Slashdot Mirror
The 'World's Worst' Smart Padlock Is Even Worse Than Previously Thought (sophos.com)
Last week, cybersecurity company PenTest Partners managed to unlock TappLock's smart padlock within two seconds. They "found that the actual code and digital authentication methods for the lock were basically nonexistent," reports The Verge. "All someone would need to unlock the lock is its Bluetooth Low Energy MAC address, which the lock itself broadcasts." The company also managed to snap the lock with a pair of 12-inch bolt cutters.
Today, Naked Security reports that it gets much worse: "Tapplock's cloud-based administration tools were as vulnerable as the lock, as Greek security researcher Vangelis Stykas found out very rapidly." From the report: Stykas found that once you'd logged into one Tapplock account, you were effectively authenticated to access anyone else's Tapplock account, as long as you knew their account ID. You could easily sniff out account IDs because Tapplock was too lazy to use HTTPS (secure web connections) for connections back to home base -- but you didn't really need to bother, because account IDs were apparently just incremental IDs anyway, like house numbers on most streets. As a result, Stykas could not only add himself as an authorized user to anyone else's lock, but also read out personal information from that person's account, including the last location (if known) where the Tapplock was opened.
Incredibly, Tapplock's back-end system would not only let him open other people's locks using the official app, but also tell him where to find the locks he could now open! Of course, this gave him an unlocking speed advantage over Pen Test Partners -- by using the official app Stykas needed just 0.8 seconds to open a lock, instead of the sluggish two seconds needed by the lock-cracking app.
Today, Naked Security reports that it gets much worse: "Tapplock's cloud-based administration tools were as vulnerable as the lock, as Greek security researcher Vangelis Stykas found out very rapidly." From the report: Stykas found that once you'd logged into one Tapplock account, you were effectively authenticated to access anyone else's Tapplock account, as long as you knew their account ID. You could easily sniff out account IDs because Tapplock was too lazy to use HTTPS (secure web connections) for connections back to home base -- but you didn't really need to bother, because account IDs were apparently just incremental IDs anyway, like house numbers on most streets. As a result, Stykas could not only add himself as an authorized user to anyone else's lock, but also read out personal information from that person's account, including the last location (if known) where the Tapplock was opened.
Incredibly, Tapplock's back-end system would not only let him open other people's locks using the official app, but also tell him where to find the locks he could now open! Of course, this gave him an unlocking speed advantage over Pen Test Partners -- by using the official app Stykas needed just 0.8 seconds to open a lock, instead of the sluggish two seconds needed by the lock-cracking app.
It's almost like hiring people straight out of college for pennies (or getting free interns) for your startup is a bad idea.
This is a very predictable result of crowdfunding. No need to demonstrate competence or experience in a market since your funders are even more ignorant.
Working to get venture capital serves are real purpose, now we see the result when that is bypassed.
When you live in a bubble, you think all your ideas are great. All the echoes tell you so.
If your dog isn't trained as an attack dog, a handful of treats will defeat him.
If he is trained as an attack dog, he's probably not safe to have around visitors, and a handgun will still easily defeat him.
Dogs are a terrible security investment. Compared to some good locks and an alarm system, they're expensive, time-consuming, easy to defeat, and your family is going to suffer a lot more emotional trauma if they get killed than they are if a camera gets smashed.
I've never seen a lock last more than a few seconds against a pick gun, without being immune to picking. And if you're willing to damage the door, just back a truck through it. Either way, nothing takes 15 minutes (unless we're talking about a safe or something).
I suspect that it would take quite a bit more than 15 minutes to get the truck up the stairs or into the 4-person elevator to get it in position for backing up through my front door.
I'm under no illusion about the safety of the lock. I know that someone who really wants in can get in. I have a concrete proof in that several years ago the guys from the fire department went into the neighboring apartment through the door and it took only a minute or two for them. I know it because they weren't interested in maintaining any secrecy, and trust me, you wake up when someone removes the whole frame of the door from the wall at 2 am.
Almost all of the locks that we use here for buildings have disc tumblers and not rods like the folks in the US tend to use. Those are more difficult to pick than rodded ones as you can't bump key or use pick gun on them. They - especially the old ones - are not immune for picking, but it isn't a simple 'jam a tool in, open the door' operation.
I'm pretty certain that no petty criminal searching for quick cash can pick my front door lock, and a professional lockpicker has no reason to break into my place. That leaves only breaking the door as an option, and doing that without causing enough noise to wake up the whole building will take more than 15 minutes.