ORGANIZATION OF DISCUSSION
As described in Characteristics of lock boxes under the Handgun Safe Design section, there are five main components to most electronic lock boxes. I have organized my findings based on these five main components.
Most of the mistakes listed below could have been avoided had Industrial designers followed a basic principle of security: One cannot design a device intended to prevent unauthorized access by giving it a multitude of methods for gaining access. Every method of entry incorporated into a device introduces more points of potential vulnerability. Yet, in the current market, a single handgun safe may offer keyed access, keypad access, RFID access, biometric access, and remote access by phone. This is a byproduct of designing handgun safes around currently popular features, resulting in devices having unanticipated failings.
THE CONTAINER
1) Boxes, doors, and hinges
Handgun safes are built on one of five basic configurations. The first is a simple box with a vertically hinged door that swings open. The second configuration is an elongated box with a door at one end. The door is hinged horizontally along the bottom and swings downward. The third configuration is common to handgun safes and portable cases, a flat, two-part container with a top that springs open. The fourth configuration is a narrow wall-mounted box that drops open. Finally, a less common configuration involves a flat box with a drawer.
The most typical design weakness with regard to doors is the presence of gaps that allow access to programming buttons or, in the worst-case scenario, access to the latch itself. Below is a classic example of exploiting a gap under a door using a piece of bent coat hanger wire.
Mounting holes in the sides of handgun safes are another source of vulnerability. Though mounting holes are routinely provided in the bottoms of full-sized safes and small personal safes, many handgun safes are designed to offer too many mounting options, resulting in holes throughout.
In some cases, extraneous holes are incorporated into handgun safes as a byproduct of manufacturing. Since Chinese industrial designers who develop these products do not fully grasp the responsibility of gun storage in the United States, they perceive no danger in allowing these holes to remain.
2) Interior housings for locking mechanisms
Locking mechanisms installed in handgun safes are usually assembled into small housings. Safes with vertically opening doors typically have housings mounted on the inside of the door. Other arrangements include locking mechanisms built into trays mounted under the top of a safe, or housings spanning the front of a container. If the walls of a safe are the first line of defense for a locking mechanism, the housing for locking mechanism is the second. Unfortunately, though these small housings can be designed to shield the locking mechanism, they often provide no shielding.
Below is an example of combined oversights, a box designed with small holes in its sides and a wide-open tray-styled housing for the latch assembly. An unfolded paperclip can be used to pull back the release wire.
3) Keypad fittings
Keypad fittings on handgun safes are often made of plastic. They are usually held in place by screws threaded directly into the plastic of the fitting. Screws threaded directly into plastic are not gripping anything that provides resistance to prying.
Lock boxes may also have keypad fittings made of rubber simply glued in place. This is devastating to the security of a safe if the fitting conceals holes beneath it.
4) Decorative fittings
Handgun safes often have additional fittings or attachments that serve as feet or bumpers to prevent marring surfaces. Common examples of this are plastic fittings enclosing the sides of a top-opening handgun safes. Fittings like these may conceal extraneous holes in the container.
MECHANICAL COMPONENTS OF
THE LOCKING MECHANISM
1) Motorized boltwork
Motorized boltwork mechanisms are inherently more secure than other mechanisms, because the bolts are locked in place by the gearing of the motor that actuates them. The mechanical parts of a motorized boltwork mechanism are unlikely to have vulnerabilities.
2) Motorized latches
Motorized latching mechanisms in handgun safes and portable cases are often vulnerable to attack. Because this type of mechanism is actuated by a motor rotating a fitting not directly connected to the latching hardware, the components move independently of the motor. Any holes or gaps in a container that allow access to latching hardware leave the mechanism vulnerable.
Below are pictures of a motorized latching mechanism installed in a portable case. In the picture on the left, a red arrow indicates the cam that is rotated by a motor to push the latch to one side. In the next picture, an arrow indicates the direction of travel for the latch piece. The last two pictures illustrate how to slam the case downward to throw the latch.
3) Spring-release latches
Like motorized latching mechanisms, the mechanical components of spring-release latches move independently of the motor that actuates them. Spring-release designs are diverse, though they fundamentally rely on one of two methods of actuation: Release Wire and Contour Locking. Hybrid designs also exist, but any spring-release design will rely on one of these two methods of actuation.
Release Wire
The Release Wire assembly involves two pieces of hardware, a latch and a release, each mounted vertically on either side of a simple framework. Both pieces rotate in place. The latch piece has a spring attached to it to keep the latch under tension. The latch also has a pin passing through it that slips into a notch in the profile of the release. Another notch cut into the release allows a long sprung wire (the Release Wire) to pass through the assembly, where it rests against the release when the latch is locked.
To release the latch, a motor is used to draw back the Release Wire resting against the release. This rotates the release until is slips off of the pin attached to the latch, and the spring keeping tension on the latch throws the latch open.
This latching design is weak. It can be pried open repeatedly and still function. If a handgun safe with this latching mechanism is properly bolted down, as any handgun safe should be, prying it open will only be easier to do. Yet, this latching mechanism has one feature that has allowed it to pass California’s Firearms Safety Device testing standards. The Release-Wire latching mechanism is resistant to impact; the safe won’t open by being dropped. Below are two videos featuring handgun safes with this latching mechanism. Both are pried open quickly with screwdrivers.
Contour Locking
The Contour-Locking latch assembly involves two pieces of hardware, a latch and a release, mounted side-by-side on a framework. Both pieces rotate. A spring stretches between them. The latch and release are designed with profiles that allow the pieces to meet edge-to-edge in a stable position when locked. To release the latch, a motor is used to pull the release from its stable position, and the spring stretching between the two pieces throws the latch.
This mechanism may use one latch or two latches that release simultaneously. Roughly half of the top-opening handgun safes and portable cases often have duel contour- locking assemblies installed in them.
The contour-locking latch is highly resistant to prying. A duel contour-locking latch is even stronger. However, this type of locking mechanism is still often vulnerable to attack. This is because the stability of the mechanism depends upon two small pieces of hardware, the latch and release, meeting firmly edge-to-edge. If the housing of the latching assembly is not resistant to flexing or bending, or if the box itself is not resistant to flexing or bending, the contour-locking latch can be thrown by hard impact; the edges of the two components will slip and the spring stretching between will throw the latch.
Below are two videos featuring handgun safes with contour-locking spring-release latch mechanisms. The AmazonBasics product has a single-latch assembly, the Vaultek a dual-latch assembly.
Inappropriate Materials.
Below are two examples of spring-release latching mechanisms made of plastic. These mechanisms were designed in an attempt to save on material costs; injection-molded plastic parts are inexpensive and allow for rapid production. These materials also help industrial designers to develop portable cases that are light-weight and affordable. But the fact remains, these gadgets have no place in handgun safes.
4) Solenoid-locked boltwork
Security vulnerabilities involving solenoid-locking safes have been exposed extensively online. Video can be found throughout YouTube showing small personal safes and large floor-standing safes being compromised by having solenoids bounced, shaken, and manipulated by wires and magnets. As a result, designers have improved solenoid design by giving them internal levers that intervene between a solenoid pin and a boltwork assembly.
Old-styled solenoid, used for many years on small personal safes
Solenoid with housing and integrated lever
This style of solenoid is becoming the preferred design in small personal safes.
Below are two videos illustrating a common approach to attacking safes with poorly designed solenoids. In both videos, holes in the safes are exploited to press down on solenoid pins.
ELECTRONIC COMPONENTS OF
THE LOCKING MECHANISM
1) Buttons and switches
Reset buttons for programming new access codes or registering fingerprints are among the easiest components to highjack in lock boxes. Buttons are often accessible through a bit of creative probing with wires or metal shims. Gaps around doors and lids make this possible. And if one does not have an immediately available gap, one can make one by inserting a screwdriver.
2) External circuitry
In many handgun safes, circuitry can be divided roughly between external circuitry (on the outside of the lock box) and internal circuitry (inside the locking mechanism, including the main circuitry board).
In the same way that reset buttons and other controls should not be accessible from outside the lock box, critical circuits should not be accessible on the outside of a lock box. A “critical circuit” has an item on it that is directly responsible for releasing a door, like a motor or solenoid. Below are two videos showing what can happen as a result of careless circuitry design beneath keypad fittings.
3) Internal Circuitry
Circuitry boards, and in particular their solder points, need to be shielded from probing with wires. Without shielding or insulation, the solder points where reset buttons are attached to a circuitry board can be bridged with wire or metal shims. Reset buttons are nearly always momentary switches, open ends of a circuit that need to be closed for a second or two.
Below are two videos involving products with accessible reset functions, the vulnerability resulting from exposed, accessible circuitry. As stated, reset buttons are often momentary switches, and if their solder points are exposed one only has to tap the solder points with something conductive to close the circuit. This accomplishes the same thing as pressing the reset button.
The processor
and ON-BOARD PROGRAMMING
1) Reset commands
The sequence for programming a new access code cannot be so simple that a reset button only has to be pressed once. The simpler the programming sequence, the better the chances for an attacker to enter a new access code if he can reach the reset button. A programming sequence should involve pressing a reset button two or more times, should require knowledge of the current access code, and ideally should involve entering a programming sequence on the keypad as part of the process of putting circuitry into programming mode.
2) Biometrics
Providing biometric control in a handgun safe poses a special security issue. In the past, biometric-controlled locking mechanisms have been designed to behave as though a fingerprint or vascular scan were registered before the user enrolled any scans. In other words, the mechanisms would open for any random finger out of the box.
This has allowed users to set up safes incorrectly, leaving their safes accessible to anyone. Companies are now recognizing the need to prevent this form of user error, and are recalling devices. The Awesafe, a top-opening biometric safe pictured below, was recalled on February 22, 2024 for this reason. Yet, the problem of locking mechanisms being designed to permit this form of user error has been around for years. Below is a 2015 video covering this same issue in the Bulldog Vaults BD3000. The importer never initiated a formal recall, but quietly sold off the remaining inventory and discontinued the product.
Before deciding to import biometric-controlled handgun safes, importers should insist that devices meet the ASTM Standard Specification for Youth-Resistant Firearms Containers (YRFCs), ASTM F2456. One main reason for this is in Section 5., General requirements, which includes the following clause:
“5.5 Digital locking devices with biometric recognition lock features shall be received by the user in a condition such that locks shall not open with the biometric entry method until the authorized user programs a unique biometric method into the YRFC.”
This language is included to prevent user error. Even if an importer intends to have a product tested to California’s Firearms Safety Device standards, the importer should still demand this level of security before finalizing a purchase agreement.
Keyed bypass locks
1) Common bypass locks
Most handgun safes are fitted with cam locks that override the locking mechanisms proper, allowing access when batteries need replacing. The most common cam locks are short-cylinder cross locks, tubular locks, and wafer locks.
Manufacturers who do not have a lock specialist involved in product development must consult a physical-security expert for guidance in selecting appropriate bypass locks for their products. Parts suppliers are not qualified to make recommendations. Nor are locksmiths, since they only recommend locks they sell. Importers and manufacturers must consult a security expert who knows which lock manufacturers in China are making the appropriate locks at an affordable wholesale cost.
Short-cylinder cross locks:
These are mostly found on small personal safes. The cylinders are 1/4-inch to 5/16- inches in depth. With a maximum of two pins per row, and four rows of pins in a cross- shaped keyway, these locks can have as many as 8 pins. In practice, however, one fourth of the keyway is not used for pins, but is used to engage the key. So the typical short-cylinder cross lock has 6 pins. The key has a distinctive four-sided profile.
Short-cylinder cross locks are easily picked with a set of raking tools anyone can purchase on Amazon or through GOSO lock-picking tools online. The locks have been exposed widely on YouTube, and their continued use reveals how little importers know about locks; importers simply embark on selling safes and locks without taking time to learn the first thing about safes or locks.
Tubular locks:
When tubular locks were invented, they were a security innovation because there were no tools for picking them. Now, tools for picking these locks abound, and no skill is required to successfully compromise a tubular lock. The locks come in sizes ranging from micro-bore to small-bore to medium-bore to larger. They may have four pins, 7 pins, 8 pins, 10 pins, and pin-within-pin arrangements, though the typical tubular lock has 7 pins.
Tubular locks were designed to be opened rarely, and were commonly installed on vending machines, where they would sit undisturbed for weeks or months on end. Because the pins inside a tubular lock abrade against the body of the lock when a key is inserted and turned, the pins wear down quickly, and the locks fail under regular use. Therefore, should the electronics in a handgun safe stop working and leave the safe owner relying on a tubular lock for access, the safe owner will soon be left with an inaccessible device once the lock fails.
Wafer locks:
Wafer locks can be cheaply made and easily compromised, or they can be well made and hard to pick. Tools for jiggling open cheap wafer locks have been around for decades. Below on the far left is an example of a simple wafer lock. Next to this picture is a picture of jiggler keys made for opening this type of lock.
Following these are two pictures of wafer locks based on automobile lock designs, a special type of wafer lock that has been around since the 1980s. Lock-picking tools for automobile locks will allow one to attack most of these locks. The only way for these locks to resist picking is for them to have what is known as a side bar, a component that prevents tensioning a lock in order to pick it. But the importer who does not know how to identify this security feature will need a security expert to spot the decent lock among the junk locks. The range of wafer locks available makes consulting a security expert essential.
2) The “Everywhere” lock
Below are pictures of a lock used widely in handgun safes and portable cases exported out of China. It is a double-bitted wafer lock with a distinctive key. It is weak and completely inappropriate for a gun safe.
The lock was originally a place-holder lock for display purposes. Manufacturers in China showing their latest products at trade shows, or shooting images for use on Alibaba, installed this lock to cut costs. Higher quality locks could be recommended to importers when purchase contracts were being agreed upon. At some point however, as the popularity of importing these products into the U.S. grew, manufacturers learned that offering lock options was unnecessary, since importers took the products as shown online. Now, it is the responsibility of importers to update locks on the safes they import.
3) Other mistakes to avoid
Bypass cylinders often have decorative covers. Whether made of metal, plastic, or rubber, decorative covers usually fit into holes in the body of a safe or its keypad fitting. Without adequate planning, the resulting holes can allow access to the locking mechanism, and—as previously mentioned—to the electronics.
Closing remarks
on lock box manufacture
One of the problems facing importers is that very little effort, if any, has gone into engineering these safes. In a sense, Chinese industrial designers are the wrong people to be developing gun-safety products for export to the United States. There is no private gun ownership in China. No one in a Chinese factory making these products has ever handled a gun. From company owners to production-floor workers, no one involved in manufacturing handgun safes knows what it means to live in compliance with gun laws, never mind safe-storage gun laws.
Thus, the process of developing gun-safety products is an exercise in guesswork for a Chinese industrial designer. Since there are no standards imposed on the industry of handgun safes in the U.S., a Chinese company can market any product as a handgun safe, and any importer in the U.S. can import the product. Worse, Chinese industrial designers compound the oversights resulting from their guesswork by recycling designs whenever possible in order to be efficient. This results in handgun safes produced by different manufacturers being cobbled together of nearly identical components. Bad designs, bad bad locks, bad latching mechanisms, are all copied and recopied.
With no standards imposed on the industry, and no regulations imposed on the importation of gun-safety products, importers do not consider themselves to be responsible for testing handgun safes. Though in principle they are the last line of defense in preventing dangerous products from being released to the public, importers do not own any responsibility for testing. An entrepreneur in the U.S. can establish an Alibaba account, select products to import, set up an online store, and be in business in a matter of days. No knowledge of security or manufacturing is required to do this.
In the absence of regulations imposed on importers, importers need to make an attitude adjustment and admit their limitations. They also need to understand the limitations of Chinese industry and start testing the products they import. If an importer feels unqualified to do testing, security professionals are available to do the work. Importers simply need to decide the investment is worthwhile. Finally, with knowledge, importers can start making design recommendations to manufacturers. Better still, they should require that proposed revisions be addressed before finalizing contracts with Chinese manufacturers.