cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
rslade
Influencer II

Tapplock

It's been many years in design, and two years in the making, but you can finally buy the world's first digital, biometric padlock.  You can open it with your fingerprint in less than a second.  (You and, potentially, 500 of your friends and family.)  (Or anyone to whom you give the code and an app.)  And, at the moment, the Website is showing 15% off!

 

Of course, there are a few problems.

 

Well, to be honest, practically a whole seminar on stupid security design full of problems.

 

First off, it's made of an aluminum alloy.  Not exactly a big challenge for bolt cutters.

 

Then there's the fact that, unlike just about any other padlock, there's nothing on the lock arm to prevent shimming it open.

 

Oh, and you can also unscrew the back and take it apart to unlock it.  (Well, maybe that unit was defective.)

 

But there are a few more problems.  The code you can give to a friend?  It's the same one.  Every time.  Standard static password.  (Oh, and no revocations-ees.)  And it's broadcast from the app to the phone.  And it's the same every time.  (Replay attack, anyone?)

 

And how does it generate the code?  Randomly?  Well, not exactly.  It's derived, in a not-terribly sophisticated way, from the MAC address.

 

But all of that is actually overkill.  It turns out, if you can open one Tapplock, you can open 'em all.  Or, rather, once you have an account for the app, apparently you can access, and modify, any other Tapplock account.  So you can open any other Tapplock.  And if you can't find one nearby, the system will tell you where a given lock was last unlocked.  (Which might be something of an indication of where it is, yes?)


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
7 Replies
TimG
Newcomer III

Yeah - saw that. It took Pen Test Partners about an hour to write a mobile app that would open any Tapplock in 2 seconds. They did the responsible disclosure bit first but the manufacturer hasn't exactly leapt to the protection of its customers from what I saw.

If you really want to lock something up, then use some serious metal bearing the stamp of a recognised standards testing body. Or get a large dog with a personality disorder...

 

4d4m
Newcomer III

Been following this one too... I wonder how many more #IoTofTat devices we will see coming along... lots no doubt?

 

I saw someone demonstrating root access to a s*x t*y that had a camera at a show recently, all over wireless. Again, static credentials the same on all devices and interestingly they cannot be changed, no option to do that.

 

People have been given Bluetooth, Wi-Fi, very small OS footprint, and the ability to mount it in everyday devices, but have forgotten about the security.

 

Standards and enforcement required maybe?

 

Adam

rslade
Influencer II

Yeah, heard about the s*x t*y.  And various others.

 

I've been doing a presentation at conferences called "Hell No Barbie," using the Hello Barbie (and other toys) to introduce the huge variety of security issues around IoT.  I've started asking people for their favorite "stupid device to connect to the Internet."  The s*x t*y is right up there, but my current favorite is a wifi enabled sniper rifle.  (Well, technically, scope.)

 

(I didn't figure on IoT being the big point of the Tapplock example; I thought more in terms of failure of design.)


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
Shannon
Community Champion

To conclude, let's agree that Security is inversely proportional to Accessibility --- this lock being no exception.

 

Unfortunately, not everyone respects this, and that's something vendors usually capitalize on. Someone who wants to be seen as 'trendy' might go in for this product without considering the risks and the vendor may not be obligated to tell him / her about these --- assuming the vendor is even aware of them.

 

 

 

 

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
4d4m
Newcomer III

Sounds like an interesting talk!

 

Good point on IoT, I bet they will be working on a lock that can be accessed from anywhere...

 

#LoNoTat Local Network of Tat

 

Adam

CISOScott
Community Champion

Nice write up. I wonder if they just want to keep out the borderline honest thieves or opportunistic thieves. Like anything else, if you have a dedicated attacker they will achieve their goal, a motivated attacker will probably achieve their goal, a disinterested attacker may not spend much time to spend on achieving their goal and the opportunistic attacker may be deterred.

Just like bike locks, if you have a $1500 bike secured with a $200 lock to a piece of bent steel that is only cemented into the ground, a good thief won't try to break the lock, they will just cut the cheap steel that the lock is securing the bike to. Then they can make off with the bike and lock and break it somewhere else at their time and convenience. Grinding wheels are cheap, a grinder can be had for under $30 dollars. Like anything else with enough time and pressure (grinding) you can get through almost anything.

4d4m
Newcomer III

In that case I think the marketing department need to avoid saying things like "unbreakable" and not bother mentioning anti-shim capabilities. It does come across as very secure on the website. But you are right, need to select the appropriate security for the job!

 

We had some word based combination locks that claimed to be amazingly uncrack-able, but I did crack them in minutes (and not by guessing the combo).

 

Adam