Easy-to-pick “smart” locks gush personal data, FTC finds

Fancy anti-pry technology? Sure, maybe. Secure in any other way? Not so much.

Kate Cox – Apr 7, 2020 2:45 pm | 94

Sure, the locker's locked for now. The companion app and the user's personal data, on the other hand... Credit: Tapplock

A padlock—whether it uses a combination, a key, or “smart” tech—has exactly one job: to keep your stuff safe so other people can’t get it. Tapplock, Inc., based in Canada, produces such a product. The company’s locks unlock with a fingerprint or an app connected by Bluetooth to your phone. Unfortunately, the Federal Trade Commission said, the locks are full of both digital and physical vulnerabilities that leave users’ stuff, and data, at risk.

The FTC’s complaint (PDF) against Tapplock, released Monday, basically alleges that the company misrepresented itself, because it marketed its products as secure and tested when they were neither. A product—any product—simply being kind of crappy doesn’t necessarily fall under the FTC’s purview. Saying untrue things about your product in your advertisement or privacy policy, however, will make the commission very unhappy with you indeed.

“We allege that Tapplock promised that its Internet-connected locks were secure, but in fact the company failed to even test if that claim was true,” Andrew Smith, director of the FTC’s Bureau of Consumer Protection, said in a written statement. “Tech companies should remember the basics—when you promise security, you need to deliver security.”

Tapplock’s advertisements say its flagship product, the Tapplock One, can store up to 500 user fingerprints and can be connected to an “unlimited” number of devices through the app—a design optimized for something many people need to be able to access and for which handing off a physical key is impractical. To make the $99 lock work, Tapplock collects a great deal of personal information on its users, including usernames, email addresses, profile photos, location history, and the precise location of a user’s lock.

According to the complaint, Tapplock’s privacy policy promised, “we take reasonable precautions and follow industry best practices to make sure [personal information] is not inappropriately lost, misused, accessed, disclosed, altered, or destroyed.” However, almost a year ago—in June 2018—three separate security researchers identified “critical physical and electronic vulnerabilities” in the locks.

Screwed

The lock may be built with “7mm reinforced stainless steel shackles, strengthened by double-layered lock design with anti-shim and anti-pry technologies,” as Tapplock’s website promises, but according to the FTC, perhaps it should have considered anti-screwdriver technologies. As it turns out, a researcher was able to unlock the lock “within a matter of seconds” by unscrewing the back panel. Oops.

The complaint also pointed to several “reasonably foreseeable” software vulnerabilities that the FTC alleges Tapplock could have avoided if the company “had implemented simple, low-cost steps.”

One vulnerability security researchers identified allowed a user to bypass the account authentication process entirely in order to gain full access to the account of literally any Tapplock user, including their personal information. And how could this happen? “A researcher who logged in with a valid user credential could then access another user’s account without being re-directed back to the login page, thereby allowing the researcher to circumvent Respondent’s authentication procedures altogether,” the complaint explains.

A second vulnerability allowed researchers the ability to access and unlock any lock they could get close enough to with a working Bluetooth connection. That’s because Tapplock “failed to encrypt the Bluetooth communication between the lock and the app,” leaving the data wide open for the researchers to discover and replicate.

The third vulnerability outlined in the complaint also has to do with a failure to secure communication data. That app that allows “unlimited” connections? The primary owner can of course add and revoke authorized users from the lock. But someone whose access was revoked could still access the lock because the vulnerability allowed for sniffing out the relevant data packets.

How’d this happen?

And how did Tapplock fail to discover any of these weaknesses? Because the company did not have a security program prior to the third-party researchers’ discoveries, the FTC alleges.

The settlement, in which Tapplock does not admit to any wrongdoing, requires the company to create—and provide extensive documentation of—a security program for its products. That program is required to include training for employees; timely disclosure of “covered incidents,” including both loss of personal information and also unauthorized access to systems; actual penetration testing of the network; and several other elements, including annual review.