By now, there shouldn’t be any doubt in your mind that I hate IoT.
Why do we need internet connected fridges? Or “smart” water bottles? Or internet connected padlocks??
Canadian company Tapplock has created a smart padlock that can use your phone or a build in bio-metric fingerprint scanner to unlock your valuables in less than 1 second. They boast security all over their website! They claim “unbreakable design” and “virtually unbeatable” security.
Security researchers took that as a challenge, and MANNNN did we have a field day with it. The first vulnerability to come out was just disassembling the lock. Youtube User JerryRigEverything posted a video of him cutting open a Tapplock and finding out the back of the lock was held on by twisting it shut. At that point he attached a 3M sticky GoPro mount and twisted it off. You can remove the locking pin at that point and open the lock. Less than a minute to break into a lock.
That is a relatively low-tech solution. Even regular padlocks have some physical vulnerability that allows people to open them (shimming, picking, etc.). PenTestPartners decided to take it one step forward, and sniffed the Bluetooth packets being transmitted between a phone and the Tapplock. All of the packets are transmitted via HTTP. No, not HTTPS. HTTP. Completely unsecured, clear text communications. You can see every bit of information being transmitted. To make it worse, the security key being exchanged to unlock the Tapplock was an MD5 hash of the Bluetooth MAC address. According to the BLE requirements, a Bluetooth device must broadcast its own MAC address when pairing. That is the equivalent of writing your PIN on your debit card in large numbers. This means that the key to unlock any Tapplock is being broadcast to the whole world. With this information, it takes 2 seconds to unlock any Tapplock with just an Android phone.
And then there’s the BIG security issue. Tapplock decided they were smart enough to roll their own cryptography. They weren’t. Once you log into the Tapplock website, you’re given an authentication cookie that lets you access LITERALLY EVERY OTHER TAPPLOCK ACCOUNT EVER MADE. The only think you have to change is the User ID, which turns out is a sequential key. If your user ID is 1234, the next user to sign up will be 1235. Since the Tapplocks also report location to the cloud service, you can also find out where other users are located and using their locks. Uh, hello GDPR!
In response, Tapplock has disabled the Bluetooth features on their apps, and is working on rebuilding their cloud API to be more secure. At this point, its too late. They were notified of the vulnerabilities and said “Thanks for your note. We are well aware of these notes.” Tapplock has no excuse for fixing these issues earlier, as a company that boasts security, there is no reason to trust this company anymore.