Have you heard of the famous smart lock ‘Tapplock’? Supposedly, it is the ‘world’s first smart fingerprint padlock’. It enjoyed a good reputation for quite some time, but lately that reputation has been slipping. Within a single week, two critical vulnerabilities were reported for the Tapplock smart lock, and both show how easily the ‘smart’ lock can be unlocked.
Bug #1 – Tapplock Smart Lock Broadcasts Its BLE MAC Address
On June 13th, Andrew Tierney published a detailed blog post in which he pointed out a critical vulnerability in Tapplock. He began by highlighting the rather ‘non-serious’ security this lock provides. Although the makers claim it uses AES 128-bit encryption, the lock in fact works over Bluetooth Low Energy and broadcasts its own BLE MAC address.
Andrew Tierney demonstrated that anyone with a Bluetooth-enabled smartphone can pick up the BLE key simply by getting close to a Tapplock smart lock.
He also pointed out that the lock works over HTTP (instead of HTTPS) and has no factory reset option. This means a hacker can easily intercept the data being transmitted over unsecured connections and unlock the Tapplock.
Andrew Tierney from PenTestPartners informed Tapplock about his findings with a 7-day disclosure deadline. A day before the deadline (on June 12), Tapplock posted an official statement on its website announcing an upcoming security update.
“Tapplock is pushing out an important security patch. This patch addresses several Bluetooth / communication vulnerabilities that may allow unauthorized users to illegally gain access. Tapplock will continue to monitor the latest security trends and provide updates from time to time.”
Bug #2 – Anyone Can Pull In Sensitive Details From A Leaky API Server
The problem should have been resolved once Tapplock announced a fix. However, the chaos is not over yet.
Andrew Tierney’s findings fascinated Vangelis Stykas, a security researcher, who then decided to dig into this lock further. Instead of examining the hardware, he inspected the software side and found another critical vulnerability. As reported in his blog on Medium, anyone can easily unlock this smart lock by ‘pulling in’ information right from the company’s leaky server.
Using the first researcher’s account details (with his permission), he demonstrated that he could easily retrieve all information about the lock through the leaky API. This information even included the lock user’s exact location.
Like Tierney, Stykas also informed Tapplock about the vulnerabilities, after which the company announced in another notice that it was disabling the API.
“Tapplock is applying a critical security update to our app and servers. App features are temporarily disabled while we work on the patch. Meanwhile, fingerprint and morse-code unlocking will be working as usual.”
Upset with the apparently superficial security features of this smart lock, Stykas writes in his blog post,
“The lock had several flaws and to my understanding, they had a great marketing team but a non-existent security team. I cannot tell you to buy or not buy anything as I don’t have the authority to do so but I would not buy this lock.”
Aside from the software, Tapplock’s hardware also has several problems. A couple of weeks ago, JerryRigEverything demonstrated in his YouTube video how easy it is to break open the lock with a suction pump.
Certainly, the company has a lot to work on to ensure adequate security for its customers.