Another flaw hits Tapplock smart locks, thanks to leaky server

Anyone could pull a lock's location and unlock code details directly from the company's servers.
Written by Zack Whittaker, Contributor

(Image: Tapplock)

For the second time this week, smart lock maker Tapplock is under fire over its security.

Security researcher Vangelis Stykas found anyone can obtain sensitive information to locate and open a lock, simply by pulling the information directly from a leaky company's API server.

He demonstrated how to retrieve the lock's last known postal address, and enough data to create an unlock code, which can be used to locate and open any smart lock.

CNET: Best Smart Home Locks for 2018

Stykas' work builds on research published earlier this week. Andrew Tierney found the lock can be easily opened without the owner's fingerprint, because the unlock code is generated from the unique, hard-coded networking address -- known as a MAC address -- that all Bluetooth devices have. Tierney found the lock takes that MAC address and converts it using the MD5 algorithm, an old algorithm that can be easily cracked. But because all Bluetooth devices broadcast their MAC address, a malicious hacker within a close proximity can obtain it, then convert it to an MD5 hash, and unlock the device.

Tapplock said it will fix the security issue in an upcoming app update. Android users are expected to get the app later today, while iOS users have to wait until Apple approves the app.

In a statement Friday, Tapplock confirmed it has pulled the API, which the app relies on to wirelessly open the lock using Bluetooth, given the risk of a data breach.

The lock can still be opened with a user's fingerprint and the backup Morse code feature, however, the statement said.

"This patch addresses several security issues and upgrades Tapplock's communication and authentication security protocols. We will continue to monitor the latest security trends and provide updates from time to time," the company said.

Stykas shared his findings with ZDNet, which we tested and verified.

The API requires a registered email address to work, which anyone can create using the mobile app. Using a few terminal commands that anyone can run from their computer, Stykas showed a malicious actor could obtain the lock's location and its MAC address, which, using Tierney's technique, can be easily converted to a code that can unlock the device in a close proximity.

Stykas also found that every time a new fingerprint was enrolled with a user's lock, a new record was uploaded to the server and was given a unique, automatically incrementing user number -- making it easy to try different user number combinations and obtain other users' data.

And because he found no evidence that the API was rate-limited, he said anyone could pull as much user data from the server as they want.

He also explained he could permanently share any lock with any other users' account without the owner's consent.

"I would not buy this lock," said Stykas, in his write-up.

Tapplock also came under fire earlier this month after its "unbreakable durability" claim was disproved. A YouTube user, JerryRigEverything, found that the design of the lock could be cracked open using a suction cup, defeating the lock's physical security.

The company said this one lock had a manufacturing defect, and all other locks were safe.

Editorial standards