Remember Tapplock, the 'unbreakable' smart lock that was allergic to screwdrivers? The FTC just slapped it down for 'deceiving' folks

And you can still open its improved version with a strong magnet


The manufacturer that claimed its Bluetooth-connected fingerprint-reading smart lock was “unbreakable,” only to find it being opened in seconds by someone armed with nothing more than a mount and a screwdriver, has been slapped down by a US watchdog.

Tapplock “did not take reasonable measures to secure its locks, or take reasonable precautions or follow industry best practices for protecting consumers’ personal information,” the FTC alleged [PDF] in its formal complaint. “In fact, [Tapplock] did not have a security program prior to the discovery of the vulnerabilities.”

Yes, it wasn’t just the fact the back of the $100 metal smart lock could be twisted off with a suitable mount and unscrewed with a normal screwdriver to defeat it. Its Canadian maker, which was funded through an Indiegogo campaign, had also failed to protect its online user accounts, did not encrypt the connection between its smartphone app and backend servers, and introduced a security hole that allowed anyone nearby to sniff Bluetooth packets between the app and lock, and use that info to unlock the gizmo.

The FTC accused the company of “deceiving” folks by falsely claiming the lock was “unbreakable” and of not having taken “reasonable steps” to secure user data. The biz has settled with the federal watchdog, agreeing to “implement a comprehensive security program and obtain independent biennial assessments of the program.”

Under the usual FTC settlement [PDF] terms, the manufacturer “neither admits nor denies any of the allegations” but there is a long list of requirements it now has to follow.

These include naming a specific employee to be in charge of its new security program, providing reports on any future security incidents, training all its employees once a year on data privacy, putting in place various technical measures to protect users’ personal information, and running an annual review on its systems and security, including penetration testing.

Three holes

Infosec experts had found that one security hole in Tapplock’s API enabled them to bypass its account authentication process and gain full visibility of all user accounts, including usernames, email addresses, profile photos, location history, and precise geolocation of smart locks.

A second vulnerability could be exploited to lock and unlock any nearby Tapplock smart lock: the firmware broadcast the device's Bluetooth MAC address over the airwaves, as any Bluetooth device does, and then used that same public MAC address to calculate the key that locks and unlocks it. Anyone within radio range could therefore compute the key from the advertisement alone and open the lock. A third vulnerability meant that once another user had been given access to a lock, that access could not be revoked, leaving a shared lock permanently unsafe. On top of that, the app did not use HTTPS when talking to Tapplock's API servers.
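The Bluetooth flaw is a textbook case of deriving a secret from a value the device itself hands out. The following is an added example, not Tapplock's firmware or its real scheme: the article says only that the unlock key was computed from the advertised MAC address, so the truncated SHA-256 used below is a hypothetical stand-in for whatever the actual derivation was. The second lock, with a random per-device secret and a nonce/HMAC challenge, is the conventional fix shown for contrast, not anything Tapplock shipped, and the MAC address and exchanges are constructed.

```python
"""Weak lock (key derived from the advertised MAC) next to a paired lock.

Added example, not Tapplock's code. The article says only that the unlock
key was computed from the BLE MAC address the lock broadcast; the SHA-256
truncation here is a hypothetical stand-in for the real derivation. The
challenge/response lock is the standard fix, shown for contrast.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional


def derive_key_from_mac(mac: str) -> bytes:
    """Hypothetical weak derivation: the key is a pure function of a public value.

    Anyone who receives the advertisement can evaluate this exactly as the
    firmware does, so the 'key' adds nothing over the MAC itself.
    """
    return hashlib.sha256(mac.upper().encode()).digest()[:16]


@dataclass
class WeakLock:
    """Lock that checks the unlock command against a MAC-derived key."""
    mac: str

    def advertise(self) -> str:
        return self.mac  # BLE advertisement, visible to anyone in radio range

    def unlock(self, key: bytes) -> bool:
        return hmac.compare_digest(key, derive_key_from_mac(self.mac))


@dataclass
class PairedLock:
    """Lock with a random per-device secret shared with the owner's app at pairing.

    The MAC is still public; it is just no longer an input to the secret.
    """
    mac: str
    secret: bytes = field(default_factory=lambda: os.urandom(16))
    _nonce: Optional[bytes] = None

    def advertise(self) -> str:
        return self.mac

    def challenge(self) -> bytes:
        """Issue a fresh nonce; the app must answer with HMAC(secret, nonce)."""
        self._nonce = os.urandom(16)
        return self._nonce

    def unlock(self, response: bytes) -> bool:
        if self._nonce is None:
            return False
        expected = hmac.new(self.secret, self._nonce, hashlib.sha256).digest()
        self._nonce = None  # one-shot: a sniffed response is useless afterwards
        return hmac.compare_digest(response, expected)


def owner_app_response(secret: bytes, nonce: bytes) -> bytes:
    """What the legitimately paired app sends back to a challenge."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def attacker_opens_weak(lock: WeakLock) -> bool:
    """Passive listener: read the advertisement, derive the key, send it."""
    return lock.unlock(derive_key_from_mac(lock.advertise()))


def attacker_opens_paired(lock: PairedLock) -> bool:
    """Same attacker against the paired lock: MAC-derived guess, then a replay."""
    mac = lock.advertise()
    nonce = lock.challenge()
    guess = hmac.new(derive_key_from_mac(mac), nonce, hashlib.sha256).digest()
    if lock.unlock(guess):
        return True
    # Replay: sniff one genuine unlock by the owner, then resend that response.
    recorded = owner_app_response(lock.secret, lock.challenge())
    lock.unlock(recorded)  # owner opens the lock; attacker records `recorded`
    lock.challenge()       # lock issues a new nonce for the attacker's attempt
    return lock.unlock(recorded)


def owner_opens_paired(lock: PairedLock) -> bool:
    return lock.unlock(owner_app_response(lock.secret, lock.challenge()))


if __name__ == "__main__":
    mac = "AA:BB:CC:DD:EE:FF"  # constructed address, not a real lock's
    print("weak lock opened by eavesdropper:", attacker_opens_weak(WeakLock(mac)))
    print("paired lock opened by eavesdropper:", attacker_opens_paired(PairedLock(mac)))
    print("paired lock opened by owner:", owner_opens_paired(PairedLock(mac)))
```

The contrast only holds if the per-device secret is provisioned over an authenticated pairing channel and never derived from anything the lock broadcasts; the nonce also closes off replay of a sniffed unlock, which a static MAC-derived key cannot. The revocation flaw is a separate, server-side problem and is not modelled here.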

To its credit, when faced with the deluge of criticism and bad press back in 2018, Tapplock did move quickly to fix things, and a year later, in July 2019, released a redesigned lock that it challenged people to hack. That held up for a while. But then, just a week ago, the new lock was again bypassed by someone using nothing more than a $25 strong magnet, as shown in a demonstration video posted online.

Although Tapplock avoided a big fine, the FTC made it clear that it will be keeping an eye on the company. The regulator's director of consumer protection, Andrew Smith, noted that the biz had failed to even test its security boasts. “Tech companies should remember the basics – when you promise security, you need to deliver security,” he said. ®
