Edge + IoT

Remember Tapplock, the 'unbreakable' smart lock that was allergic to screwdrivers? The FTC just slapped it down for 'deceiving' folks

And you can still open its improved version with a strong magnet

The manufacturer that claimed its Bluetooth-connected fingerprint-reading smart lock was “unbreakable,” only to find it being opened in seconds by someone armed with nothing more than a mount and a screwdriver, has been slapped down by a US watchdog.

Tapplock “did not take reasonable measures to secure its locks, or take reasonable precautions or follow industry best practices for protecting consumers’ personal information,” the FTC alleged [PDF] in its formal complaint. “In fact, [TappLock] did not have a security program prior to the discovery of the vulnerabilities.”

Yes, it wasn’t just the fact the back of the $100 metal smart lock could be twisted off with a suitable mount and unscrewed with a normal screwdriver to defeat it. Its Canadian maker, which was funded through an Indiegogo campaign, had also failed to protect its online user accounts, did not encrypt the connection between its smartphone app and backend servers, and introduced a security hole that allowed anyone nearby to sniff Bluetooth packets between the app and lock, and use that info to unlock the gizmo.

The FTC accused the company of "deceiving" folks by falsely claiming the lock was “unbreakable” and not having taken “reasonable steps” to secure user data. The biz has settled with the federal watchdog, agreeing to “implement a comprehensive security program and obtain independent biennial assessments of the program.”

Unbreakable smart lock devastated to discover screwdrivers exist


Under the usual FTC settlement [PDF] terms, the manufacturer “neither admits nor denies any of the allegations” but there is long list of requirements it now has to follow.

These include naming a specific employee to be in charge of its new security program, providing reports on any future security incidents, training all its employees once a year on data privacy, putting in place various technical measures to protect users’ personal information, and running an annual review on its systems and security, including penetration testing.

Three holes

Infosec experts had found that one security hole in Tapplock’s API enabled them to bypass its account authentication process and gain full visibility of all user accounts, including usernames, email addresses, profile photos, location history, and precise geolocation of smart locks.

A second vulnerability could be exploited to lock and unlock any nearby Tapplock smart lock: its firmware broadcast its Bluetooth MAC address over the airwaves, and used that same MAC address to calculate the key used to lock and unlock the device. Anyone within radio range could thus figure out its digital key and unlock it. A third vulnerability prevented users from revoking access to their smart lock once other users had access to it, making the device permanently unsafe. It also did not use HTTPS between the app and its API servers.

To its credit, when faced with the deluge of criticism and bad press back in 2018, Tapplock did immediately try to fix things, and a year later, in July 2019, released a redesigned lock that it challenged people to hack. And it had some success with it. But then, just a week ago, the new lock was again bypassed by someone using nothing more than a $25 strong magnet, which you can see below:

Despite avoiding a big fine, the FTC made it clear that it will be keeping an eye on Tapplock. The regulator's director of consumer protection Andrew Smith noted that the biz had failed to even test its security boasts. “Tech companies should remember the basics – when you promise security, you need to deliver security,” he said. ®

Send us news

Google, Amazon, Microsoft make the Mozilla naughty list for Christmas shopping

Big Tech's toys have privacy problems. Why not buy utterly unconnected dead-tree books instead?

Meta goes to war with FTC over right to profit from kids' personal data

Awkward hill to die on, but OK

MOVEit victim count latest: 2.6K+ orgs hit, 77M+ people's data stolen

Real-life impact of buggy software laid bare – plus: Avast tries to profit from being caught up in attacks

Amazon on the hook for predictably revolting use of concealed clothes hook spy cam

Judge finds plaintiff's claim – that Amazon knew about illicit usage – credible enough for case to proceed

Rights warriors claim online ad auction data a danger to national security

'The industry can not be allowed to put elected leaders, military personnel at risk'

Senate bill aims to stop Uncle Sam using facial recognition at airports

Legislation would eliminate TSA permission to use the tech, require database purge in 90 days

What's really going on with Chrome's June crackdown on extensions – and why your ad blocker may or may not work

Manifest V3 transition deemed 'far from terrible' and yet not great for content filters

Uncle Sam probes cyberattack on Pennsylvania water system by suspected Iranian crew

CISA calls for stronger IT defenses as Texas district also hit by ransomware crew

Google Chrome coders really, truly, absolutely ready to cull third-party cookies from 2024

Bonfire of the web trackers is coming, industry ready or not

Weak session keys let snoops take a byte out of your Bluetooth traffic

BLUFFS spying flaw present in iPhones, ThinkPad, plenty of chipsets

Plex gives fans a privacy complex after sharing viewing habits with friends by default

Grandma is watching what?!

Meta sued by privacy group over pay up or click OK model

Scrolling through endless humblebrags without targeted ads is a fundamental right, according to privacy expert