The 'World's Worst' Smart Padlock Is Even Worse Than Previously Thought (sophos.com)
Last week, cybersecurity company Pen Test Partners managed to unlock Tapplock's smart padlock within two seconds. They "found that the actual code and digital authentication methods for the lock were basically nonexistent," reports The Verge. "All someone would need to unlock the lock is its Bluetooth Low Energy MAC address, which the lock itself broadcasts." The company also managed to snap the lock with a pair of 12-inch bolt cutters.
Today, Naked Security reports that it gets much worse: "Tapplock's cloud-based administration tools were as vulnerable as the lock, as Greek security researcher Vangelis Stykas found out very rapidly." From the report: Stykas found that once you'd logged into one Tapplock account, you were effectively authenticated to access anyone else's Tapplock account, as long as you knew their account ID. You could easily sniff out account IDs because Tapplock was too lazy to use HTTPS (secure web connections) for connections back to home base -- but you didn't really need to bother, because account IDs were apparently just incremental IDs anyway, like house numbers on most streets. As a result, Stykas could not only add himself as an authorized user to anyone else's lock, but also read out personal information from that person's account, including the last location (if known) where the Tapplock was opened.
Incredibly, Tapplock's back-end system would not only let him open other people's locks using the official app, but also tell him where to find the locks he could now open! Of course, this gave him an unlocking speed advantage over Pen Test Partners -- by using the official app Stykas needed just 0.8 seconds to open a lock, instead of the sluggish two seconds needed by the lock-cracking app.
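The account flaw described in the summary above is a login that proves someone is authenticated but never checks that the requested account ID belongs to them. The sketch below shows that pattern beside the ownership check that closes it. It is an added example, not code from the story or from Tapplock; the account store, session tokens and function names are constructed for illustration.

```python
# Added illustration; all names and data are constructed, not Tapplock's API.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when a session asks for an object it does not own."""


@dataclass
class Account:
    account_id: int                       # sequential, as the report describes
    last_unlock_location: str
    lock_users: set = field(default_factory=set)


# Constructed sample data: two unrelated accounts with adjacent IDs.
ACCOUNTS = {
    1001: Account(1001, "constructed location A", {1001}),
    1002: Account(1002, "constructed location B", {1002}),
}
SESSIONS = {"token-alice": 1001, "token-bob": 1002}   # token -> account id


def authenticate(token):
    """Return the account id bound to a session token, or raise."""
    if token not in SESSIONS:
        raise Forbidden("not logged in")
    return SESSIONS[token]


def read_account_flawed(token, account_id):
    """Flawed pattern: any valid login may read any account id."""
    authenticate(token)                    # proves *someone* is logged in
    return ACCOUNTS[account_id]            # never compares caller to owner


def read_account_checked(token, account_id):
    """Corrected pattern: the caller must own the requested account."""
    caller = authenticate(token)
    if caller != account_id:
        raise Forbidden("account does not belong to this session")
    return ACCOUNTS[account_id]


def add_lock_user_checked(token, account_id, new_user_id):
    """Sharing a lock is a write, so it needs the same ownership check."""
    owner = read_account_checked(token, account_id)
    owner.lock_users.add(new_user_id)
    return owner.lock_users
```

Switching to random, non-sequential account IDs would make the IDs harder to guess, but the per-request ownership check is the actual control.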
Most commercial locks are only good for keeping honest people out. If someone really wants to get into a place and has the know-how, a lock is nothing more than a slight inconvenience.
Still I sleep better with a nice dead bolt and a chair against the door.
I read at +2. If your post doesn't reach that level I will not see or respond to it.
Some locks are for that. Others are designed to force the bad guy to make noise or hang around looking suspicious long enough to get caught. No lock is absolutely PROOF against unauthorized access.
Another purpose of a lock is to remove plausible deniability. It's hard to say you didn't know you were trespassing if you had to pick or break a lock to get in.
Same for safes. The crappy ones talk about how they keep people out with absolute security. The good ones talk about how long it will take the bad guy to get in (as they inevitably will if they're determined).
But locks that can be opened through actions indistinguishable from legitimate access are totally worthless.
Also, bosnianbill
Locks are not invincible. They can be bypassed, shimmed, bumped, picked, rapped, cut, pulled apart, melted, etc... However, all these attacks require a bit of skill and time, and can make noise, and make you appear suspicious.
Serious lock certifications usually grade the locks by how long it will take to defeat the lock; no one pretends a lock will never be defeated. In France, for example, the highest security level for residential door locks is 15 minutes for a well-equipped burglar. Level 1 (which is still considered good) is just 5 minutes with basic tools.
Have gnu, will travel.