Slashdot Mirror
The 'World's Worst' Smart Padlock Is Even Worse Than Previously Thought (sophos.com)
Last week, cybersecurity company PenTest Partners managed to unlock TappLock's smart padlock within two seconds. They "found that the actual code and digital authentication methods for the lock were basically nonexistent," reports The Verge. "All someone would need to unlock the lock is its Bluetooth Low Energy MAC address, which the lock itself broadcasts." The company also managed to snap the lock with a pair of 12-inch bolt cutters.
Today, Naked Security reports that it gets much worse: "Tapplock's cloud-based administration tools were as vulnerable as the lock, as Greek security researcher Vangelis Stykas found out very rapidly." From the report: Stykas found that once you'd logged into one Tapplock account, you were effectively authenticated to access anyone else's Tapplock account, as long as you knew their account ID. You could easily sniff out account IDs because Tapplock was too lazy to use HTTPS (secure web connections) for connections back to home base -- but you didn't really need to bother, because account IDs were apparently just incremental IDs anyway, like house numbers on most streets. As a result, Stykas could not only add himself as an authorized user to anyone else's lock, but also read out personal information from that person's account, including the last location (if known) where the Tapplock was opened.
Incredibly, Tapplock's back-end system would not only let him open other people's locks using the official app, but also tell him where to find the locks he could now open! Of course, this gave him an unlocking speed advantage over Pen Test Partners -- by using the official app Stykas needed just 0.8 seconds to open a lock, instead of the sluggish two seconds needed by the lock-cracking app.
Today, Naked Security reports that it gets much worse: "Tapplock's cloud-based administration tools were as vulnerable as the lock, as Greek security researcher Vangelis Stykas found out very rapidly." From the report: Stykas found that once you'd logged into one Tapplock account, you were effectively authenticated to access anyone else's Tapplock account, as long as you knew their account ID. You could easily sniff out account IDs because Tapplock was too lazy to use HTTPS (secure web connections) for connections back to home base -- but you didn't really need to bother, because account IDs were apparently just incremental IDs anyway, like house numbers on most streets. As a result, Stykas could not only add himself as an authorized user to anyone else's lock, but also read out personal information from that person's account, including the last location (if known) where the Tapplock was opened.
Incredibly, Tapplock's back-end system would not only let him open other people's locks using the official app, but also tell him where to find the locks he could now open! Of course, this gave him an unlocking speed advantage over Pen Test Partners -- by using the official app Stykas needed just 0.8 seconds to open a lock, instead of the sluggish two seconds needed by the lock-cracking app.
It's almost like hiring people straight out of college for pennies (or getting free interns) for your startup is a bad idea.
Just make it a social networking program. You log in, everybody sees your data. They're already half way to being FaceBook. Social is where it's at. Nobody wants real security. They want companionship. This company could be perfectly positioned to combine a new kind of security with a new kind of social network. They could call it Social Security.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
This is a very predictable result of crowdfunding. No need to demonstrate competence or experience in a market since your funders are even more ignorant.
Working to get venture capital serves are real purpose, now we see the result when that is bypassed.
Go search "Lockpicking lawyer" on Youtube. That guy shows how useless locks are, mechanical or digital.
Well, yes, but there are degrees of lawyer. Someone with the right resources can break probably most locks, but your usual criminal will go for the easiest option, which you just don't make be you. You don't have to run faster than the bear, you have to run faster than the man next to you also running away from the bear.
Most commercial locks are only good for keeping honest people out. If someone really wants to get into a place and has the know how, a lock is nothing more than a slight inconvenience.
Still I sleep better with a nice dead bolt and a chair against the door.
I read at +2. If your post doesn't reach that level I will not see or respond to it.
When you live in a bubble, you think all your ideas are great. All the echoes tell you so.
Some locks are for that. Others are designed to force the bad guy to make noise or hang around looking suspicious long enough to get caught. No lock is absolutely PROOF against unauthorized access.
Another purpose of a lock is to remove plausible deniability. It's hard to say you didn't know you were trespassing if you had to pick or break a lock to get in.
Same for safes. The crappy ones talk about how they keep people out with absolute security. The good ones talk about how long it will take the bad guy to get in (as they inevitably will if they're determined).
But locks that can be opened through actions indistinguishable from legitimate access are totally worthless.
It's worse than that - the guy on this youtube video opens it with an adhesive gopro mount and a screwdriver.
If your dog isn't trained as an attack dog, a handful of treats will defeat him.
If he is trained as an attack dog, he's probably not safe to have around visitors, and a handgun will still easily defeat him.
Dogs are a terrible security investment. Compared to some good locks and an alarm system, they're expensive, time-consuming, easy to defeat, and your family is going to suffer a lot more emotional trauma if they get killed than they are if a camera gets smashed.
I sort of agree, but as someone who owns a 95 pound pit-dane mix I think it's more complicated than that.
When we have a new person who will be in our house a lot, we have them give the dog a treat (including issuing the 'wait' command and then the release command to take the food) so that the dog sees them as being 'OK' and a food supplier.
That being said, a few of these people have a background fear of the dog due to his size and dominant personality and the dog simply doesn't let them be, he continues to challenge them. I think its because he senses their fear and it makes him skeptical of them.
When we've had unexpected people over (door-door types, etc) the dog is NUTS. Quite often the shadier the visitor, the MORE the dog is nuts. Call me crazy, but I think dogs can SMELL motivation/aggression. I think it's part of why cops have such trouble with dogs -- they simply project aggression and hostility and dogs react to that.
I think if someone broke into my house, it would take more than a handful of treats. I think the dog would be in full-on dominance mode and 95 pounds of dog is fucking scary no matter how bad-ass you are and most humans are going to have a fear response to that. Unless you can somehow overcome this and project a submission to the dog, at least at our house you're gonna have a bad time.
Maybe some kind of dog expert would defuse the situation easily, but your random hood thief isn't that. Shooting a dog will kind of work, but there's plenty of evidence that dogs don't fall over and die from wounding shots, they keep going until they can't. My neighbor is a cop and he says he has seen guys empty 9 mm pistols into dogs with limited effect. Part of it is an agitated dog is a tough target and results in superficial wounds, but part of it is that cornered animals don't quit. Plus if you are looking to steal laptops/tablets/jewlry and get in-and-out, you're not blazing away with a handgun at a dog.