
Unbreakable smart lock devastated to discover screwdrivers exist • The Register


Tapplock: Once, twice, three times a screwup

By Kieren McCarthy in San Francisco 15 Jun 2018 at 21:32

Not sure that's supposed to happen. Ladies and gentlemen: the Tapplock. Videograb: JerryRigEverything

Video It's never easy to crack into a market with an innovative new product but makers of the "world's first smart fingerprint padlock" have made one critical error: they forgot about the existence of screwdrivers.

Tapplock raised $320,000 in 2016 for its product, which would allow you to use just your finger to open the "unbreakable" lock. Amazing. Things took a turn for the worse when the ship date of September came and went, and backers complained that the upstart had stopped posting any updates and wasn't responding to emails or social media posts.

But after months of silence, the startup assured El Reg that everything was still moving forward and the delays were due to "issues with manufacturing in China."

Fast forward 18 months and finally – finally – the $100 Tapplock is out on the market and it is… well, how do we put this kindly? Somewhat flawed.

No less than three major problems with the lock have been discovered that make it less than useless because presumably people intend to use the lock to secure valuable things.

One of the first things to note is that the Tapplock used zinc aluminum alloy Zamak 3: something that it claims lends the lock "unbreakable durability." Unfortunately, as materials engineers are happy to point out, aluminum may be a lovely lightweight metal and this alloy does provide an enviable degree of detail when die cast, but it is not exactly the best choice for something that is supposed to be unbreakable.

It isn't very strong, it melts at high temperatures, and it is quite brittle. It looks cool. But it's more suited for its more common use: door handles. It will be easy to cut through this lock with bolt cutters.

Here we go

That, by the way, is not one of the three flaws.

The first major flaw was in the way it used Bluetooth to lock and unlock. Andrew Tierney, aka cybergibbons, reviewed the lock for Pen Test Partners, and it took him less than an hour to find a way to open every single Tapplock.


How is that possible? Well, it turns out the lock broadcasts its own Bluetooth MAC address over the airwaves, and uses that MAC address to calculate a key used to lock and unlock the device.

Tierney cracked the system disturbingly quickly: "It upper cases the BLE MAC address and takes an MD5 hash. The 0-7 characters are key1, and the 16-23 are the serial number." The upshot? He was able to write a script, port it to an Android app, and open any nearby Tapplock wirelessly using his phone and Bluetooth, taking less than two seconds each time.

"This level of security is completely unacceptable," he complained. "Consumers deserve better, and treating your customers like this is hugely disrespectful. To be honest, I am lost for words."

The problem was so bad that Tierney informed the manufacturer, and gave it seven days before he went public with the fundamental flaw. Just hours before the deadline was up, Tapplock put out a security advisory warning that everyone needed to upgrade their lock's firmware "to get the latest protection."

"This patch addresses several Bluetooth/communication vulnerabilities that may allow unauthorised users to illegal gain access," the company noted. But Tierney notes that it doesn't mention that literally anyone can open any lock that doesn't have the firmware updated.
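Why a key computed from a broadcast address is no secret at all, shown next to a per-device secret proven by challenge-response. This is an added example, not code from Tierney, Pen Test Partners or Tapplock; the colon-separated text form of the MAC, the `PairedLock` class and the HMAC scheme are assumptions made for illustration and do not describe Tapplock's patch.

```python
import hashlib
import hmac
import secrets


def weak_creds_from_mac(mac: str) -> dict:
    """Derivation quoted in the article: MD5 of the upper-cased BLE MAC.
    Assumption: the MAC is hashed in its usual colon-separated text form."""
    digest = hashlib.md5(mac.upper().encode("ascii")).hexdigest()
    # Characters 0-7 are key1, characters 16-23 are the serial number.
    return {"key1": digest[0:8], "serial": digest[16:24]}


class PairedLock:
    """Hypothetical alternative: random per-device secret set at pairing,
    proven with a single-use challenge instead of being sent or derived."""

    def __init__(self) -> None:
        self.secret = secrets.token_bytes(32)  # never broadcast
        self._nonce = None

    def challenge(self) -> bytes:
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def unlock(self, response: bytes) -> bool:
        if self._nonce is None:
            return False  # no outstanding challenge: replay or unsolicited
        expected = hmac.new(self.secret, self._nonce, hashlib.sha256).digest()
        self._nonce = None  # each challenge is valid once
        return hmac.compare_digest(expected, response)


def respond(key: bytes, nonce: bytes) -> bytes:
    """Client side of the challenge: HMAC-SHA256 over the lock's nonce."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


if __name__ == "__main__":
    mac = "aa:bb:cc:dd:ee:ff"  # constructed sample address
    # The owner's app and any listener compute identical credentials.
    print(weak_creds_from_mac(mac) == weak_creds_from_mac(mac.upper()))
    lock = PairedLock()
    print(lock.unlock(respond(lock.secret, lock.challenge())))  # paired owner
    guess = weak_creds_from_mac(mac)["key1"].encode()
    print(lock.unlock(respond(guess, lock.challenge())))  # MAC-only observer
```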

Holding to account

On to flaw 2.

Security researcher Vangelis Stykas published a blog post on Friday outlining that Tapplock API endpoints have literally no security checks beyond checking whether there was a valid token.

So if you create a Tapplock account and gain a login, you will be able – again – to open every single Tapplock out there.

Tierney noted in his piece that he saw all kinds of red flags that made him confident that the lock's security was going to be terrible, and Stykas notes the same thing – but with different red flags.

He approached the lock from a different angle – the lock's app – and was immediately concerned that it didn’t even use HTTPS. So he dug around and quickly found that it was trivial to manipulate other users' accounts from a different account.

Aside from being able to get at the lock itself, the security flaw enabled him to access the actual account information as well.

Amazingly, he approached the first flaw discoverer – Andrew Tierney/cybergibbons – and asked if he would share the email address he used for his account. Tierney agreed and within minutes, Stykas was not only able to add himself to Tierney's smart lock but was able to see his name and address.


That's right, Tapplock is literally handing out all the information people need not only to access others' locks but also to find where they are physically.

It's safe to say that Stykas was not impressed. "I really have no postmortem on this one," he noted. "The lock had several flaws and to my understanding they had a great marketing team but a non existent security team. I cannot tell you to buy or not buy anything as I don’t have the authority to do so but I would not buy this lock."

Tapplock disabled the API exploited by Stykas to thwart further attempts to obtain strangers' information through it.
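The gap Stykas describes is between authentication (the token is valid) and authorization (this caller may touch this lock). The following is an added example, not Tapplock's API or Stykas's code: the handler names, tokens, e-mail addresses and data layout are all hypothetical, constructed to show the token-only pattern beside a handler that checks ownership.

```python
class Forbidden(Exception):
    pass


# Constructed sample data; every name, token and field here is hypothetical.
TOKENS = {"tok-owner": "owner@example.com", "tok-other": "other@example.com"}
PROFILES = {"owner@example.com": {"name": "Lock Owner", "address": "1 Example Street"}}


def new_locks() -> dict:
    return {"lock-1": {"owner": "owner@example.com", "shared_with": set()}}


def authenticate(token: str) -> str:
    """Authentication: is this a valid token, and whose is it?"""
    if token not in TOKENS:
        raise Forbidden("invalid token")
    return TOKENS[token]


def share_lock_token_only(locks, token, owner_email, lock_id, grantee):
    """Flawed pattern: a valid token is the only check, and the owner's
    identity is taken from the request instead of from the token."""
    authenticate(token)
    locks[lock_id]["shared_with"].add(grantee)
    return PROFILES[owner_email]  # owner's name and address go to the caller


def share_lock_checked(locks, token, lock_id, grantee):
    """Corrected pattern: the caller is whoever the token says, and must
    own the lock being modified. No client-supplied identity is trusted."""
    caller = authenticate(token)
    lock = locks.get(lock_id)
    if lock is None or lock["owner"] != caller:
        raise Forbidden("caller does not own this lock")
    lock["shared_with"].add(grantee)
    return PROFILES.get(caller, {})


def attempt(fn, *args) -> str:
    """Run a handler and report whether the request was allowed."""
    try:
        fn(*args)
        return "allowed"
    except Forbidden:
        return "denied"
```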

So those are two catastrophic software errors. What about the actual physical lock itself?

Aside from the nice-looking but shoddy aluminum alloy it is built out of – oh, and the lack of a decent physical step in the lock arm itself that all decent lock manufacturers add to prevent thieves from shimming it open – there is another pretty insane flaw in the lock: you can potentially unscrew the back off.
