For a product that’s been backed to over $300,000 on Indiegogo — over 500 percent of its original goal — Tapplock is having a bad week in the security department. Specifically, some friendly hackers at Pen Test Partners were able to crack the Bluetooth-enabled smart lock in seconds using only a cell phone.
Digital Trends wrote about the lock and its “cutting edge encrypted fingerprint sensor” back in 2016, but the $100 smart lock turns out to be vulnerable on two fronts: its physical construction and its software.
First, its physical construction is weaker than the marketing suggests. Sure, a pair of bolt cutters goes through the lock like a hot knife through butter, but that’s true of most consumer-market locks. Never mind that the lock isn’t even waterproof but merely “water resistant.” It turns out the lock body is made of Zamak 3, a die-cast zinc-aluminum alloy more commonly found in toys and door handles; the alloy isn’t strong, is brittle, and melts at temperatures below 800 degrees Fahrenheit. By comparison, an air-only blowtorch burns at more than 3,600 degrees F, while an oxygen-fed torch fires at more than 5,000 degrees.
But that’s not all on the physical security front. Several YouTubers have already put up videos demonstrating the fragility of the lock. On June 1, a user called JerryRigEverything was able to employ a sticky GoPro mount to remove the back of the lock, dismantle it with a screwdriver, and open the shackle. Subsequently, CNET tried the same trick and couldn’t break the lock, so whether the lock is physically secure is still up in the air.
In the meantime, Tapplock has issued a statement that all future lock batches will use proprietary screws in the inside chambers as a secondary protective mechanism. The company is also offering free replacements to any customer who is able to crack the back cover without damaging the lock.
Meanwhile, the company is dealing with the bigger headache of Pen Test Partners being able to open the Tapplock in under two seconds; working out how took the penetration testers less than an hour. Not only does the app talk over unencrypted HTTP, but the lock accepts the same unlocking data every time. Any bad actor who can sniff that traffic once can capture the unlocking data and replay it to open the lock in perpetuity, and because the lock has no factory reset, the owner has no way to invalidate the captured credential.
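To make the replay problem concrete, here is an added illustration (not Tapplock’s code, and not its actual Bluetooth or HTTP message format): a lock that accepts one fixed unlock message, beside a lock that issues a fresh random nonce and expects a keyed response over it. The shared key, the message layout and the class names are assumptions made for this example only.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed demo key shared by the app and the lock; an assumption for this
# example only, not a real device key.
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def derive_static_token(key: bytes) -> bytes:
    """What the legitimate app sends to a static-token lock: a fixed function
    of the shared key, identical on every unlock (assumed format)."""
    return hashlib.sha256(b"unlock:" + key).digest()


class StaticTokenLock:
    """Lock that opens for one fixed unlock message derived from its key.

    Because the message never changes, anyone who captures it once can
    replay it forever. This models the weakness described above.
    """

    def __init__(self, key: bytes) -> None:
        self._expected = derive_static_token(key)
        self.open_count = 0

    def unlock(self, message: bytes) -> bool:
        ok = hmac.compare_digest(message, self._expected)
        if ok:
            self.open_count += 1
        return ok


def app_response(key: bytes, nonce: bytes) -> bytes:
    """What the legitimate app sends to a challenge-response lock: an HMAC
    over the lock's one-time nonce (assumed format)."""
    return hmac.new(key, b"unlock:" + nonce, hashlib.sha256).digest()


class ChallengeResponseLock:
    """Lock that issues a random nonce per attempt and expects an HMAC over it.

    A captured response is bound to a nonce that is never reused, so
    replaying it against a later challenge fails.
    """

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._pending_nonce: Optional[bytes] = None
        self.open_count = 0

    def challenge(self) -> bytes:
        self._pending_nonce = secrets.token_bytes(16)
        return self._pending_nonce

    def unlock(self, response: bytes) -> bool:
        if self._pending_nonce is None:
            return False  # no outstanding challenge, nothing to verify against
        expected = app_response(self._key, self._pending_nonce)
        self._pending_nonce = None  # each nonce is single use
        ok = hmac.compare_digest(response, expected)
        if ok:
            self.open_count += 1
        return ok


def replay_against_static_lock(key: bytes = DEMO_KEY) -> Tuple[bool, bool]:
    """Return (owner_unlock_ok, attacker_replay_ok) for the static-token lock."""
    lock = StaticTokenLock(key)
    sniffed = derive_static_token(key)   # captured once while the owner unlocks
    owner_ok = lock.unlock(sniffed)
    attacker_ok = lock.unlock(sniffed)   # attacker replays the identical bytes
    return owner_ok, attacker_ok


def replay_against_challenge_lock(key: bytes = DEMO_KEY) -> Tuple[bool, bool]:
    """Return (owner_unlock_ok, attacker_replay_ok) for the nonce-based lock."""
    lock = ChallengeResponseLock(key)
    nonce = lock.challenge()
    sniffed = app_response(key, nonce)   # captured during the owner's unlock
    owner_ok = lock.unlock(sniffed)
    lock.challenge()                     # attacker triggers a fresh challenge
    attacker_ok = lock.unlock(sniffed)   # stale response no longer matches
    return owner_ok, attacker_ok


if __name__ == "__main__":
    print("static token  (owner, replay):", replay_against_static_lock())
    print("challenge/resp (owner, replay):", replay_against_challenge_lock())
```

Note that the nonce alone does not help if the shared key can itself be derived from something the lock broadcasts or from data sent in the clear; the point here is only that a credential which is identical on every unlock is replayable by anyone who sees it once.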
“This level of security is completely unacceptable,” wrote Pen Test Partners researcher Andrew Tierney. “Consumers deserve better, and treating your customers like this is hugely disrespectful. To be honest, I am lost for words.”
When informed of the hack, Pishon Lab, the company behind Tapplock, told Tierney, “We are well aware of these notes.”
Subsequently, the company says it is upgrading its QA process and pushing out a security patch to address the software vulnerability. Its QA procedures now include a two-step inspection to ensure the lock’s spring-pen mechanism is effective, and a software patch upgrades the security protocol to include additional authentication steps. The patch involves an app update as well as a firmware update, delivered via the company’s proprietary app.
Pishon Lab also thanked Pen Test Partners for “the timely prompt and ethical disclosure.”