Remember Wednesday, when we thought the $100 Tapplock fingerprint-equipped smart padlockas a couple of viral videos showed, and that maybe -- just maybe -- the crowdfunded company could redeem itself?
Ah, the innocence of youth -- because today, ZDNet is reporting the company's security was so bad, a hacker could easily use the company's servers to find the last-known location of any lock online and get the keys to unlock it. (Imagine hackers driving around with a treasure map.)
So bad that a hacker could share access someone else's lock with anyone else, without the original owner knowing.
So bad that Tapplock says it's disabling Bluetooth access to all of its locks while the company works on a patch.
Security researcher Vangelis Stykas discovered the hack, which builds on , and the good news is that the same patch planned for that hack might help solve this one as well. But Tapplock will also have to fix its "leaky" API server, which allowed Stykas to easily grab users' sensitive info.
In short, we've now seen three extremely embarassing flaws in this lock:
- As JerryRigEverything showed, some small, unknown number of Tapplocks can literally be opened with a suction cup and a Philips-head screwdriver in 30 seconds flat
- As PenTestPartners demonstrated, any Tapplock can be opened in 2 seconds using a simple "replay attack" because the company reportedly used its own MAC address to generate the key and it broadcast that key over an insecure channel.
- As Stykas now shows, the company's API server was ridiculously insecure.
Out of those three flaws, two of them might not be as bad as you'd think:
- CNET tested our Tapplock with suction cups, and were unable to break in. Tapplock says it was a rare manufacturing process error, and they'll replace those locks for free -- plus the company has changed its QA process to spot that error, and will no longer use Philips-head screws inside the locks.
- Tapplock says it's pushing out an app update and lock firmware update that stops the replay attack, one that'll auto-prompt you to install the next time you connect to the lock.
But that firmware update still hasn't arrived two days later -- both Google Play and the Apple App Store show Tapplock's app last updated on May 25.
And it's not clear what exactly Tapplock will do about the new vulnerabilities. "Aside from the patch, we are working on additional infrastructure improvements on Tapplock's security stack. We are expecting more updates to come in the following weeks," reads the company's notice today.
We asked Tapplock about this newest security issue. They told us they've disabled the Bluetooth app features and are planning to send security patches out tonight that will likely reach Android users tomorrow and iOS users "shortly after." Tapplock also added that the service was shut down for patching within 24 hours of receiving the report, and the patch addresses both the API as well as the lock's firmware. Tapplock isn't offering refunds at this time, but added:
Tapplock assumes 100% responsibility for the security flaws. We are doing our best to respond and fix the issues at hand, and we are launching a comprehensive security program to enhance our security stack in the long-run, including hiring independent penetration groups to conduct periodic tests.
At this point, I personally wouldn't trust this company anymore. A lock company should have no excuse for security as poor as disclosed here.