Published in IoT

FCC warns about smart padlock which isn’t

by on08 April 2020


Tapplock blasted

An electronic padlock which unlocks with a fingerprint or an app connected by Bluetooth to your phone does not work, according to the FCC.

Tapplock’s product is full of digital and physical vulnerabilities that leave users' stuff, and data, at risk.

The FTC's complaint (PDF) against Tapplock, alleges that the company misrepresented itself, because it marketed its products as secure and tested when they were neither.

While a product being pants is not normally a worry for the FTC saying untrue things about your product in your advertisement or privacy policy, is part of the Commission’s remit.

Tapplock's website said that its lock is built with "7mm reinforced stainless steel shackles, strengthened by double-layered lock design with anti-shim and anti-pry technologies".

While this is true, a researcher unlocked the lock "within a matter of seconds" by unscrewing the back panel.

The complaint mentions several "reasonably foreseeable" software vulnerabilities that the FTC alleges Tapplock could have avoided if the company "had implemented simple, low-cost steps".

One vulnerability security researchers identified allowed a user to bypass the account authentication process entirely in order to gain full access to the account of literally any Tapplock user, including their personal information.

A researcher who logged in with a valid user credential could then access another user's account without being re-directed back to the login page, thereby allowing the researcher to circumvent Respondent's authentication procedures altogether, the complaint said.

A second vulnerability allowed researchers the ability to access and unlock any lock they could get close enough to with a working Bluetooth connection.

Tapplock "failed to encrypt the Bluetooth communication between the lock and the app", leaving the data wide open for the researchers to discover and replicate.

Another vulnerability outlined in the complaint has to do with a failure to secure communication data. The app allows "unlimited" connections and while the primary owner can of course add and revoke authorised users from the lock. But someone whose access was revoked could still access the lock because the vulnerability allowed for sniffing out the relevant data packets.

The FTC is requiring Tapplock to create a security programme for its products. "That programme is required to include training for employees; timely disclosure of 'covered incidents', including both loss of personal information and also unauthorized access to systems; actual penetration testing of the network; and several other elements, including annual review.”

Last modified on 08 April 2020
Rate this item
(2 votes)