Tapplock, a smart padlock that received positive reviews and media hype when it was released earlier this year, has issued a critical patch after researchers discovered several security issues enabling them to easily hack into and unlock the device.
The $100 lock is Bluetooth-based and can be fingerprint-activated. At first glance, everything about the Tapplock seemed promising – the lock is described as “unbreakable” by its manufacturer, and has received positive reviews by various media outlets. The company also raised over $300,000 on Indiegogo in 2016, before it went into production and was released in March 2018.
Then, in the beginning of June, Youtuber JerryRigEverything posted a video demonstrating how the lock could come apart using a screwdriver to loosen and pop off the back of the lock, and then open the shackle.
While Tapplock said that the issue appeared to be a single incident, the video also inspired two researchers in the security community to take a look at the lock. Pen Test Partners’ Andrew Tierney in June reviewed the device’s security – and it took him no more than 45 minutes to break into the smart padlock.
“As a padlock, the Tapplock has a very succinct security goal: frustrate an attacker with physical access from opening the shackle…The Tapplock, however, falls way below any acceptable standard,” said Tierney in a post last week about the lock. “It can be opened in under 2 seconds with only a mobile phone. Discovering this took under an hour.”
Tierney essentially figured out the Bluetooth low-energy (BLE) MAC address – a device identification – was publicly broadcast across the network; so, all he needed to unlock the device was the BLE MAC address.
But beyond that, Tierney said that there were several warning signs that a hack would be inevitable. He also found that the app communicates over HTTP, so there is no transport encryption – a flaw that is “unforgiveable in 2018,” he said.
When looking at the Bluetooth description, Tapplock described its security measures as using AES 128-bit encryption, “the same encryption used by the military to protect documents with confidential and secret security levels.”
“They’ve gone for the AES 128-bit encryption with an inference that their security is on a parallel with the military,” said the researcher. “It must be secure! This is a red flag to a IoT hacker though – it ignores pairing, key exchange, key sharing… and most importantly, makes no mention of authentication.”
There was also no factory reset for the lock – meaning that users can delete the lock from an account, but the data used to unlock it remains unchanged.
Researcher Vangelis Stykas followed on top of Tierney’s research to discover that once he was logged into a Tapplock account, he was able to have authenticated access into anyone else’s account, as long as he knew their ID.
This allowed Stykas to access sensitive PII – including the address of users when they unlocked the lock via Bluetooth, and email – as well as share any lock to any account and access all information about any lock.
“So after my findings, things look really bad,” said Stykas. “I could script an attack that would share any lock permanently with my account (or ANY account), then extract all the locks last unlock location, go there and unlock them via the official app.”
The Tapplock incident points to overarching issues in IoT devices – particularly ones that are supposed to secure personal items. But beyond that, the issue points to how the media – and manufacturers – approach IoT devices.
“The Tapplock has been reviewed by many big sites, and several YouTubers,” wrote Tierney. “I can’t see one that has tested the security of the lock. I can see plenty of them making statements about the security of the lock. This needs to be challenged – why are people reviewing devices allowed to parrot false security claims?”
Tapplock, for its part, released security notices regarding both Tierneys’ and Stykas’ discoveries, and urged customers to upgrade.
“Tapplock is pushing out an important security patch,” the company said in a security notice. “This patch addresses several Bluetooth/communication vulnerabilities that may allow unauthorized users to illegal lygain access. Tapplock will continue to monitor the latest security trends and provide updates from time to time.”