Pen Test Partners has now conducted a thorough security test on a $100 connected padlock called the Tapplock and discovered that it isn’t nearly as secure as might be implied. Although the company behind the lock, sold as the Tapplock One, has billed its padlock as unbreakable, it turns out there are multiple ways to gain access and none of them is necessarily difficult. Among the more concerning problems, it turns out, stems from build materials used for the technology-inspired security device. Because the device is made from a zinc-aluminum alloy more commonly used in razors and door handles, it isn’t all that tough. Moreover, it has a melting point at 752°F. So traditional methods for breaking through a padlock, such as a torch or twelve inch bolt cutters, can get through the shackle in as little as ten seconds.
However, this lock is also intended to connect to a device via Bluetooth and unlock with a scan of the owner’s fingerprint. Security in that department doesn’t seem to be all that much better. With a bit of quick research and examination, the testers discovered several vulnerabilities which allowed the lock to be hacked into in under two seconds. That’s because the only real requirement to hack into the lock via Bluetooth is the BLE MAC address and that’s broadcast by the lock itself. With that knowledge, a script was easily drawn up with methods to pair with and access the lock. The process to create the script took quite a bit longer but, once created, it could reportedly be used walk up to any Tapplock lock and gain access to whatever that’s guarding. Moreover, a factory reset isn’t possible, the data doesn’t change between unlocks or locks, no transport encryption is enabled, and all data required to access the lock initially is sent over the air to servers. All of that adds up to mean that an enterprising malicious entity wouldn’t even need to buy a lock to work things out and there’s no way for the user to manually prevent it.
Tapplock has since issued a statement that it will be pushing a security patch to fix the issues found by the test in question. Moreover, the company has promised to keep a closer eye on security trends and release future updates as they become necessary. With any luck, the company will also take some lessons from the materials used in its design for future iterations of its lock. Although no lock or security is ever 100-percent secure, the Tapplock One just doesn’t seem as though it will meet most consumers’ expectations for a secure lock with consideration for its price point.