It might be time to move on.
Remember Wednesday, when we thought the $100 Tapplock fingerprint-equipped smart padlock might not be quite as hilariously easy to open as a couple of viral videos showed, and that maybe -- just maybe -- the crowdfunded company could redeem itself?
Ah, the innocence of youth -- because today, ZDNet is reporting the company's security was so bad, a hacker could easily use the company's servers to find the last-known location of any lock online and get the keys to unlock it. (Imagine hackers driving around with a treasure map.)
So bad that a hacker could share access to someone else's lock with anyone else, without the original owner knowing.
So bad that Tapplock says it's disabling Bluetooth access to all of its locks while the company works on a patch.
Security researcher Vangelis Stykas discovered the hack, which builds on the one PenTestPartners released the other day, and the good news is that the same patch planned for that hack might help solve this one as well. But Tapplock will also have to fix its "leaky" API server, which allowed Stykas to easily grab users' sensitive info.
In short, we've now seen three extremely embarrassing flaws in this lock:
Out of those three flaws, two of them might not be as bad as you'd think:
But that firmware update still hasn't arrived two days later -- both Google Play and the Apple App Store show Tapplock's app last updated on May 25.
And it's not clear what exactly Tapplock will do about the new vulnerabilities. "Aside from the patch, we are working on additional infrastructure improvements on Tapplock's security stack. We are expecting more updates to come in the following weeks," reads the company's notice today.
We asked Tapplock about this newest security issue. They told us they've disabled the Bluetooth app features and are planning to send security patches out tonight that will likely reach Android users tomorrow and iOS users "shortly after." Tapplock also added that the service was shut down for patching within 24 hours of receiving the report, and the patch addresses both the API as well as the lock's firmware. Tapplock isn't offering refunds at this time, but added:
Tapplock assumes 100% responsibility for the security flaws. We are doing our best to respond and fix the issues at hand, and we are launching a comprehensive security program to enhance our security stack in the long-run, including hiring independent penetration groups to conduct periodic tests.
At this point, I personally wouldn't trust this company anymore. A lock company should have no excuse for security as poor as disclosed here.