Tapplock One smart lock, dubbed the “world's first fingerprint padlock”, claims to use high-quality metal along with an integrated fingerprint sensor and a rechargeable battery to secure devices. However, security researchers from Pen Test Partners have discovered a critical vulnerability that could allow anyone with a smartphone to open the lock in under 2 seconds.
Researchers looked into the smartlock after a YouTuber named JerryRigEverything posted a video in which he used a sticky GoPro mount suction cup to remove the back of the lock and dismantle it with a screwdriver. However, the researchers tested the same method and did encounter the same results.
“It turns out that there is a spring-loaded pin in the back of the body that engages with the plate, preventing it from turning. It’s possible that we could apply enough force to shear the pin, but it would need more than a sticky pad,” researchers said. “That removes the elegant simplicity and speed of the original attack. The JerryRig issue was apparently with just a single lock – others don’t appear to have this problem. At least ours didn’t.”
In a statement to CNET, Tapplock said the YouTuber JerryRigEverything's lock contained a very specific defect. “There's normally a spring-pin that keeps the back of the lock from rotating, but sometimes the spring pin wasn't properly inserted into the notch.”
The company said it is upgrading its QA procedures and will issue free replacements if anyone finds a similar defect in the future.
However, Pen Test Partners discovered the Bluetooth Low Energy flaw using which the lock connects to to a smartphone that allows trusted devices to unlock it. Researchers demonstrated the vulnerability by unlocking Tapplock one in under 2 seconds. “It took 45 minutes to figure out the way to break it,” said the researcher.
“First things first, the app communicates over HTTP. There is no transport encryption. This is unforgivable in 2018,” researchers said. “The app allows you to ‘share’ the lock with someone else, revoking permissions at a later date. I shared the lock with another user, and sniffed the BLE data. It was identical to the normal unlocking data. Even if you revoke permissions, you have already given the other user all the information they need to authenticate with the lock, in perpetuity. This issue is remarkably similar to the problem with the Ring Smart Doorbell – it was impossible to revoke another high privilege users permissions.
“It was then seen that there was no factory reset for the lock. You can delete the lock from an account, but the data used to unlock it remains unchanged. This same data was sent to and from their servers using HTTP, so an attacker appropriately positioned on the network could just intercept the data and unlock the lock.”
The researcher further explained that the only thing needed to unlock the lock was the BLE MAC address which is broadcast by the lock.
“I was so astounded by how bad the security was that I ordered another and emailed Tapplock to check the lock and app were genuine,” the researcher said. “I scripted the attack up to scan for Tapplocks and unlock them. You can just walk up to any Tapplock and unlock it in under 2s. It requires no skill or knowledge to do this.”
Another physical security vulnerability allowing the attacker to cut down the thin and stress-prone area of the shackle which is visible using a 12’’ pair of bolt-cutters.
The security researchers disclosed the findings with Tapplock Corp to which the company responded and said "Thanks for your note. We are well aware of these notes." The researcher also suggested Tapplock to pro-actively inform their customers through email about the incident.
Tapplock has released an official statement about the vulnerability, saying it is pushing out an important security patch to address it.
“Please be attentive to update your app once it becomes available to your region,” the company said. “We highly recommend you also upgrading the firmware of your locks to get the latest protection. This patch addresses several Bluetooth / communication vulnerabilities that may allow unauthorised users to illegal gain access. Tapplock will continue to monitor the latest security trends and provide updates from time to time.”