Recently kickstarted Tapplock touts a Bluetooth-enabled smart lock that uses a fingerprint sensor. The company came under fire from tech-savvy commentators when popular YouTuber JerryRigEverything completely disassembled and defeated the lock in a matter of minutes using a screwdriver and an adhesive pad. This attack appears to be related to a quality control problem with the specific unit he used; a spring-loaded shear pin is supposed to prevent the back from rotating. It’s unclear whether that pin can be easily snapped or retracted, for example with a strong magnet, but it turns out that doesn’t matter. UK-based security researchers PenTestPartners report:
The only thing we need to unlock the lock is to know the BLE MAC address. The BLE MAC address that is broadcast by the lock.
The security credentials used to control the lock are derived from the device’s publicly broadcast identifier. This means that every single lock is vulnerable to an attack that can be carried out with a smartphone app:
I scripted the attack up to scan for Tapplocks and unlock them. You can just walk up to any Tapplock and unlock it in under 2s. It requires no skill or knowledge to do this.
Can it get worse? Yes, it can. Responding to the researcher’s security disclosure, Tapplock reportedly said:
“Thanks for your note. We are well aware of these notes.”
Be wary of Internet of Things (IoT) “smart” security devices. They are neither smart nor secure.
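As an added illustration of the design flaw described above (not code from the original post, from Tapplock, or from the researchers): a lock whose key is computed from its broadcast identifier can be opened by anyone who can read that identifier, while a lock provisioned with a random secret and a one-time challenge cannot. The class names, the sample identifier and the SHA-256 derivation are assumptions made for this example; the post does not state the real derivation.

```python
import hashlib
import hmac
import secrets

BROADCAST_ID = "AA:BB:CC:DD:EE:FF"  # constructed sample, not a real device


def derive_from_id(broadcast_id: str) -> bytes:
    # Stand-in derivation (assumption): the post does not state the real one.
    return hashlib.sha256(broadcast_id.encode()).digest()


def respond(secret: bytes, challenge: bytes) -> bytes:
    # Proof of knowing the secret without ever sending the secret itself.
    return hmac.new(secret, challenge, hashlib.sha256).digest()


class DerivedKeyLock:
    """Weak design: the unlock key is a pure function of the broadcast ID."""

    def __init__(self, broadcast_id: str):
        self.broadcast_id = broadcast_id
        self._key = derive_from_id(broadcast_id)

    def unlock(self, key: bytes) -> bool:
        return hmac.compare_digest(self._key, key)


class ProvisionedLock:
    """Hardened design: random per-device secret plus a one-time challenge."""

    def __init__(self, broadcast_id: str):
        self.broadcast_id = broadcast_id        # still public
        self._secret = secrets.token_bytes(32)  # unrelated to the ID
        self._challenge = None

    def pair(self) -> bytes:
        # Assumes pairing happens once, over a channel the owner trusts.
        return self._secret

    def new_challenge(self) -> bytes:
        self._challenge = secrets.token_bytes(16)
        return self._challenge

    def unlock(self, response: bytes) -> bool:
        if self._challenge is None:
            return False
        expected = respond(self._secret, self._challenge)
        self._challenge = None                  # single use, so no replay
        return hmac.compare_digest(expected, response)
```

The design review question this answers is whether any input to the credential is visible to a bystander; if every input is, the credential is public too.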