The 'World's Worst' Smart Padlock Is Even Worse Than Previously Thought (sophos.com)
2018-06-18
Last week, cybersecurity company Pen Test Partners managed to unlock Tapplock's smart padlock within two seconds. They "found that the actual code and digital authentication methods for the lock were basically nonexistent," reports The Verge. "All someone would need to unlock the lock is its Bluetooth Low Energy MAC address, which the lock itself broadcasts." The company also managed to snap the lock with a pair of 12-inch bolt cutters.
Today, Naked Security reports that it gets much worse: "Tapplock's cloud-based administration tools were as vulnerable as the lock, as Greek security researcher Vangelis Stykas found out very rapidly." From the report: Stykas found that once you'd logged into one Tapplock account, you were effectively authenticated to access anyone else's Tapplock account, as long as you knew their account ID. You could easily sniff out account IDs because Tapplock was too lazy to use HTTPS (secure web connections) for connections back to home base -- but you didn't really need to bother, because account IDs were apparently just incremental IDs anyway, like house numbers on most streets. As a result, Stykas could not only add himself as an authorized user to anyone else's lock, but also read out personal information from that person's account, including the last location (if known) where the Tapplock was opened.
Incredibly, Tapplock's back-end system would not only let him open other people's locks using the official app, but also tell him where to find the locks he could now open! Of course, this gave him an unlocking speed advantage over Pen Test Partners -- by using the official app Stykas needed just 0.8 seconds to open a lock, instead of the sluggish two seconds needed by the lock-cracking app.
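The back-end flaw described above is a missing object-level authorization check: the server verified that the caller was logged in, but never that the requested account belonged to the caller, and sequential account IDs made every other account trivially enumerable. The following is an added illustration, not Tapplock's code, that models the pattern in a small in-memory API and places the hardened handler beside it. The session tokens, account records, field names and the `Forbidden` exception are all constructed for the example.

```python
"""Added illustration (not Tapplock's code): an API handler that authenticates
but never authorizes, beside the fixed version that checks account ownership.

Assumptions (constructed for this example, not taken from the article): a
session token maps to a user name, each account has an owner, a lock list and a
last-known location, and requests name an account by id.
"""
import secrets

# Constructed sample data: two users, one account each. Account ids are small
# sequential integers, as the article says Tapplock's were.
ACCOUNTS = {
    1001: {"owner": "alice", "locks": ["lock-A"], "last_opened_at": "home"},
    1002: {"owner": "bob", "locks": ["lock-B"], "last_opened_at": "office"},
}
SESSIONS = {"token-alice": "alice", "token-bob": "bob"}


class Forbidden(Exception):
    """Raised when a request is not permitted (unknown session or foreign account)."""


def current_user(token):
    """Authentication only: which user holds this session token?"""
    try:
        return SESSIONS[token]
    except KeyError:
        raise Forbidden("not logged in")


def get_account_vulnerable(token, account_id):
    """The pattern the article describes: the handler checks that the caller is
    logged in, then returns whatever account id was asked for. Any logged-in
    user can read (and, in the real case, modify) any other account."""
    current_user(token)  # proves the caller has *some* session, nothing more
    return ACCOUNTS[account_id]


def get_account_fixed(token, account_id):
    """Object-level authorization: after authenticating, confirm the requested
    account belongs to the caller before returning anything from it."""
    user = current_user(token)
    account = ACCOUNTS.get(account_id)
    # Same error for 'does not exist' and 'not yours', so the endpoint does not
    # confirm which account ids are valid.
    if account is None or account["owner"] != user:
        raise Forbidden("no such account")
    return account


def add_authorized_user_fixed(token, account_id, lock_id, new_user):
    """Write paths need the same ownership check; knowing an id is not authority.
    Returns the sorted list of users the lock is now shared with."""
    account = get_account_fixed(token, account_id)
    if lock_id not in account["locks"]:
        raise Forbidden("no such lock")
    shared = account.setdefault("shared_with", {}).setdefault(lock_id, set())
    shared.add(new_user)
    return sorted(shared)


def new_account_id():
    """Unguessable account identifiers stop the 'house numbers' enumeration the
    article mentions. Defence in depth only: the ownership check above is what
    actually closes the hole."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    # Bob, logged in as himself, reads Alice's last location via the vulnerable path...
    print("vulnerable path:", get_account_vulnerable("token-bob", 1001)["last_opened_at"])
    # ...and is refused by the fixed path.
    try:
        get_account_fixed("token-bob", 1001)
    except Forbidden as exc:
        print("fixed path:", exc)
```

The essential difference is one comparison: `account["owner"] != user`. Random identifiers help against enumeration but would not have saved a design that hands out any record a caller names; the authorization check has to live on the server, on every read and write path.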
where do I sign up? (Score:2)
Where do they find these people? (Score:3)
It's almost like hiring people straight out of college for pennies (or getting free interns) for your startup is a bad idea.
Then they're just as dumb at being criminals. You still want to be in control of the data you're selling.
Not necessarily. They need plausible deniability when they start emptying out people's storage.
I'm sure this was a rhetorical question. (Score:1)
They should just go with it (Score:5, Funny)
Just make it a social networking program. You log in, everybody sees your data. They're already halfway to being FaceBook. Social is where it's at. Nobody wants real security. They want companionship. This company could be perfectly positioned to combine a new kind of security with a new kind of social network. They could call it Social Security.
It's worse than that - the guy on this youtube video [youtu.be] opens it with an adhesive gopro mount and a screwdriver.
end result of crowdfunding (Score:2)
This is a very predictable result of crowdfunding. No need to demonstrate competence or experience in a market since your funders are even more ignorant.
Working to get venture capital serves a real purpose; now we see the result when that is bypassed.
Can you post a link to a VC that specializes in lock startups, maybe has some locksmiths and infosec guys on the board. And after you get VC funding, the VC firm audits your hardware/software right? And then has a 3rd party do another audit, right? All paid out-of-pocket by the VC, right?
This is a very predictable result of crowdfunding. No need to demonstrate competence or experience in a market since your funders are even more ignorant.
For what it's worth: one may regard that as a *feature* of crowdfunding. To tread new ground where no established company would have gone because established company 'knows' it wouldn't work (note the quotation marks). Or for whatever reason chose not to go there.
Sure that will produce lemons at times. Letting backers' money go to waste. But it can also produce surprises. Products that nobody thought possible. Or things that were possible, but deemed impractical or having no chance in the market.
When you buy a product on a shelf, you're already crowdfunding, just after the fact. How many times have you looked up the founders' "competence or experience" when buying a lock at Home Depot? What difference does it make if I crowdfund the lock before it's made or after it's on a shelf?
What difference does it make if I crowdfund the lock before it's made or after it's on a shelf?
If you don't mind taking a gamble with your crowdfunding money, perhaps it doesn't make a difference.
If you do want some guarantee of value in exchange for your cash, OTOH, buying a product that's on the shelf gives you the option to research the product's quality before you part with your money, and also (usually) the option to return the product for a replacement or a refund if it turns out not to be suitable for purpose.
Locks are useless (Score:2)
These are dreadful, but not as bad as locks of war.
Go search "Lockpicking lawyer" on Youtube. That guy shows how useless locks are, mechanical or digital.
Well, yes, but there are degrees of lawyer. Someone with the right resources can break probably most locks, but your usual criminal will go for the easiest option, which you just don't make be you. You don't have to run faster than the bear, you have to run faster than the man next to you also running away from the bear.
"degrees of lawyer"? What the hell am I on today..?
Whatever it is, can I have some, please?
Re:Locks are useless (Score:4)
Most commercial locks are only good for keeping honest people out. If someone really wants to get into a place and has the know how, a lock is nothing more than a slight inconvenience.
Still I sleep better with a nice dead bolt and a chair against the door.
Re:Locks are useless (Score:5, Informative)
Some locks are for that. Others are designed to force the bad guy to make noise or hang around looking suspicious long enough to get caught. No lock is absolutely PROOF against unauthorized access.
Another purpose of a lock is to remove plausible deniability. It's hard to say you didn't know you were trespassing if you had to pick or break a lock to get in.
Same for safes. The crappy ones talk about how they keep people out with absolute security. The good ones talk about how long it will take the bad guy to get in (as they inevitably will if they're determined).
But locks that can be opened through actions indistinguishable from legitimate access are totally worthless.
Some locks are for that. Others are designed to force the bad guy to make noise or hang around looking suspicious long enough to get caught. No lock is absolutely PROOF against unauthorized access.
Sarin/polonium filled glass lock?
:)
They'll still get in, they just won't enjoy it long if they didn't take precautions.
:)
Still I sleep better with a nice dead bolt and a chair against the door.
A good sized dog in the hallway works even better.
Re: (Score:3)
A good sized dog in the hallway works even better.
This is Truth. I read a study once that a home invader will most often be deterred by the sound of a dog of any size. With that being said, I believe they would be more "deterred" by the sound of a Rottweiler than a Chihuahua.
Re: (Score:3)
Also, bosnianbill
Locks are not invincible. They can be bypassed, shimmed, bumped, picked, rapped, cut, pulled apart, melted, etc... However, all these attacks require a bit of skill and time, and can make noise, and make you appear suspicious.
Serious lock certifications usually grade the locks by how long it will take to defeat the lock, no one pretends a lock will never be defeated. In France for example, the highest security level for residential door locks is 15 minutes for a well equipped burglar. Level
110010001000 is an error (Score:1)
Go search "Lockpicking lawyer" on Youtube. That guy shows how useless locks are, mechanical or digital.
if locks are useless then why is it that the vast majority of the world's storekeepers show up every morning to find that their goods have not been stolen in the night?
Clearly you are some sort of stupid automaton, incapable of registering actual reality in your brain
That and you’ll likely find that they have locks on their house despite proclaiming them to be worthless.
Re: 110010001000 is an error (Score:2)
That might have far more to do with alarm systems than locks.
Those researchers are always so negative... (Score:1)
Come on give 'em a break, this company is still learning. Their next product will be SO much more secure!
There is usually even a handy plug if you'd like to use a quieter electric chainsaw but bring your wire detector with you so you know where to cut.
Wires are usually run a foot or so above the floor (less waste for connecting to outlets), just make sure you're not cutting near conjoining walls, or next to doors.
In my house, most of the wires run from the roof space down the studs to the outlets or switches. Very few wires run laterally.
So your house is completely unlocked and has no doors or windows?
Yes, a determined criminal can break into virtually any house, but it’s well proven that most will avoid breaking into houses that even have something as simple as a home security sign in front (even if fake) since it’s not worth the chance of being caught versus a house that looks completely unguarded.
Their web site doesn't have an about page (Score:1)
What is the company's association with Microsoft? With this type of security, there just has to be.
That's an unfair blow, Microsoft greatly improved their security so that it's up to "average" now. (Either that, or everyone else got more sucky, can't tell.)
This has to be lawsuit material... (Score:2)
If there were ever a product that was defective and incapable of working in its intended capacity, this is it.
How rubbish is a justice system if it can't slap the everloving crap out of this company?
From the people who brought you Juicero and Bodega (Score:2)
Engineering by the cheapest amateurs available (Score:2)
This is just pathetic. While I do not like the idea of requiring an engineering certification for work like this very much, it seems we need it to remove said certification from the utter and complete fuckups that create atrocities like this one.
Or you could just ... (Score:3)
