One of Amazon's top-selling electronic gun safes contains a critical vulnerability that allows it to be opened by virtually anyone, even when they don't know the password.

The Vaultek VT20i handgun safe, ranked fourth in Amazon's gun safes and cabinets category, allows owners to electronically open the door using a Bluetooth-enabled smartphone app. The remote unlock feature is supposed to work only when someone knows the four- to eight-digit personal identification number used to lock the device. But it turns out that this PIN safeguard can be bypassed using a standard computer and a small amount of programming know-how.

As the video demonstration below shows, researchers with security firm Two Six Labs were able to open a VT20i safe in a matter of seconds by using their MacBook Pro to send specially designed Bluetooth data while it was in range. The feat required no knowledge of the unlock PIN or any advanced scanning of the vulnerable safe. The hack works reliably even when the PIN is changed. All that's required to make it work is that the safe have Bluetooth connectivity turned on.

Vaultek holds out the VT20i as a reliable way to keep guns and other valuables safely secured and out of the wrong hands. With more than 250 customer reviews on Amazon, it boasts an overall rating of 4.5 stars out of a possible five stars. Marketers also say the safe is compliant with Transportation Security Administration rules required for people to fly with guns carried in checked luggage.

In an e-mail, Vaultek Vice President of Product Development Dustin Culbreth confirmed that the VT20i has no online update mechanism. Still, he said Vaultek plans to offer a firmware fix, either by sending customers a USB dongle that stores the update or by asking customers to ship safes back to the manufacturer, where the update will be installed.

"The new firmware will implement a time out feature to prevent against brute force attacks, as well as updating the PIN code verification process to prevent any transmissions from attempting to open the safe without the correct access code," Culbreth wrote. Vaultek engineers "are actively working on this and planning to release a new firmware update as early as next week for all customers with applicable models."

Culbreth's statement no longer claimed that the attack demonstrated in the video would be hard to execute, as a statement companies officials on Friday said.

"What you are not seeing is the prep time required to isolate the correct code and the time required to study the safe and it's transmissions, and the subsequent decoding time needed to generate the final code," company officials wrote on Friday. "This can take hours of work and also requires the ability to observe a correctly paired phone."

Not so fast

Two Six Labs researchers, however, disputed the claim and said the Vaultek statement fundamentally mischaracterizes their exploit.

"Once you have developed this capability or written a script to do it, you can affect any safe in this product line in a matter of seconds," Austin Fletcher, Two Sixes Labs' lead vulnerability research engineer, told Ars. "Anyone can do this."

In a blog post disclosing the vulnerability, the researchers included most of the code required to exploit the vulnerability. A competent developer would need 20 to 60 minutes to supply the missing portion. With that, the developer could build a smartphone app that could silently break into any existing VT20i safe in seconds, as long as Bluetooth was turned on.

Vaultek officials said they are in the process of introducing changes to their safes after receiving a private report two months ago about Two Six Labs' findings. "Vaultek takes personal security very seriously and we constantly monitor our products and will make every effort to continually improve," Vaultek officials wrote.

Daniel Su, Two Six Labs' research engineer, told Ars he doesn't believe the bug can be fixed easily in existing safes. That assessment, he said, is based on the fact that the flaw resides in the firmware that runs on the safe. "We have not seen any evidence of there being a firmware update mechanism," he said. E-mails from Vaultek left Ars' questions about the lack of an update mechanism unanswered. Vaultek VP Culbreth said the firmware can be updated, but went on to say the process requires customers to receive a USB dongle or to send the safe back to the manufacturer.

Two Six Labs also reported two other vulnerabilities in the popular safe. One, stemming from a lack of encryption in the Bluetooth communications, allows attackers within range to obtain the unlock PIN.

A second weakness allows anyone to make an unlimited number of attempts to pair a Bluetooth device with the safe. The safe design allows PINs that are four to eight digits long, but it only accepts digits 1 through 5. That means there are a maximum of 390,625 combinations (that is, 58). The number of combinations will be considerably smaller number if owners use a PIN shorter than eight digits.

The vulnerability means that anyone who relies on a VT20i safe to secure valuables should immediately turn off Bluetooth connectivity and leave it off indefinitely. Safes can still be locked and unlocked using a traditional physical key, as well as by owners' fingerprints. Some Amazon customers, however, have complained the fingerprint feature is flawed as well.

This post has been updated to add information provided on Monday by Vaultek VP Culbreth.