circuitry (on the outside of the safe) and internal circuitry (inside the locking mechanism, including the main circuitry board). In the same way that reset buttons and other controls should not be accessible from outside the lock box, critical circuits should not be accessible on the outside of a lock box. A “critical circuit” has an item on it that is directly responsible for releasing a door, like a motor or solenoid. The presence of a critical circuit on the outside of a lock box removes all security from a device. Examples of this vulnerability can be found in early versions of the Bulldog Vaults BD1050, BD1060, and BD1070.
Wiring inside the housing of the locking mechanism needs to be bundled and/or wrapped in ways to prevent wires from being pulled at and drawn to holes in the exterior of the lock box where they can be hijacked. Examples of this vulnerability can be found in the Bulldog Vaults BD4010 and BD4020. Also, wiring cannot have any more length to it than is necessary to connect a motor or solenoid or reset switch with a circuitry board; any attempt to pull at the wiring should result in torn wires.
3) Circuitry boards. Circuitry boards and in particular their solder points need to be shielded from probing with wires. This means circuitry boards need to have insulation of some kind. In the case of several safes, the Bulldog Vaults BD4010 and BD4020 and the Union Safe Electronic Handgun Safe, I have reached in through holes with wire and metal shims to tap circuitry boards directly, closing the circuit on reset functions.
If the housing of a locking mechanism inside a lock box is going to be made of thin metal, and if it is going to be held in place with only one or two screws, the circuitry board should be fitted with a housing or shielding of its own. Surprisingly, the typical circuitry board in a lock box sits next to greasy bolt work with wires trailing across moving hardware, and none of that wiring bundled or shielded in any way.
4) Tolerances and power. The circuitry of lock boxes is usually designed with very close resistor tolerances for the voltage that circuitry can handle. Unfortunately, some of the battery compartments (typically holding four AA batteries or four AAA batteries) are connected to circuitry by use of plugs that will also connect directly with a 9V battery. The lock box owner who thinks he or she might have to change batteries less frequently by replacing batteries with a 9V battery will ruin the circuitry.
Circuitry in lock boxes should be designed to “require” the use of a 9V battery—that is, circuitry should be designed with tolerances that would accept power from a 9V battery without sustaining any damage. Grocery stores and convenience stores are more likely to have 9V batteries than any other kind of batteries, because they are used in smoke detectors. Many people are in the habit of changing out smoke detector batteries at a certain time of the year. This would be an ideal time to swap the battery out on one’s handgun safe.
Another option manufacturers should consider is equipping lock boxes with rechargeable batteries. A rechargeable lithium battery will last longer than a store-bought battery. Furthermore, if the battery can be charged from a USB port on the outside of the safe, the owner who is unable to find the bypass keys won’t be locked out of the safe should the battery go dead.
5) Exterior contact points. In a few lock boxes, designers have left off giving the boxes a mechanical bypass lock in favor of providing a pair of exterior contact points so that one can hold a 9V battery to the points when batteries fail. This amounts to leaving the circuitry’s resistors exposed to whatever power source a person might subject them to.
As already mentioned, lock boxes are designed with close resistor tolerances. Therefore, devices that have exterior contact points are vulnerable to sabotage. Although doing away with a bypass cylinder may cut production costs, leaving a lock box’s circuitry exposed is not an option. An example of this arrangement can be found on the Homak Security, Quick Access Pistol Box, HS10036684.
1) Reset commands. The sequence for programming a new access code cannot be so simple that a reset button only has to be pressed once. The simpler the programming sequence, the better the chances are for an attacker to enter a new access code if he can reach the reset button. A programming sequence should involve pressing a reset button two or more times, should require knowledge of the current access code, and ideally should involve entering a programming sequence on the keypad as part of putting the circuitry in programming mode.
2) Biometrics. Putting a safe into registration mode to accept a new fingerprint cannot be a matter of pressing a primary control button only once. As with my recommendations for a proper sequence for programming an access code, the process for registering fingerprints cannot be simple. The process must involve entering a sequence of commands in addition to requiring the safe owner, whose fingerprint is already registered, to authenticate the process by allowing the system to read a master fingerprint. Furthermore, no controls involved in either registering or deleting fingerprints can be located on the outside of the safe. The Bulldog Vaults BD3000 is easily compromised because of this mistake.
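One way to implement the reset-command recommendation above as keypad firmware logic, as an added example that is not from the original article or from any manufacturer's firmware. The four-digit code length, the two-press count, the `*#*` programming sequence, the order of the steps and all function names are assumptions; the normal unlock path is omitted.

```c
#include <stdbool.h>
#include <string.h>

#define CODE_LEN 4
#define RESET_PRESSES 2                  /* assumed: presses needed to arm */
static const char PROG_SEQ[] = "*#*";    /* assumed keypad programming sequence */
enum state { IDLE, ARMING, AUTH, PREFIX, NEW_CODE };
struct lock {
    enum state st;
    int presses; size_t n;               /* reset presses, keys in current step */
    char code[CODE_LEN], buf[CODE_LEN];  /* stored code, keys being typed */
};

static void lock_abort(struct lock *l) { l->st = IDLE; l->presses = 0; l->n = 0; }
void lock_init(struct lock *l, const char *c) { memcpy(l->code, c, CODE_LEN); lock_abort(l); }

/* Reset button: counts presses only; by itself it never changes the code. */
void lock_reset_button(struct lock *l) {
    if (l->st != IDLE && l->st != ARMING) { lock_abort(l); return; }
    l->st = ARMING;
    if (++l->presses >= RESET_PRESSES) { l->st = AUTH; l->n = 0; }
}

/* Keypad key: returns true only when a new code has been committed. */
bool lock_key(struct lock *l, char k) {
    unsigned char diff = 0;
    switch (l->st) {
    case AUTH:                           /* current code must be entered first */
        l->buf[l->n++] = k;
        if (l->n < CODE_LEN) return false;
        for (size_t i = 0; i < CODE_LEN; i++)    /* compare without early exit */
            diff |= (unsigned char)(l->buf[i] ^ l->code[i]);
        if (diff) break;
        l->st = PREFIX; l->n = 0;
        return false;
    case PREFIX:                         /* then the keypad programming sequence */
        if (k != PROG_SEQ[l->n]) break;
        if (++l->n == sizeof PROG_SEQ - 1) { l->st = NEW_CODE; l->n = 0; }
        return false;
    case NEW_CODE:                       /* new code: digits only */
        if (k < '0' || k > '9') break;
        l->buf[l->n++] = k;
        if (l->n < CODE_LEN) return false;
        memcpy(l->code, l->buf, CODE_LEN);
        lock_abort(l); return true;
    default: break;                      /* IDLE or ARMING: a key cancels */
    }
    lock_abort(l);                       /* any wrong input leaves programming */
    return false;
}

/* Feed constructed input: 'R' is a reset-button press, anything else a key. */
bool lock_feed(struct lock *l, const char *ev) {
    bool changed = false;
    for (; *ev; ev++)
        if (*ev == 'R') lock_reset_button(l);
        else changed |= lock_key(l, *ev);
    return changed;
}
int main(void) {                         /* constructed demo: code 1234 -> 5678 */
    struct lock l; lock_init(&l, "1234");
    return lock_feed(&l, "RR1234*#*5678") ? 0 : 1;
}
```

With this logic, reaching the reset button through a gap only moves the state machine to the point where it asks for the current code; every wrong or out-of-order input returns it to idle with the stored code untouched.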
Keyed bypass locks:
1) Common bypass locks. Most handgun safes are fitted with cam locks that override the locking mechanisms proper installed in the safes. These locks typically rotate a piece of hardware that either pushes or pulls a release of some kind, allowing access in the event that batteries need replacing.
The most common cam locks installed for bypass locks in handgun safes are tubular locks, wafer locks, and simple cross locks. My concern regarding these locks is that all of them can be opened with tools made specifically for opening these locks. One doesn't need to develop skills with general-purpose lock-picking tools in order to compromise them.
High-security cam locks made by Assa Abloy, Bi-Lock, and Medeco are better choices than the generic Chinese-made locks usually found on lock boxes, though they are more expensive. Ultimately, the decision to install a bypass lock on a lock box is a compromise. It has to be good enough to deter a beginning lock picker using general-purpose tools and not so good as to be too costly.
2) Mistakes to avoid. The most common mistake I come across involves giving bypass cylinders decorative covers. Whether made of metal, plastic, or rubber, decorative covers usually fit into holes in the body of a safe or its keypad fitting. The resulting holes can allow access to circuitry beneath a keypad and even access into the interior of the locking mechanism. The P-20 Security Safe, once imported by Bighorn Safe Co., is a perfect example of how a simple decorative cover—and the resulting holes—can undermine the security of a safe.
Yet another mistake I have seen is allowing the keyway of a lock to open into the interior of the safe’s locking mechanism. This is the case in the Bulldog Vaults BD4010 and BD4020. Using these holes, I reached into these safes with wire and drew the wires for reset switches to the keyways. Without pulling the wires loose, I was able to pierce the wiring with a pair of safety pins and close the circuit on the reset function. Keyways cannot open into the interior of the safe’s locking mechanism. They must be shielded.
Closing remarks on lock box manufacture
Most of the lock boxes I have examined are made in China. I would encourage the reader to go online to Alibaba.com, where almost all of the imported lock boxes currently sold in the U.S. can be found. A quick search using phrases like “electronic safe” or "pistol box" will yield hundreds of results, a few of which will be familiar to the reader. These are the devices sold in sporting goods stores everywhere.
One of the problems facing importers is that very little effort, if any, has gone into engineering these safes. The imported safes I’ve examined are built of recycled design components. Locking mechanisms in these safes are copies of one another, which I’ve come to recognize through taking the safes apart. What U.S. importers don’t understand, or perhaps are unconcerned about, is that Chinese industry has a long history of disregarding intellectual property law. The components of the safes I’ve examined come from designs that have been copied and recopied so many times they’re essentially in the public domain as far as Chinese manufacturers are concerned.
Still another issue complicating the import of these devices is a problem fundamental to engineering. Engineers tend to see their intentions in their work. If a design meets approval, if a prototype functions, if the materials used fall within imposed constraints, the job is considered good. Engineers don’t generally look for disconfirming evidence with regard to their work—that is, evidence that they haven’t solved the problem they set out to solve. Chinese engineers compound the oversights resulting from this tendency by recycling designs whenever possible in order to be efficient.
Importers of handgun safes need to understand the limitations of Chinese industry, and need to make the above engineering recommendations a requirement of contractual dealings with Chinese safe manufacturers. I believe these recommendations will allow imported lock boxes to pass any statutory tests that California might require in the future, in the event California’s Penal Code, Title 11, Division 5, Chapter 6 is significantly updated. Even if it is not, I see no reason U.S. importers should be satisfied with products that are “good enough for government work.” As I reveal in the next section, California DOJ approval of these devices is empty approval, and arguably negligence on the part of