FTC Alleges that Tapplock IoT Smart Lock Was All About Promises, Not Security
The Federal Trade Commission (FTC) accused smart lock designer Tapplock of false advertising by promoting its smart padlock as secure and compliant with the industry’s best practices, after a complaint alleged exactly the opposite.
The smart padlock is built by Tapplock, described as an Internet of Things (IoT) company. One of its products is an Internet-connected, fingerprint-enabled padlock, but the FTC says that pretty much none of their claims about the device hold up.
First of all, the padlock was advertised as physically secure, as you would expect from a regular, non-smart padlock. But one researcher managed to bypass the protection in just a few seconds by removing the backplate.
The smart part of the padlock offered many promises, including the option of adding new users to the app, with access to the device, along with a geolocation feature that would allow users to unlock the padlock with the help of Bluetooth.
Three vulnerabilities were identified in the software, allowing a potential attacker to bypass the account authentication process to gain full access to the accounts of all Tapplock users and their personal information and to lock and unlock any Tapplock smart lock nearby. A third vulnerability prevented users from revoking access to the smart lock.
“Padlock’s designs the smart locks it sells to U.S. consumers, is responsible for remediating security vulnerabilities and other flaws associated with those locks, and directly or through its distributors markets and advertises its locks to U.S. consumers,” states the FTC complaint.
Also, the FTC says the company had no security program prior to the discovery of the vulnerabilities. The somewhat good news is that a newer version of the lock fixed some of the problems found by people trying to physically access it, but there’s no word yet if the software vulnerabilities were corrected as well.exploit padlock smartlock vulnerability