Smart lock can be hacked ‘in seconds’


    [Image: Tapplock smart lock. Image copyright Tapplock. Caption: The padlocks are widely available in the UK and cost around £80]

    A hi-tech padlock secured with a fingerprint can be opened by anyone with a smartphone, security researchers have found.

    On its website, Tapplock is described as the “world’s first smart fingerprint padlock”.

    But researchers said it took just 45 minutes to find a way to unlock any Tapplock.

    In response, the firm acknowledged the flaw and said it was issuing “an important security patch”.

    In a blogpost, security expert Andrew Tierney from Pen Test Partners (PTP) outlined how he had hacked the lock.

    “You can just walk up to any Tapplock and unlock it in under two seconds. It requires no skill or knowledge to do this.”

    He said he was “so astounded” by how easy it was that he ordered another lock in case his first attempt had been a fluke.

    The lock’s software does not take even simple steps to secure the data it broadcasts, he said, leaving it open to several “trivial” attacks.

    The “major flaw” in its design is that the unlock key for the device is easily discovered because it is generated from the Bluetooth Low Energy ID that is broadcast by the lock.

    Anyone with a smartphone would be able to pick up this key if they scanned for Bluetooth devices when close to a Tapplock.

    Using this key in conjunction with commands broadcast by the Tapplock would let attackers successfully open any one they found, said Mr Tierney.
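
    The design weakness described above, shown beside a hardened alternative, as an added example that is not code from the article, PTP or Tapplock. The SHA-256 derivation, the class names and the sample ID are hypothetical stand-ins; the article does not say how the real key is computed.

```python
import hashlib
import hmac
import secrets


def derived_key(advertised_id: bytes) -> bytes:
    # Hypothetical weak scheme: the key is a pure function of the broadcast ID,
    # so it is exactly as public as the ID itself.
    return hashlib.sha256(advertised_id).digest()[:16]


def respond(key: bytes, nonce: bytes) -> bytes:
    # Proof of key possession for one challenge; the key never goes on air.
    return hmac.new(key, nonce, hashlib.sha256).digest()


class WeakLock:
    def __init__(self, advertised_id: bytes):
        self.advertised_id = advertised_id      # visible to any nearby scanner
        self._key = derived_key(advertised_id)  # no secret input at all

    def unlock(self, presented_key: bytes) -> bool:
        return hmac.compare_digest(presented_key, self._key)


class HardenedLock:
    def __init__(self, advertised_id: bytes):
        self.advertised_id = advertised_id
        self._key = secrets.token_bytes(16)     # random, unrelated to the ID
        self._nonce = None

    def pair(self) -> bytes:
        # Assumption: handed to the owner once, over an authenticated channel.
        return self._key

    def challenge(self) -> bytes:
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def unlock(self, response: bytes) -> bool:
        nonce, self._nonce = self._nonce, None  # each challenge is single-use
        return nonce is not None and hmac.compare_digest(
            response, respond(self._key, nonce))


def demo() -> dict:
    public_id = bytes.fromhex("001122334455")   # constructed sample ID
    weak, strong = WeakLock(public_id), HardenedLock(public_id)
    out = {"weak_opens_for_observer": weak.unlock(derived_key(public_id))}
    owner_reply = respond(strong.pair(), strong.challenge())
    out["hardened_opens_for_owner"] = strong.unlock(owner_reply)
    out["hardened_accepts_replay"] = strong.unlock(owner_reply)
    guess = respond(derived_key(public_id), strong.challenge())
    out["hardened_opens_for_observer"] = strong.unlock(guess)
    return out
```

    Only the weak lock opens for a party that knows nothing beyond the advertised ID; the hardened lock rejects both a replayed reply and a key derived from the ID.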

    Dragons’ Den

    In response, Tapplock said in a statement that it was issuing a software update.

    “Please be attentive to update your app once it becomes available to your region. We highly recommend you also upgrading the firmware of your locks to get the latest protection.

    “This patch addresses several Bluetooth/communication vulnerabilities that may allow unauthorised users to illegally gain access. Tapplock will continue to monitor the latest security trends and provide updates from time to time.”

    It thanked PTP for alerting it to the issue.

    Canadian firm Tapplock raised more than $330,000 (£247,000) on crowdfunding site Indiegogo after being featured on Dragons’ Den Canada.

    The funding helped develop the Tapplock One which has been widely featured on gadget sites and has won an international design award.

    Tapplock One owners, according to its creators, need no longer remember combination codes or keys to unlock a padlock, but instead can just swipe with a finger.

    In addition, the lock can be managed via a smartphone so it can be opened remotely to let other trusted people get at whatever it protects.

    Mr Tierney became interested in testing Tapplock’s claims after he saw YouTuber JerryRigEverything defeat its physical security.

    The YouTuber found that the back of the padlock could easily be removed to let attackers unlock the device. However, this weakness was traced to faulty manufacturing and a subsequent test showed other locks were safe from this type of attack.

    Rather than investigate the lock’s physical design, Mr Tierney looked at the software it ran to manage who can use it.

    “Shocked” by what he found, Mr Tierney contacted Tapplock who said they were aware of the flaw.

    The company was given time to correct the problem before the firm he works for went public with its findings.


    He urged the smart lock firm to warn customers about the problem.
