Another Tapplock security flaw lets hackers pull smart lock’s location, other sensitive data from API server

Another major security flaw has been found affecting the “unbreakable” Tapplock One smart lock, dubbed the “world’s first fingerprint padlock”, this week. Last week, Pen Test Partners’ Andrew Tierney discovered a critical vulnerability that allowed anyone with a smartphone to hack a Tapplock over Bluetooth Low Energy (BLE) in under two seconds without a user’s fingerprint.

Building off of that research, security researcher Vangelis Stykas has disclosed another flaw that could allow anyone to access sensitive information to locate a lock and open it using data gathered from the company’s API server.

Stykas demonstrated how hackers could potentially retrieve the lock’s last known postal address along with additional data needed to create an unlock code. This code can then be used to locate the smart lock and open it.

According to Tierney’s initial findings, the Tapplock could be easily opened because the unlock code is generated from the unique MAC address that all Bluetooth devices have and broadcast. The lock takes this Mac address and converts it using the weak MD5 algorithm. An attacker with close proximity to the lock could potentially obtain the MAC address broadcast by the device, convert it to an MD5 hash and crack the device.

Tapplock’s API requires a registered email address - which can be created by a user using the mobile app - to work. According to Stykas’ findings, an attacker can use this email address to access the API and retrieve a lock’s location and its MAC address from the server by running a few terminal commands. Using Tierney’s technique, the retrieved data can then be converted to a code to unlock the device, provided the attacker is in close proximity to the lock.

Whenever a new fingerprint is registered with a particular lock, a new record is created and uploaded to the server, Stykas discovered. Each record is then given a unique user number, which means an attacker could try to various user number combinations to try and crack the lock and obtain other users’ data as well.

“Tapplocks’ API endpoints had no security checks other than a valid token to access any data.This results in anyone with a valid login (easily obtained by creating an account) being able to manipulate every tapplock available!” Stykas wrote in a Medium post. “I could access really sensitive PII (like the user exact address when he/she unlocked the lock via bluetooth (possibly home address) and email) which is probably a violation of GDPR.” He added that an attacker could do everything he wanted by just changing some parameters in the HTTP calls with no further checks performed by the API server.

In a statement release last Friday, Tapplock acknowledged the initial security flaw disclosed by Tierney saying: “Tapplock is applying a critical security update to our app and servers. App features are temporarily disabled while we work on the patch. Meanwhile, fingerprint and morse-code unlocking will be working as usual.”

Tapplock also confirmed that it has taken down the API considering the risk of a data breach.

"This patch addresses several security issues and upgrades Tapplock's communication and authentication security protocols. We will continue to monitor the latest security trends and provide updates from time to time," the company said, ZDNet reports.