Findings & discussion
Organization of discussion
As described in Characteristics of lock boxes under the Handgun safe design section, there are five main components to most electronic lock boxes. I have organized my findings based on these five main components.
1) Doors and hinges. Handgun safes are built on one of four basic configurations. The first is a simple box with a vertically hinged door that swings open. This design is more common to small personal safes. The second configuration is more common in handgun safe design, an elongated box with a door at one end. The door is hinged horizontally along the bottom and swings downward, usually thrown open by springs. The third configuration is common to handgun safes and portable cases, a flat, two-part container with a top that springs open. Finally, one can find a forth configuration, a flat box with a drawer, though this is the least common of the four styles.
The most typical design weakness with regard to doors and hinges is the presence of gaps that allow access to programming buttons or, in the worst-case scenario, access to the latch itself. The Honeywell 5301DOJ is a prime example of how a gap beneath a vertically hinged door, in combination with poorly placed controls, can leave a safe vulnerable. The Union Safe Co. item #62984 provides an example of how a latch can be accessed over the top of a downward swinging door. The Stack-On PC-900 is an example of a portable case with a gap along its side allowing access to its controls.
2) Interior housings for locking mechanisms. The locking mechanisms installed in handgun safes are usually assembled in small housings of their own. Handgun safes with vertically opening doors typically have a housing mounted on the inside of the door. Other arrangements include locking mechanisms built into trays mounted under the top of a safe, or housings that span the front of a container.
If the exterior walls of a safe are the first line of defense for the locking mechanism, the interior housings for locking mechanisms are the second line of defense. There can be no extraneous holes in the housing of a locking mechanism. Yet the housings for locking mechanisms often have holes that leave critical components exposed.
3) Keypad fittings. More often than not, the keypad fittings on handgun safes are plastic. They are usually held in place by screws threaded directly into the plastic of the fitting. Screws threaded into plastic are not gripping anything that provides resistance to prying. An example of an easily pried up fitting can be found on the Stack-On PS-514. An example of a keypad designed to be held in place by only two screws can be seen on the Billconch Fingerprint Pistol Box.
The easiest way to remedy these vulnerabilities is for designers to stop thinking in terms of keypad fittings. Liberty Safe and Sentry Safe market lock boxes with buttons and bypass cylinders that extend through the framework of the box.
A certain number of lock boxes have keypad fittings made of rubber simply glued in place. This is devastating to the security of a safe if the fitting conceals holes beneath it. Glued fittings can be pulled up, and several lock boxes I’ve examined are vulnerable because of this, including the Union Safe Co., Item #62984.
4) Decorative fittings. Many lock boxes on the market have additional fittings or attachments that serve as feet or bumpers to prevent marring surfaces. The common examples of this are plastic fittings enclosing the sides of a top-opening handgun safes. Fittings like these that are removable may be used to conceal extraneous holes in the container.
Plastic side piecesThis is the Fortress B-P2EA, though the safe is completely generic, and is imported and sold under multiple different names in the U.S.
Plastic side piecesThis is the RPNB RP19001F, which shares a latching mechanism and the plastic side-piece design elements with the Fortress B-P2EA.
of the locking mechanism
The internal components of locking mechanisms are almost never arranged or shielded in ways to protect them from being manipulated. In many cases, poor design decisions made with regard to plastic keypad fittings on the outside of a lock box would not present security issues if some effort were made to shield the components of the locking mechanism inside. The same is true of every other aspect of lock box design; mistakes in design and fabrication would not cost these devices their security if the mechanical components of their locking mechanisms were protected.
1) Motorized boltwork. As described in the Handgun safe design section under “Locking mechanisms,” motorized boltwork mechanisms are inherently more secure than other mechanisms, because the bolts are locked in place by the gearing of the motor that actuates them. I have found no design problems in the mechanical parts of the motorized boltwork mechanisms I have examined. However, I have found safes with accessible circuitry, such as the Bulldog Vaults safes BD4010 and BD4020, and safes with weak bypass locks, as in the Verifi Smart Safe.
2) Motorized latches. The motorized latching mechanisms in handgun safes and portable cases are not all equally vulnerable to attack. Because this type of mechanism is actuated by a motor rotating a fitting not directly connected to the latching hardware, the components move independently of the motor. Any holes, gaps, or other openings in the container that allow access to latching hardware leave the mechanism vulnerable to being manipulated. The mechanism pictured here is installed in the Paragon Quarter Master 7650 (discontinued). Stack-On's portable cases have motorized latches installed in them, as do portable cases sold by Bulldog Cases and Vaults.
3) Spring-release latches. Like motorized latching mechanisms, the mechanical components of spring-release latches move independently of the motor that actuates them. Most lock boxes on the market are equipped with spring-release latch mechanisms, and many have unnecessary holes in their framework allowing their releases to be actuated with paperclips and other materials. Examples of this can be seen in the GunVault GVB 1000 and Union Safe Co.’s Item #62984.
4) Solenoid-locked boltwork. As described in the Handgun safe design section, a solenoid must be installed in a way to prevent the solenoid pin from being shaken or bounced, which would allow the boltwork to move freely. The housing for the solenoid/boltwork assembly must also be shielded from probing with wires. Because safes featuring solenoid-locked boltwork have been exposed online, manufacturers have experimented with new arrangements. Stack-On’s PS-1514 features a solenoid encased in a housing with a pivoting lever built into it; when the solenoid receives power, the pin snaps down, allowing the lever to be pushed out of the way by the boltwork. The intervening lever makes this device highly resistant to being bounced open.
of the locking mechanism
1) Access codes and fingerprints. Reset buttons for programming new access codes and buttons for registering fingerprints are among the most easy-to-highjack components in lock boxes. Either the buttons themselves are accessible through a bit of creative probing with wires or metal shims, or in some cases the wires connecting these buttons to the main circuitry boards are accessible.
Buttons that are supposed to be protected inside a lock box are usually accessed around the doors or lids of the boxes. The way to remedy this vulnerability is for reset buttons to be shielded and/or recessed inside the housing of the locking mechanism. Sentry Safe solved the problem of making controls inaccessible by putting the reset button of the Quick-Access Pistol Safe (QAP1E) inside the battery compartment, behind the battery holder.
2) Circuitry. In many handgun safes, circuitry can be divided roughly between external circuitry (on the outside of the lock box) and internal circuitry (inside the locking mechanism, including the main circuitry board). In the same way that reset buttons and other controls should not be accessible from outside the lock box, critical circuits should not be accessible on the outside of a lock box. A “critical circuit” has an item on it that is directly responsible for releasing a door, like a motor or solenoid. The presence of a critical circuit on the outside of a lock box removes all security from a device. This vulnerability was once a problem with the Bulldog Vaults BD 1050, BD 1060, and BD 1070.
3) Circuitry boards. Circuitry boards and in particular their solder points need to be shielded from probing with wires. This means circuitry boards need to have insulation of some kind. In the case of several safes, the Bulldog Vaults BD4010 and BD4020 and the Union Safe Co.’s Item #62984, I was able to reach in through holes with wire and metal shims to tap circuitry boards directly, closing the circuit on reset functions.
Exploiting hole in keypadThis safe, the Bulldog Vaults BD4010 (discontinued) has a removable cover over the bypass lock, which allows one to slide in wire to close the circuit on the reset function.
Exploiting hole in keypadThis safe, the Bulldog Vaults BD4020 (discontinued) has a removable cover over the bypass lock, which allows one to slide in wire to close the circuit on the reset function.
4) Tolerances and power. The circuitry of lock boxes is usually designed with very close resistor tolerances for the voltage that circuitry can handle. Unfortunately, some of the battery compartments (typically holding four AA batteries or four AAA batteries) are connected to circuitry by use of plugs that will also connect directly with a 9V battery. The lock box owner who thinks he or she might have to change batteries less frequently by replacing batteries with a 9V battery will ruin the circuitry.
Circuitry in lock boxes should be designed to “require” the use of a 9V battery—that is, circuitry should be designed with tolerances that would accept power from a 9V battery without sustaining any damage. Grocery stores and convenience stores are more likely to have 9V batteries than any other kind of batteries, because these batteries are used in smoke detectors. Many people are in the habit of changing out smoke detector batteries at a certain time of the year. This would be an ideal time to swap the battery out on one’s handgun safe.
Another option manufacturers should consider is equipping lock boxes with rechargeable batteries. A rechargeable lithium battery will last longer than a store-bought battery. Furthermore, if the battery can be charged from a USB port on the outside of the safe, the owner who is unable to find the bypass keys won’t be locked out of the safe should the battery go dead.
5) Exterior contact points. In a few lock boxes, designers have left off installing mechanical bypass locks in favor of providing exterior contact points so that one can hold a 9V battery to the points when batteries inside fail. This amounts to leaving the circuitry’s resisters exposed to whatever power source a person might subject them to. As already mentioned, these lock boxes are designed with close resistor tolerances. Therefore, devices that have exterior contact points are vulnerable to sabotage. Although doing away with a bypass cylinder may cut production costs, leaving a lock box’s circuitry exposed should never be considered an option.
1) Reset commands. The sequence for programming a new access code cannot be so simple that a reset button only has to be pressed once. The simpler the programming sequence, the better the chances are for an attacker to enter a new access code if he can reach the reset button. A programming sequence should involve pressing a reset button two or more times, should require knowledge of the current access code, and ideally should involve entering a programming sequence on the keypad as part of putting the circuitry in programming mode.
2) Biometrics. Putting a safe into registration mode to accept a new fingerprint cannot require that a primary control button need be pressed only once. As with my recommendations for a proper sequence for programming an access code, the process for registering fingerprints cannot be simple. The process must require that the owner register one or two “administrative” prints, which must be used before registering additional fingerprints in the system. Furthermore, no controls involved in either registering or deleting fingerprints can be located on the outside of the safe. The Bulldog Vaults BD 3000 (now discontinued) was easily compromised because of this mistake.
Keyed bypass locks
1) Common bypass locks. Most handgun safes are fitted with cam locks that override the locking mechanisms proper. These locks typically rotate a piece of hardware—or cam—that pushes or pulls a release of some kind, allowing access in the event that batteries need replacing. The most common cam locks installed for bypass locks in handgun safes are simple cross locks, tubular locks, and wafer locks. Most of these locks can be opened with tools made specifically for opening them; one doesn’t need skills with general-purpose lock-picking tools in order to compromise them.
The subject of keyed locks encompasses a diverse field of design with a long history of innovation. No one who knows what they’re doing steps into the business of selling safes or locks casually. An industrial designer with an interest in locks can expect to invest 3 or 4 years in the study of locks before acquiring the knowledge base to enter the field of lock design. Unfortunately, the biggest mistake made by manufacturers and importers of firearm safety products is the belief that they can market safes and locks without knowing the subject.
Manufacturers who do not have a lock specialist involved in product development must consult a physical-security expert for guidance in selecting appropriate bypass locks for their products. Parts suppliers are not qualified to make recommendations.
2) Mistakes to avoid. The most common mistake I come across involves giving bypass cylinders decorative covers. Whether made of metal, plastic, or rubber, decorative covers usually fit into holes in the body of a safe or its keypad fitting. The resulting holes can allow access to circuitry beneath a keypad and even access into the interior of the locking mechanism. The P-20 Security Safe, once imported by Bighorn Safe Co., is a perfect example of how a simple decorative cover—and the resulting holes—can undermine the security of a safe.
on lock box manufacture
Most of the lock boxes I have examined are made in China. I would encourage the reader to go online to Alibaba.com, where many of the imported lock boxes currently sold in the U.S. can be found. A quick search using phrases like “electronic safe” or “pistol box” will yield hundreds of results, a few of which will be familiar to the reader. These are the devices sold on Amazon under multiple different brand names.
One of the problems facing importers is that very little effort, if any, has gone into engineering these safes. The imported safes I’ve examined are built of recycled design components. Locking mechanisms in these safe are copies of one another, which I’ve come to recognize through taking the safes apart. What U.S. importers don’t understand, or perhaps are unconcerned about, is that Chinese industry has a long history of disregarding intellectual property law. The components of the safes I’ve examined come from designs that have been copied and recopied so many times the designs are in the public domain as far as Chinese manufacturers are concerned.
Still another issue complicating the import of these devices is a problem fundamental to engineering. Engineers tend to see their intensions in their work. If a design meets approval, if a prototype functions, if the materials used fall within imposed constraints, the job is considered good. Engineers don’t generally look for disconfirming evidence with regard to their work—that is, evidence that they haven’t solved the problem that needed to be solved. Chinese engineers compound the oversights resulting from this tendency by recycling designs whenever possible in order to be efficient.
Importers of handgun safes need to understand the limitations of Chinese industry, and need to make the above engineering recommendations a requirement of contractual dealings with Chinese safe manufacturers. I believe these recommendations will allow imported lock boxes to pass any statutory tests that California might require in the future, in the event California’s Penal Code, Title 11, Division 5, Chapter 6 is significantly updated. Even if it is not, I see no reason U.S. importers should be satisfied with products that are “good enough for government work.” As I reveal in the next section, California DOJ approval of these devices is empty approval, and arguably negligence on the part of California’s DOJ.