Unbreakable smart lock devastated to discover screwdrivers exist

Tapplock: Once, twice, three times a screwup


Video It's never easy to crack into a market with an innovative new product but makers of the "world's first smart fingerprint padlock" have made one critical error: they forgot about the existence of screwdrivers.

Tapplock raised $320,000 in 2016 for their product that would allow you to use just your finger to open the "unbreakable" lock. Amazing. Things took a turn for the worse when the ship date of September came and went, and backers complained that the upstart has stopped posting any updates and wasn't responding to emails nor social media posts.

But after months of silence, the startup assured El Reg that everything was still moving forward and the delays were due to "issues with manufacturing in China."

Fast forward 18 months and finally – finally – the $100 Tapplock is out on the market and it is… well, how do we put this kindly? Somewhat flawed.

No less than three major problems with the lock have been discovered that make it less than useless because presumably people intend to use the lock to secure valuable things.

One of the first things to note is that the Tapplock used zinc aluminum alloy Zamak 3: something that it claims lends the lock "unbreakable durability." Unfortunately, as materials engineers are happy to point out, aluminum may be a lovely lightweight metal and this alloy does provide an enviable degree of detail when die cast, but it is not exactly the best choice for something that is supposed to be unbreakable.

It isn't very strong, it melts at high temperatures, and it is quite brittle. It looks cool. But it's more suited for its more common use: door handles. It will be easy to cut through this lock with bolt cutters.

Here we go

That, by the way, is not one of the three flaws.

The first major flaw was in the way it used Bluetooth to lock and unlock. Andrew Tierney, aka cybergibbons, reviewed the lock for Pen Test Partners, and it took him less than hour to find a way to open every single Tapplock.

Open barn door

If you use ‘smart’ Bluetooth locks, you're asking to be burgled

READ MORE

How is that possible? Well, it turns out the lock broadcast its own Bluetooth MAC address over the airwaves, and uses that MAC address to calculate a key used to lock and unlock the device.

Tierney cracked the system disturbingly quickly: "It upper cases the BLE MAC address and takes an MD5 hash. The 0-7 characters are key1, and the 16-23 are the serial number." The upshot? He was able to write a script, port it to an Android app, and open any nearby Tapplock wirelessly using his phone and Bluetooth, taking less than two seconds each time.

"This level of security is completely unacceptable," he complained. "Consumers deserve better, and treating your customers like this is hugely disrespectful. To be honest, I am lost for words."

The problem was so bad that Tierney informed the manufacturer, and gave it seven days before he went public with the fundamental flaw. Just hours before the deadline was up, Tapplock put out a security advisory warning that everyone needed to upgrade their lock's firmware "to get the latest protection."

"This patch addresses several Bluetooth/communication vulnerabilities that may allow unauthorised users to illegal gain access," the company noted. But Tierney notes that it doesn't mention that literally anyone can open any lock that doesn't have the firmware updated.

Holding to account

On to flaw 2.

Security researcher Vangelis Stykas published a blog post on Friday outlining that Tapplock API endpoints have literally no security checks beyond checking whether there was a valid token.

So if you create a Tapplock account and gain a login, you will be able – again – to open every single Tapplock out there.

Tierney noted in his piece that he saw all kind of red flags that made him confident that the lock's security was going to be terrible, and Stykas notes the same thing – but with different red flags.

He approached the lock from a different angle – the lock's app. And was immediately concerned that it didn’t even use HTTPS. And so he dug around and found pretty quickly that it was trivial to manipulate other users' accounts from a different account.

Aside from being able to get at the lock itself, the security flaw enabled him to access the actual account information as well.

Amazingly, he approached the first flaw discoverer – Andrew Tierney/cybergibbons – and asked if he would share the email address he used for his account. Tierney agreed and within minutes, Stykas was not only able to add himself to Tierney's smart lock but was able to see his name and address.

lock

New York Attorney General settles with Bluetooth lock maker over insecurity claims

READ MORE

That's right, Tapplock is literally handing out all the information people need to not only access others' locks but where you can find them physically.

It's safe to say that Stykas was not impressed. "I really have no postmortem on this one," he noted. "The lock had several flaws and to my understanding they had a great marketing team but a non existent security team. I cannot tell you to buy or not buy anything as I don’t have the authority to do so but I would not buy this lock."

Tapplock disabled the API exploited by Stykas to thwart further attempts to obtain strangers' information through it.

So those are two catastrophic software errors. What about the actual physical lock itself?

Aside from the nice-looking but shoddy aluminum alloy it is built out of – oh, and the lack of a decent physical step in the lock arm itself that all decent lock manufacturers add to prevent thieves from shimming it open – there is another pretty insane flaw in the lock: you can potentially unscrew the back off.

Similar topics


Other stories you might like

  • Venezuelan cardiologist charged with designing and selling ransomware
    If his surgery was as bad as his opsec, this chap has caused a lot of trouble

    The US Attorney’s Office has charged a 55-year-old cardiologist with creating and selling ransomware and profiting from revenue-share agreements with criminals who deployed his product.

    A complaint [PDF] filed on May 16th in the US District Court, Eastern District of New York, alleges that Moises Luis Zagala Gonzalez – aka “Nosophoros,” “Aesculapius” and “Nebuchadnezzar” – created a ransomware builder known as “Thanos”, and ransomware named “Jigsaw v. 2”.

    The self-taught coder and qualified cardiologist advertised the ransomware in dark corners of the web, then licensed it ransomware to crooks for either $500 or $800 a month. He also ran an affiliate network that offered the chance to run Thanos to build custom ransomware, in return for a share of profits.

    Continue reading
  • China reveals its top five sources of online fraud
    'Brushing' tops the list, as quantity of forbidden content continue to rise

    China’s Ministry of Public Security has revealed the five most prevalent types of fraud perpetrated online or by phone.

    The e-commerce scam known as “brushing” topped the list and accounted for around a third of all internet fraud activity in China. Brushing sees victims lured into making payment for goods that may not be delivered, or are only delivered after buyers are asked to perform several other online tasks that may include downloading dodgy apps and/or establishing e-commerce profiles. Victims can find themselves being asked to pay more than the original price for goods, or denied promised rebates.

    Brushing has also seen e-commerce providers send victims small items they never ordered, using profiles victims did not create or control. Dodgy vendors use that tactic to then write themselves glowing product reviews that increase their visibility on marketplace platforms.

    Continue reading
  • Oracle really does owe HPE $3b after Supreme Court snub
    Appeal petition as doomed as the Itanic chips at the heart of decade-long drama

    The US Supreme Court on Monday declined to hear Oracle's appeal to overturn a ruling ordering the IT giant to pay $3 billion in damages for violating a decades-old contract agreement.

    In June 2011, back when HPE had not yet split from HP, the biz sued Oracle for refusing to add Itanium support to its database software. HP alleged Big Red had violated a contract agreement by not doing so, though Oracle claimed it explicitly refused requests to support Intel's Itanium processors at the time.

    A lengthy legal battle ensued. Oracle was ordered to cough up $3 billion in damages in a jury trial, and appealed the decision all the way to the highest judges in America. Now, the Supreme Court has declined its petition.

    Continue reading

Biting the hand that feeds IT © 1998–2022