Emergent Tech

Internet of Things

Remember Tapplock, the 'unbreakable' smart lock that was allergic to screwdrivers? The FTC just slapped it down for 'deceiving' folks

And you can still open its improved version with a strong magnet

Got Tips? 52

The manufacturer that claimed its Bluetooth-connected fingerprint-reading smart lock was “unbreakable,” only to find it being opened in seconds by someone armed with nothing more than a mount and a screwdriver, has been slapped down by a US watchdog.

Tapplock “did not take reasonable measures to secure its locks, or take reasonable precautions or follow industry best practices for protecting consumers’ personal information,” the FTC alleged [PDF] in its formal complaint. “In fact, [TappLock] did not have a security program prior to the discovery of the vulnerabilities.”

Yes, it wasn’t just the fact the back of the $100 metal smart lock could be twisted off with a suitable mount and unscrewed with a normal screwdriver to defeat it. Its Canadian maker, which was funded through an Indiegogo campaign, had also failed to protect its online user accounts, did not encrypt the connection between its smartphone app and backend servers, and introduced a security hole that allowed anyone nearby to sniff Bluetooth packets between the app and lock, and use that info to unlock the gizmo.

The FTC accused the company of "deceiving" folks by falsely claiming the lock was “unbreakable” and not having taken “reasonable steps” to secure user data. The biz has settled with the federal watchdog, agreeing to “implement a comprehensive security program and obtain independent biennial assessments of the program.”

Unbreakable smart lock devastated to discover screwdrivers exist


Under the usual FTC settlement [PDF] terms, the manufacturer “neither admits nor denies any of the allegations” but there is long list of requirements it now has to follow.

These include naming a specific employee to be in charge of its new security program, providing reports on any future security incidents, training all its employees once a year on data privacy, putting in place various technical measures to protect users’ personal information, and running an annual review on its systems and security, including penetration testing.

Three holes

Infosec experts had found that one security hole in Tapplock’s API enabled them to bypass its account authentication process and gain full visibility of all user accounts, including usernames, email addresses, profile photos, location history, and precise geolocation of smart locks.

A second vulnerability could be exploited to lock and unlock any nearby Tapplock smart lock: its firmware broadcast its Bluetooth MAC address over the airwaves, and used that same MAC address to calculate the key used to lock and unlock the device. Anyone within radio range could thus figure out its digital key and unlock it. A third vulnerability prevented users from revoking access to their smart lock once other users had access to it, making the device permanently unsafe. It also did not use HTTPS between the app and its API servers.

To its credit, when faced with the deluge of criticism and bad press back in 2018, Tapplock did immediately try to fix things, and a year later, in July 2019, released a redesigned lock that it challenged people to hack. And it had some success with it. But then, just a week ago, the new lock was again bypassed by someone using nothing more than a $25 strong magnet, which you can see below:

Despite avoiding a big fine, the FTC made it clear that it will be keeping an eye on Tapplock. The regulator's director of consumer protection Andrew Smith noted that the biz had failed to even test its security boasts. “Tech companies should remember the basics – when you promise security, you need to deliver security,” he said. ®

Sign up to our NewsletterGet IT in your inbox daily


Keep Reading

FTC kicks feet through ash pile that once was Cambridge Analytica with belated verdict

Trade boss says long-dead biz was indeed deceiving the public

AT&T subscribers back in court to crack open telco giant's $60m FTC settlement over limited 'unlimited data' plans

Updated Hey, no looking, that paperwork's private, says network operator

Simons says don't push us: FTC boss warns regulator could totally break up big tech companies if it wanted

Spoiler alert: It won't

Oh good, the FTC has discovered acqui-hires... American watchdog to probe decade of Big Tech takeovers

Hope they've got a dump truck or three to deliver paperwork covering years of acquisitions

Qualcomm gets to keep its chip tech to itself – for now – after federal agencies gang up on FTC

Ninth Circuit approves partial stay on injunction

FTC fines Facebook $5bn for making users believe they actually had control over their data

Privacy Board to keep tabs on potential naughtiness at the antisocial network

AT&T: We did nothing wrong in promising unlimited data that wasn't. We're just giving the FTC $60m for fun

Comment Watchdog agrees one day of profit ought to be enough after 5 years of arguing

If you could forget the $125 from Equifax and just take the free credit monitoring, that would be great – FTC

Not enough settlement cash to go around, sighs watchdog

Cough up, like, 1% of your valuation and keep up the good work, says FTC: In draft privacy deal, Facebook won't have to change a thing

Proposed settlement over Cambridge Analytica brouhaha slammed as ‘a mosquito bite’

FTC gets back to work: Now, where were we? Break up Facebook and fine it $2bn, you say?

Advocacy groups: Force 'em to 'disgorge' data slurped up from Instagram, WhatsApp

Tech Resources

Webcast Slide Deck | Ransomware has gone nuclear

A new generation of attackers are crafting plans to cause the most panic, pain, and operational disruption. They will take the time to maximize your organization’s potential damage and also their payoff -- not just encrypting your data, but stealing it and posting it publicly if you don’t play ball. Join Roger Grimes from KnowBe4 and Tim Phillips from The Reg for a RegCast in which they will be sounding the ransomware emergency klaxon.

Securing Remote Users with Rapid7

The traditional network perimeter? Not so traditional anymore.

CyberArk Alero Delivers Remote Third-Party Access Without Agents or Passwords

Alero provides ‘secure zero trust access’ that enables third-parties to access critical internal resources without VPNs, passwords or installing agents.

How to simplify data protection on Amazon Web Services

The way we backup and restore has changed, but the outcomes are often just as bad. If you’re waiting hours to restore, or keeping terabytes of data because you don’t know if you can delete it, you’re wasting your time and your money. So imagine a service that restores in seconds, even individual files. Join Sebastian Straub, N2WS’s “personable IT magician” and Danny Michael, Head of IT at Gett, who promise to show us a better way in a live Regcast.