Most of us take for granted that “smart” objects are better than regular ones — smart TVs are better than regular TVs, for example, and smartphones are better than flip phones. Well, it turns out that “smart” is not always better. Tapplock is a “smart” padlock that can be opened either via your fingerprint or via your phone. It costs around $99 and you can authorize other people within the app to unlock it remotely.
It can also be hacked in less than two seconds.
Before getting into how it can be hacked so quickly, you have to understand how it is designed. Basically, it’s a fingerprint scanner that uses Bluetooth technology to lock and unlock the device. Sounds pretty great, right?
Not so fast: there is one major flaw here. Unfortunately, the device shares its Bluetooth network address with anyone who wants it, and within that address is the code to unlock the padlock.
Yikes. Uhm, oversight?
To make things worse, a UK-based company, Pen Test Partners, created a program that can unlock any Tapplock, just to prove that it could be done. This is basically no different from creating a program that can access the PIN for your debit card. Unfortunately, this isn’t the only bad news for Tapplock; the administration tools are also easily hackable, which means that as long as you know what you are doing, you can authenticate yourself as an authorized user and get access to any Tapplock account.
What you can do if you own a Tapplock
If you own a Tapplock device, there are some things you can do to protect yourself.
First, the company has released a patch. Download it and install any future patches they release. Note: this first patch probably doesn’t fix the problem entirely, so be on the lookout for more updates as they come.
If you are a web programmer, make sure that account IDs are not easy to figure out. Though sequential account numbers are usually not an issue in a secure system, try not to make it too easy.
Are you a service delivery manager? If yes, stop allowing plain HTTP. Make sure your servers use HTTPS connections and ensure your client software uses HTTPS only.
If you are an IoT business owner, try something new: don’t let the programmers you work with create their own cryptography. Also, don’t assume that something is secure just because they say it is. This can lead to a nightmare scenario, which is exactly what Tapplock is going through right now.
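The account-ID advice for web programmers above, as an added example (not code from Tapplock or Pen Test Partners): account IDs drawn from a cryptographic random source, plus a lookup that checks the caller's authenticated identity instead of treating knowledge of an ID as permission. The class and method names, the sharing model and the `example.test` accounts are assumptions made up for illustration.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Account:
    account_id: str
    email: str
    locks: list = field(default_factory=list)
    shared_with: set = field(default_factory=set)  # account IDs granted access

class AccountStore:
    def __init__(self):
        self._accounts = {}

    def create(self, email, locks):
        # 128 bits from the OS CSPRNG: IDs cannot be found by counting up.
        account_id = secrets.token_urlsafe(16)
        self._accounts[account_id] = Account(account_id, email, list(locks))
        return account_id

    def share(self, owner_id, guest_id):
        self._accounts[owner_id].shared_with.add(guest_id)

    def get_unchecked(self, requested_id):
        # Weak pattern: knowing (or guessing) an ID is treated as permission.
        return self._accounts.get(requested_id)

    def get_for_session(self, session_account_id, requested_id):
        # Hardened: the authenticated caller's identity decides access.
        account = self._accounts.get(requested_id)
        if account is None:
            return None
        if session_account_id == requested_id or session_account_id in account.shared_with:
            return account
        return None  # same answer as "not found", so IDs cannot be probed

def demo():
    # Constructed sample accounts; the example.test addresses are placeholders.
    store = AccountStore()
    alice = store.create("alice@example.test", ["shed"])
    bob = store.create("bob@example.test", ["bike"])
    mallory = store.create("mallory@example.test", [])
    store.share(alice, bob)  # alice authorizes bob, as the app allows
    return {
        "unchecked_leak": store.get_unchecked(alice) is not None,
        "owner": store.get_for_session(alice, alice).locks,
        "guest": store.get_for_session(bob, alice).locks,
        "stranger": store.get_for_session(mallory, alice),
    }
```

Random IDs only make guessing harder; the ownership check in `get_for_session` is what keeps a leaked or shared ID from opening someone else's account.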
Smart devices and the rise of hackers
We’ve talked about it before on here, but with more and more devices connected to the internet, smart home products are increasingly vulnerable to hackers. And these devices were not built with security as a primary focus; they were built with a goal to increase productivity (so you can turn your lights on or off at home simply by asking Alexa, for example, or so you can unlock your smart padlock with your mobile phone).
These products, while achieving their intended purpose, often leave gaping holes when it comes to security. So be aware, keep your devices updated, and take every measure to protect your security online.