Tapplock bills itself as an “unbreakable” smart lock. The $100 Bluetooth-based, fingerprint-activated lock has received praise across various press outlets in recent months, since its Indiegogo campaign raised more than $300,000.
But it turns out that it’s easy to crack the lock open with some bolt cutters in around 10 seconds. Or, even quicker, an Android app can hack it open in just 2 seconds, researchers from British outfit Pen Test Partners claimed Wednesday. Tapplock has promised to issue an update that solves the latter problem.
‘Very bad security’
Pen Test Partners discovered that not only was the Tapplock sending data used to verify an unlock over unencrypted HTTP lines, but the data was the same every time. This meant an attacker sitting on the same network as a Tapplock user could sniff the traffic and grab the unlocking data, so it could be reused anytime, in perpetuity. A more secure technology would change that data for each unlock and send it encrypted.
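The difference between unlock data that never changes and data that changes per unlock, as an added example that is not Tapplock's or Pen Test Partners' code. It assumes a random per-lock secret set at pairing (not derived from any broadcast identifier); the class and function names are hypothetical, and transport encryption is a separate layer not shown here.

```python
import hashlib
import hmac
import secrets

class StaticLock:
    """Weak design from the article: the unlock data is identical every time."""
    def __init__(self, token: bytes):
        self._token = token
    def unlock(self, data: bytes) -> bool:
        return hmac.compare_digest(data, self._token)

class ChallengeLock:
    """Hardened sketch: each unlock must answer a fresh, single-use nonce."""
    def __init__(self, key: bytes):
        self._key = key        # assumption: random per-lock secret set at pairing
        self._pending = None   # nonce awaiting a response, if any
    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending
    def unlock(self, response: bytes) -> bool:
        nonce, self._pending = self._pending, None   # consume the nonce
        if nonce is None:
            return False
        return hmac.compare_digest(response, sign(self._key, nonce))

def sign(key: bytes, nonce: bytes) -> bytes:
    """Owner-side response: HMAC-SHA256 over the lock's nonce."""
    return hmac.new(key, nonce, hashlib.sha256).digest()

def demo() -> dict:
    token = secrets.token_bytes(16)                  # constructed sample value
    static_replay = StaticLock(token).unlock(token)  # recorded data works again
    key = secrets.token_bytes(32)                    # constructed sample value
    lock = ChallengeLock(key)
    recorded = sign(key, lock.challenge())           # what a network observer sees
    legit = lock.unlock(recorded)                    # owner's genuine unlock
    lock.challenge()                                 # a later unlock attempt
    replay = lock.unlock(recorded)                   # stale response, new nonce
    return {"static_replay": static_replay, "legit": legit, "challenge_replay": replay}

if __name__ == "__main__":
    print(demo())
```

The recorded response is bound to one nonce, so it is useless once the lock issues the next challenge.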
Making matters worse was the way in which the Tapplock key was created. It was derived from the Bluetooth low-energy (BLE) MAC address, a unique device identifier that was openly broadcast across the network. Here’s why that’s bad, as explained by Pen Test Partners researcher Andrew Tierney: “The only thing we need to unlock the lock is to know the BLE MAC address. The BLE MAC address that is broadcast