The 'World's Worst' Smart Padlock Is Even Worse Than Previously Thought (sophos.com)
Last week, cybersecurity company Pen Test Partners managed to unlock Tapplock's smart padlock within two seconds. They "found that the actual code and digital authentication methods for the lock were basically nonexistent," reports The Verge. "All someone would need to unlock the lock is its Bluetooth Low Energy MAC address, which the lock itself broadcasts." The company also managed to snap the lock with a pair of 12-inch bolt cutters.
Today, Naked Security reports that it gets much worse: "Tapplock's cloud-based administration tools were as vulnerable as the lock, as Greek security researcher Vangelis Stykas found out very rapidly." From the report: Stykas found that once you'd logged into one Tapplock account, you were effectively authenticated to access anyone else's Tapplock account, as long as you knew their account ID. You could easily sniff out account IDs because Tapplock was too lazy to use HTTPS (secure web connections) for connections back to home base -- but you didn't really need to bother, because account IDs were apparently just incremental IDs anyway, like house numbers on most streets. As a result, Stykas could not only add himself as an authorized user to anyone else's lock, but also read out personal information from that person's account, including the last location (if known) where the Tapplock was opened.
Incredibly, Tapplock's back-end system would not only let him open other people's locks using the official app, but also tell him where to find the locks he could now open! Of course, this gave him an unlocking speed advantage over Pen Test Partners -- by using the official app Stykas needed just 0.8 seconds to open a lock, instead of the sluggish two seconds needed by the lock-cracking app.
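The cloud-side flaw in the summary above is a classic broken object-level authorization (IDOR) bug: the back end checked that a caller was logged in, but never that the logged-in user actually owned the account ID in the request, and the IDs themselves were sequential. The following toy model is an added illustration written for this page, not Tapplock's code or anything the researchers published; the account fields, the `VulnerableApi` / `HardenedApi` class names and the sample users are all constructed. It puts the weak check beside the corrected one so the difference is visible in a few lines.

```python
"""Toy model of an IDOR flaw in a lock-management API (constructed example).

VulnerableApi mirrors the pattern described in the article: any logged-in
user may read or modify any account, and account IDs are incremental.
HardenedApi fixes both points: ownership is checked on every object access,
and IDs are random so they cannot be enumerated.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


class AuthorizationError(Exception):
    """Raised when a caller may not act on the requested account."""


@dataclass
class Account:
    account_id: str
    owner: str
    last_unlock_location: Optional[str] = None   # personal data the API exposed
    authorized_users: Set[str] = field(default_factory=set)


class VulnerableApi:
    """Authenticates the session but never authorizes the object (the bug)."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self._next_id = 1

    def _new_account_id(self) -> str:
        # Incremental IDs: knowing your own ID tells you everyone else's.
        account_id = str(self._next_id)
        self._next_id += 1
        return account_id

    def _authorize(self, session_user: Optional[str], account_id: str) -> Account:
        if session_user is None:
            raise AuthorizationError("login required")
        # BUG: no check that session_user owns account_id.
        return self.accounts[account_id]

    def create_account(self, owner: str) -> str:
        acct = Account(self._new_account_id(), owner)
        self.accounts[acct.account_id] = acct
        return acct.account_id

    def get_account(self, session_user: Optional[str], account_id: str) -> Account:
        return self._authorize(session_user, account_id)

    def add_authorized_user(self, session_user: Optional[str], account_id: str,
                            new_user: str) -> None:
        self._authorize(session_user, account_id).authorized_users.add(new_user)

    def record_unlock(self, session_user: Optional[str], account_id: str,
                      location: str) -> None:
        self._authorize(session_user, account_id).last_unlock_location = location


class HardenedApi(VulnerableApi):
    """Same endpoints, with object-level authorization and unguessable IDs."""

    def _new_account_id(self) -> str:
        # 128 bits of randomness: no sequence to walk.
        return secrets.token_urlsafe(16)

    def _authorize(self, session_user: Optional[str], account_id: str) -> Account:
        acct = self.accounts.get(account_id)
        # One error for "missing" and "not yours", so the response does not
        # reveal whether an ID exists.
        if session_user is None or acct is None or acct.owner != session_user:
            raise AuthorizationError("account not found")
        return acct


if __name__ == "__main__":
    api = VulnerableApi()
    alice, bob = api.create_account("alice"), api.create_account("bob")
    api.record_unlock("alice", alice, "constructed: 1 Example St")
    print("vulnerable:", api.get_account("bob", alice).last_unlock_location)
    fixed = HardenedApi()
    alice = fixed.create_account("alice")
    try:
        fixed.get_account("bob", alice)
    except AuthorizationError as exc:
        print("hardened:", exc)
```

The fix worth copying is the shape of `HardenedApi._authorize`: every endpoint that touches an account goes through one function that ties the object to the session, and the random ID is a second layer rather than the only defence. Unguessable IDs alone would not have helped here, because the article notes the IDs also travelled over plain HTTP.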
where do I sign up? (Score:2)
Where do they find these people? (Score:5, Insightful)
It's almost like hiring people straight out of college for pennies (or getting free interns) for your startup is a bad idea.
Re: (Score:3)
Re:Where do they find these people? (Score:4, Insightful)
Then they're just as dumb at being criminals. You still want to be in control of the data you're selling.
Re: (Score:2)
Re: (Score:3)
Not necessarily. They need plausible deniability when they start emptying out people's storage.
They should just go with it (Score:5, Funny)
Just make it a social networking program. You log in, everybody sees your data. They're already halfway to being Facebook. Social is where it's at. Nobody wants real security. They want companionship. This company could be perfectly positioned to combine a new kind of security with a new kind of social network. They could call it Social Security.
Re: (Score:1)
Re:They're vulnerable to bolt cutters (Score:5, Interesting)
It's worse than that - the guy on this youtube video [youtu.be] opens it with an adhesive gopro mount and a screwdriver.
end result of crowdfunding (Score:5, Insightful)
This is a very predictable result of crowdfunding. No need to demonstrate competence or experience in a market since your funders are even more ignorant.
Working to get venture capital serves a real purpose; now we see the result when that is bypassed.
Re: (Score:1)
Can you post a link to a VC that specializes in lock startups, maybe has some locksmiths and infosec guys on the board. And after you get VC funding, the VC firm audits your hardware/software right? And then has a 3rd party do another audit, right? All paid out-of-pocket by the VC, right?
Re:end result of crowdfunding (Score:5, Interesting)
Yeah, that is exactly how it works. An actual VC will have the money to hire an expert to review a company's product before investing.
Otherwise they would just be throwing money away at someone with a good marketing video... which is exactly what Kickstarter is.
Re:end result of crowdfunding (Score:4, Interesting)
This is a very predictable result of crowdfunding. No need to demonstrate competence or experience in a market since your funders are even more ignorant.
For what it's worth: one may regard that as a *feature* of crowdfunding. To tread new ground where no established company would have gone because established company 'knows' it wouldn't work (note the quotation marks). Or for whatever reason chose not to go there.
Sure that will produce lemons at times. Letting backers' money go to waste. But it can also produce surprises. Products that nobody thought possible. Or things that were possible, but deemed impractical or having no chance in the market.
Nobody said that backers shouldn't do their homework.
Re: (Score:2)
When you buy a product on a shelf, you're already crowdfunding, just after the fact. How many times have you looked up the founders' "competence or experience" when buying a lock at Home Depot? What difference does it make if I crowdfund the lock before it's made or after it's on a shelf?
Re: (Score:3)
What difference does it make if I crowdfund the lock before it's made or after it's on a shelf?
If you don't mind taking a gamble with your crowdfunding money, perhaps it doesn't make a difference.
If you do want some guarantee of value in exchange for your cash, OTOH, buying a product that's on the shelf gives you the option to research the product's quality before you part with your money, and also (usually) the option to return the product for a replacement or a refund if it turns out not to be suitable for purpose.
Re: (Score:2)
Never, it's a stupid question as the product already exists; I can judge the product on its merits or, in the case of very new products, on the recent quality of similar products by the firm. I've seen almost nothing as absurd as your claim that buying a released product is crowdfunding; it's certainly up there as one of the most self-contradictory statements I've seen.
Locks are useless (Score:2)
Re: (Score:2)
Re: Locks are useless (Score:1)
Don't stand, sit, hold me in your lap, stroke my hair, and call me pretty.
Re: (Score:2)
These are dreadful, but not as bad as locks of war.
Re: (Score:2)
Never knew about war's locks, but I once let slip its dogs.
Re:Locks are useless (Score:5, Funny)
Go search "Lockpicking lawyer" on Youtube. That guy shows how useless locks are, mechanical or digital.
Well, yes, but there are degrees of lawyer. Someone with the right resources can break probably most locks, but your usual criminal will go for the easiest option, which you just don't make be you. You don't have to run faster than the bear, you have to run faster than the man next to you also running away from the bear.
Re: (Score:2)
"degrees of lawyer"? What the hell am I on today..?
Re: (Score:2)
Whatever it is, can I have some, please?
Re: (Score:2)
Re: (Score:3)
Go search "Lockpicking lawyer" on Youtube. That guy shows how useless locks are, mechanical or digital.
Well, yes, but there are degrees of lawyer. Someone with the right resources can break probably most locks, but your usual criminal will go for the easiest option, which you just don't make be you. You don't have to run faster than the bear, you have to run faster than the man next to you also running away from the bear.
I was walking past a bike rack today and the local council had put up a sign saying "This is a known bike theft hotspot, secure your bike". I noted that most bikes had a chain with a standard combination lock on them. I recall that most of these locks can be "picked" simply by giving them a good whack with a rubber mallet (IIRC, the pins just fall out). You're better off with a decent padlock and length of chain which probably costs half as much as the combination locks. Of course these can be picked, but i
Re: (Score:1)
It's almost impossible to secure a bike against theft. No lock made will resist a portable battery-powered angle grinder. Even the best bike locks, made by the most reputable bike lock companies, which provide a guarantee against theft, will not honor their guarantee if a power tool is used. Such a tool can cut through even a hardened steel U-lock in seconds. Fast enough that the thief can ride off before anyone who hears the tool can react.
Bike theft in New York City is so bad that insurance companies won't
Re: (Score:3)
Re: (Score:1)
He's not a seasoned spinner. A decent group 1 will stop him cold.
There's some hero worship going on with the mod points and the posts. It isn't hard to find lockpickinglawyer picked up the hobby just a few years ago with the intent to copy bosnianbill's success. No judgement from me, but he is not an authority in the lockpicking field, let alone the greater security field, outside the youtube crowd.
Re: (Score:2)
Re:Locks are useless (Score:5, Informative)
Most commercial locks are only good for keeping honest people out. If someone really wants to get into a place and has the know-how, a lock is nothing more than a slight inconvenience.
Still I sleep better with a nice dead bolt and a chair against the door.
Re:Locks are useless (Score:5, Informative)
Some locks are for that. Others are designed to force the bad guy to make noise or hang around looking suspicious long enough to get caught. No lock is absolutely PROOF against unauthorized access.
Another purpose of a lock is to remove plausible deniability. It's hard to say you didn't know you were trespassing if you had to pick or break a lock to get in.
Same for safes. The crappy ones talk about how they keep people out with absolute security. The good ones talk about how long it will take the bad guy to get in (as they inevitably will if they're determined).
But locks that can be opened through actions indistinguishable from legitimate access are totally worthless.
Re: (Score:2)
Some locks are for that. Others are designed to force the bad guy to make noise or hang around looking suspicious long enough to get caught. No lock is absolutely PROOF against unauthorized access.
Sarin/polonium filled glass lock? :)
Re: (Score:2)
They'll still get in, they just won't enjoy it long if they didn't take precautions. :)
Re: (Score:2)
Step 1: Hire a homeless person to break the glass
Re: (Score:2)
Re: (Score:2)
This site seems to offer custom amounts. This model, [keyedalike.com] or several others. They even have combination locks with custom master keys.
Re: (Score:3)
Only to an extent. They aren't likely to do a comprehensive survey of the neighborhood. More likely they will look at your property and decide if the difficulty and risk is higher than they care for or not. If it is too high, THEN they move on.
Re: (Score:3)
Still I sleep better with a nice dead bolt and a chair against the door.
A good sized dog in the hallway works even better.
Re:Locks are useless (Score:4)
A good sized dog in the hallway works even better.
This is Truth. I read a study once that a home invader will most often be deterred by the sound of a dog of any size. With that being said, I believe they would be more "deterred" by the sound of a Rottweiler than a Chihuahua.
Re: (Score:2)
A good sized dog in the hallway works even better.
This is Truth. I read a study once that a home invader will most often be deterred by the sound of a dog of any size. With that being said, I believe they would be more "deterred" by the sound of a Rottweiler than a Chihuahua.
Criminals now often bait dogs.
Also there is no evidence that dogs will bark when criminals enter (in fact the evidence points to a trained dog not barking because they can't tell the difference between an owner and a criminal) and zero evidence that anyone else will act on a dog barking.
The dog defence is a complete waste of time (and enough dogs are mistreated as it is).
Re:Locks are useless (Score:4, Insightful)
If your dog isn't trained as an attack dog, a handful of treats will defeat him.
If he is trained as an attack dog, he's probably not safe to have around visitors, and a handgun will still easily defeat him.
Dogs are a terrible security investment. Compared to some good locks and an alarm system, they're expensive, time-consuming, easy to defeat, and your family is going to suffer a lot more emotional trauma if they get killed than they are if a camera gets smashed.
Re: (Score:2)
Dogs are a terrible security investment
That depends whether the visitor knows someone is at home or not.
If I know the householder is on holiday a dog will not deter me. Even an attack dog; they're easy to deal with, especially if I'm allowed to make noise.
If there's a chance the property isn't empty, knowing that even the tiniest dog is going to wake up every cunt in the house is a fine deterrent.
they're expensive, time-consuming, easy to defeat, and your family is going to suffer a lot more emotional trauma if they get killed
Sorry, you can use the cost argument or the emotional attachment one. They negate each other so you can't use both.
Re:Locks are useless (Score:5, Interesting)
I sort of agree, but as someone who owns a 95 pound pit-dane mix I think it's more complicated than that.
When we have a new person who will be in our house a lot, we have them give the dog a treat (including issuing the 'wait' command and then the release command to take the food) so that the dog sees them as being 'OK' and a food supplier.
That being said, a few of these people have a background fear of the dog due to his size and dominant personality, and the dog simply doesn't let them be; he continues to challenge them. I think it's because he senses their fear and it makes him skeptical of them.
When we've had unexpected people over (door-door types, etc) the dog is NUTS. Quite often the shadier the visitor, the MORE the dog is nuts. Call me crazy, but I think dogs can SMELL motivation/aggression. I think it's part of why cops have such trouble with dogs -- they simply project aggression and hostility and dogs react to that.
I think if someone broke into my house, it would take more than a handful of treats. I think the dog would be in full-on dominance mode and 95 pounds of dog is fucking scary no matter how bad-ass you are and most humans are going to have a fear response to that. Unless you can somehow overcome this and project a submission to the dog, at least at our house you're gonna have a bad time.
Maybe some kind of dog expert would defuse the situation easily, but your random hood thief isn't that. Shooting a dog will kind of work, but there's plenty of evidence that dogs don't fall over and die from wounding shots; they keep going until they can't. My neighbor is a cop and he says he has seen guys empty 9 mm pistols into dogs with limited effect. Part of it is an agitated dog is a tough target and results in superficial wounds, but part of it is that cornered animals don't quit. Plus if you are looking to steal laptops/tablets/jewelry and get in and out, you're not blazing away with a handgun at a dog.
Re: (Score:2)
I had a South African colleague who described her escalating security measures to me.
1. After a breakin through the window they upgraded security systems to include all the windows.
2. After a breakin through the roof and manway they upgraded security systems to include lasers in the roof and to include the manway cover.
3. After a breakin through the roof and through a hole drilled in the ceiling along with damaged security system they got 2 BIG dogs.
4. After a breakin where both dogs were killed they moved
Re: (Score:3)
Dogs can add to a security mix (with locks and other measures) in that they can make a house undesirable to rob. If you're a thief and you are presented with two houses - one with a deadbolt, security cameras, and a large dog, and the other with no deadbolt, cameras, or dog - then everything else being equal you'll go for the easier house. No security measure is 100% guaranteed. You just need to make yourself a less desirable target than everyone else.
Re: (Score:2)
You just need to make yourself a less desirable target than everyone else.
This is indeed the case. Sure, while criminals can shoot dogs and plan ahead for how to get away after firing gunshots, and how not to be hunted down even though they have committed a greater crime than just burglary, why should they? They didn't become burglars because they were excellent planners and executors, no matter what Hollywood movies try to tell you. They need valuables, most likely quickly, and a good chance of getting away with it. So if there are dozens of possible targets, why would they want to pick one with a dog, increasing their risks of being caught, being hurt, or not getting loot?
Never mind that most burglars are unarmed, and can't afford a gun and ammo. Being desperately broke is why most of them resort to breaking and entering in the first place.
Re: (Score:1)
There used to be a TV show called "It Takes A Thief", not the spy one. This one teamed a security expert up with an ex-thief. They arranged to break into people's houses to show them how bad their security was and then gave them a new security system, which the thief then tried to compromise.
He managed to defeat the "dog security system" every time by feeding them bacon. The ultimate insult was that after he emptied out the house he'd steal the dog.
It was a great show. Sometimes he'd have to break a cheap d
Re: (Score:2)
What? They don't have chairs where you're from?
Re:Locks are useless (Score:4, Informative)
Also, bosnianbill
Locks are not invincible. They can be bypassed, shimmed, bumped, picked, rapped, cut, pulled apart, melted, etc... However, all these attacks require a bit of skill and time, and can make noise, and make you appear suspicious.
Serious lock certifications usually grade the locks by how long it will take to defeat the lock; no one pretends a lock will never be defeated. In France, for example, the highest security level for residential door locks is 15 minutes for a well-equipped burglar. Level 1 (which is still considered good) is just 5 minutes with basic tools.
Re: (Score:2)
I've never seen a lock last more than a few seconds against a pick gun, without being immune to picking. And if you're willing to damage the door, just back a truck through it. Either way, nothing takes 15 minutes (unless we're talking about a safe or something).
Re: (Score:2, Insightful)
I've never seen a lock last more than a few seconds against a pick gun, without being immune to picking. And if you're willing to damage the door, just back a truck through it. Either way, nothing takes 15 minutes (unless we're talking about a safe or something).
I suspect that it would take quite a bit more than 15 minutes to get the truck up the stairs or into the 4-person elevator to get it in position for backing up through my front door.
I'm under no illusion about the safety of the lock. I know that someone who really wants in can get in. I have a concrete proof in that several years ago the guys from the fire department went into the neighboring apartment through the door and it took only a minute or two for them. I know it because they weren't interested in m
Re: (Score:1)
A typical modern house (in the US at least) is made of vinyl siding over chipboard backerboard with fiberglass insulation covered by drywall on a pine 2x4 frame.
You don't have to back a truck through the steel deadbolted security door. Just take a battery-powered Sawzall to the wall between the door and the windows. In most neighborhoods they won't even notice the 45 seconds it takes you to cut an opening.
Re: (Score:2)
I didn't say a pick gun works on everything, only that for locks which can be picked in any reasonable amount of time, a pick gun will get them in seconds. And if you're going to bash the lock in, again if you brought a big enough hammer, it's going to open in seconds, or you need to go back for a bigger hammer. 15 minutes seems a very strange amount of time here.
110010001000 is an error (Score:1)
Go search "Lockpicking lawyer" on Youtube. That guy shows how useless locks are, mechanical or digital.
if locks are useless then why is it that the vast majority of the world's storekeepers show up every morning to find that their goods have not been stolen in the night?
Clearly you are some sort of stupid automaton, incapable of registering actual reality in your brain
Re: (Score:1)
That and you’ll likely find that they have locks on their house despite proclaiming them to be worthless.
Re: 110010001000 is an error (Score:2)
That might have far more to do with alarm systems than locks.
Re: (Score:2)
And tons of houses have doors which they don't bother locking and never get robbed.
Re: (Score:2)
Locks are not about 100% security - nothing can accomplish that. No lock can secure a house, when a burglar can just smash a window.
The goal is to provide adequate security - any lock that requires lock picks already qualify. The locks that are easily defeated without actually picking the lock I deem inadequate - like one lock I saw that was "smart" and had fingerprint authentication. To defeat it, you jus
Those researchers are always so negative... (Score:1)
Come on give 'em a break, this company is still learning. Their next product will be SO much more secure!
Re: (Score:2)
There is usually even a handy plug if you'd like to use a quieter electric chainsaw but bring your wire detector with you so you know where to cut.
Wires are usually run a foot or so above the floor (less waste for connecting to outlets); just make sure you're not cutting near adjoining walls, or next to doors.
Re: (Score:2)
In my house, most of the wires run from the roof space down the studs to the outlets or switches. Very few wires run laterally.
Re: (Score:2)
Hmm, expensive use of copper, but I suppose bad advice for breaking into a house isn't a bad thing.
Re: (Score:2)
The wire would be cheaper than paying someone to drill a hole in every stud, fish the wire through every hole, and then install a protective steel plate in front of every hole.
Re: (Score:2)
Nah, that's what the guy standing around with his hands down his pants is for, and around here you don't need the plate (depending on the dist of the hole to the stud).
Re: (Score:1)
So your house is completely unlocked and has no doors or windows?
Yes, a determined criminal can break into virtually any house, but it’s well proven that most will avoid breaking into houses that even have something as simple as a home security sign in front (even if fake) since it’s not worth the chance of being caught versus a house that looks completely unguarded.
Re: (Score:2)
Bollocks. Most thefts are opportunity based and a shitty tablet may not be worth much but hit 2-3 houses a day and that's your drug fix sorted.
Re: (Score:2)
A decent number of thefts are, in fact, essentially random, committed by drug addicts trying to get precisely those sorts of commodity items that won't look suspicious when they take them into a pawn shop to trade for cash to buy drugs.
Their web site doesn't have an about page (Score:1)
What is the company's association with Microsoft? With this type of security, there just has to be.
Re: (Score:1)
That's an unfair blow; Microsoft greatly improved their security so that it's up to "average" now. (Either that, or everyone else got more sucky; can't tell.)
Re: (Score:1)
This has to be lawsuit material... (Score:2)
If there were ever a product that was defective and incapable of working in its intended capacity, this is it.
How rubbish is a justice system if it can't slap the everloving crap out of this company?
Re: (Score:3)
Failing the above then the justice system would be rubbish if it did anything to this company just because a bunch of people bought the product without understanding the risk of not
Re: (Score:1)
Incompetence doesn't protect you from all legal liability. Though it will sometimes lessen the punishment compared to outright maliciousness.
From the people who brought you Juicero and Bodega (Score:4, Insightful)
Engineering by the cheapest amateurs available (Score:2)
This is just pathetic. While I do not like the idea of requiring an engineering certification for work like this very much, it seems we need it to remove said certification from the utter and complete fuckups that create atrocities like this one.
Or you could just ... (Score:4, Informative)
You are breaking the law by opening the lock (Score:2)
Is it impossible to make a "smart lock" secure? (Score:1)
Or is it just impossible to find someone ethical enough to be trusted to make smart locks?
Lock are not to lockout PRO (Score:2)
And there is JerryRigEverything's teardown... (Score:2)