Security Vulnerability Update for the Database on Certain PMVs
Sigma Metalytics has been made aware of a security vulnerability in the Database Downloader program for a subset of PMV Original, PMV Investor, and PMV PRO devices currently in the field. This page is to explain what’s going on, what the fix is, and, most importantly, what steps you can and should take to keep you, your device, and your metals safe.
What’s the software issue?
A security vulnerability in the PMV Database Downloader program was discovered. The vulnerability allows users to modify database entries.
Why is this an issue?
We think that most users are well-intentioned and, using this recently discovered security vulnerability, may seek to modify the databases on their PMVs to include custom entries for coins and bars they frequently test that are not already in the standard database. We have a lot of metals in our database, but there are many unique, rare, and uncommon coins out in the market, so we don’t have everything covered.
However, a bad actor may exploit the security vulnerability to intentionally set incorrect database entries to mislead unsuspecting users into trusting a test result on a bad sample. Given that trust is paramount in this industry and is core to our business identity, we want everyone to be able to trust their PMV test results.
While the security vulnerability enables a user to change database entries to show different names and different ranges, the numerical test results of the device (the actual internal math of the PMV) cannot be changed. The PMV PRO and PMV Investor devices always show the numerical test results of the sample to the right of the red/yellow/green range; these test results cannot be changed by the database and are therefore immune to the recently discovered security vulnerability. The PMV Original can show the numerical test results by setting the device’s display mode to Resistivity; these test results also will not change if the database is modified. Therefore, you can always independently compare the device’s numerical test results with the known good range published on our website (here).
Is my device trustworthy?
In all likelihood, yes.
If you purchased your device through us or a trusted distributor, have not intentionally modified the software with your PC, and have only used databases downloaded from the Sigma Metalytics website, then your device is using a trusted database.
A PMV device is only vulnerable if someone has physical access to the device and takes a number of steps to intentionally change the device using software and procedures not published by Sigma Metalytics. If you have not done that to your device, then your device is using a trustworthy database. It is important to remember that neither the PMV Original, the PMV Investor, nor the PMV PRO is able to connect to the Internet and, therefore, none of them can be modified unless an individual has physical access to the device.
Which devices are vulnerable?
PMV Originals with model number SM1601 and with serial numbers up to 32749.
PMV Investors with model number SM3012 and with serial numbers up to 5403.
PMV PROs with model number SM2601 and with firmware version 2.05 or greater.
PMV PROs with model number SM2701 and with serial numbers up to 15426.
PMV PRO Minis are not susceptible to this vulnerability.
You can check on the back of your device for its model and serial number. Your PMV PRO will show the firmware version on the screen when powering on.
If my device is included in the above ranges, what can I do?
Give us a call (530.562.4589, option 2) or send us an email (info@sigmametalytics.com) and we can help you check if your device is using a trusted database. If you want to be very certain, we can also arrange for the device to be sent in for a software update to patch the vulnerability free of charge.
What’s the fix going forward?
On our side, we’re updating the security of the devices and publishing additional information to keep you safe during testing.
The software changes are already in place and new devices produced by Sigma Metalytics will not be vulnerable to this threat.
We have also published a procedure (below) to confirm if a device you’re using (whether your own or someone else’s) is safe to use.
How to determine if a PMV has a trustworthy database:
1. If the device is yours and you have not used a modified database downloader program and/or you have not loaded a modified database onto your device, then it has a trustworthy database. Our devices do not connect to the internet and are not vulnerable to a third party remotely modifying your device that you already own.
2. When purchasing a device, only purchase from a trusted party, such as directly from Sigma Metalytics or from an Authorized Distributor.
3. When interacting with a third party’s device (such as at a coin shop or from a private seller), you can check the following things:
a. Does the database have any entries that our standard database does not? You can compare the device’s database options to our published database list with center values (found here). If the device you’re looking at has a different set of database options, it might be using a modified database.
b. Does the device display samples in the right range? The published database list with center values (here) lets you compare the device’s results to the good ranges for that sample. For example, if you are testing a .999 gold coin on the PRO and the device is showing a test result of 5.5, but putting that result in the green, then that device might be using a modified database (the acceptable green range for a .999 gold coin is 2.1 to 2.4, so a result of 5.5 should be way out in the red to the right).
c. How do the device’s results compare to another PMV’s test results? Two PMVs should test basically the same. There are always some slight variations between devices due to being hand-assembled and hand-calibrated, but there shouldn’t be a significant difference between the two (for example, if a sample passes one device and not the other, one of them might be using a modified database). You can always bring your own device to a shop and compare results when testing a sample.
d. How does the device test a known, good sample? If you have a known, good sample that either tested well in the past or currently tests well on other devices, it should also pass testing on this device in the same way.
e. Is the deal too good to be true? It probably is! If someone is selling pieces way below spot or is willing to part ways with their pieces for less than the pieces should be worth, those pieces might be questionable. Always view pieces with a critical eye, regardless of test results, and always do as much testing as possible using all the tools at your disposal when examining a piece. Similarly, if someone is willing to sell you a PMV for way below market price, it might be damaged, misused, or modified in some way.
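The checks in 3a through 3c above boil down to comparing what a device displays against the published database list and against a second device. The following is an added example of that cross-check written as a small Python script; it is not Sigma Metalytics software and does not talk to a PMV. The only real value in it is the .999 gold green range on the PRO (2.1 to 2.4) quoted above; every other entry name, range, and reading is a constructed placeholder, and the published list is assumed to be a simple name-to-range table that you transcribe from the website.

```python
# Added example: independent cross-check of a PMV's display against the
# published database list. Not Sigma Metalytics code. Only the .999 gold
# range (2.1 to 2.4) comes from the advisory; everything else is constructed.
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class PublishedEntry:
    """One row of the published database list: the name and its green range."""
    name: str
    green_low: float
    green_high: float


# Reference table transcribed from the published list (constructed apart
# from the .999 gold row; the EXAMPLE-* rows are placeholders).
PUBLISHED: Dict[str, PublishedEntry] = {
    ".999 Gold": PublishedEntry(".999 Gold", 2.1, 2.4),
    "EXAMPLE-A": PublishedEntry("EXAMPLE-A", 4.0, 4.5),
    "EXAMPLE-B": PublishedEntry("EXAMPLE-B", 1.0, 1.3),
}


def expected_green(entry: PublishedEntry, reading: float) -> bool:
    """Should the published range put this numerical reading in the green?"""
    return entry.green_low <= reading <= entry.green_high


def unexpected_entries(device_entries: Iterable[str]) -> List[str]:
    """Check 3a: names the device offers that the published list does not.

    A non-empty result means the database may have been modified.
    """
    return sorted(set(device_entries) - set(PUBLISHED))


def check_display(sample_name: str, reading: float, device_shows_green: bool) -> str:
    """Check 3b: does the colour the device shows agree with the published range?

    Returns "consistent", "suspect" (display disagrees with the published
    range, e.g. 5.5 shown green for .999 gold), or "unknown-entry" when the
    sample name is not on the published list at all.
    """
    entry = PUBLISHED.get(sample_name)
    if entry is None:
        return "unknown-entry"
    if expected_green(entry, reading) == device_shows_green:
        return "consistent"
    return "suspect"


def devices_agree(sample_name: str, reading_a: float, reading_b: float) -> bool:
    """Check 3c: two PMVs testing the same sample should both pass or both fail
    it against the published range. Readings drift slightly between hand-
    calibrated units, so compare pass/fail rather than the raw numbers.
    """
    entry = PUBLISHED[sample_name]
    return expected_green(entry, reading_a) == expected_green(entry, reading_b)


if __name__ == "__main__":
    # The advisory's own example: a .999 gold coin reading 5.5 but shown green.
    print(check_display(".999 Gold", 5.5, device_shows_green=True))   # suspect
    print(check_display(".999 Gold", 2.3, device_shows_green=True))   # consistent
    # Constructed device menu containing an entry not on the published list.
    print(unexpected_entries([".999 Gold", "EXAMPLE-A", "CUSTOM-X"]))  # ['CUSTOM-X']
    # Constructed readings from your own PMV and a shop's PMV on one sample.
    print(devices_agree(".999 Gold", 2.25, 2.35))  # True
    print(devices_agree(".999 Gold", 2.25, 5.5))   # False
```

The script deliberately compares pass/fail rather than raw numbers between two devices, because the advisory only says that a sample passing on one unit and failing on the other is the signal; it does not publish a numeric tolerance, so none is assumed here.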
As always, our team is here to help with this and any other questions you may have. Please call or email us and we’re happy to help however we can.
P.S. Big thank you to Kevin for flagging this issue and taking the time to talk to us about it!