
Unbreakable smart lock devastated to discover screwdrivers exist

Tapplock: Once, twice, three times a screwup

By Kieren McCarthy in San Francisco 15 Jun 2018 at 21:32

Not sure that's supposed to happen. Ladies and gentlemen: the Tapplock. Videograb: JerryRigEverything

Video It's never easy to crack into a market with an innovative new product but makers of the "world's first smart fingerprint padlock" have made one critical error: they forgot about the existence of screwdrivers.

Tapplock raised $320,000 in 2016 for a product that would let you open the "unbreakable" lock with just your finger. Amazing. Things took a turn for the worse when the September ship date came and went, and backers complained that the upstart had stopped posting updates and wasn't responding to emails or social media posts.

But after months of silence, the startup assured El Reg that everything was still moving forward and the delays were due to "issues with manufacturing in China."

Fast forward 18 months and finally – finally – the $100 Tapplock is out on the market and it is… well, how do we put this kindly? Somewhat flawed.

No fewer than three major problems with the lock have been discovered, and they make it less than useless, given that people presumably intend to use the lock to secure valuable things.

One of the first things to note is that the Tapplock is made of the zinc-aluminum alloy Zamak 3, something the company claims lends the lock "unbreakable durability." Unfortunately, as materials engineers are happy to point out, aluminum may be a lovely lightweight metal, and this alloy does reproduce an enviable degree of detail when die cast, but it is not exactly the best choice for something that is supposed to be unbreakable.

It isn't very strong, it melts at high temperatures, and it is quite brittle. It looks cool. But it's more suited for its more common use: door handles. It will be easy to cut through this lock with bolt cutters.

Here we go

That, by the way, is not one of the three flaws.

The first major flaw was in the way it used Bluetooth to lock and unlock. Andrew Tierney, aka cybergibbons, reviewed the lock for Pen Test Partners, and it took him less than an hour to find a way to open every single Tapplock.


How is that possible? Well, it turns out the lock broadcasts its own Bluetooth MAC address over the airwaves, and uses that same MAC address to calculate the key used to lock and unlock the device.

Tierney cracked the system disturbingly quickly: "It upper cases the BLE MAC address and takes an MD5 hash. The 0-7 characters are key1, and the 16-23 are the serial number." The upshot? He was able to write a script, port it to an Android app, and open any nearby Tapplock wirelessly using his phone and Bluetooth, taking less than two seconds each time.
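The scheme Tierney describes, set beside a design that does not have the problem, as an added illustration that is not code from the article, from Pen Test Partners or from Tapplock. The weak side derives the key exactly as quoted above (MD5 of the upper-cased MAC, hex characters 0-7); the exact string form of the MAC, and the hardened design's use of a per-lock random secret with an HMAC challenge-response, are assumptions made here for illustration.

```python
import hashlib
import hmac
import os


def tapplock_style_key(ble_mac: str) -> tuple[str, str]:
    """Key derivation as quoted in the article: MD5 of the upper-cased BLE
    MAC; hex chars 0-7 are key1, chars 16-23 the serial. Everything is a
    function of a value the lock itself advertises, so it holds no secret.
    Whether the MAC string carries colons is not stated; assumed here."""
    digest = hashlib.md5(ble_mac.upper().encode()).hexdigest()
    return digest[0:8], digest[16:24]


class WeakLock:
    """Lock whose unlock key is the MAC-derived key1."""
    def __init__(self, ble_mac: str):
        self.ble_mac = ble_mac
        self.key1, self.serial = tapplock_style_key(ble_mac)

    def unlock(self, key1: str) -> bool:
        return hmac.compare_digest(key1, self.key1)


class HardenedLock:
    """Assumed alternative: a random secret set at pairing and shared only
    with the owner's app; unlock proves knowledge of it over a fresh nonce,
    so the advertisement reveals nothing and a capture cannot be replayed."""
    def __init__(self, ble_mac: str):
        self.ble_mac = ble_mac
        self.secret = os.urandom(32)   # independent of the MAC
        self._nonce = None

    def challenge(self) -> bytes:
        self._nonce = os.urandom(16)
        return self._nonce

    def unlock(self, response: bytes) -> bool:
        if self._nonce is None:        # no outstanding challenge
            return False
        expected = hmac.new(self.secret, self._nonce, hashlib.sha256).digest()
        self._nonce = None             # single use: replay fails
        return hmac.compare_digest(expected, response)


def owner_response(secret: bytes, nonce: bytes) -> bytes:
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def key_derivable_from_broadcast(lock) -> bool:
    """Does knowing only the advertised MAC yield a working key?"""
    guess, _ = tapplock_style_key(lock.ble_mac)
    if isinstance(lock, WeakLock):
        return lock.unlock(guess)
    return lock.unlock(owner_response(guess.encode(), lock.challenge()))
```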

"This level of security is completely unacceptable," he complained. "Consumers deserve better, and treating your customers like this is hugely disrespectful. To be honest, I am lost for words."

The problem was so bad that Tierney informed the manufacturer, and gave it seven days before he went public with the fundamental flaw. Just hours before the deadline was up, Tapplock put out a security advisory warning that everyone needed to upgrade their lock's firmware "to get the latest protection."

"This patch addresses several Bluetooth/communication vulnerabilities that may allow unauthorised users to illegally gain access," the company noted. But Tierney notes that it doesn't mention that literally anyone can open any lock whose firmware hasn't been updated.

Holding to account

On to flaw 2.

Security researcher Vangelis Stykas published a blog post on Friday outlining that Tapplock's API endpoints have literally no security checks beyond verifying that the caller presented a valid token.

So if you create a Tapplock account and gain a login, you will be able – again – to open every single Tapplock out there.

Tierney noted in his piece that he saw all kinds of red flags that made him confident the lock's security was going to be terrible, and Stykas notes the same thing – but with different red flags.

He approached the lock from a different angle – the lock's app – and was immediately concerned that it didn't even use HTTPS. So he dug around, and found pretty quickly that it was trivial to manipulate other users' accounts from a different account.

Aside from being able to get at the lock itself, the security flaw enabled him to access the actual account information as well.

Amazingly, he approached the first flaw discoverer – Andrew Tierney/cybergibbons – and asked if he would share the email address he used for his account. Tierney agreed and within minutes, Stykas was not only able to add himself to Tierney's smart lock but was able to see his name and address.
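The API failure Stykas describes, and the account takeover he demonstrated with Tierney's email address, boil down to an endpoint that authenticates but never authorises. The in-memory model below is an added example, not Tapplock's code or data: the vulnerable handler accepts any valid token for any lock, the fixed one also checks that the caller owns the lock. Names, lock ids and the address are constructed.

```python
import secrets


def new_db():
    """Constructed stand-in for the cloud backend: bearer tokens and locks."""
    return {"tokens": {}, "locks": {}}


def login(db, username):
    """Any registered account can obtain a valid token."""
    token = secrets.token_hex(16)
    db["tokens"][token] = username
    return token


def register_lock(db, owner, lock_id, address):
    db["locks"][lock_id] = {"owner": owner, "users": {owner}, "address": address}


def add_lock_user_vulnerable(db, token, lock_id, new_user):
    """Authentication only: a valid token from *any* account may add a user
    to *any* lock, and the response leaks the owner's stored address."""
    if token not in db["tokens"]:
        return 401, None
    lock = db["locks"][lock_id]
    lock["users"].add(new_user)
    return 200, lock


def add_lock_user_fixed(db, token, lock_id, new_user):
    """Authentication plus authorisation: the caller must own the lock."""
    caller = db["tokens"].get(token)
    if caller is None:
        return 401, None
    lock = db["locks"].get(lock_id)
    if lock is None or lock["owner"] != caller:
        return 404, None   # same answer for "not yours" and "does not exist"
    lock["users"].add(new_user)
    return 200, lock


def demo():
    """Second account tries to add itself to a lock it does not own."""
    db = new_db()
    register_lock(db, "alice", "lock-1", "1 Example Street (constructed)")
    mallory = login(db, "mallory")
    before, _ = add_lock_user_vulnerable(db, mallory, "lock-1", "mallory")
    after, _ = add_lock_user_fixed(db, mallory, "lock-1", "mallory")
    return before, after
```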


That's right, Tapplock is literally handing out all the information people need not only to access others' locks but also to find out where those locks physically are.

It's safe to say that Stykas was not impressed. "I really have no postmortem on this one," he noted. "The lock had several flaws and to my understanding they had a great marketing team but a non-existent security team. I cannot tell you to buy or not buy anything as I don't have the authority to do so but I would not buy this lock."

Tapplock disabled the API exploited by Stykas to thwart further attempts to obtain strangers' information through it.

So those are two catastrophic software errors. What about the actual physical lock itself?

Aside from the nice-looking but shoddy aluminum alloy it is built out of – oh, and the lack of a decent physical step in the lock arm itself that all decent lock manufacturers add to prevent thieves from shimming it open – there is another pretty insane flaw in the lock: you can potentially unscrew the back off.
