Unbreakable smart lock devastated to discover screwdrivers exist

Tapplock: Once, twice, three times a screwup


Video It's never easy to crack into a market with an innovative new product but makers of the "world's first smart fingerprint padlock" have made one critical error: they forgot about the existence of screwdrivers.

Tapplock raised $320,000 in 2016 for a product that would let you open the "unbreakable" lock with nothing more than your finger. Amazing. Things took a turn for the worse when the September ship date came and went, and backers complained that the upstart had stopped posting updates and wasn't responding to emails or social media posts.

But after months of silence, the startup assured El Reg that everything was still moving forward and the delays were due to "issues with manufacturing in China."

Fast forward 18 months and finally – finally – the $100 Tapplock is out on the market and it is… well, how do we put this kindly? Somewhat flawed.

No fewer than three major problems with the lock have been discovered, each of which makes it worse than useless, given that people presumably intend to use the lock to secure valuable things.

One of the first things to note is that the Tapplock is made from a zinc-aluminum alloy, Zamak 3, which the company claims lends the lock "unbreakable durability." Unfortunately, as materials engineers are happy to point out, aluminum may be a lovely lightweight metal, and this alloy does reproduce an enviable degree of detail when die cast, but it is not exactly the best choice for something that is supposed to be unbreakable.

It isn't very strong, it melts at high temperatures, and it is quite brittle. It looks cool. But it's more suited for its more common use: door handles. It will be easy to cut through this lock with bolt cutters.

Here we go

That, by the way, is not one of the three flaws.

The first major flaw was in the way it used Bluetooth to lock and unlock. Andrew Tierney, aka cybergibbons, reviewed the lock for Pen Test Partners, and it took him less than an hour to find a way to open every single Tapplock.


How is that possible? Well, it turns out the lock broadcasts its own Bluetooth MAC address over the airwaves, and uses that same MAC address to calculate the key used to lock and unlock the device. In other words, the only "secret" protecting the lock is a value the lock itself announces to anyone in radio range.

Tierney cracked the system disturbingly quickly: "It upper cases the BLE MAC address and takes an MD5 hash. The 0-7 characters are key1, and the 16-23 are the serial number." The upshot? He was able to write a script, port it to an Android app, and open any nearby Tapplock wirelessly using his phone and Bluetooth, taking less than two seconds each time.

"This level of security is completely unacceptable," he complained. "Consumers deserve better, and treating your customers like this is hugely disrespectful. To be honest, I am lost for words."

The problem was so bad that Tierney informed the manufacturer, and gave it seven days before he went public with the fundamental flaw. Just hours before the deadline was up, Tapplock put out a security advisory warning that everyone needed to upgrade their lock's firmware "to get the latest protection."

"This patch addresses several Bluetooth/communication vulnerabilities that may allow unauthorised users to illegal gain access," the company noted. But Tierney notes that it doesn't mention that literally anyone can open any lock that doesn't have the firmware updated.

Holding to account

On to flaw 2.

Security researcher Vangelis Stykas published a blog post on Friday outlining that Tapplock API endpoints have literally no security checks beyond checking whether there was a valid token.

So if you create a Tapplock account and gain a login, you will be able – again – to open every single Tapplock out there.

Tierney noted in his piece that he saw all kinds of red flags that made him confident the lock's security was going to be terrible, and Stykas notes the same thing – but with different red flags.

He approached the lock from a different angle – the lock's app – and was immediately concerned that it didn't even use HTTPS. So he dug around and found pretty quickly that it was trivial to manipulate other users' accounts from a different account.

Aside from being able to get at the lock itself, the security flaw enabled him to access the actual account information as well.

Amazingly, he approached the first flaw discoverer – Andrew Tierney/cybergibbons – and asked if he would share the email address he used for his account. Tierney agreed and within minutes, Stykas was not only able to add himself to Tierney's smart lock but was able to see his name and address.
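The pattern behind flaw 2 is a missing authorization check: the API confirmed that the caller held a valid token, but never that the caller owned the lock or account being modified. The following is an added example, not Tapplock's code, modelling that gap with constructed in-memory data beside the hardened version that checks ownership and returns no profile data to the caller.

```python
# Added example, not Tapplock's code: flaw 2's missing ownership check, on constructed data.

class Unauthorized(Exception):
    pass

class Forbidden(Exception):
    pass

def fresh_state():
    """Constructed sample state: session tokens, lock ownership and owner profiles."""
    sessions = {"tok-owner": "owner@example.com", "tok-other": "other@example.com"}
    locks = {"lock-1001": {"owner": "owner@example.com", "shared_with": set()}}
    profiles = {"owner@example.com": {"name": "Lock Owner", "address": "1 Example Way"}}
    return sessions, locks, profiles

def authenticate(sessions, token):
    """Authentication only: says who is calling, nothing about what they may touch."""
    if token not in sessions:
        raise Unauthorized("invalid token")
    return sessions[token]

def share_lock_insecure(state, token, lock_id, invitee):
    """Vulnerable pattern: a valid token is the only check, so any account can
    add anyone to any lock and read the owner's profile (name, address)."""
    sessions, locks, profiles = state
    authenticate(sessions, token)            # checks who you are...
    lock = locks[lock_id]                    # ...but never whether this lock is yours
    lock["shared_with"].add(invitee)
    return profiles[lock["owner"]]           # leaks the owner's name and address

def share_lock_secure(state, token, lock_id, invitee):
    """Hardened pattern: object-level authorization after authentication."""
    sessions, locks, _profiles = state
    caller = authenticate(sessions, token)
    lock = locks.get(lock_id)
    if lock is None or lock["owner"] != caller:
        # one answer for "no such lock" and "not yours": don't confirm existence
        raise Forbidden("lock not found or not owned by caller")
    lock["shared_with"].add(invitee)
    return {"lock_id": lock_id, "shared_with": sorted(lock["shared_with"])}

def run_scenario():
    """A stranger (tok-other) tries to add themself to someone else's lock."""
    leaked = share_lock_insecure(fresh_state(), "tok-other", "lock-1001", "other@example.com")
    try:
        share_lock_secure(fresh_state(), "tok-other", "lock-1001", "other@example.com")
        blocked = False
    except Forbidden:
        blocked = True
    owner = share_lock_secure(fresh_state(), "tok-owner", "lock-1001", "friend@example.com")
    return {"leaked_address": leaked["address"], "stranger_blocked": blocked,
            "owner_shared_with": owner["shared_with"]}
```

The secure variant deliberately returns the same error for a non-existent lock and a lock the caller does not own, so the endpoint cannot be used to enumerate which lock IDs exist.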


That's right: Tapplock was literally handing out everything needed not only to open other people's locks but also to find out where those locks, and their owners, physically are.

It's safe to say that Stykas was not impressed. "I really have no postmortem on this one," he noted. "The lock had several flaws and to my understanding they had a great marketing team but a non existent security team. I cannot tell you to buy or not buy anything as I don’t have the authority to do so but I would not buy this lock."

Tapplock disabled the API exploited by Stykas to thwart further attempts to obtain strangers' information through it.

So those are two catastrophic software errors. What about the actual physical lock itself?

Aside from the nice-looking but shoddy aluminum alloy it is built out of – oh, and the lack of a decent physical step in the lock arm itself that all decent lock manufacturers add to prevent thieves from shimming it open – there is another pretty insane flaw in the lock: you can potentially unscrew the back off.

And now... opening the back

YouTuber JerryRigEverything was one of the first to review the lock, and approached it in a purely physical way – scratching it, trying to snap the back off, etc etc.

He was fairly happy with it until he took a serious cutter to the lock to see what was inside and discovered… that the back is literally screwed into the body. He went out and bought a second lock and then stuck a GoPro mount to the back of it, discovering, to his amazement that it simply unscrewed "like an expensive cookie jar."

That gave access to the back of the lock and to what were bog-standard Phillips head screws that could be removed using, you know, a screwdriver. Once inside, it was trivial to pop the lock.

JerryRigEverything concluded that it would be possible to crack any Tapplock within physical reach in under 30 seconds using nothing more than a mount and a screwdriver.

Following an amazed response – and over a million views – Tapplock responded that the lock has a metal pin inside that is supposed to prevent the back panel from rotating.

"Tapplock has said my particular unit is defective, and should not have come apart that easily," he noted before generously adding: "It seems to be more of a defective unit situation, instead of a poor design situation. Tapplock said they have reviewed the quality control and found no other defective units."

Even if that is true, and JerryRigEverything had somehow stumbled on the only Tapplock in the world where this pin didn't actually work, it still leaves the issue of the screws that can be opened with a normal screwdriver. We're told the gadget maker will in future use proprietary screws, and will check to make sure the pin is in place.

Also, if anyone can rotate the back off their lock, they should contact Tapplock for a new one.

Indienono

Companies serious about security – which tends to include lock manufacturers – will usually use custom screws requiring custom screwdrivers. It costs a little more but it results in a higher quality product, for obvious reasons.

In short, there is significant evidence that Tapplock has struggled from day one to provide what it promised. Not exactly the first time that an Indiegogo-funded idea has fallen short when the people behind the idea don't have the experience or expertise to actually deliver.

But even in the long and inglorious history of user-funded hardware (wonder how that Ataribox is going?) the Tapplock stands out as having failed miserably to fulfill its core goals – in this case, security.

But that's not all. With Tapplock having seemingly done such a good job marketing its useless lock, there is already a Tapplock knock-off that is even less secure than its inspiration. How is that even possible?

The manufacturers of this gem of a lock have actually put a screw on the outside of the lock that allows you to access its guts.

When another lock-testing netizen made the manufacturer aware of this, it provided a response so amazing that it's almost impressive.

"We designed this fingerprint lock of againsting [sic] theft," it begins. "However the lock is invincible to the people who do not have a screwdriver."

If it was easy, folks, other companies would already have done it. We'll wait until someone who knows what they are doing comes out with a fingerprint lock. ®
