Unbreakable smart lock devastated to discover screwdrivers exist • The Register


Unbreakable smart lock devastated to discover screwdrivers exist

Tapplock: Once, twice, three times a screwup

By Kieren McCarthy in San Francisco, 15 Jun 2018 at 21:32

Not sure that's supposed to happen. Ladies and gentlemen: the Tapplock. Videograb: JerryRigEverything

Video It's never easy to crack into a market with an innovative new product but makers of the "world's first smart fingerprint padlock" have made one critical error: they forgot about the existence of screwdrivers.

Tapplock raised $320,000 in 2016 for their product that would allow you to use just your finger to open the "unbreakable" lock. Amazing. Things took a turn for the worse when the ship date of September came and went, and backers complained that the upstart had stopped posting any updates and wasn't responding to emails or social media posts.

But after months of silence, the startup assured El Reg that everything was still moving forward and the delays were due to "issues with manufacturing in China."

Fast forward 18 months and finally – finally – the $100 Tapplock is out on the market and it is… well, how do we put this kindly? Somewhat flawed.

No less than three major problems with the lock have been discovered that make it less than useless because presumably people intend to use the lock to secure valuable things.

One of the first things to note is that the Tapplock used zinc aluminum alloy Zamak 3: something that it claims lends the lock "unbreakable durability." Unfortunately, as materials engineers are happy to point out, aluminum may be a lovely lightweight metal and this alloy does provide an enviable degree of detail when die cast, but it is not exactly the best choice for something that is supposed to be unbreakable.

It isn't very strong, it melts at high temperatures, and it is quite brittle. It looks cool. But it's more suited for its more common use: door handles. It will be easy to cut through this lock with bolt cutters.

Here we go

That, by the way, is not one of the three flaws.

The first major flaw was in the way it used Bluetooth to lock and unlock. Andrew Tierney, aka cybergibbons, reviewed the lock for Pen Test Partners, and it took him less than an hour to find a way to open every single Tapplock.

How is that possible? Well, it turns out the lock broadcasts its own Bluetooth MAC address over the airwaves, and uses that MAC address to calculate a key used to lock and unlock the device.

Tierney cracked the system disturbingly quickly: "It upper cases the BLE MAC address and takes an MD5 hash. The 0-7 characters are key1, and the 16-23 are the serial number." The upshot? He was able to write a script, port it to an Android app, and open any nearby Tapplock wirelessly using his phone and Bluetooth, taking less than two seconds each time.

"This level of security is completely unacceptable," he complained. "Consumers deserve better, and treating your customers like this is hugely disrespectful. To be honest, I am lost for words."

The problem was so bad that Tierney informed the manufacturer, and gave it seven days before he went public with the fundamental flaw. Just hours before the deadline was up, Tapplock put out a security advisory warning that everyone needed to upgrade their lock's firmware "to get the latest protection."

"This patch addresses several Bluetooth/communication vulnerabilities that may allow unauthorised users to illegal gain access," the company noted. But Tierney notes that it doesn't mention that literally anyone can open any lock that doesn't have the firmware updated.
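To make the design flaw concrete, here is an added example (not code from the article, Pen Test Partners or Tapplock) that puts the derivation Tierney describes beside a hypothetical challenge-response design using a random per-device secret. The MAC's textual format, the inclusive reading of the "0-7" and "16-23" ranges, the sample address and every name in the code are assumptions.

```python
import hashlib
import hmac
import secrets

def weak_credentials(ble_mac: str) -> dict:
    """Derivation as quoted in the article: upper-case the MAC, MD5 it, slice the hex."""
    # Assumptions: the MAC is hashed in its textual form, and "0-7" / "16-23" are
    # inclusive character ranges of the hex digest (8 characters each).
    digest = hashlib.md5(ble_mac.upper().encode("ascii")).hexdigest()
    return {"key1": digest[0:8], "serial": digest[16:24]}

def observer_matches(advertised_mac: str, lock_credentials: dict) -> bool:
    """True if someone who only saw the advertised MAC ends up with the lock's credentials."""
    return weak_credentials(advertised_mac) == lock_credentials

def sign(secret: bytes, nonce: bytes) -> bytes:
    """Response to a challenge: HMAC-SHA256 of the nonce under the shared secret."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()

class ChallengeResponseLock:
    """Hypothetical hardened design: random per-device secret, fresh nonce per unlock."""

    def __init__(self) -> None:
        self._secret = secrets.token_bytes(32)  # never derived from, or sent with, the MAC
        self._nonce = None

    def pairing_secret(self) -> bytes:
        """Given to the owner's app once, during pairing."""
        return self._secret

    def challenge(self) -> bytes:
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def unlock(self, response: bytes) -> bool:
        if self._nonce is None:
            return False  # no outstanding challenge, so a replayed response fails
        expected, self._nonce = sign(self._secret, self._nonce), None
        return hmac.compare_digest(expected, response)

if __name__ == "__main__":
    mac = "aa:bb:cc:dd:ee:ff"  # constructed sample address
    print("observer derives same credentials:", observer_matches(mac, weak_credentials(mac)))
    lock = ChallengeResponseLock()
    guess = sign(weak_credentials(mac)["key1"].encode(), lock.challenge())
    print("MAC-derived guess opens hardened lock:", lock.unlock(guess))
    reply = sign(lock.pairing_secret(), lock.challenge())
    print("owner opens:", lock.unlock(reply), "| replay opens:", lock.unlock(reply))
```

The weak scheme has no secret input at all, so its credentials carry no more entropy than the broadcast address; the hardened sketch fails closed for anyone without the pairing secret and for replayed responses.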

Holding to account

On to flaw 2.

Security researcher Vangelis Stykas published a blog post on Friday outlining that Tapplock API endpoints have literally no security checks beyond checking whether there was a valid token.

So if you create a Tapplock account and gain a login, you will be able – again – to open every single Tapplock out there.

Tierney noted in his piece that he saw all kinds of red flags that made him confident that the lock's security was going to be terrible, and Stykas notes the same thing – but with different red flags.

He approached the lock from a different angle – the lock's app – and was immediately concerned that it didn’t even use HTTPS. So he dug around and found pretty quickly that it was trivial to manipulate other users' accounts from a different account.

Aside from being able to get at the lock itself, the security flaw enabled him to access the actual account information as well.

Amazingly, he approached the first flaw discoverer – Andrew Tierney/cybergibbons – and asked if he would share the email address he used for his account. Tierney agreed and within minutes, Stykas was not only able to add himself to Tierney's smart lock but was able to see his name and address.

That's right, Tapplock is literally handing out all the information people need not only to access others' locks but also to find them physically.

It's safe to say that Stykas was not impressed. "I really have no postmortem on this one," he noted. "The lock had several flaws and to my understanding they had a great marketing team but a non existent security team. I cannot tell you to buy or not buy anything as I don’t have the authority to do so but I would not buy this lock."

Tapplock disabled the API exploited by Stykas to thwart further attempts to obtain strangers' information through it.

So those are two catastrophic software errors. What about the actual physical lock itself?

Aside from the nice-looking but shoddy aluminum alloy it is built out of – oh, and the lack of a decent physical step in the lock arm itself that all decent lock manufacturers add to prevent thieves from shimming it open – there is another pretty insane flaw in the lock: you can potentially unscrew the back off.
