Tapplock Smart locks contain several physical and digital vulnerabilities, each of which could allow an attacker to crack the lock with some attacks taking as little as two seconds to execute.
Pen Test Partners reviewed the lock and found that despite its use of AES128-bit encryption, the device makers still ignored pairing, key exchange, key sharing and fail authenticate, according to a June 13 blog post.
The application for the lock allows the user to “share” the lock with someone and revoke access at a later date, however, even after permission is revoked the temporary still possesses all the information to authenticate the lock.
The lock was also criticized for sending data from its servers using HTTP allowing attackers positioned in the network to intercept data and unlock the lock. Researchers also criticized the lock for not having a factory reset and noted that if a user were to delete a lock from their account, the data used to unlock the device remains unchanged.
As a result of these flaws, it only took researchers 45 minutes to develop a technique to walk up to any Tapplock and unlock it in under 2 seconds. The only thing needed to carry out the attack is the devices BLE MAC address which is broadcasts by the lock making it easily obtainable.
“The vulnerability can be discovered in under an hour with just the downloaded app, therefore there is a significant chance that a malicious actor will also find – and exploit – the issue,” researchers said in the post. “The lock has received significant social media attention, increasing the chance that a malicious actor will attack the device.”
In addition to the cybersecurity vulnerabilities within the device, researchers also criticized the physical security of the zinc aluminum padlock. While the metal is commonly used in die-cast products such as toys, door handles, and men's razors, researchers noted the metal isn't particularly strong, is brittle, and has a relatively low melting point of 400 degrees Celsius.
The poor construction allowed researchers to remove the back of the device, dismantle it with a screwdriver and manually open the shackle. An attacker could also take a more blunt force approach to the attack and open the lock using a pair of 12 inch bolt cutter, although other non-digital padlocks are vulnerable to this.
Tapplock was notified of the issue and said that it will be pushing out a security patch to “addresses several Bluetooth / communication vulnerabilities that may allow unauthorized users to illegal gain access,” according to a June 12 notice. The firm will also be upgrading their firmware.
Pen Test Partners critiqued the notice for not explicitly stating that anyone can open the lock and not advise users to use a temporary replacement lock until the firmware update is applied.
Daniel Moscovici, co-founder of Cy-oT said the news is not surprising and that if someone can break a physical lock someone can break a “smart” lock as well.
“This also resembles the transformation in cars where ignition keys were replaced by a digital key transmitting wirelessly to start the car, and hackers were able to break in and steal the car,” Moscovici said.
"We are in an age where everything is going to be "smart" and connected, and thus will be susceptible to hacking or used as an attack platform - as we saw in the case of Mirai.”
Pen Test Partners recommend users simply invest in a reasonable mechanical padlock instead of a “Smart” lock.