Unbreakable smart lock devastated to discover screwdrivers exist • The Register


Tapplock: Once, twice, three times a screwup

By Kieren McCarthy in San Francisco, 15 Jun 2018 at 21:32

Not sure that's supposed to happen. Ladies and gentlemen: the Tapplock. Videograb: JerryRigEverything

Video It's never easy to crack into a market with an innovative new product but makers of the "world's first smart fingerprint padlock" have made one critical error: they forgot about the existence of screwdrivers.

Tapplock raised $320,000 in 2016 for its product, which would allow you to use just your finger to open the "unbreakable" lock. Amazing. Things took a turn for the worse when the ship date of September came and went, and backers complained that the upstart had stopped posting any updates and wasn't responding to emails or social media posts.

But after months of silence, the startup assured El Reg that everything was still moving forward and the delays were due to "issues with manufacturing in China."

Fast forward 18 months and finally – finally – the $100 Tapplock is out on the market and it is… well, how do we put this kindly? Somewhat flawed.

No less than three major problems with the lock have been discovered that make it less than useless because presumably people intend to use the lock to secure valuable things.

One of the first things to note is that the Tapplock used zinc aluminum alloy Zamak 3: something that it claims lends the lock "unbreakable durability." Unfortunately, as materials engineers are happy to point out, aluminum may be a lovely lightweight metal and this alloy does provide an enviable degree of detail when die cast, but it is not exactly the best choice for something that is supposed to be unbreakable.

It isn't very strong, it melts at high temperatures, and it is quite brittle. It looks cool. But it's more suited for its more common use: door handles. It will be easy to cut through this lock with bolt cutters.

Here we go

That, by the way, is not one of the three flaws.

The first major flaw was in the way it used Bluetooth to lock and unlock. Andrew Tierney, aka cybergibbons, reviewed the lock for Pen Test Partners, and it took him less than an hour to find a way to open every single Tapplock.

How is that possible? Well, it turns out the lock broadcasts its own Bluetooth MAC address over the airwaves, and uses that MAC address to calculate a key used to lock and unlock the device.

Tierney cracked the system disturbingly quickly: "It upper cases the BLE MAC address and takes an MD5 hash. The 0-7 characters are key1, and the 16-23 are the serial number." The upshot? He was able to write a script, port it to an Android app, and open any nearby Tapplock wirelessly using his phone and Bluetooth, taking less than two seconds each time.
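An added sketch, not code from the article, Pen Test Partners or Tapplock: the derivation Tierney describes, shown beside a hypothetical hardened design in which the lock holds a random per-device secret and answers a fresh challenge. The colon-separated MAC format, the reading of "0-7" as the first eight hex digits, and the names `ProvisionedLock` and `app_response` are assumptions.

```python
import hashlib
import hmac
import secrets


def weak_key1(ble_mac: str) -> str:
    """Derivation as quoted in the article: upper-case the MAC, MD5 it.

    Assumption: "the 0-7 characters" means the first eight hex digits.
    """
    return hashlib.md5(ble_mac.upper().encode("ascii")).hexdigest()[0:8]


def derivable_from_advert(advertised_mac: str, device_key: str) -> bool:
    """Audit check: does the key follow from broadcast data alone?"""
    return hmac.compare_digest(weak_key1(advertised_mac), device_key)


class ProvisionedLock:
    """Hypothetical hardened design: random per-device secret + challenge."""

    def __init__(self):
        self.secret = secrets.token_bytes(32)  # never derived from the MAC
        self.pending = None

    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)  # fresh nonce per attempt
        return self.pending

    def unlock(self, response: bytes) -> bool:
        if self.pending is None:
            return False
        nonce, self.pending = self.pending, None  # single use: no replay
        expected = hmac.new(self.secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def app_response(paired_secret: bytes, nonce: bytes) -> bytes:
    """What a paired app computes; the secret was shared once at pairing."""
    return hmac.new(paired_secret, nonce, hashlib.sha256).digest()


if __name__ == "__main__":
    mac = "aa:bb:cc:dd:ee:ff"  # constructed sample address
    print("weak key derivable:", derivable_from_advert(mac, weak_key1(mac)))
    lock = ProvisionedLock()
    reply = app_response(lock.secret, lock.challenge())
    print("paired app unlocks:", lock.unlock(reply))
    print("replayed reply unlocks:", lock.unlock(reply))
```

The weak key is a pure function of what the device advertises, so it carries no secret at all; the hardened variant ties each unlock to a secret the radio never reveals and to a nonce that is used once.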

"This level of security is completely unacceptable," he complained. "Consumers deserve better, and treating your customers like this is hugely disrespectful. To be honest, I am lost for words."

The problem was so bad that Tierney informed the manufacturer, and gave it seven days before he went public with the fundamental flaw. Just hours before the deadline was up, Tapplock put out a security advisory warning that everyone needed to upgrade their lock's firmware "to get the latest protection."

"This patch addresses several Bluetooth/communication vulnerabilities that may allow unauthorised users to illegal gain access," the company noted. But Tierney notes that it doesn't mention that literally anyone can open any lock that doesn't have the firmware updated.

Holding to account

On to flaw 2.

Security researcher Vangelis Stykas published a blog post on Friday outlining that Tapplock API endpoints have literally no security checks beyond checking whether there was a valid token.

So if you create a Tapplock account and gain a login, you will be able – again – to open every single Tapplock out there.

Tierney noted in his piece that he saw all kinds of red flags that made him confident that the lock's security was going to be terrible, and Stykas notes the same thing – but with different red flags.

He approached the lock from a different angle – the lock's app. And was immediately concerned that it didn’t even use HTTPS. And so he dug around and found pretty quickly that it was trivial to manipulate other users' accounts from a different account.

Aside from being able to get at the lock itself, the security flaw enabled him to access the actual account information as well.

Amazingly, he approached the first flaw discoverer – Andrew Tierney/cybergibbons – and asked if he would share the email address he used for his account. Tierney agreed and within minutes, Stykas was not only able to add himself to Tierney's smart lock but was able to see his name and address.

That's right, Tapplock is literally handing out all the information people need not only to access others' locks but also to find where those locks physically are.

It's safe to say that Stykas was not impressed. "I really have no postmortem on this one," he noted. "The lock had several flaws and to my understanding they had a great marketing team but a non existent security team. I cannot tell you to buy or not buy anything as I don’t have the authority to do so but I would not buy this lock."

Tapplock disabled the API exploited by Stykas to thwart further attempts to obtain strangers' information through it.
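An added illustration, not Tapplock's or Stykas's code: a toy in-memory model of the pattern described above, where a handler that only validates the token sits beside one that also checks the caller owns the lock named in the request. `LockService`, its method names, the tokens and the ids are all hypothetical and constructed.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Caller is authenticated but not allowed to touch this object."""


@dataclass
class Lock:
    owner_id: int
    shared_with: set = field(default_factory=set)


class LockService:
    """Toy in-memory API model; all ids and tokens are constructed."""

    def __init__(self):
        self.tokens = {"tok-alice": 100, "tok-bob": 200}  # token -> user id
        self.locks = {1: Lock(owner_id=100), 2: Lock(owner_id=200)}

    def authenticate(self, token: str) -> int:
        if token not in self.tokens:
            raise PermissionError("invalid token")
        return self.tokens[token]

    def share_token_only(self, token, lock_id, grantee_id) -> bool:
        """Flawed pattern: a valid token is the only check performed."""
        self.authenticate(token)
        self.locks[lock_id].shared_with.add(grantee_id)
        return True

    def share_checked(self, token, lock_id, grantee_id) -> bool:
        """Fixed pattern: the caller must own the lock named in the request."""
        caller = self.authenticate(token)
        lock = self.locks.get(lock_id)
        # Same error for "no such lock" and "not yours": ids can't be probed.
        if lock is None or lock.owner_id != caller:
            raise Forbidden("caller does not own this lock")
        lock.shared_with.add(grantee_id)
        return True

    def can_unlock(self, token, lock_id) -> bool:
        caller = self.authenticate(token)
        lock = self.locks.get(lock_id)
        return lock is not None and (
            caller == lock.owner_id or caller in lock.shared_with
        )
```

Authentication answers "who is calling"; the ownership comparison in `share_checked` is the separate authorization step that every object-addressed endpoint needs.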

So those are two catastrophic software errors. What about the actual physical lock itself?

Aside from the nice-looking but shoddy aluminum alloy it is built out of – oh, and the lack of a decent physical step in the lock arm itself that all decent lock manufacturers add to prevent thieves from shimming it open – there is another pretty insane flaw in the lock: you can potentially unscrew the back off.
