Described as the “world’s first smart fingerprint padlock,” Tapplock is a high-tech padlock secured with a fingerprint. According to its creators, the smart lock’s owners no longer need to remember combination codes, but simply swipe their finger instead to open the smart lock. In addition, the device can be managed using a smartphone, so it can be remotely unlocked to let other trusted people access whatever it is protecting.
However, according to cybersecurity experts, the Tapplock can reportedly be opened by anyone with a smartphone. Researchers said it took them just 45 minutes to breach any Tapplock device, which the company quickly acknowledged, saying it was issuing “an important security patch.” This fix reportedly addresses several Bluetooth and communication flaws in the smart lock that would allow unauthorized users to gain access to the device.
“You can just walk up to any Tapplock and unlock it in under two seconds. It requires no skill or knowledge to do this,” says Pen Test Partners (PTP) security expert Andrew Tierney.
Tierney says it was so astoundingly easy to breach the smart lock that he ordered a second one in case his first attempt was a fluke. One of the major causes of the device’s susceptibility lies in the lock’s software, which does not take even simple steps to secure the data it broadcasts, leaving the Tapplock open to these trivial attacks. The Tapplock’s notable design flaw is that the device’s unlock key is easily discoverable because it is generated from the Bluetooth Low Energy ID that the device broadcasts.
Anyone with a smartphone could pick up this key simply by scanning for Bluetooth devices while close to a Tapplock. Using this key together with the lock’s commands would let attackers open any of these devices they discover. To make matters worse, the back of the Tapplock can easily be removed to get at the device’s internals. This particular weakness was traced back to faulty manufacturing, and a subsequent test showed that other units were not affected by this type of attack.
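The core weakness described above is that the unlock key is a function of an identifier the lock itself broadcasts. The following added example (not Tapplock’s or PTP’s code) models that situation and contrasts it with a per-device random key shared only at pairing; the hash used for the flawed derivation, the HMAC challenge-response and the sample address are all assumptions for illustration, not a description of the real firmware.

```python
import hashlib
import hmac
import secrets

# Constructed sample address in BLE advertising-address form (not a real device).
ADVERTISED_ID = "AA:BB:CC:DD:EE:FF"


def derive_key_from_public_id(advertised_id: str) -> bytes:
    """Hypothetical flawed derivation: the key is a fixed function of data the lock
    broadcasts. SHA-256 is an assumption for illustration, not Tapplock's scheme;
    any deterministic function of public data has the same problem."""
    return hashlib.sha256(advertised_id.encode()).digest()[:16]


class Lock:
    """Minimal model of a BLE lock that accepts an HMAC challenge-response over its key."""

    def __init__(self, advertised_id: str, key: bytes):
        self.advertised_id = advertised_id  # visible to every nearby scanner
        self._key = key                     # must stay private to lock and owner app
        self._nonce = None

    def challenge(self) -> bytes:
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def unlock(self, response: bytes) -> bool:
        if self._nonce is None:             # no outstanding challenge
            return False
        expected = hmac.new(self._key, self._nonce, hashlib.sha256).digest()
        self._nonce = None                  # one-time use: blocks replay
        return hmac.compare_digest(expected, response)


def respond(key: bytes, nonce: bytes) -> bytes:
    """What the owner's app computes with the key it received at pairing."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def opens_with_broadcast_data_only(lock: Lock) -> bool:
    """Defender's check: can a party that knows nothing but the advertised ID open
    the lock? True means the key has no secrecy beyond what the lock broadcasts."""
    guessed_key = derive_key_from_public_id(lock.advertised_id)
    return lock.unlock(respond(guessed_key, lock.challenge()))


def make_flawed_lock() -> Lock:
    return Lock(ADVERTISED_ID, derive_key_from_public_id(ADVERTISED_ID))


def make_hardened_lock() -> tuple:
    """Per-device random key generated at manufacture and shared only at pairing."""
    key = secrets.token_bytes(16)
    return Lock(ADVERTISED_ID, key), key
```

The check passes trivially against the flawed lock and fails against the hardened one, even though both broadcast the same identifier and use the same unlock protocol.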
Rather than focusing on its physical design, Tierney and his team examined the smart lock’s software to see who could manage and use the device. Shocked and disturbed by his findings, Tierney contacted Tapplock, who said they were aware of the flaw. The company was given time to rectify the problem before PTP went public with its findings, during which Tierney urged Tapplock to warn its customers about the lock’s vulnerabilities.
In response to the discovery, Tapplock stated it would issue a software update to fix the flaw, urging customers to update their app once it became available in their region. The company also strongly recommended upgrading the smart lock’s firmware to receive the latest protection. In addition, Tapplock thanked PTP for alerting it to the product’s flaws, and pledged to keep up with the latest security trends and to provide periodic updates.