The Federal Trade Commission has slapped Tapplock, the maker of smart padlocks that it bills as “unbreakable,” with an official complaint that could lead to fines down the road.
The agency alleges that the company engaged in false and deceptive claims about its security practices, after the lock was shown to be hackable.
The $100 Tapplock smart locks are internet-connected and use fingerprint biometrics for security. The company also offers a companion mobile app that allows users to lock and unlock their smart locks with Bluetooth.
The FTC alleges that there are “reasonably foreseeable electronic security vulnerabilities that could have been avoided” within the device and the app.
The company raised over $300,000 on Indiegogo in 2016, before it went into production and released the locks in March 2018. Shortly after, the issues were discovered, and the manufacturer released patches at the time. However, the FTC is now taking issue with the disconnect between the company’s advertising claims regarding security, and the reality of the situation.
A Bevy of Smart-Lock Bugs
According to the complaint, one of the flaws at issue allowed researchers (at Pen Test Partners) to lock and unlock any nearby Tapplock smart lock due to a lack of encryption around the Bluetooth communication between the lock and the app.
“Researchers were able to easily discover and replicate how [Tapplock] generated the private keys necessary to lock and unlock user’s smart locks,” according to the FTC complaint [PDF], filed this week.
The FTC also alleged that Tapplock doesn’t take adequate precautions to secure user data, contrary to its privacy policy. The mobile app collects usernames, email addresses, profile photos and location history, and shows the geolocation of a user’s smart lock, the FTC pointed out – adding that there was a privacy bug that could offer an attacker access to all of it.
Discovered by researcher Vangelis Stykas, the bug existed in Tapplock’s API, the complaint said; he was able to exploit it to bypass account authentication and gain full access to any Tapplock user account — along with the personal information contained within.
“A researcher who logged in with a valid user credential could…access another user’s account without being re-directed back to the login page, thereby allowing the researcher to circumvent respondent’s authentication procedures altogether,” the complaint reads.
Even so, Tapplock states that “we take reasonable precautions and follow industry best practices to make sure [personal data] is not inappropriately lost, misused, accessed, disclosed, altered or destroyed.”
The complaint also outlined a third flaw, also discovered by Pen Test Partners, having to do with third-party access. If a user allowed, for instance, a neighbor or a dog-walker temporary access to the lock, that person could exploit the bug to keep their lock access even after a user officially revoked it, the complaint said.
“This vulnerability allowed the researchers to sniff data packets for the information necessary to authenticate their access to the lock,” the FTC explained. “With that information, researchers were able to continue accessing the lock even after their access had been revoked.”
Adding insult to injury, the complaint also noted that it’s possible unlock the smart locks by simply unscrewing the back panel. In June 2018, Youtuber JerryRigEverything posted a video demonstrating how the lock could come apart using a screwdriver to loosen and pop off the back of the lock, and then open the shackle.
Possible Fines Ahoy
The upshot of all of this, according to the FTC, is that Tapplock “did not take reasonable measures to secure its locks, or take reasonable precautions or follow industry best practices for protecting consumers’ personal information,” despite advertising that it did.
“[Tapplock] advertised its smart locks to consumers as ‘Bold. Sturdy. Secure.,’” according to the complaint. “[Its] advertisements touted that its ‘secure’ smart locks were also…designed to be ‘unbreakable.’” The complaint added, “in fact, [Tapplock] did not have a security program prior to the discovery of the vulnerabilities.”
The allegations, if proven true, means that the company violates the provisions of the Federal Trade Commission Act and could result in damages or fines for the company.
This is not the first internet-of-things (IoT) lock shown to have major security vulnerabilities. Last year at Black Hat, researchers demonstrated an exploit that allowed researchers to break into hotel rooms. The locks in question are dubbed “mobile keys” because of their reliance on mobile phones as opposed to card-based access such as those based on mag-strips and RFID.
Also last year, pen testers said a keyless smart lock made by U-tec, called Ultraloq, could allow attackers to track down where the device is being used and easily pick the lock – either virtually or physically.
Tapplock did not immediately respond to a request for comment from Threatpost.
Worried about your cloud security in the work-from-home era? On April 23 at 2 p.m. ET, join DivvyCloud and Threatpost for a FREE webinar, A Practical Guide to Securing the Cloud in the Face of Crisis. Get exclusive research insights and critical, advanced takeaways on how to avoid cloud disruption and chaos in the face of COVID-19 – and during all times of crisis. Please register here for this sponsored webinar.