Researcher finds smart fingerprint padlock is not as secure as first thought, and can be unlocked in seconds
A major flaw has been discovered in a so-called smart padlock called Tapplock, a padlock that is secured with the owner’s fingerprint rather than a key or combination.
Researchers at Pen Test Partners (PTP) have shown that the padlock can be unlocked by anyone with a smartphone, in a matter of seconds.
The Canadian firm Tapplock has in turn admitted the flaw and said it was issuing “an important security patch”.
On its website, Tapplock is described as having an “unbreakable design,” but it took security expert Andrew Tierney from Pen Test Partners (PTP) just 45 minutes to discover a major flaw with the lock.
He said he began to wonder about the smart padlock’s security after watching a YouTube video in which a man physically dismantled the padlock and opened the shackle using a sticky GoPro mount.
Tierney bought a lock for himself and began studying it. He found it was built from Zamak 3, a brittle zinc-aluminium alloy.
Tapplock’s marketing, meanwhile, says the padlock is secured with AES 128-bit encryption.
“They’ve gone for the ‘AES 128-bit encryption’ with an inference that their security is on a parallel with the military. It must be secure!” blogged Tierney. “This is a red flag to an IoT hacker though – it ignores pairing, key exchange, key sharing… and most importantly, makes no mention of authentication. Time and time again we see AES-128 used in manners that make it entirely insecure.”
Tierney first tried to dismantle the padlock using the sticky GoPro mount trick from the YouTube video, but his Tapplock remained stubbornly intact.
So Tierney then moved onto the padlock’s Bluetooth Low Energy and in his words “this is where things get really, really bad.”
“Normally I love reading about IoT hacks that take time, effort and ingenuity, but I can’t do that here,” he blogged. “In under 45 minutes, we had the ability to walk up to any Tapplock and unlock it.”
“First things first, the app communicates over HTTP,” he wrote. “There is no transport encryption. This is unforgivable in 2018.”
Essentially, Tierney found that Tapplock takes no meaningful steps to protect the data it broadcasts, which leaves it open to several “trivial” attacks. The core flaw is that the unlock key for each lock is derived from the Bluetooth Low Energy MAC address that the lock itself broadcasts in the clear, so anyone who can see the advertisement can compute the key.
“Yes. The only thing we need to unlock the lock is to know the BLE MAC address. The BLE MAC address that is broadcast by the lock,” he wrote.
In practice, this means the hi-tech padlock can be opened by anyone within Bluetooth range who has a smartphone.
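The following is an added illustration, not code from the article or from Tapplock or Pen Test Partners, of why a key derived from a broadcast identifier provides no security. It models two padlocks: one whose unlock key is a pure function of the advertised BLE MAC (the derivation used here is a hypothetical stand-in; the article does not give Tapplock’s actual function), and a hardened one whose key is a random 128-bit secret handed to the owner’s app once at pairing. The MAC address and class names are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample: the address a lock of this kind would advertise over BLE.
SAMPLE_BLE_MAC = "AA:BB:CC:DD:EE:FF"


def mac_derived_key(ble_mac: str) -> bytes:
    """Flawed design: the unlock key is a deterministic function of the
    advertised address. This hash is a hypothetical stand-in for whatever the
    real product does; the point is that anyone who sees the advertisement can
    recompute the key, so it has zero effective entropy."""
    return hashlib.sha256(ble_mac.encode()).digest()[:16]


def random_key() -> bytes:
    """Hardened design: a fresh 128-bit secret per lock, provisioned to the
    owner's phone at pairing and never derivable from anything broadcast."""
    return secrets.token_bytes(16)


class Padlock:
    def __init__(self, ble_mac: str, key: bytes):
        self.ble_mac = ble_mac
        self._key = key
        self.is_open = False

    def advertise(self) -> str:
        # BLE advertisements are sent in the clear; anyone in range sees this.
        return self.ble_mac

    def unlock(self, key: bytes) -> bool:
        # Constant-time compare. The weakness modelled here is in how the key
        # is *derived*, not in how it is checked. A real protocol would also
        # need a challenge/response so the key is never sent over the air.
        ok = hmac.compare_digest(key, self._key)
        if ok:
            self.is_open = True
        return ok


def attacker_walks_up(lock: Padlock) -> bool:
    """An attacker who knows nothing except what the lock broadcasts."""
    mac = lock.advertise()
    return lock.unlock(mac_derived_key(mac))


def build_weak_lock(ble_mac: str = SAMPLE_BLE_MAC) -> Padlock:
    return Padlock(ble_mac, mac_derived_key(ble_mac))


def build_hardened_lock(ble_mac: str = SAMPLE_BLE_MAC):
    key = random_key()
    # The key is returned to represent handing it to the owner's app at pairing.
    return Padlock(ble_mac, key), key


if __name__ == "__main__":
    weak = build_weak_lock()
    print("weak lock opened by stranger:", attacker_walks_up(weak))
    hardened, owner_key = build_hardened_lock()
    print("hardened lock opened by stranger:", attacker_walks_up(hardened))
    print("hardened lock opened by owner:", hardened.unlock(owner_key))
```

The stranger opens the weak lock every time and never opens the hardened one, because the hardened key cannot be recomputed from the MAC. Note that strong encryption of the BLE traffic would change nothing for the weak lock: encrypting with a key the attacker can derive is equivalent to not encrypting at all, which is the point Tierney makes about the “AES 128-bit” marketing.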
And furthermore, Tierney was able to use a 12” pair of bolt-cutters to cut open the shackle in under 10 seconds.
“As a padlock, the Tapplock has a very succinct security goal: frustrate an attacker with physical access from opening the shackle,” he wrote. “The Tapplock, however, falls way below any acceptable standard. It can be opened in under 2s with only a mobile phone. Discovering this took under an hour.”
At first Tapplock responded to Tierney saying it was “well aware of these notes.”
Tierney was astonished that Tapplock knew about the flaws yet continued to sell the lock on Amazon without warning buyers.
Then just hours before Tierney’s public disclosure of the flaw, the company pushed out the following notice.
“Tapplock is pushing out an important security patch,” it said. “Please be attentive to update your app once it becomes available to your region.”
“We highly recommend you also upgrade the firmware of your locks to get the latest protection,” it added. “This patch addresses several Bluetooth / communication vulnerabilities that may allow unauthorised users to illegally gain access.”
“Many thanks to the Pen Test Partners for the timely prompt and ethical disclosure,” it concluded.
“It seems rather too little rather too late: it doesn’t clearly state that anyone can open any lock, nor that a temporary replacement lock should be used until the firmware update is applied,” said Pen Test Partners’ Tierney.
“It was nice to be credited for the work, though we would prefer it if Tapplock had proactively contacted all customers with a clear explanation, mitigation and remediation plan,” he added.