The U.S. Federal Trade Commission (FTC) has taken formal action against Tapplock over its lax security practices and misleading marketing. Tapplock is best known as a maker of biometric padlocks. The locks use fingerprint recognition and can be paired with a smartphone app that lets users open their Tapplocks once they are within Bluetooth range.
The crux of the FTC’s complaint is that the locks are not nearly as secure as advertised. Though Tapplock boasted that its products have an “unbreakable design,” the independent security researchers whose findings the complaint cites showed that the locks were in fact quite vulnerable, from both a hardware and a software perspective. For example, one researcher was able to open the lock simply by unscrewing the back panel.
There were also several gaping security flaws in the API behind Tapplock’s app. Researchers were able to bypass its authentication checks and gain full access to every user account, including the personal information stored in it. To make matters worse, the Bluetooth traffic between the lock and the app was unencrypted, so an attacker within range could recover the information needed to unlock any nearby Tapplock. A further flaw meant that once an owner had shared access to a lock with another user, that access could not be effectively revoked.
Given the scope of the issues, the FTC’s complaint concludes that Tapplock’s smart locks were so weak that marketing them as a reliable security product was fundamentally misleading. The two sides have now reached a settlement that bars Tapplock from making such deceptive claims about its devices and requires the company to implement a comprehensive security program. Tapplock must also obtain independent third-party assessments of that program every two years, and a senior corporate officer must certify the company’s compliance annually.
In the meantime, the FTC suggested that Tapplock could have avoided the problem had it followed basic secure-development practices. The commission advises other companies to build security and authentication into the design of their products from the earliest stages, and to test those products rigorously before releasing them to market.
April 13, 2020 – by Eric Weiss