Smart lock maker Tapplock has settled with the US FTC, after complaints that it was misleading consumers with an “unbreakable” padlock that was anything but. The Canadian company raised hundreds of thousands of dollars in crowdfunding for its connected, fingerprint-secured smart lock, but security researchers subsequently found it was entirely too easy to crack open – either physically or digitally.
The Tapplock was “Bold. Sturdy. Secure” according to its advertising, but obvious shortcomings were quickly discovered. An exposed screw on the casing, for example, allowed one researcher to open up the rear panel and foil the lock that way. However, even without a screwdriver, more dangerous electronic exploits were possible.
The FTC cited three such problems. In one, account authentication on Tapplock’s API could be bypassed, exposing all of the usernames, email addresses, profile photos, and location history of the company’s users, in addition to the precise location of the smart lock itself. That could have allowed a hacker with nefarious intent to track down the lock in real life.
In addition, Tapplock had not encrypted the Bluetooth connection between the smart lock and its app. That allowed researchers to eavesdrop on the data and figure out how to generate the keys used to open the lock. Finally, a vulnerability in the software stopped owners from revoking access to the lock once it had been granted to other users.
As the FTC discovered, there were some obvious reasons why these vulnerabilities went undiscovered until the lock was released: Tapplock didn’t have a security program to actually test for them. “We allege that Tapplock promised that its Internet-connected locks were secure,” Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, says, “but in fact the company failed to even test if that claim was true.”
The settlement with the Federal Trade Commission will see that change. Tapplock has agreed to establish “a comprehensive security program and obtain independent biennial assessments of the program”; it’ll need to undertake employee security training, too. The company is also banned “from making deceptive statements about security of a device or privacy of personal information.”
Internet of Things security has become a perennial topic of concern for researchers, as connected devices proliferate through both homes and businesses. While Tapplock’s problems might be notable for their scale, it’s certainly not the first company to have been found to use underwhelming data protection, or overlook basic issues. Whether it’s webcams with the default admin password left unchanged, or smart speakers that are vulnerable to remote control hacks, there have been numerous cases of firms over-promising but then under-delivering.
The FTC threw down the gauntlet to make IoT security a priority back in 2015, with then-Chairwoman Edith Ramirez appearing at CES to caution manufacturers that lackluster protection for consumers would have potentially severe ramifications.