Ridiculously Insecure Smart Lock - Schneier on Security

Schneier on Security

Blog >

Ridiculously Insecure Smart Lock

Tapplock sells an "unbreakable" Internet-connected lock that you can open with your fingerprint. It turns out that:

  1. The lock broadcasts its Bluetooth MAC address in the clear, and you can calculate the unlock key from it.

  2. Any Tapplock account can unlock every lock.

  3. You can open the lock with a screwdriver.

Regarding the third flaw, the manufacturer has responded that "...the lock is invincible to the people who do not have a screwdriver."

You can't make this stuff up.

EDITED TO ADD: The quote at the end is from a different smart lock manufacturer. Apologies for that.

Tags: Bluetooth, locks, physical security

Posted on June 18, 2018 at 6:19 AM • 44 Comments

Comments

Mike Lieman • June 18, 2018 6:38 AM

>Regarding the third flaw, the manufacturer has responded that "...the lock is invincible to the people who do not have a screwdriver."

[www.campmor.com]

About Backpacker Bear Resistant Food Container

Tested and used by the National Parks Department.
This food container is made of high impact ABS plastic with stainless steel latches. The container is entirely flush and cannot be opened unless the bear has a coin or screwdriver. 603 Cubic Inches

me • June 18, 2018 6:38 AM

@schneier
> 1- The lock broadcasts its Bluetooth MAC address in the clear, and you can calculate the unlock key from it.

I have read few days ago and from what i remember the key *was* the mac address. it was not calculated from it.
i'll check...
anyway i think government should punish this deceptive behaviour, also more in general the iot things that self-brick after a year to force you buy the new one

Ian • June 18, 2018 6:40 AM

The quote was actually from a *different* manufacturer who made an even *more* physically insecure lock that had screws on the outside—not from Tapplock.

TimK • June 18, 2018 6:41 AM

The 'invincible' quote is, according to the linked article, from different manufacturer. However the Tapplock assurance that the back shouldn't unscrew because there should be a pin preventing that is not very reassuring.

Michael • June 18, 2018 6:47 AM

I think number 3 refers to another company making a Tapplock look alike.

me • June 18, 2018 6:50 AM

I was wrong, the key is "derived" from the mac address, but in an insecure, nosesne way.

Anyway for you consideration, standard low cost locks are insecure too.
i have opened one by inserting a paper clip and moving it randomly (agaim randomly, not with some logic or knowledge).
also you can insert thin metal foil (like coca cola can) between the fixed metal part and the cilyndric one that rotate if you insert a key.
than is super easy to open them.

Sluaghadhan • June 18, 2018 6:54 AM

MD5'ing the MAC address is by far the best way to create a key. Weak algorithm + only a public variable = great secret.

Thomas • June 18, 2018 7:18 AM

Following (3) through means:

So following this logic, anything and everything is secure(*) by design.

(*) if you don't try to break it.

Gaspy • June 18, 2018 7:39 AM

I may be old, but even without the flaws, the very idea of an internet-connected lock sounds very off-putting to me. There are simply too many variables and points of failure.

CallMeLateForSupper • June 18, 2018 8:42 AM

@Michel Renaud
" '"2. Any Tapplock account an unlock every lock.'
Er... What?"

Yeah, that tripped me too. I think the "c" in "(c)an" is lost in the ether.

scot • June 18, 2018 8:52 AM

Who ever _doesn't_ have a screwdriver? I currently have six in my pockets (two of which are on a TSA approved tool). I also keep a bobby pin and a paper clip in my wallet, which are sufficient for opening most filing cabinet and interior door locks.

wumpus • June 18, 2018 8:52 AM

@Mike Lieman

So we are teaching bears to be tool users now? From what I've heard, bears *will* get into the bear bags I learned to hang (between two trees) as a boy scout, I'd wonder what will happen if we teach bears to use screwdrivers and mug hikers for change.

"Bears mugging hikers" isn't necessarily a joke. Once upon a time hikers were told to throw bears their packs/food if confronted by a bear. These bears quickly learned that "hikers==food" and would confront/antagonize humans on sight, and hunt people if they found a trail. The bears were quickly killed/relocated and a long and protracted human reeducation campaign had to take place.

CallMeLateForSupper • June 18, 2018 9:07 AM

@Gaspy
"I may be old, but even without the flaws, the very idea of an internet-connected lock sounds very off-putting to me."

You are old. ;-) So am I. And most of the IoT stuff does not temp me, the ones that are "solutions looking for problems". Some of IoT does entertain me though, and this is one of them.


"I can unlock my gym locker while I'm finishing up on the treadmill."
That's a real time saver alright. Excellent use for a TELEPHONE, too.

"I can unlock this padlock from a-way over thar."
Why would you want to?

"I don't need to carry a key."
I use a key. I've never known it to need a charge.

me • June 18, 2018 9:08 AM

@Gaspy
Yes, not good idea in general, i have read about someone using an internet connected car (tesla maybe?).
he stopped in the middle of nowhere to take a photo of the sunset and than he could not turn on the car anymore since he used the cell phone to turn on the car. but in that point there was no signal.
he now always use keys.

CallMeLateForSupper • June 18, 2018 9:12 AM

@Mike Lieman @wumpus

You raise excellent arguments against the right to keep and arm bears.

Wilkins • June 18, 2018 9:34 AM

It's a lot more interesting to me, how you don't even have to test or develop solutions anymore. All you have to do is wait for someone else to point out a failed design then pile on to make it sound like you're such an excellent researcher yourself.

Clive Robinson • June 18, 2018 9:35 AM

@ All,

Yet more proof that marketting is not the department that should run "product development"...

There is a statistic that indicates that on average 98% of marketting is a compleate failure to the point of being a waste of money, a very big waste of money as it is the worlds largest industry.

This product is clearly a product of marketing ideas... I'm guessing there was a marketting "Wish List" that was subbed out to "China Knock Off" manufacturing houses, the price they quoted was too high thus things got stripped out of the spec to reduce price. The marketters then got screwed over by the knock off house that increased their profits by production line cut costs cutting of leaving steps out. Further I'd bet a pint that the marketters never "walked the line" during production and further had no Goodd Inward Test when the units were delivered...

Did I mention "security"? Err no, but then neither did the Marketters except on packaging and advertising...

In a way this is just a more obvious version of what is happening with IoT...

"Buyer beware" is now way more important than ever...

You can see earlier comments I made on this joke of a product over on the Friday Squid,

[www.schneier.com]

In response to a posting by @Moz.

Anselm • June 18, 2018 9:48 AM

It turns out that the National Parks Service actually keeps a bunch of bears at hand to assess purportedly bear-proof containers. If the container keeps the bears away from its content (enticing goodies that the bears would like to have, like rotting fish heads etc.) for an hour it is deemed “bear-resistant”. I don't think they have the temerity to actually label anything “bear-proof”.

Then there is the observation that the design of “bear-proof” garbage cans for use in national parks and other bear-infested areas is made difficult by the fact that the smartest bears are way more clever than the dumbest tourists.

albert • June 18, 2018 9:52 AM

@CallMeLateForSupper,
"..keep and arm bears..." Ouch!
You better pray you're not prey.
..
Re: locks.
Locks keep honest people honest.

"Smart" == "Not Smart" when discussing Iot stuff.

Tapplock, though rating high on the Absurdity Scale*, hasn't pegged the needle. Something even more absurd is just around the corner; I'm sure of it.

-----------
*The Absurdity Scale takes into account the lack of security, and also the potential damage that can result.

. .. . .. --- ....

oliver • June 18, 2018 9:57 AM

Hi Bruce,
just a related anecdote here: at work we have those door locks that work with a proximity fob, rfid i think, to unlock the door. The battery is in the door lock, on the INSIDE.
Change of occupant in that office, a couple weeks no entry, and the new guy want's to enter.
Wait for it..... battery is dead. It took close to three hours for our IT team to get into that office.
No they did not kick in the door.
Cheers, oliver

6_7nbbbb73d~ • June 18, 2018 12:54 PM

Isn’t there a theorem that says all security failures are equivalent to the case of a frame with a locked door standing in the middle of an open field ?

Robert • June 18, 2018 2:20 PM

Why should smart locks exist? Key management. The cost of key management in a business will keep driving the creation of better and better smart locks.

As is common with technological developments they will get transferred to down the economic stack. The problem here and this is already a problem with non smart door locks are that this market has no transparency or regulation. For it to self-regulate it needs transparency. Since the actors seem to be fighting transparency maybe we need NIST standards for locks. A minimum of two security pins are required for instance.

Dr. Wellington Yueh • June 18, 2018 3:10 PM

@wumpus re: bear bags... IIRC, they tested quite well, and were physically secure. The big flaw was the relative uselessness of foodstuffs after being subjected to 'live fire' tests.

PeaceHeadJune 18, 2018 3:49 PM

Wow, that padlock (NOT) case is pretty funny.

It reminds me of when i downloaded some bogus shareware back in the early 90's.

The documentation claimed it was freeware, but it wasn't. The fresh download asked for a code in order to use it. They didn't provide the code anywhere logical and the net provided a lot of false positives. On a whim, not knowing which letters or number to use, I typed in a series of all zeros...


... and it unlocked. hahaha

That was the type of thing that started getting me interested in digital security theory... all this password hype on the internet (much of it hot air). That, and locksmiths.

Another funny story...

I locked myself out of my own bedroom while my entire family was out of town. So I called a locksmith. When the locksmith showed up, he was only a little kid! But he did promptly unlock my door and charged me a common fee. After he left I was testing the door, this time with my key handy. I leaned on the locked door, and my own body weight popped open the door without even damaging any of the frame.

I felt so silly for having spent money on a locksmith when all I needed to do was to lean on the door.

hahahaha

happy days.
Peace is attainable.
May Peacefulness Prevail Within All Realms Of Existence

Jonathan Wilson • June 18, 2018 4:15 PM

I dont get why these insecure bluetooth locks seem to be so popular.

Frank WilhoitJune 18, 2018 5:47 PM

@ Clive Robinson,

We are all waiting for the day, long overdue, when business collectively realize that marketing doesn't work.

No...sorry...I'll try that again.

We are all waiting for the day when business collectively realize that it is unsustainable to spend money on things that don't work.

Aaargh! Never mind. One more shot, mmkay?

We are all waiting for the day when the victims of propaganda (including, but not limited to, marketing) collectively decide that they're not going to fall for it any more -- any of it, of any kind, from any source, because falling for it is, in practice, like hanging a sign round one's neck saying STUPID, and, in principle, the spiritual equivalent of suicide.

Oh Hell, I give up, I can't work it out. You have a go.

John Smith • June 18, 2018 7:47 PM

from wumpus:

"..These bears quickly learned that "hikers==food" and would confront/antagonize humans on sight, and hunt people if they found a trail..."

Damn. Must have been Yogi and his offspring. Smarter than the average bear.

Some Guy • June 18, 2018 8:16 PM

Smart locks make sense in certain cases, but not this type of lock. Several companies make locks that open with USB type keys. These are valuable whe. Keycards are too expensive to cable and install.

The key collects a log of when used with which lock. In the Electric Sector, we are required to collect and maintain these logs (CIP-006-6 R1.8-1.9, CIP-003-6 R2) to identify who entered. This is often implemented using a guard issuing and logging who has the key and plugging the key back into the key management box when done. No wifi and no remote unlocking. Doesn’t give real time alarming, but good for lower risk remote equipment.

John Smith • June 18, 2018 8:40 PM

from Frank Wilhoit:

"...We are all waiting for the day when the victims of propaganda (including, but not limited to, marketing) collectively decide that they're not going to fall for it any more -- any of it, of any kind, from any source, because falling for it is, in practice, like hanging a sign round one's neck saying STUPID, and, in principle, the spiritual equivalent of suicide..."

[www.123test.com]
[en.wikipedia.org]

About 24% of the population have an IQ of less than 90. Almost 1 in 4.
About 9% have an IQ less than 80. That's 1 in 11.
About 2.5% have an IQ less than 70.

Not everyone wins a prize in the genetic lottery.

Clive Robinson • June 19, 2018 1:00 AM

@ Frank Wilhoit, John Smith,

Suspect IQ[1] aside, I get the feeling most people do not think they just act effectively on whim when it comes to marketing...

Any introductory guide to setting up your own business and managment of it, usually makes the valid points of,

1, You need customers to buy your goods/services.
2, Customers can only buy your goods/services if they know of both them and your business.

Hence we get the sound bite of "It pays to advertise".

So far so good and not very controversial. What happens next is almost the same as that which happens with defence spending. It all starts with the question of "How much spending is sufficient?"

With national defence you know you have to have some degree of defence spending otherwise at some point you will be attacked. Thus you try to work out how much spending is needed. Often you hear this quoted as a percentage of GDP... But that only gives a guide to what level of spending you can aford, not what is effective, and almost certainly not what influances a potential attacker.

The real answer is you only know you have spent to little on defence in the past when you are attacked, or in the case of a business you run out of money. Conversely you never know when you have spent to much, or spent it ineffectively.

Which means you have a market place where it's not possible to determin optimal spending thus you get people taking advantage by FUD...

The only way you can avoid being taken in by such FUD is to clearly know the market you work in. The reality is though with the best will in the world any given market will by opaque and rife with "hidden knowledge" and the uncertainty that causes.

Thus people stop thinking and in effect abrogate their responsabilities, which opens the door to any and all who can "talk the talk".

In essence all any marketer can tell you is "What has been known to fail in the past", not even why. They can not tell you what will work beyond the two basic points above because nobody knows that... Thus you have to sanity check what your are told, and that requires both knowledge and the ability to analyse it which is a very hard task. Which is often why the "why bother behaviour" sets in and managers go into "auto-pilot mode" and just set a budget and spend it. Worse they also often get attached to an idea that is not working thus double down on what did not work the last time...

[1] Just about any time someone tries to run trials on IQ Tests they find that there is "hidden bias" in the IQ Test that more often than not reflects the views on intelligence of the test designer. Around a quater of a century ago I had a chat with someone involved with doing research into IQ Tests and asked them what the formal definition of intelligence was against which they drew up their testing specifications... Coherent answer their came not, when I pointed out that logically that ment that the test of the IQ Test was as equally flawed as the IQ Test, I got one of those looks that says "don't break my rice bowl". Since then I've given both IQ Tests and those that devise research tests on them a fairly wide berth...

Herman • June 19, 2018 4:50 AM

I once broke into a car which was parked behind me, boxing me in. When I got tired of waiting, I noticed that the side triangle window had a little screw on the outside (circa 1980 car). So I undid it, opened the door and moved the car a little bit, then left all the bits and pieces on the seat.

The bottom line is that in most cases one can break/circumvent a lock with a simple tool such as a screwdriver, hammer or bolt cutter.

Alehandro • June 19, 2018 6:05 AM

@Anseim

Re: "It turns out that the National Parks Service actually keeps a bunch of bears at hand to assess purportedly bear-proof containers."

Right, and they make them wear those wide brimmed Ranger hats in order to tell the difference between trained and tame bears vs. wild ones. I've heard they like donuts.

ps: The lock cost a hundred bucks!!! The Register story itself is worth reading. It's the most devastating take down of any electronic device I've ever read. Like a manual how NOT to do it right.

CallMeLateForSupper • June 19, 2018 9:59 AM

Found a CNET review of the TappLock. Some "review"! (mutter mutter).
But it was entertaining.
[www.cnet.com]

Reviewed: 29 MAR 2018
"With two methods of entry in addition to Bluetooth, I'd recommend Tapplock as a flexible way to secure and monitor valuables without a combination code or key."

We need more "flexible". Cheers all 'round.

"So if you thought you'd always have to remember to turn your lock three times to the right, once to the left and back to the right again, those days are over."

Oh praise &Diety! The torture of "remembering" is finally done away with.

"Now you just need a fingerprint."

Or a screwdriver. Or a software hack. But cnet didn't know any of this up to 31 March because its review was ... um... simply comment based solely on marketing screed, not any tests done on an actual device.

Just three days after the review...

Editors note on 1 JUN 2018:
"It's come to our attention that the Tapplock One [...] allows an attacker to twist off the back plate and use a standard screwdriver to quickly disassemble the lock. We've(sic) haven't independently confirmed this yet, and are currently investigating. We'll let you know what we find out."

TWO WEEKS after that...

Update on 15 JUN 2018:
"[...] Tapplock is reportedly working on these [many] issues, but until they are fully resolved, we can't recommend the Tapplock One."

Did cnet ever "independently confirm" that "twist[ing] off the backplate" can be done? (crickets)

Nasratullah • June 19, 2018 11:49 AM

The next massive DDoS attack waiting to happen from all of these "smart devices" I think there should be an independent body that gives guidelines to manufacturers about how to secure these devices, but i think it's too late-- only government involvement can bring drastic changes.

(required) • June 19, 2018 1:55 PM

@Alehandro here in Denmark, those locks are sold for about 250 bucks: www.computersalg.dk/i/3752306/haengelaas-tapplock-1603302-solv

Frank WilhoitJune 19, 2018 5:40 PM

@ Clive @ 0100:

You are "buying into the frame". Your analysis of how marketing gets started is purely supply-side. It implicitly assumes that there is no demand, until demand has been somehow ginned up from a vacuum, and that marketing is what does that. "If you build it, they will come" -- provided you have a strong enough hook to drag them in with. All of which is nonsense. If customers need your product, they will find you. If they don't, then worse luck you. The fact that your survival appears to depend upon creating demand ex nihilo does not make that a legitimate or acceptable thing to do.

@ John Smith:

Realizing that one is being manipulated does not depend upon exceptional intelligence, especially of the very narrow kinds that can be (albeit speciously) quantified. Realizing that one has been manipulated and then saying "never again" depends upon something that is usually not subsumed under the definition of the word "intelligence" to begin with.

Alyer Babtu • June 19, 2018 6:57 PM

Crows/Ravens/Rooks are pretty smart too, and probably could use a screwdriver. Which is smarter, they or the bears ?

Bob Paddock • June 20, 2018 8:02 AM

@Anselm

"I don't think they have the temerity to actually label anything “bear-proof”.

My late wife once received a catalog that dealt with supplies for pet dogs and cats. It went into detail of their new "Indestructible Ball" to let Fido play with. The next edition of the catalog went into details of how the "Indestructible Ball" became the "Virtually Indestructible Ball" after someone gave it to their pet lion as a toy.

Is that a marketing failure or testing failure to not have a lion at hand for the testing?

Randal • June 23, 2018 1:13 AM

2. Any Tapplock account [c]an unlock every lock.

See this article:
[nakedsecurity.sophos.com]

Apparently if you log in to a Tapplock account, you could have gained access to ANY account, not just your own.

Subscribe to comments on this entry

Leave a comment

← Friday Squid Blogging: Cephalopod Week on Science Friday Are Free Societies at a Disadvantage in National Cybersecurity →

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.