‘Smart’ biometric padlock hacked in 2 seconds [video]
Some smart devices aren’t quite as smart as others. That’s especially true for one smart padlock, which tinkerers have found vulnerable to two types of attack. After reading this, you might want to put your money into a traditional steel padlock with a metal key.
Tapplock is a $100 “smart” padlock marketed as “the world’s first smart fingerprint padlock.” In addition to its biometric prowess, Tapplock can be unlocked via Bluetooth using a phone, or through Morse-Code (you read that right) by pressing long / short combinations on the power button. Pretty impressive, right? Well, not if it’s vulnerable to unauthorized access.
Researchers have found the so-called smart padlock has a major flaw. The accompanying smartphone app allows users to “share” the lock with someone else, including temporarily. The creators of Tapplock say users can revoke permissions at any time. However, Andrew Tierney of Pen Test Partners proved that, if you retrieve the necessary data before revoking permissions, you can use it to unlock the padlock in the future, even if your permissions have been revoked.
“The app allows you to ‘share’ the lock with someone else, revoking permissions at a later date,” Andrew writes. “I shared the lock with another user, and sniffed the BLE data. It was identical to the normal unlocking data. Even if you revoke permissions, you have already given the other user all the information they need to authenticate with the lock, in perpetuity.”
The attack – once all the necessary data is sniffed and the hacking setup is complete – takes a mere two seconds, as shown in the video below.
Andrew says he and his team were inspired to buy the padlock and try to crack it after watching a YouTuber physically dismantle the same product using a sticky GoPro mount by simply twisting off the back of the device, which is an even more alarming flaw.
The team alerted the makers of Tapplock before publishing their findings so that the company could push out a patch in due time. The company has posted a warning on its website, urging users to update their companion apps once the patch is made available. A firmware update is also available for the padlock itself.biometric fingerprint padlock smart lock tapplock