Slashdot Mirror

← Back to Stories (view on slashdot.org)

The 'World's Worst' Smart Padlock Is Even Worse Than Previously Thought (sophos.com)

Posted by BeauHD on from the bad-at-its-job dept.

Last week, cybersecurity company PenTest Partners managed to unlock TappLock's smart padlock within two seconds. They "found that the actual code and digital authentication methods for the lock were basically nonexistent," reports The Verge. "All someone would need to unlock the lock is its Bluetooth Low Energy MAC address, which the lock itself broadcasts." The company also managed to snap the lock with a pair of 12-inch bolt cutters.

Today, Naked Security reports that it gets much worse: "Tapplock's cloud-based administration tools were as vulnerable as the lock, as Greek security researcher Vangelis Stykas found out very rapidly." From the report: Stykas found that once you'd logged into one Tapplock account, you were effectively authenticated to access anyone else's Tapplock account, as long as you knew their account ID. You could easily sniff out account IDs because Tapplock was too lazy to use HTTPS (secure web connections) for connections back to home base -- but you didn't really need to bother, because account IDs were apparently just incremental IDs anyway, like house numbers on most streets. As a result, Stykas could not only add himself as an authorized user to anyone else's lock, but also read out personal information from that person's account, including the last location (if known) where the Tapplock was opened.

Incredibly, Tapplock's back-end system would not only let him open other people's locks using the official app, but also tell him where to find the locks he could now open! Of course, this gave him an unlocking speed advantage over Pen Test Partners -- by using the official app Stykas needed just 0.8 seconds to open a lock, instead of the sluggish two seconds needed by the lock-cracking app.

139 comments

  1. Dont use on Manafort's ankle bracelet. Lock Him Up by Anonymous Coward · · Score: 0, Troll

    Oh wait, we don't need to monitor Trump's campaign manager's location, because they locked him up in prison.

    He'll be drinking toilet wine with Moscow Donald before long...

  2. where do I sign up? by ole_timer · · Score: 1

    wow - sign me up!

    --
    nothing to see here - move along
  3. Where do they find these people? by omnichad · · Score: 5, Insightful

    It's almost like hiring people straight out of college for pennies (or getting free interns) for your startup is a bad idea.

    1. Re:Where do they find these people? by ole_timer · · Score: 2

      maybe criminals started it? they sell leads on which house to break in?

      --
      nothing to see here - move along
    2. Re:Where do they find these people? by omnichad · · Score: 3, Insightful

      Then they're just as dumb at being criminals. You still want to be in control of the data you're selling.

    3. Re:Where do they find these people? by ole_timer · · Score: 1

      dumb = criminal = usual dumb crimianl smart = criminal = politician

      --
      nothing to see here - move along
    4. Re:Where do they find these people? by sjames · · Score: 2

      Not necessarily. They need plausible deniability when they start emptying out people's storage.

    5. Re:Where do they find these people? by Anonymous Coward · · Score: 0

      Well, there is this argument.

      "What is the security? Is there no pen-testing done? Reviews? Anything?"
      "We need pen-testers for this product!"
      "Hire some pennies for us!"
      "Find us some people willing to work for pennies!"
      "Yes sir!"

  4. They should just go with it by istartedi · · Score: 5, Funny

    Just make it a social networking program. You log in, everybody sees your data. They're already half way to being FaceBook. Social is where it's at. Nobody wants real security. They want companionship. This company could be perfectly positioned to combine a new kind of security with a new kind of social network. They could call it Social Security.

    --
    For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
    1. Re:They should just go with it by Anonymous Coward · · Score: 0

      They could call it Social Security.

      And they could announce an Indiegogo program to make the other people pay for it. Or maybe even Mexico. They should also create a Support Net to provide the back-end services.

  5. They're vulnerable to bolt cutters by Anonymous Coward · · Score: 0

    Give me a pat on the back for being 1337 h4x0r

    1. Re:They're vulnerable to bolt cutters by Anonymous Coward · · Score: 1

      I was confused by that as well. While some might be more vulnerable than others, all locks are vulnerable to bolt cutters. So is 12 inches supposed to indicate that it is on the more vulnerable end of the spectrum, or the less vulnerable end?

    2. Re: They're vulnerable to bolt cutters by Anonymous Coward · · Score: 0

      More. A 12 inch bolt cutter is rather small. My larger one has handles nearly 4 feet long and my small one is maybe 18 inches.

    3. Re:They're vulnerable to bolt cutters by Anonymous Coward · · Score: 0

      It's pretty bad. That's inherent to the 7 mm shackle, though.

    4. Re:They're vulnerable to bolt cutters by Trongy · · Score: 4, Interesting

      It's worse than that - the guy on this youtube video opens it with an adhesive gopro mount and a screwdriver.

    5. Re: They're vulnerable to bolt cutters by Anonymous Coward · · Score: 0

      12" bolt cutters are easier to hide.

      "Are those 12" bolt cutters in your pocket or are you just pleased to see me?"

    6. Re: They're vulnerable to bolt cutters by Anonymous Coward · · Score: 0

      How have you ended up in the strange place where you know that all locks are vulnerable to boltcutters, but don't know that 12" cutters are almost as small as you can get?

    7. Re: They're vulnerable to bolt cutters by Anonymous Coward · · Score: 0

      Hey! My eyes are up here.

    8. Re:They're vulnerable to bolt cutters by Anonymous Coward · · Score: 0

      Actually, it has some to do with the material used (an aluminum alloy) not being as strong as you would want for this sort of thing.

    9. Re: They're vulnerable to bolt cutters by Anonymous Coward · · Score: 0

      There are a lot of padlocks that are bolt cutter proof, and a lot of others that require rather large bolt cutters.

    10. Re:They're vulnerable to bolt cutters by Anonymous Coward · · Score: 0

      According to another report, they made their padlock from a zinc/aluminium alloy, rather than from a hardened steel or something even more tough, like some of the boron alloys. There are plenty of locks out there which can't be cut by regular bolt cutters because they use a seriously hard and tough material for the shackle.

      Then again, if their software is so pathetic, why would you bother using bolt cutters? Beating the software means the owner of the padlock may not know you had access.

  6. end result of crowdfunding by dfghjk · · Score: 4, Insightful

    This is a very predictable result of crowdfunding. No need to demonstrate competence or experience in a market since your funders are even more ignorant.

    Working to get venture capital serves are real purpose, now we see the result when that is bypassed.

    1. Re:end result of crowdfunding by hwihyw · · Score: 1

      Can you post a link to a VC that specializes in lock startups, maybe has some locksmiths and infosec guys on the board. And after you get VC funding, the VC firm audits your hardware/software right? And then has a 3rd party do another audit, right? All paid out-of-pocket by the VC, right?

    2. Re:end result of crowdfunding by Alwin+Henseler · · Score: 4, Interesting

      This is a very predictable result of crowdfunding. No need to demonstrate competence or experience in a market since your funders are even more ignorant.

      For what it's worth: one may regard that as a *feature* of crowdfunding. To tread new ground where no established company would have gone because established company 'knows' it wouldn't work (note the quotation marks). Or for whatever reason chose not to go there.

      Sure that will produce lemons at times. Letting backers' money go to waste. But it can also produce surprises. Products that nobody thought possible. Or things that were possible, but deemed impractical or having no chance in the market.

      Nobody said that backers shouldn't do their homework.

    3. Re:end result of crowdfunding by hwihyw · · Score: 2

      When you buy a product on a shelf, you're already crowdfunding, just after the fact. How many times have you looked up the founders "competence or experience" when buying a lock at Home Depot? What difference does it make if I crowdfund the lock before it's made or after its on a shelf.

    4. Re:end result of crowdfunding by Jeremi · · Score: 2

      What difference does it make if I crowdfund the lock before it's made or after its on a shelf.

      If you don't mind taking a gamble with your crowdfunding money, perhaps it doesn't make a difference.

      If you do want some guarantee of value in exchange for your cash, OTOH, buying a product that's on the shelf gives you the option to research the product's quality before you part with your money, and also (usually) the option to return the product for a replacement or a refund if it turns out not the be suitable for purpose.

      --


      I don't care if it's 90,000 hectares. That lake was not my doing.
    5. Re: end result of crowdfunding by Anonymous Coward · · Score: 0

      If I buy a lock at Home Depot, I sure do do research on which is toughest... further, Home Depot only stock locks that donâ(TM)t do damage to their brand, which eliminates the shittiest ones. By crowd funding, you negate your ability to do research, and you negate the fact that shops check out items they sell before they put them on the shelves.

    6. Re:end result of crowdfunding by nitehawk214 · · Score: 5, Interesting

      Yeah, that is exactly how it works. An actual VC will have the money to hire an expert to review a company's product before investing.

      Otherwise they would just be throwing money away at someone with a good marketing video... .which is exactly what kickstarter is.

      --
      I'm a good cook. I'm a fantastic eater. - Steven Brust
    7. Re:end result of crowdfunding by N1AK · · Score: 1

      How many times have you looked up the founders "competence or experience" when buying a lock at Home Depot?

      Never, it's a stupid question as the product already exists, I can judge judge the product on its merits or in the case of very new products on the recent quality of similar products by the firm. I've seen almost nothing as absurd as your claim that buying a released product is crowdfunding, it's certainly up there as one of the most self-contradictory statements I've seen.

  7. Locks are useless by 110010001000 · · Score: 1

    Go search "Lockpicking lawyer" on Youtube. That guy shows how useless locks are, mechanical or digital.

    1. Re: Locks are useless by Anonymous Coward · · Score: 0

      What about locks of hair?

      Didn't think of that, did you?

    2. Re:Locks are useless by jareth-0205 · · Score: 4, Funny

      Go search "Lockpicking lawyer" on Youtube. That guy shows how useless locks are, mechanical or digital.

      Well, yes, but there are degrees of lawyer. Someone with the right resources can break probably most locks, but your usual criminal will go for the easiest option, which you just don't make be you. You don't have to run faster than the bear, you have to run faster than the man next to you also running away from the bear.

    3. Re:Locks are useless by jareth-0205 · · Score: 1

      "degrees of lawyer"? What the hell am I on today..?

    4. Re:Locks are useless by Anonymous Coward · · Score: 0

      Funny. He is still quite new to lockpicking but has decent presentation. I remember him asking advice on the dark side not so long ago. Now some treat him like a celebrity. Imagine what veteran people know and are wise enough not to say.

      The point of security is to mitigate the risks posed by a Design Basis Threat (DBT) given a resource budget. Most locks are good enough for the DBT they are designed to protect against.

      Want perfect security? Choose to hold nothing valuable enough to secure.

    5. Re:Locks are useless by jwhyche · · Score: 4, Informative

      Most commercial locks are only good for keeping honest people out. If someone really wants to get into a place and has the know how, a lock is nothing more than a slight inconvenience.

      Still I sleep better with a nice dead bolt and a chair against the door.

      --
      I read at +2. If your post doesn't reach that level I will not see or respond to it.
    6. Re:Locks are useless by Anonymous Coward · · Score: 0

      In fact, he recently reviewed a fingerprint lock that exposed the screws needed to disassemble the lock. With a power tool, it would take about 5 seconds to "brute force" that lock. You could do it very covertly with a very small manual screwdriver in under 15 seconds.

    7. Re:Locks are useless by 110010001000 · · Score: 2

      He isn't new. He has been picking locks for a long time. No, most locks are not good enough and he can defeat any lock. I don't know what else there is to "know".

    8. Re: Locks are useless by 110010001000 · · Score: 1

      I stand corrected!

    9. Re:Locks are useless by Calydor · · Score: 1

      Whatever it is, can I have some, please?

      --
      -=This sig has nothing to do with my comment. Move along now=-
    10. Re:Locks are useless by Anonymous Coward · · Score: 0

      He isn't new. He has been picking locks for a long time. No, most locks are not good enough and he can defeat any lock.

      You must be very young.

    11. Re:Locks are useless by ole_timer · · Score: 1

      what do you call a lawyer at the bottom of the ocean? a good start!

      --
      nothing to see here - move along
    12. Re:Locks are useless by sjames · · Score: 5, Informative

      Some locks are for that. Others are designed to force the bad guy to make noise or hang around looking suspicious long enough to get caught. No lock is absolutely PROOF against unauthorized access.

      Another purpose of a lock is to remove plausible deniability. It's hard to say you didn't know you were trespassing if you had to pick or break a lock to get in.

      Same for safes. The crappy ones talk about how they keep people out with absolute security. The good ones talk about how long it will take the bad guy to get in (as they inevitably will if they're determined).

      But locks that can be opened through actions indistinguishable from legitimate access are totally worthless.

    13. Re:Locks are useless by Anonymous Coward · · Score: 0

      So you’ve removed all locks from your house and vehicles? If not, why not?

    14. Re:Locks are useless by arth1 · · Score: 2

      Still I sleep better with a nice dead bolt and a chair against the door.

      A good sized dog in the hallway works even better.

    15. Re:Locks are useless by arth1 · · Score: 1

      Some locks are for that. Others are designed to force the bad guy to make noise or hang around looking suspicious long enough to get caught. No lock is absolutely PROOF against unauthorized access.

      Sarin/polonium filled glass lock? :)

    16. Re:Locks are useless by GuB-42 · · Score: 3, Informative

      Also, bosnianbill

      Locks are not invincible. They can be bypassed, shimmed, bumped, picked, rapped, cut, pulled apart, melted, etc... However, all these attacks require a bit of skill and time, and can make noise, and make you appear suspicious.
      Serious lock certifications usually grade the locks by how long it will take to defeat the lock, no one pretends a lock will never be defeated. In France for example, the highest security level for residential door locks is 15 minutes for a well equipped burglar. Level 1 (which is still considered good) is just 5 minutes with basic tools.

    17. Re: Locks are useless by GuB-42 · · Score: 1

      These are dreadful, but not as bad as locks of war.

    18. Re:Locks are useless by sjames · · Score: 1

      They'll still get in, they just won't enjoy it long if they didn't take precautions. :)

    19. Re: Locks are useless by Anonymous Coward · · Score: 0

      A chair against the door? What kind of hell-hole do you live in?

    20. Re:Locks are useless by Anonymous Coward · · Score: 0

      what do you call a lawyer at the bottom of the ocean?

      your last hope for parole

    21. Re:Locks are useless by jwhyche · · Score: 3

      A good sized dog in the hallway works even better.

      This is Truth. I read a study once that a home invader will most often be deterred by the sound of a dog of any size. With that being said I believe they would be more "deterred" to the sound of a Rottweiler and a Chiwawa.

      --
      I read at +2. If your post doesn't reach that level I will not see or respond to it.
    22. Re: Locks are useless by Anonymous Coward · · Score: 1

      Don't stand, sit, hold me in your lap, stroke my hair, and call me pretty.

    23. Re:Locks are useless by Anonymous Coward · · Score: 1

      He's not a seasoned spinner. A decent group 1 will stop him cold.

      There's some hero worship going on with the mod points and the posts. It isn't hard to find lockpickinglawyer picked up the hobby just a few years ago with the intent to copy bosnianbill's success. No judgement from me, but he is not an authority in the lockpicking field, let alone the greater security field, outside the youtube crowd.

    24. Re: Locks are useless by I'm+New+Around+Here · · Score: 1

      What? They don't have chairs where you're from?

      --
      If you think I voted for Trump because of this post, you're wrong. I voted for Dr. Jill Stein of the Green Party. Again.
    25. Re:Locks are useless by Anonymous Coward · · Score: 4, Insightful

      If your dog isn't trained as an attack dog, a handful of treats will defeat him.

      If he is trained as an attack dog, he's probably not safe to have around visitors, and a handgun will still easily defeat him.

      Dogs are a terrible security investment. Compared to some good locks and an alarm system, they're expensive, time-consuming, easy to defeat, and your family is going to suffer a lot more emotional trauma if they get killed than they are if a camera gets smashed.

    26. Re:Locks are useless by lgw · · Score: 1

      I've never seen a lock last more than a few seconds against a pick gun, without being immune to picking. And if you're willing to damage the door, just back a truck through it. Either way, nothing takes 15 minutes (unless we're talking about a safe or something).

      --
      Socialism: a lie told by totalitarians and believed by fools.
    27. Re:Locks are useless by Anonymous Coward · · Score: 0

      Most commercial locks are only good for keeping honest people out. If someone really wants to get into a place and has the know how, a lock is nothing more than a slight inconvenience.

      Still I sleep better with a nice dead bolt and a chair against the door.

      Most commercial are good for making the bad guy look for an easier target, why go for the shrouded padlock when there's an easy master lock in line of sight?.

    28. Re:Locks are useless by Anonymous Coward · · Score: 2, Insightful

      I've never seen a lock last more than a few seconds against a pick gun, without being immune to picking. And if you're willing to damage the door, just back a truck through it. Either way, nothing takes 15 minutes (unless we're talking about a safe or something).

      I suspect that it would take quite a bit more than 15 minutes to get the truck up the stairs or into the 4-person elevator to get it in position for backing up through my front door.

      I'm under no illusion about the safety of the lock. I know that someone who really wants in can get in. I have a concrete proof in that several years ago the guys from the fire department went into the neighboring apartment through the door and it took only a minute or two for them. I know it because they weren't interested in maintaining any secrecy, and trust me, you wake up when someone removes the whole frame of the door from the wall at 2 am.

      Almost all of the locks that we use here for buildings have disc tumblers and not rods like the folks in the US tend to use. Those are more difficult to pick than rodded ones as you can't bump key or use pick gun on them. They - especially the old ones - are not immune for picking, but it isn't a simple 'jam a tool in, open the door' operation.

      I'm pretty certain that no petty criminal searching for quick cash can pick my front door lock, and a professional lockpicker has no reason to break into my place. That leaves only breaking the door as an option, and doing that without causing enough noise to wake up the whole building will take more than 15 minutes.

    29. Re: Locks are useless by Anonymous Coward · · Score: 0

      Brazil or a USA ghetto or about half of africa

    30. Re:Locks are useless by Anonymous Coward · · Score: 0

      Most commercial locks are only good for keeping honest people out. If someone really wants to get into a place and has the know how, a lock is nothing more than a slight inconvenience.

      It could be a bit more than an inconvenience.
      The stuff in my storage is only valuable to me. Someone breaking into it won't find anything valuable to sell.
      If this is true for more people then you need to get past many locks to get something from it. Even if you find something valuable you aren't going to sell it for anything close to its value.
      The lock could make it too time consuming to be worth the effort.

      Also, if you need any non-concealable tools to get past the lock you will draw attention without being sure to actually get anything.

    31. Re:Locks are useless by Anonymous Coward · · Score: 0

      It's usually not about how long it takes to break it but to make it for (most) thieves too much work compared to your neighbour with a simpler door. Unless there is something of high value they really want at your house, thieves are not too picky if they clean out your house or your neighbour's, but they want to be fast and stealthy.
      It's like the joke with the hitchhikers and bear... you don't have to run faster than the bear, just faster than the other hitchhiker

    32. Re:Locks are useless by Anonymous Coward · · Score: 0

      Most commercial locks are only good for keeping honest people out. If someone really wants to get into a place and has the know how, a lock is nothing more than a slight inconvenience.

      Still I sleep better with a nice dead bolt and a chair against the door.

      a) Locks are bad.

      b) I use locks.

      Stunning contribution, Sir.

    33. Re:Locks are useless by sjames · · Score: 2

      Only to an extent. They aren't likely to do a comprehensive survey of the neighborhood. More likely they will look at your property and decide if the difficulty and risk is higher than they care for or not. If it is too high, THEN they move on.

    34. Re:Locks are useless by Cederic · · Score: 1

      Step 1: Hire a homeless person to break the glass

    35. Re:Locks are useless by Cederic · · Score: 1

      Dogs are a terrible security investment

      That depends whether the visitor knows someone is at home or not.

      If I know the householder is on holiday a dog will not deter me. Even an attack dog; they're easy to deal with, especially if I'm allowed to make noise.

      If there's a chance the property isn't empty, knowing that even the tiniest dog is going to wake up every cunt in the house is a fine deterrent.

      they're expensive, time-consuming, easy to defeat, and your family is going to suffer a lot more emotional trauma if they get killed

      Sorry, you can use the cost argument or the emotional attachment one. They negate each other so you can't use both.

    36. Re:Locks are useless by swb · · Score: 4, Interesting

      I sort of agree, but as someone who owns a 95 pound pit-dane mix I think it's more complicated than that.

      When we have a new person who will be in our house a lot, we have them give the dog a treat (including issuing the 'wait' command and then the release command to take the food) so that the dog sees them as being 'OK' and a food supplier.

      That being said, a few of these people have a background fear of the dog due to his size and dominant personality and the dog simply doesn't let them be, he continues to challenge them. I think its because he senses their fear and it makes him skeptical of them.

      When we've had unexpected people over (door-door types, etc) the dog is NUTS. Quite often the shadier the visitor, the MORE the dog is nuts. Call me crazy, but I think dogs can SMELL motivation/aggression. I think it's part of why cops have such trouble with dogs -- they simply project aggression and hostility and dogs react to that.

      I think if someone broke into my house, it would take more than a handful of treats. I think the dog would be in full-on dominance mode and 95 pounds of dog is fucking scary no matter how bad-ass you are and most humans are going to have a fear response to that. Unless you can somehow overcome this and project a submission to the dog, at least at our house you're gonna have a bad time.

      Maybe some kind of dog expert would defuse the situation easily, but your random hood thief isn't that. Shooting a dog will kind of work, but there's plenty of evidence that dogs don't fall over and die from wounding shots, they keep going until they can't. My neighbor is a cop and he says he has seen guys empty 9 mm pistols into dogs with limited effect. Part of it is an agitated dog is a tough target and results in superficial wounds, but part of it is that cornered animals don't quit. Plus if you are looking to steal laptops/tablets/jewlry and get in-and-out, you're not blazing away with a handgun at a dog.

    37. Re:Locks are useless by thegarbz · · Score: 1

      I had a South African colleage who described her escallating security measures to me.

      1. After a breakin through the window they upgraded security systems to include all the windows.
      2. After a breakin through the roof and manway they upgraded security systems to include lasers in the roof and to include the manway cover.
      3. After a breakin through the roof and through a hole drilled in the ceiling along with damaged security system they got 2 BIG dogs.
      4. After a breakin where both dogs were killed they moved to Australia.

      Sometime between 2 and 3 she got shot in the shoulder during a bank robbery. Not for doing anything other than being in the bank at the time, she *was* the warning shot. Honestly I'm surprised they even made it to 3 before leaving.

      Nothing deters a determined theif from a rich prize.

    38. Re:Locks are useless by Anonymous Coward · · Score: 0

      You can have attack dogs or dogs that are going to alert you of strange sounds or people. Most people want the security of the second option with the dog that has better senses than we do. We aren't looking at the dog to PROTECT anything, we are looking at the dog to ALERT us.

      Nothing is foolproof but people have much more of a chance of knowing something weird is going on with a dog than without. They do have a lot of false positives, especially if you have squirrels. My dog is never going to attack anyone, but nobody is going to get into my house silently either.

      This is all the same sort of idea of a security system. The security system isn't going to taser someone, it is going to alert you (or possibly someone else) to an issue. This is just a different variation (some people have both).

    39. Re:Locks are useless by froggyjojodaddy · · Score: 1

      I wish someone offered a 20 pack of padlocks that were keyed-alike..

    40. Re:Locks are useless by mjwx · · Score: 2

      Go search "Lockpicking lawyer" on Youtube. That guy shows how useless locks are, mechanical or digital.

      Well, yes, but there are degrees of lawyer. Someone with the right resources can break probably most locks, but your usual criminal will go for the easiest option, which you just don't make be you. You don't have to run faster than the bear, you have to run faster than the man next to you also running away from the bear.

      I was walking past a bike rack today and the local council had put up a sign saying "This is a known bike theft hotspot, secure your bike". I noted that most bikes had a chain with a standard combination lock on them. I recall that most of these locks can be "picked" simply by giving them a good whack with a rubber mallet (IIRC, the pins just fall out). You're better off with a decent padlock and length of chain which probably costs half as much as the combination locks. Of course these can be picked, but it's a lot harder than the bike chains (as you said, locks don't have to be unpickable, just hard enough to make a crim say "I cant be arsed").

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    41. Re:Locks are useless by mjwx · · Score: 1

      A good sized dog in the hallway works even better.

      This is Truth. I read a study once that a home invader will most often be deterred by the sound of a dog of any size. With that being said I believe they would be more "deterred" to the sound of a Rottweiler and a Chiwawa.

      Criminals now often bait dogs.

      Also there is no evidence that dogs will bark when criminals enter (in fact the evidence points to a trained dog not barking because they cant tell the difference between an owner and a criminal) and zero evidence that anyone else will act on a dog barking.

      The dog defence is a complete waste of time (and enough dogs are mistreated as it is).

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    42. Re:Locks are useless by Jason+Levine · · Score: 2

      Dogs can add to a security mix (with locks and other measures) in that they can make a house undesirable to rob. If you're a thief and you are presented with two houses - one with a deadbolt, security cameras, and a large dog, and the other with no deadbolt, cameras, or dog - then everything else being equal you'll go for the easier house. No security measure is 100% guaranteed. You just need to make yourself a less desirable target than everyone else.

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    43. Re:Locks are useless by arth1 · · Score: 1

      You just need to make yourself a less desirable target than everyone else.

      This is indeed the case. Sure, while criminals can shoot dogs and plan ahead for how to get away after firing gunshots, and how not to be hunted down even though they have committed a greater crime than just burglary, why should they? They didn't become burglars because they were excellent planners and executors, no matter what Hollywood movies try to tell you. They need valuables, most likely quickly, and a good chance of getting away with it. So if there are dozens of possible targets, why would they want to pick one with a dog, increasing their risks of being caught, being hurt, or not getting loot?
      Never mind that most burglars are unarmed, and can't afford a gun and ammo. Being desperately broke is why most of them resort to breaking and entering in the first place.

    44. Re:Locks are useless by Anonymous Coward · · Score: 0

      Some locks are for that. Others are designed to force the bad guy to make noise or hang around looking suspicious long enough to get caught. No lock is absolutely PROOF against unauthorized access.

      Sarin/polonium filled glass lock? :)

      You could be sued if you do that due to setting off a booby trap to protect your property. It is crazy, I know, but it is not worth a try.

    45. Re:Locks are useless by Anonymous Coward · · Score: 0

      Growing up I had a 100+lb Golden Lab. Big barrel chested beast. Friendly as all get out but if you started to open the door while he was inside, it was an instant loud bark, and that dog sounded like he was 300+lbs at least. Only a fool would open that door without permission.

    46. Re:Locks are useless by pnutjam · · Score: 1

      Amazon has a 24 pack

      This site seems to offer custom amounts. This model, or several others. They even have combination locks with custom master keys.

      --
      Cheap storage VM.
    47. Re: Locks are useless by dgatwood · · Score: 1

      Never knew about war's locks, but I once let slip its dogs.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    48. Re:Locks are useless by tlhIngan · · Score: 1

      Go search "Lockpicking lawyer" on Youtube. That guy shows how useless locks are, mechanical or digital.

      Locks are not about 100% security - nothing can accomplish that. No lock can secure a house, when a burglar can just smash a window.

      The goal is to provide adequate security - any lock that requires lock picks already qualify. The locks that are easily defeated without actually picking the lock I deem inadequate - like one lock I saw that was "smart" and had fingerprint authentication. To defeat it, you just need about 10 seconds and a torx screwdriver - you undo the three screws around the edge and the lock falls apart, shackle and all. That is inadequate - you did not have to tamper with the lock mechanism in any way to bypass the lock - opening the case was sufficient.

      Then there was another lock, and he used a Ramset gun on it. To me, even though it failed, I see it as pretty strong because that's one specialized tool to be carrying around, makes a lot of noise, and really leaves a lot of evidence behind of malfeasance.

    49. Re:Locks are useless by Jarik+C-Bol · · Score: 1

      I decided to get a pick kit and a clear training lock a while back, mostly for kicks. and had that damn thing open in about 5 minutes after it arrived. So i closed the lock, closed my eyes, and tried again. Open. Then I pickex opened all my other padlocks i own. Lesson? Cheep locks are junk.

      --
      I've decided to Diversify my Holdings. I've divided my cash between my left and right pockets, instead of all in one.
    50. Re: Locks are useless by Anonymous Coward · · Score: 0

      This was what everybody who wasn't a bleeding leftist said would happen to South Africa when we forced them into black rule.
      Say it's racist, but it's a fact. South Africa went from a prosperous (by African standards) country to the leader in rape and AIDS.

    51. Re:Locks are useless by Anonymous Coward · · Score: 0

      Almost all of the locks that we use here for buildings have disc tumblers and not rods like the folks in the US tend to use. Those are more difficult to pick than rodded ones as you can't bump key or use pick gun on them. They - especially the old ones - are not immune for picking, but it isn't a simple 'jam a tool in, open the door' operation.

      But even then, why bother with the lock? If you can deal with 10 seconds of noise, the a battery-powered angle grinder with even a flimsy cutting wheel will fit between the door and jamb and will cut through the deadbolt itself, along with any shrouding that might be there to protect it.

    52. Re:Locks are useless by Anonymous Coward · · Score: 0

      I've never seen a lock last more than a few seconds against a pick gun, without being immune to picking. And if you're willing to damage the door, just back a truck through it. Either way, nothing takes 15 minutes (unless we're talking about a safe or something).

      You clearly haven't seen any of the several modern door locks. A pick gun is fine against a simple 5-pin cylinder, but useless against things like the locks with concentric cylindrical pins. There are others that use things like pins at four diagonals - I'd be fascinated to see how your pick gun would fare against that.

      I think the goal is to get a lock which is convenient for someone with a key, but requires brute force for someone without a key, because brute force means you have evidence to show the insurance company when making a claim.

    53. Re:Locks are useless by lgw · · Score: 1

      I didn't say a pick gun works on everything, only that for locks which can be picked in any reasonable amount of time, a pick gun will get them in seconds. And if you're going to bash the lock in, again if you brought a big enough hammer, it's going to open in seconds, or you need to go back for a bigger hammer. 15 minutes seems a very strange amount of time here.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    54. Re:Locks are useless by terrycarlino · · Score: 1

      It's almost impossible to secure a bike against theft. No lock made will resist a portable battery powered angle grinder. Even the best bike locks, made by the most reputable bike lock companies, which provide a guarantee against theft, will not honor their guarantee if a power tool is used. Such a tool can cut through even a harden steel U-lock in seconds. Fast enough that the thief can ride off before anyone who hears the tool can react.

      Bike theft in New York City is so bad that insurance companies won't insure bikes there. Bike thieves there steal crappy bikes to ride to the location of their next theft, so even having a crappy bike doesn't save you. It's so bad the NYPD actually puts bikes out with GPS just to be stolen.

    55. Re:Locks are useless by terrycarlino · · Score: 1

      There use to be a TV show called "It Takes A Thief", not the spy one. This one teamed a security expert up with an ex-thief. They arranged to break into people's houses to show them how bad their security was and then gave them a new security system, which the thief than tried to compromise.

      He managed to defeat the ''dog security system" every time by feeding them bacon. The ultimate insult was that after he emptied out the house he'd steal the dog.

      It was a great show. Sometimes he'd have to break a cheap door lock, but most often he'd get in because they left a window open or the garage door unlocked or had a hidy key under a fake rock or turtle figure. Sometimes they even had alarm systems, which they left off when leaving their house.

      Even though it was arrange before hand the people were always devastated. They never figured he would take all their stuff like he did. They seem to feel totally violated and almost always his second attempt was a failure, because for now at least they were actually paying attention to security

    56. Re:Locks are useless by terrycarlino · · Score: 1

      A typical modern house (in the US at least) is made of vinyl siding over chipboard backerboard with fiberglass insulation covered by drywall on a pine 2x4 frame.

      You don't have to back a truck through the steel deadbolted security door. Just take a battery powered sawsall to the wall between the door and the windows. In most neighborhoods they won't even notice the 45 seconds it takes you to cut an opening.

  8. Those researchers are always so negative... by Alwin+Henseler · · Score: 1

    Come on give 'em a break, this company is still learning. Their next product will be SO much more secure!

  9. Price comparison by Anonymous Coward · · Score: 0

    12 inch HFT bolt cutters $8.99
    Trivial BT software unlock $0
    Single gun metal Tapplock one $84
    Another app knowing your precise location for no reason PRICELESS

  10. why would anyone go to this trouble? by Anonymous Coward · · Score: 0

    Padlocks rarely lock anything of great value. They are usually just there to keep the local kids from playing with your stuff. If breaking into a shed, bolt cutters will usually do but a tire iron is more readily available in most people's trunk and will almost always rip latches or hinges off with no trouble.

    People place way too much confidence in locks and doors in general. Glass breaks easily, and I've seen steel doors with fancy locks on wood houses. Most break-ins occur during the day to avoid the night time burglary penalty if caught. Rather than go through the door, a chainsaw or sawzall can cut a hole in the back of the house in a couple of minutes. There is usually even a handy plug if you'd like to use a quieter electric chainsaw but bring your wire detector with you so you know where to cut.

    If you accidentally leave your garage open, the wall between the garage and house is usually just wallboard. You can kick your way through or use tools in the garage to go through even more easily. Often there is a handy axe or sledgehammer.

    The idea that security measures protect you is a fantasy. They are just a way to take more of your money. We spend many times more more on security than the total take in all robberies. Luckily, most of the threat the media works so hard to convince us of is fantasy too. We live in the safest times in 50 years.

    1. Re:why would anyone go to this trouble? by ChoGGi · · Score: 1

      There is usually even a handy plug if you'd like to use a quieter electric chainsaw but bring your wire detector with you so you know where to cut.

      Wires are usually ran a foot or so above the floor (less waste for connecting to outlets), just make sure you're not cutting near conjoining walls, or next to doors.

    2. Re:why would anyone go to this trouble? by Desler · · Score: 1

      So your house is completely unlocked and has no doors or windows?

      Yes, a determined criminal can break into virtually any house, but it’s well proven that most will avoid breaking into houses that even have something as simple as a home security sign in front (even if fake) since it’s not worth the chance of being caught versus a house that looks completely unguarded.

    3. Re:why would anyone go to this trouble? by whoever57 · · Score: 1

      Wires are usually ran a foot or so above the floor (less waste for connecting to outlets),

      In my house, most of the wires run from the roof space down the studs to the outlets or switches. Very few wires run laterally.

      --
      The real "Libtards" are the Libertarians!
    4. Re:why would anyone go to this trouble? by Anonymous Coward · · Score: 0

      The majority of break-ins today are not random. This is because most household items are now commodity. You're very unlikely these days to find valuable electronics (even computers are rarely expensive today) or anything easy to carry that is worth the risk. So, if you have a break-in, it is because you specifically have something they want. They are thus more determined than they used to be.

      On the plus side, this means you're probably OK if you don't have drugs or large amounts of cash laying around.

    5. Re:why would anyone go to this trouble? by ChoGGi · · Score: 1

      Hmm, expensive use of copper, but I suppose bad advice for breaking into a house isn't a bad thing.

    6. Re:why would anyone go to this trouble? by Cederic · · Score: 1

      Bollocks. Most thefts are opportunity based and a shitty tablet may not be worth much but hit 2-3 houses a day and that's your drug fix sorted.

    7. Re:why would anyone go to this trouble? by Shotgun · · Score: 1

      The wire would be cheaper than paying someone to drill a hole in every stud, fish the wire through every hole, and then install a protective steel plate in front of every hole.

      --
      Aah, change is good. -- Rafiki
      Yeah, but it ain't easy. -- Simba
    8. Re:why would anyone go to this trouble? by dgatwood · · Score: 1

      The majority of break-ins today are not random. This is because most household items are now commodity.

      A decent number of thefts are, in fact, essentially random, committed by drug addicts trying to get precisely those sorts of commodity items that won't look suspicious when they take them into a pawn shop to trade for cash to buy drugs.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    9. Re:why would anyone go to this trouble? by ChoGGi · · Score: 1

      Nah, that's what the guy standing around with his hands down his pants is for, and around here you don't need the plate (depending on the dist of the hole to the stud).

  11. You mean? by Anonymous Coward · · Score: 0

    You mean, like wipe the lock with a cloth?

  12. Crooks, assholes, and idiots ... by Anonymous Coward · · Score: 0

    Stykas found that once you'd logged into one Tapplock account, you were effectively authenticated to access anyone else's Tapplock account, as long as you knew their account ID. You could easily sniff out account IDs because Tapplock was too lazy to use HTTPS (secure web connections) for connections back to home base -- but you didn't really need to bother, because account IDs were apparently just incremental IDs anyway, like house numbers on most streets.

    Wow, it sounds like this company has hit upon the trifecta of incompetence ... they're crooks, assholes, and idiots.

    Sorry, but this bullshit "me too" endless stream of utterly shit quality products rushed out the door to say "yarg, we have teh bluetooths lock" ... this results in an endless stream of products made by crooks, sold by assholes, and bought by idiots. They're usually not fit for what they claim it is, and they've been so incompetently built there's no fucking point in owning one.

    So, as usual, the people who run this company and do the sales are lying sacks of shit who can't help but know their product is inferior. But, they've pushed them out the door for the unsuspecting public to buy.

    Honestly, I think that shitty/shady products should have a Yakuza type punishment -- we're going to lop off bits of the CEO as a demonstration that failure will not be tolerated. When the thieving crook of a fucking CEO has no digits or arms left, we throw them off a fucking dock.

    The sad thing is, the people who made this? They knew goddamned well they were selling shitty products, they just didn't care.

    Fuck all this connected shit. I don't want it, don't care about it, and have no reason to believe you're qualified to make a lock, let alone a connected lock.

    Whoever the people are who run this company, they know they're crooks and assholes. They are just hoping to cash in on the hype.

    Fuck 'em, kill 'em all.

  13. they're called "smart" devices.. by Anonymous Coward · · Score: 0

    because it takes a smart person to develop and secure them...

    too bad they didn't have one of those.

    their product and site security was probably managed by their accountant: "don't fuck around with details, just give me the cheapest and fastest. i've got investors to kiss-up to and i need something yesterday."

  14. Their web site doesn't have an about page by greenwow · · Score: 0

    What is the company's association with Microsoft? With this type of security, there just has to be.

    1. Re:Their web site doesn't have an about page by Tablizer · · Score: 1

      That's an unfair blow, Microsoft greatly improved their security so that it's up to "average" now. (Either that, everyone else got more sucky, can't tell.)

      --
      Table-ized A.I.
    2. Re:Their web site doesn't have an about page by johnsie · · Score: 1

      To be fair microsoft are going in the the right direction when it comes to security. Moving towards a walled garden and with pro-active security tools which are missing in many other operating systems. Most Linux/Mac machines have little or no software to find infections.

  15. This has to be be lawsuit material... by EndlessNameless · · Score: 1

    If there were ever a product that was defective and incapable of working in its intended capacity, this is it.

    How rubbish is a justice system if it can't slap the everloving crap out of this company?

    --

    ---
    According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
    1. Re:This has to be be lawsuit material... by N1AK · · Score: 2

      Is there anything in the products documentation, marketing, or the founders communication, that makes these security flaws a lie rather than a failure? Did they claim to have any certification or accreditation on the device which the device didn't have. Are there legal standards for this type of product that this doesn't meet?

      Failing the above then the justice system would be rubbish if it did anything to this company just because a bunch of people bought the product without understanding the risk of not requiring more information or proof it would be effective.

    2. Re:This has to be be lawsuit material... by BradleyUffner · · Score: 1

      Incompetence doesn't protect you from all legal liability. Though it will sometime lessen then punishment over outright maliciousness.

  16. From the people who brought you Juicero and Bodega by cinghiale · · Score: 4, Insightful

    When you live in a bubble, you think all your ideas are great. All the echoes tell you so.

  17. I'm sure this was a rhetorical question. by devslash0 · · Score: 0

    From that big, overpopulated, Asian country many we all so love. The customer support capital of the world.

  18. Engineering by the cheapest amateurs available by gweihir · · Score: 1

    This is just pathetic. While I do not like the idea of requiring an engineering certification for work like this very much, it seems we need it to remove said certification from the utter and complete fuckups that create atrocities like this one.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  19. HDHomeRun is insecure by Anonymous Coward · · Score: 0

    HDHomeRun CONNECT/PRIME calls home every 10 minutes uploading a complete list of available channels and device information including internal IP address of HDHomeRun devices.

    All data is unencrypted and transmitted entirely in the clear.

    SiliconDust operates an API ipv4-api.hdhomerun.com that is in no way secured or CSRF protected. API transmits the response header "Access-Control-Allow-Origin: *" explicitly enabling XMLHttpRequest to be trivially leveraged against owners of HDHomeRun devices by ANY malicious website the owner happens to stumble upon.

    Attempting to block HDHomeRun from calling home by blackholing hosts within hdhomerun.com domain results in HDHomeRun switching to Google DNS server 8.8.8.8 BYPASSING ACCESS CONTROL users have explicitly put in place to prevent this behavior. It is necessary to also block access to 8.8.8.8 or block access to every address referenced by ipv4-api.hdhomerun.com in order to stop this behavior in its entirety.

    A simple call to http://ipv4-api.hdhomerun.com/... by any web browser on your network provides a JSON formatted list of HDHomeRun devices on your network. The call includes unique device ID and internal URLs within your network that like ipv4-api.hdhomerun.com not only are not CSRF protected they openly invite malicious access to any website you happen to visit via CORS headers explicitly granting global XMLHttpRequest access.

    This vulnerability can be trivially leveraged by malicious websites to track you via unique Device ID, gather device AUTHORIZATION CODE, tune to channels, scan channels, transcode, gather data on current shows watched and view system logs all without any protection or authentication of any kind whatsoever.

    There was no clickwrap agreement notifying the customer of this behavior or any indication that HDHomeRun would be calling home and doing so in such a ridiculously insecure manner.

    To be perfectly clear the problem is NOT the inherent lack of authentication and encryption. Problems are threefold:

    1. Calling home without obtaining explicit consent
    2. Once consent is obtained transmitting data including unique identifiers in the clear
    3. HDHomeRun able to be accessed and data exfiltrated by ANY external website anyone on the users network happens to visit

    If you own a HDHomeRun device for your own security and privacy please take the following steps immediately:

    - Blackhole DNS access to ipv4-api.hdhomerun.com
    - Block access to Google public DNS servers @ 8.8.8.8

  20. Re:Dont use on Manafort's ankle bracelet. Lock Him by Anonymous Coward · · Score: 0

    Donald Trump's campaign manager is in prison though... lol.

  21. Re:Dont use on Manafort's ankle bracelet. Lock Him by Anonymous Coward · · Score: 0

    And he's trampolining your mom Hillary there.

  22. 110010001000 is an error by Anonymous Coward · · Score: 1

    Go search "Lockpicking lawyer" on Youtube. That guy shows how useless locks are, mechanical or digital.

    if locks are useless then why is it that the vast majority of the world's storekeepers show up every morning to find that their goods have not been stolen in the night?

    Clearly you are some sort of stupid automaton, incapable of registering actual reality in your brain

    1. Re: 110010001000 is an error by Desler · · Score: 1

      That and you’ll likely find that they have locks on their house despite proclaiming them to be worthless.

    2. Re: 110010001000 is an error by reanjr · · Score: 1

      That might have far more to do with alarm systems than locks.

    3. Re: 110010001000 is an error by Anonymous Coward · · Score: 0

      And yet tons of houses don’t have alarms and only locks and never get robbed.

    4. Re: 110010001000 is an error by nedlohs · · Score: 1

      And tons of houses have doors which they don't bother locking and never get robbed.

  23. Re:Dont use on Manafort's ankle bracelet. Lock Him by Anonymous Coward · · Score: 0

    Hillary is taking a walk in the woods while Moscow Donald and his co-conspirators go down for high treason.

    Only thing left to say is "but her emails"...

  24. Or you could just ... by PPH · · Score: 3, Informative

    ... unscrew the back

    --
    Have gnu, will travel.
  25. You are breaking the law by opening the lock by Gabest · · Score: 1

    No, it is not theft. You are violating their intellectual property.

    1. Re:You are breaking the law by opening the lock by Anonymous Coward · · Score: 0

      That's the magic of this lock: breaching IP law will scare off hardened criminals.

  26. Home Security companies ARE the thieves... by Anonymous Coward · · Score: 0

    Just read up on the inherent infeasibility of wireless house alarms...as a thief, either you RF jam them and they don't go off - or you RF jam them and they go off, so you just jam them until they become a nuisance (until the owner disables them - and you even have a way to verify they're off as well, then...).

    Look, utility people (i.e. the person installing your alarm...) are the people who scout your houses for robberies - usually passing that information on to others for a bit of cash, so that they can perform the robbery - and that's why nearly all home security systems are inherently vulnerable/insecure, with the person who installed them usually knowing the technical requirements or even codes (e.g. the manufacturing code, which overrides even your normal code...), for disarming them - or even worse, having a monitored alarm system, where the guy at the central monitoring office knows ALL the places whose monitored alarms aren't functioning, and can tip off thieves for a bit of cash.

    The goldmine of information in security companies, is the knowledge of who is safest to rob - it's a multi-million industry.

  27. proof of concept by Anonymous Coward · · Score: 0

    its not a bug, its a feature. they meant this, obviously.

  28. Is it impossible to make a "smart lock" secure? by Narcocide · · Score: 1

    Or is it just impossible to find someone ethical enough to be trusted to make smart locks?

    1. Re:Is it impossible to make a "smart lock" secure? by Anonymous Coward · · Score: 0

      It's possible to make a smart lock reasonably secure.
      I'm sure they believed they were being ethical, except they were entirely clueless about security.
      A lock made by "enthusastic idiots", i.e. non-expert dabblers in both padlock design and digital security is how you get a fuck up like this.

  29. Re: Dont use on Manafort's ankle bracelet. Lock Hi by Anonymous Coward · · Score: 0

    Trump 2020. Your suicide 2020.

    Kill yourself. It will fix everything.

  30. I call Bulls**t by Anonymous Coward · · Score: 0

    2 seconds? Really?

    This is typical Engineers not accounting for time correctly.
    Like the "I can make an app in a day" - Yeah! Sure! Testing must be non-existent and you didn't account for getting the idea, setting up, etc etc.

    Should account for time like you were going to be paid for it.

    1. Re: I call Bulls**t by Anonymous Coward · · Score: 0

      Watch the video. You press the button on the lock, 2s later it is open.

      But I got it down to 0.5s anyway.

  31. Lock are not to lockout PRO by aepervius · · Score: 1

    They are for the amateur, to lock them out long enough that activities are suspicious or even downright impossible for them. I have two U lock on my (rather expansive) lying-bike. They are not there for any Pro wanting to steal my bike which would knack them in 1 to 3 second each. They are there for the kids or adult wanting to have a joy ride on it.

    --
    C. Sagan : A demon haunted world:
    http://www.amazon.com/gp/product/0345409469/
    visit randi.org
  32. And there is JerryRigEverything's teardown... by ChodaBoyUSA · · Score: 1

    Check out how easy the lock is to open with simple force. https://www.youtube.com/watch?...

  33. Re: Dont use on Manafort's ankle bracelet. Lock Hi by Anonymous Coward · · Score: 0

    Moscow Donald will be sentenced to life in prison for high treason well before I kick the bucket.

    Just in case, here is the National Suicide Prevention Lifeline
    Call 1-800-273-8255
    Available 24 hours everyday

  34. Just rebrand it... by Anonymous Coward · · Score: 0

    as community-based possession-sharing system

  35. Re:From the people who brought you Juicero and Bod by Anonymous Coward · · Score: 0

    The ideas were pretty good, it's the implementation that's the hard bit...

  36. Re:From the people who brought you Juicero and Bod by Anonymous Coward · · Score: 0

    They got money. That idea is great.

  37. Geocaching with a twist by Anonymous Coward · · Score: 0

    This lock will have a bright future for geocaching use.