Easy-To-Pick 'Smart' Locks Gush Personal Data, FTC Finds (arstechnica.com) 59
An anonymous reader quotes a report from Ars Technica: A padlock -- whether it uses a combination, a key, or "smart" tech -- has exactly one job: to keep your stuff safe so other people can't get it. Tapplock, Inc., based in Canada, produces such a product. The company's locks unlock with a fingerprint or an app connected by Bluetooth to your phone. Unfortunately, the Federal Trade Commission said, the locks are full of both digital and physical vulnerabilities that leave users' stuff, and data, at risk. The FTC's complaint (PDF) against Tapplock, released Monday, basically alleges that the company misrepresented itself, because it marketed its products as secure and tested when they were neither. A product -- any product -- simply being kind of crappy doesn't necessarily fall under the FTC's purview. Saying untrue things about your product in your advertisement or privacy policy, however, will make the commission very unhappy with you indeed.
The lock may be built with "7mm reinforced stainless steel shackles, strengthened by double-layered lock design with anti-shim and anti-pry technologies," as Tapplock's website promises, but according to the FTC, perhaps it should have considered anti-screwdriver technologies. As it turns out, a researcher was able to unlock the lock "within a matter of seconds" by unscrewing the back panel. Oops. The complaint also pointed to several "reasonably foreseeable" software vulnerabilities that the FTC alleges Tapplock could have avoided if the company "had implemented simple, low-cost steps."
One vulnerability security researchers identified allowed a user to bypass the account authentication process entirely in order to gain full access to the account of literally any Tapplock user, including their personal information. And how could this happen? "A researcher who logged in with a valid user credential could then access another user's account without being re-directed back to the login page, thereby allowing the researcher to circumvent Respondent's authentication procedures altogether," the complaint explains. A second vulnerability allowed researchers the ability to access and unlock any lock they could get close enough to with a working Bluetooth connection. That's because Tapplock "failed to encrypt the Bluetooth communication between the lock and the app," leaving the data wide open for the researchers to discover and replicate. The third vulnerability outlined in the complaint also has to do with a failure to secure communication data. That app that allows "unlimited" connections? The primary owner can of course add and revoke authorized users from the lock. But someone whose access was revoked could still access the lock because the vulnerability allowed for sniffing out the relevant data packets. As part of the settlement, the FTC is requiring Tapplock to create a security program for its products. "That program is required to include training for employees; timely disclosure of 'covered incidents,' including both loss of personal information and also unauthorized access to systems; actual penetration testing of the network; and several other elements, including annual review," reports Ars Technica.
The lock may be built with "7mm reinforced stainless steel shackles, strengthened by double-layered lock design with anti-shim and anti-pry technologies," as Tapplock's website promises, but according to the FTC, perhaps it should have considered anti-screwdriver technologies. As it turns out, a researcher was able to unlock the lock "within a matter of seconds" by unscrewing the back panel. Oops. The complaint also pointed to several "reasonably foreseeable" software vulnerabilities that the FTC alleges Tapplock could have avoided if the company "had implemented simple, low-cost steps."
One vulnerability security researchers identified allowed a user to bypass the account authentication process entirely in order to gain full access to the account of literally any Tapplock user, including their personal information. And how could this happen? "A researcher who logged in with a valid user credential could then access another user's account without being re-directed back to the login page, thereby allowing the researcher to circumvent Respondent's authentication procedures altogether," the complaint explains. A second vulnerability allowed researchers the ability to access and unlock any lock they could get close enough to with a working Bluetooth connection. That's because Tapplock "failed to encrypt the Bluetooth communication between the lock and the app," leaving the data wide open for the researchers to discover and replicate. The third vulnerability outlined in the complaint also has to do with a failure to secure communication data. That app that allows "unlimited" connections? The primary owner can of course add and revoke authorized users from the lock. But someone whose access was revoked could still access the lock because the vulnerability allowed for sniffing out the relevant data packets. As part of the settlement, the FTC is requiring Tapplock to create a security program for its products. "That program is required to include training for employees; timely disclosure of 'covered incidents,' including both loss of personal information and also unauthorized access to systems; actual penetration testing of the network; and several other elements, including annual review," reports Ars Technica.
LPL (Score:5, Informative)
Re:LPL (Score:5, Funny)
These guys deserve an award.
They made their lock vulnerable to practically everything I can think of: physically easily to compromise (screwdriver) CHECK, vulnerable to man in the middle attacks CHECK, poorly designed web site CHECK, motor not shielded from magnetic manipulation CHECK, etc.
Did they actually try to catch them all?
Re: LPL (Score:1)
perhaps it should have considered anti-screwdriver technologies. As it turns out, a researcher was able to unlock the lock "within a matter of seconds" by unscrewing the back panel.
It sounds like a project designed by a bunch of web programmers. I bet they used the latest flavor of coding for the software part.
Re: LPL (Score:2)
Don't call them programmers.
We have a nice term for that: Script kiddies.
Re: (Score:2)
Probably lack of QA testings. Or made a fake lock! :(
Re:LPL (Score:4, Funny)
He's a true professional. A week ago he even helped his ex-girlfriend with her back door [youtube.com] access.
Re: (Score:2)
He's got flawless delivery. Hell I can't watch any of his April 1st videos without giggling, and it looks like he does them in one take.
Re: (Score:2)
Why anyone would buy one of these instead of a good high-security lock (some of which can be had for less than the cost of this piece of junk) such an Abloy Protec or a Forever Lock or a Squire SS100CS or a BiLock is beyond me.
Encouraging (Score:5, Insightful)
An IoT padlock makes about as much sense as... (Score:4, Insightful)
... a Bluetooth refrigerator. I mean, what could possibly go wrong? They are hard to get right in the first place... let's add buffer overflows to bypasses. There are actually lock innovators in Canada without resorting to the "let's add network" approach to innovation. https://www.bowleylockcompany.com/ comes to mind. Sometimes less is more.
That Bowley lock is interesting. But Medeco (Score:4, Interesting)
That Bowley design is very interesting. It looks pretty sefure from picking and similar stealthy entry. Very cool innovation. Not super beefy as far as forced entry.
On the other hand, a good Medeco would cost less and Medeco has stood the test big time. Bowley might do well to lick their patent to Medeco, if they have a good patent. At this point, it looks like he had a great idea but hasn't executed it all that well. Medeco could execute it better and customers would have the full advantage of his idea - his pick-proofing idea in a well made lock at a lower price than he's charging.
Re: (Score:2)
Pretty darn well (Score:3)
Medecos have hardened rolling parts inside to ruin drill attacks. Medeco makes several different locks, but generally you'd be better off attacking the door than the lock, if there is Medeco on the door.
As far as padlocks go, if you can get your bolt cutters on this I'd like to see what the jaws of your cutters look like after chewing on cobalt:
https://www.medeco.com/en/prod... [medeco.com]
Re: (Score:2)
I guess you never had any friends or family visit your home... and found that you were elsewhere?
IF, which is a big if, internet connected lock work properly, you could have let your friends/family enter your home and wait for you, while you were out jogging or buying grocery. Some people may even choose to let delivery people enter to leave the package inside, rather than risk it getting stolen.
Not to mention the convenience of not having to carry keys with you when most people already carried their phone
Re: (Score:2)
Maybe 20 years ago. Now it's easy to coordinate by phone.
That's a bit of a trap, though. Quite a few of the designs I've seen use a battery, and if the battery runs out then you need to fall back to a physical key.
Re:An IoT padlock makes about as much sense as... (Score:4, Funny)
Another advantage of a smart lock is that you can get in even if you forget the code. Just find an open window and yell "Alexa, unlock the front door."
Re: An IoT padlock makes about as much sense as... (Score:1)
And so can I.
Signed,
Thief van Thiefson, Lord of Thiefshirecastershire (pronouced "Thiefshr")
Re: (Score:2)
Just find an open window and yell "Alexa, unlock the front door."
Or climb in the window.
Re:An IoT padlock makes about as much sense as... (Score:5, Informative)
As for IoT locks, they make plenty sense in certain applications, for instance hotels or other places where you might want to remotely manage access or want to do away with the hassle of managing physical keys. And in most cases, the problem isn't the IoT part. The problem is that most electronic locks are of poor design and build quality. No need for anything as advanced as a buffer overflow, in most cases a shim, magnet or screwdriver will make quick work of these locks. The fact that this particular company also leaked customer info is just icing on the cake. And yet another reason to ask IoT companies to not require customers to sign up with their damn service, if that "service" isn't strictly necessary for operating the product. Almost any IoT product will still be 100% functional with the online service being made optional.
Re: An IoT padlock makes about as much sense as... (Score:1)
Hotel rooms are instances where there is little of value secured behind the lock.
Re: (Score:2)
... a Bluetooth refrigerator. I mean, what could possibly go wrong?
I resemble that remark. My spouse bought a Samsung smart refrigerator for our kitchen. It can link to my phone and play my favorite tunes while I fix dinner. The speakers are superb.
If a good sound system is something you look for in a fridge, it can be a very wise choice.
Re: (Score:2)
Personally, I use my 5.1 cinema-surround-sound system to chill my beers.
two jobs (Score:1)
count the jobs. one, two.
Re: (Score:2)
It's an IoT device, so the second job is most likely "Send any and all of your private data to its maker".
IoT devices may fail their first job, but they generally do the second one flawlessly.
Locks should be done by Lock companies (Score:4, Insightful)
Anyone who thinks that they can build a lock out of the blue through sheer force of Valley Start-up Californication is very sorely mistaken.
Leave locks to lock companies. Seriously. Building a reliable and secure lock is not easy.
Re:Locks should be done by Lock companies (Score:5, Insightful)
Half the problem is that Smart Locks are made by Lock companies, who are strong in physical security but clueless in cybersecurity. The other half of the problem is the rest of the Smart Locks are made by IoT bandwagon startups, who are clueless in both.
Re: Locks should be done by Lock companies (Score:1)
Well, they should not have Internet access or electronics at all.
But you're clearly not a expert, given your usage of the word "cyber".
Re: (Score:2)
Most lock companies are clueless about physical security too. Take a look at The Lockpicking Lawyer on Youtube, so many locks have some ridiculous design defect that makes it easy to open.
Re: (Score:2)
Re: (Score:2)
Agreed. There are standards and practices for validating both physical and IoT security. Some two bit startup doesn't have the resources or process in place to take these steps. A large company that has a reputation to protect does. Nobody wants to be on the front page of Slashdot or CNN or some industry newsletter with a vulnerability.
Also, brand names have a wide variety of quality levels. It should be no surprise that a $1500 lock on a custom steel door with a reinforced door jam is much more secure
Re: (Score:2)
It's closer to 4 millennia, that we know of. Wikipedia says the oldest known example is a tumbler lock from some palace in Iraq.
Canadians (Score:2)
Really, though, it is true in the US as well. Most of us see a lock not a something that really secures something, but more of a social contract. I put a lock on this, I am saying that I have done my part and now it is your duty not to take my stuff.
I recall that i would attach by back tire of my back to the frame and secure the bike with the fancy bike lock. If I did not I would get the back part stolen. On the other han
Re: (Score:2)
BS. A closed door or merely the fact that an item isn't yours is enough of a social contract to discourage honest people.
The point of a lock is to make it more inconvenient for
Re: Canadians (Score:1)
There definitely are thieves who steal parts!
*Especially* wheels and saddles.
Maybe you don't use bikes a lot where you're from, but here in western/northern Germany and BeNeLux, you better secure your front wheel and take off your saddle if it is easy to remove, or if you ever leave it over night, it will be gone!
Hell, we literally had kids at my school who rode around on bikes made from nothing but mismatched parts stolen from other bikes!
And that was 2.5 decades ago.
But I've seen such a bike last year. XT
Befuddle Them Crooks (Score:5, Funny)
My doors use metal keys. My garage door has no remote opener and has to be unlocked with another metal key and opened by hand. My car has a manual transmission. My truck has cranks to open the windows. My technology is completely inaccessible to anyone under 50.
Re: Befuddle Them Crooks (Score:1)
Excuse me, but I'm 40, and I have no problems with anything old except computers from before the late 70s (like mainframes).
My youngest brother definitely would fail to access your stuff though. :)
Re: (Score:2)
...or Lives outside the USA - Manual cars the the norm in the rest of the World ..
Re: (Score:3)
If you really want to deter theft get a car with a manual choke, or even better a starter crank handle.
I had a manual choke once. Sold it to a friend, someone tried to steal it from them but couldn't get it to run for more than a second or two. They kept trying though and were caught red handed by my friend.
Re: (Score:2)
Very common (Score:3)
A lot of these access control devices are designed by people who have no concept of security whatsoever...
For instance, there are numerous fingerprint readers where the entire unit sits on the outside of the door. You can simply remove the unit, connect an identical/compatible one in its place and open the door.
If it were properly designed, only a dumb reader would be sitting on the outside and the actual decision making part would sit inside where you can't get access to it. That way even if you replace the the reader, all you can do is send authentication attempts to the actual processor which will reject them unless you guess the correct data to send.
Re: (Score:3)
You don't even have to go to all that trouble in most cases. Just get a strong magnet and run it around the edges until you trigger the relay that causes it to unlock. Works on many split systems too because most of them just use a dry contact from the reader to signal when they should open.
The ones that use cards more commonly send the data back to the "intelligent" part because they are often networked to make access control easier to manage.
Re: (Score:2)
IoT locks are garbage (Score:5, Interesting)
I have been auditing a lot of IoT devices. Among them, a lot of IoT locks. Not one of them, not a single one, was actually secure. If you think you know one that is, please tell me, I'd be happy to audit it.
IoT devices have one cardinal flaw, all of them: They are designed by people who are probably good at what the primary function of the device is, but they have ZERO experience with IT security and the companies that make those things usually are not able or willing to hire people who can actually create secure IT appliances. And no later than at the combination of a real-world item with an IT appliance, security gets borked.
Yes, it is possible to create a secure IoT device. But the cost would probably be prohibitive. To create a secure IoT lock, you need people who know locks, you need people who know IT security and you need them to be able to work together so seamlessly that they don't introduce flaws at the interface between the physical world and the internet component. Doing this is actually not as trivial at it may seem.
Saying untrue things about your product... (Score:1)
So you are saying they should have done it like the professionals, and lied by *omission* and suggestion?
Because apparently, since it exists, the FTC simply calls that sort of crime "advertisement".
I hear (Score:2)
Hiring Amatures to do a Professionals Job (Score:3)
The problem is most companies have been cheapping out in software development. It isn't that IoT is bad, or insecure by nature. But many of these companies are not putting in Consumer Grade Software (which is actually better written then enterprise-grade software). So they are building products that are based on code from that guy who took the boot camp in Python and Rasberry PI. Sure the software once gets the correct signal will just need to send the Open Command to the lock. Easy coding for anyone. But it takes an experienced development team to turn this simple code into a secure product meant for general use. Because most of this stuff is actually easy to perform the tasks, it means when hackers get in, they can do those tasks just as easily. Most IoT security is just limited to its interface layer. You don't know the password that means you stuck right? except for the fact that they left the web services code open, or worse the database openly visible.
I haven't worked for an IoT company, but I have created consumer-grade software and working with some Jr. Devs I am a pain, pointing out where we could get in, and not being happy until none of the development staff has a backdoor or trick, without full authentication, and if they left the company, and their accounts deactivated they wouldn't be able to access the product they help build.
Most devs don't think about security and just rely on buzzwords to help them. Yes, you Salted your Password Hash table, but here is where you can get in without a password at all. Oh, you are using session keys... But they are easily guessed, or when it is blank, a new one is given without full authentication. Also, this session key doesn't expire. So if you walked away from your PC. Someone can get it, and log into their own computer with it. Encryption is good, but there is a point in the code where it isn't encrypted, as you need to handle the data, and that part doesn't have any security around it.
This type of stuff turns a 1 week build into a 3 month build. And it is expensive. However, if your product is going to the masses we can't afford to have holes, and unlike enterprise solutions, we just can't yell at the customer for doing something stupid in their product.
Is it Freon-and-hammer-proof (Score:1)
Remember "The Club"? It was a steering-wheel lock popular in the 1990s.
It was easily defeated by a can of freon and a sledgehammer. Chill the "Club" enough and it becomes brittle enough to break with a sledgehammer.
Sometimes, old-fashioned is best (Score:3)
I'm all for the convenience and whiz-bang factors associated with gadgets. But sometimes, for cases like this, the old-fashioned KISS principle holds true. When I leave my house, I simply turn the lock button and the deadbolt knob and I know the door is secure. I don't have to worry about a hacker or dead batteries or bad wifi or any of that to know my home is secure.
Re: (Score:2)
I heartily agree!
Everything "smart" and requiring an app on your phone stinks of too many eggs in one basket.
Convenience comes at a price. It's not usually worth it. Because I have kids, I can hardly ever find the TV Remote, so I get up and walk across the living room to turn the TV on or off and change the volume. I wish the buttons and dials were still in the front of the TV like the old days. I wish the ROKU even had buttons!
Dumb people like smart technology (Score:2)
Video of Tapplock Being Cracked (Score:2)
https://youtu.be/RxM55DNS9CE?t... [youtu.be]
Twist off back, unscrew a couple screws, unlock.