The manufacturer that claimed its Bluetooth-connected fingerprint-reading smart lock was “unbreakable,” only to find it being opened in seconds by someone armed with nothing more than a mount and a screwdriver, has been slapped down by a US watchdog.
Tapplock “did not take reasonable measures to secure its locks, or take reasonable precautions or follow industry best practices for protecting consumers’ personal information,” the FTC alleged [PDF] in its formal complaint. “In fact, [TappLock] did not have a security program prior to the discovery of the vulnerabilities.”
Yes, it wasn’t just the fact the back of the $100 metal smart lock could be twisted off with a suitable mount and unscrewed with a normal screwdriver to defeat it. Its Canadian maker, which was funded through an Indiegogo campaign, had also failed to protect its online user accounts, did not encrypt the connection between its smartphone app and backend servers, and introduced a security hole that allowed anyone nearby to sniff Bluetooth packets between the app and lock, and use that info to unlock the gizmo.
The FTC accused the company of "deceiving" folks by falsely claiming the lock was “unbreakable” and not having taken “reasonable steps” to secure user data. The biz has settled with the federal watchdog, agreeing to “implement a comprehensive security program and obtain independent biennial assessments of the program.”
Unbreakable smart lock devastated to discover screwdrivers existREAD MORE
Under the usual FTC settlement [PDF] terms, the manufacturer “neither admits nor denies any of the allegations” but there is long list of requirements it now has to follow.
These include naming a specific employee to be in charge of its new security program, providing reports on any future security incidents, training all its employees once a year on data privacy, putting in place various technical measures to protect users’ personal information, and running an annual review on its systems and security, including penetration testing.
Infosec experts had found that one security hole in Tapplock’s API enabled them to bypass its account authentication process and gain full visibility of all user accounts, including usernames, email addresses, profile photos, location history, and precise geolocation of smart locks.
A second vulnerability could be exploited to lock and unlock any nearby Tapplock smart lock: its firmware broadcast its Bluetooth MAC address over the airwaves, and used that same MAC address to calculate the key used to lock and unlock the device. Anyone within radio range could thus figure out its digital key and unlock it. A third vulnerability prevented users from revoking access to their smart lock once other users had access to it, making the device permanently unsafe. It also did not use HTTPS between the app and its API servers.
To its credit, when faced with the deluge of criticism and bad press back in 2018, Tapplock did immediately try to fix things, and a year later, in July 2019, released a redesigned lock that it challenged people to hack. And it had some success with it. But then, just a week ago, the new lock was again bypassed by someone using nothing more than a $25 strong magnet, which you can see below:
Despite avoiding a big fine, the FTC made it clear that it will be keeping an eye on Tapplock. The regulator's director of consumer protection Andrew Smith noted that the biz had failed to even test its security boasts. “Tech companies should remember the basics – when you promise security, you need to deliver security,” he said. ®