The Tapplock one “smart” padlock, which received many rave reviews by tech-focused news sites and YouTubers, can be forced to open in under two seconds with a smartphone.
The discovery was made by Pen Test Partners researcher Andrew Tierney, who decided to probe the security of the software used by the product after seeing a YouTuber opening a locked Tapplock one by simply unscrewing its back and a few internal screws.
Breaking into the “smart” padlock
Tapplock one is a padlock that can be opened by placing your finger on the fingerprint sensor, via Bluetooth through a phone app, or by pressing the power button in a specific pattern.
Tierney discovered that the communication between the lock and the app is unencrypted, and that he app would send the same string of data over Bluetooth Low Energy (BLE) to the lock every time it connected to it, which means it’s vulnerable to replay attacks.
“The app allows you to ‘share’ the lock with someone else, revoking permissions at a later date. I shared the lock with another user, and sniffed the BLE data. It was identical to the normal unlocking data. Even if you revoke permissions, you have already given the other user all the information they need to authenticate with the lock, in perpetuity,” he also found.
Finally, he discovered that the only thing an attacker must know to do it is the BLE MAC address that is broadcast by the lock, as the unlock key is based on it. This allowed him to create a script that would scan for Tapplocks (via Bluetooth) and unlock them, as demonstrated in this video:
Sharing the discovery with the manufacturer
Tierney was shocked by the product’s poor security, and contacted the manufacturer to see whether they were aware of these flaws. They said they were, but did nothing to inform current customers and future buyers about them.
He decided to give them seven days to come up with fixes and push them out and, apparently, they did and are urging to users that they update their app and upgrade the padlock’s firmware.
But the thing that angers Tierney is that they failed to explain the risk these flaws carry.
“[The notice] doesn’t clearly state that anyone can open any lock, nor that a temporary replacement lock should be used until the firmware update is applied. It was nice to be credited for the work, though we would prefer it if Tapplock had proactively contacted all customers with a clear explanation, mitigation and remediation plan,” he noted.
When all is said and done, it’s a bit demoralizing that the manufacturer did not think to implement better security from the start and did not move to fix the flaws if they were, as they say, aware of them. (Perhaps they saw this video by another hacker who demonstrated the existence and expoitability of some of these bugs?)
It seems that, at least for now, we must depend on security researchers going out of their way to probe the various offerings and sharing the flaws with the public in order to force the manufacturers’ hand.