Tapplock Smart Lock Isn't So Smart About Security
Home security is getting smarter, or at least that's what the fast-growing smart home market would have you believe. Pundits, however, keep warning that the rush to IoT breeds lapses in security, and that warning has been borne out time and again. Nowhere is it more troubling than when the smart device in question is the lock itself. One newcomer to that market is Tapplock, and its fingerprint-secured smart lock may not be so secure after all.
If this were baseball, Tapplock would already have three strikes against it. The first came from the YouTube channel JerryRigEverything, famous for its smartphone durability tests and teardowns. This time he tears down the Tapplock One, twice, to see how hard or easy it is to get inside. The answer is the latter, although just how easy seems to depend on whether you received a defective unit. Strike one for quality control, which is a frightening strike for a lock.
Beyond the hardware, Tapplock may also have taken a few shortcuts in software. Pen Test Partners set out to break into the lock digitally and say it took them only 45 minutes to work out how; once that work is done, walking up to any Tapplock and unlocking it takes about two seconds. Despite advertising AES-128 "military-grade" encryption, Tapplock skimps elsewhere. Its app does not use HTTPS to talk to the server, for example, and the lock's own Bluetooth MAC address, which it broadcasts to everyone in range, serves as one of the critical inputs for unlocking it over Bluetooth. A secret built from a value the device announces to the world is no secret at all.
IoT security tester Vangelis Stykas took an even less arduous route, starting from the Tapplock app itself. The app lets an owner grant and revoke access for additional users, but once access is granted, that other user can see all of the owner's data. Worse, the data used to unlock a Tapplock never changes, not even after the lock is deleted from an account, so adding someone grants them permanent access to the lock. And the adding can be done by anyone who can guess a lock's ID, which is trivial because Tapplock's IDs are simple incrementing numbers: an attacker just steps through them one at a time.
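To make the API problem concrete, here is a small Python model, written for this article and not Tapplock's actual code, of the three weaknesses just described: a "share" endpoint that never checks that the caller owns the lock, lock IDs that are small incrementing integers, and unlock data that stays valid after access is revoked. The class names, the toy key format, and the assumption that a hardened backend can push a rotated key to the lock at the owner's next sync are all illustrative choices, not details from the research.

```python
"""Toy model of an insecure lock-sharing API beside a hardened one.
Hypothetical code for illustration; not Tapplock's implementation."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Lock:
    lock_id: str
    owner: str
    unlock_key: str                       # what a phone presents over BLE to open the lock
    shared_with: set = field(default_factory=set)

    def accepts(self, key: str) -> bool:
        """Models the physical lock: it opens for whatever key it currently holds."""
        return secrets.compare_digest(key, self.unlock_key)


class VulnerableBackend:
    """Reproduces the behaviour described in the article."""

    def __init__(self):
        self.locks = {}
        self._next_id = 1

    def register(self, owner: str) -> Lock:
        lock = Lock(str(self._next_id), owner, secrets.token_hex(8))
        self._next_id += 1                # sequential, so every lock ID is guessable
        self.locks[lock.lock_id] = lock
        return lock

    def share(self, caller: str, lock_id: str, grantee: str) -> bool:
        lock = self.locks.get(lock_id)
        if lock is None:
            return False
        lock.shared_with.add(grantee)     # BUG: never checks that caller owns the lock
        return True

    def revoke(self, caller: str, lock_id: str, grantee: str) -> None:
        self.locks[lock_id].shared_with.discard(grantee)
        # BUG: the key the lock accepts is unchanged, so a copy fetched earlier still opens it

    def unlock_data(self, caller: str, lock_id: str):
        lock = self.locks[lock_id]
        if caller == lock.owner or caller in lock.shared_with:
            return lock.unlock_key
        return None


class HardenedBackend(VulnerableBackend):
    """Random IDs, object-level authorization on share/revoke, key rotation on revoke."""

    def register(self, owner: str) -> Lock:
        lock = Lock(secrets.token_hex(16), owner, secrets.token_hex(8))  # unguessable ID
        self.locks[lock.lock_id] = lock
        return lock

    def share(self, caller: str, lock_id: str, grantee: str) -> bool:
        lock = self.locks.get(lock_id)
        if lock is None or caller != lock.owner:   # only the owner may grant access
            return False
        lock.shared_with.add(grantee)
        return True

    def revoke(self, caller: str, lock_id: str, grantee: str) -> None:
        lock = self.locks[lock_id]
        if caller != lock.owner:
            return
        lock.shared_with.discard(grantee)
        # Assumption: the owner's phone pushes the rotated key to the lock on next sync,
        # so any key the revoked user cached is now useless.
        lock.unlock_key = secrets.token_hex(8)


def enumerate_and_share(backend, attacker: str, id_space):
    """Step through candidate IDs and try to add ourselves to each lock."""
    stolen = {}
    for lock_id in id_space:
        if backend.share(attacker, lock_id, attacker):
            stolen[lock_id] = backend.unlock_data(attacker, lock_id)
    return stolen


def run_enumeration(backend_cls):
    """Returns (attacker opened lock after enumeration, still opens it after owner revokes)."""
    backend = backend_cls()
    victim_lock = backend.register("alice")
    id_space = [str(i) for i in range(1, 1000)]        # attacker guesses small integers
    stolen = enumerate_and_share(backend, "mallory", id_space)
    opened = any(victim_lock.accepts(k) for k in stolen.values())
    backend.revoke("alice", victim_lock.lock_id, "mallory")
    still_opens = any(victim_lock.accepts(k) for k in stolen.values())
    return opened, still_opens


def stale_key_after_revoke(backend_cls) -> bool:
    """Legitimately shared user caches the key; does it still work after revocation?"""
    backend = backend_cls()
    lock = backend.register("alice")
    backend.share("alice", lock.lock_id, "bob")
    bob_copy = backend.unlock_data("bob", lock.lock_id)  # bob's phone stores this
    backend.revoke("alice", lock.lock_id, "bob")
    return lock.accepts(bob_copy)


if __name__ == "__main__":
    print("vulnerable:", run_enumeration(VulnerableBackend), stale_key_after_revoke(VulnerableBackend))
    print("hardened:  ", run_enumeration(HardenedBackend), stale_key_after_revoke(HardenedBackend))
```

Against the vulnerable backend the attacker opens the lock by guessing its ID and keeps opening it after being revoked; against the hardened one the enumeration finds nothing, and even a user who was legitimately granted access loses it the moment the owner revokes, because the lock's key changes. The fix that matters most is the ownership check on `share`; random IDs only make enumeration impractical, they do not replace authorization.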
All in all, Tapplock seems to offer little protection against hackers, the very people who would relish the challenge of breaking into such a fancy high-tech lock. It could simply be growing pains, but with the $100 lock already on the market, it may be hard to put the genie back in the bottle.