The smart lock everyone saw get hacked is now getting fixed

Have you sworn off buying a Tapplock? Read this first.

Sean Hollister Senior Editor / Reviews

We liked the Tapplock. It seemed smart. Then, we saw YouTube star JerryRigEverything defeat the $100 fingerprint lock with a freaking suction cup.

So did 1.4 million viewers on YouTube. It hit the top of Reddit, too.

And then, today, security firm PenTestPartners showed that the company's digital security was laughably, hilariously bad. Like, walk up to any Tapplock and open it in 2 seconds bad. See for yourself:

That is a very, very bad look, and I have to agree with PenTestPartners -- it's pretty unforgivable. I wouldn't dream of buying these locks after watching these videos.

Oh, except for two very important things. You can't actually just open any Tapplock with a suction cup, and Tapplock is issuing a firmware update to fix the digital security, too.

A week ago, CNET tested the suction cup trick with every suction cup we could find, including the exact model that JerryRigEverything used in his video. It didn't work. 

Tapplock told us that JerryRigEverything's lock has a very specific defect. There's normally a spring-pin that keeps the back of the lock from rotating, but sometimes the spring pin wasn't properly inserted into the notch.

According to Tapplock, the company's upgrading its QA process and will issue free replacements if you can find the defect yourself:

Our QA procedures now include a 2-step inspection to make sure the spring-pin mechanism is effective.

All future Tapplock one batches will use proprietary screws in the inside chambers as a secondary protective mechanism.

We are giving free replacements to any customer who is able to open the back-cover without damaging the locks.

So, what about someone hacking your lock with a phone? Tapplock tells CNET it's already pushing out a security patch that includes a firmware update for the lock -- one that'll automatically pop up the next time you try to use it. 

We haven't tried that firmware update yet, so we can't be sure it does the job, but it sure sounds like literally every Tapplock user is about to have a lock that works.

I wouldn't blame you for still doubting Tapplock -- I do, personally -- but as a tech reviewer, I'm duty-bound to point out that the product probably isn't anywhere near as vulnerable as it seemed.

Update, June 15 at 10:03 a.m. PT: Tapplock has another, even nastier security flaw. You'll want to read this.