Infosec experts from PenTest Partners performed a test last week in which they were able to unlock TappLock’s smart padlock in just a few seconds. The researchers exploited vulnerabilities in the lock’s digital authentication method, which they felt had serious issues. Technicians from PenTest remarked that they believed an individual who could find out the Bluetooth Low Energy MAC address assigned to the smart lock could then unlock it.
While this wouldn’t be a simple task for most individuals, the device does broadcast this address, so those skilled with wireless technology might be able to open the lock as soon as they intercepted a broadcast. The tools needed to intercept such a broadcast wouldn’t be very difficult for those with such skills to find, either.
Vangelis Stykas, an IoT researcher from Thessaloniki, has now released a report stating that TappLock’s cloud-based administration tools are also affected by a vulnerability. The report states that those who log into an account are functionally empowered to control other accounts if they know the ID names of other users.
TappLock doesn’t appear to currently use a secure HTTPS connection to transmit data back to the home base. Moreover, account IDs are based on an incremental formula that makes them closer to home addresses than actual IDs.
Stykas found that he was unable to add himself as an authorized user of any lock that didn’t belong to him, meaning that the vulnerability does have limitations even without the company behind the lock releasing a patch.
He did, however, state that he could read some bits of personal information from an account. This includes the last location where the lock was opened. In theory, an attacker could figure out the best time to gain physical access to an area. It also seems that he was able to open another lock with the official app.
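The class of flaw the report describes, an API that checks that a caller is logged in but not that the caller owns the account being requested, is shown below next to a corrected handler. This is an added example, not code from the report or from TappLock; the account store, session tokens, function names and data are all hypothetical and constructed for illustration.

```python
import secrets

# Constructed sample data: two accounts with sequential IDs, as the article describes.
ACCOUNTS = {
    1001: {"owner": "alice", "last_unlock_location": "constructed-location-A"},
    1002: {"owner": "bob", "last_unlock_location": "constructed-location-B"},
}
SESSIONS = {"token-alice": "alice", "token-bob": "bob"}  # session token -> user


class Forbidden(Exception):
    pass


def get_account_flawed(token, account_id):
    """Hypothetical handler: checks only that the caller is logged in."""
    if token not in SESSIONS:
        raise Forbidden("not logged in")
    return ACCOUNTS[account_id]  # any logged-in user can read any account


def get_account_checked(token, account_id):
    """Hypothetical handler: also checks that the caller owns the account."""
    user = SESSIONS.get(token)
    if user is None:
        raise Forbidden("not logged in")
    account = ACCOUNTS.get(account_id)
    # Same error for "missing" and "not yours", so replies do not confirm which IDs exist.
    if account is None or account["owner"] != user:
        raise Forbidden("no such account")
    return account


def new_account_id():
    """Non-sequential identifier built from 16 random bytes.
    Defence in depth only; the ownership check above is the actual fix."""
    return secrets.token_urlsafe(16)


def is_denied(handler, token, account_id):
    """Return True if the handler refuses the request."""
    try:
        handler(token, account_id)
        return False
    except Forbidden:
        return True
```
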
While there haven’t been any announcements about patches as of yet, it isn’t hard to believe that the company will release some changes soon enough, considering it has been working hard to correct other vulnerabilities. Nevertheless, researchers also found that, regardless of what digital security functions were enabled on the app, they were still able to cut through the lock with a pair of old-fashioned bolt cutters.