Remember Tapplock, the 'unbreakable' smart lock that was allergic to screwdrivers? The FTC just slapped it down for 'deceiving' folks

The manufacturer that claimed its Bluetooth-connected fingerprint-reading smart lock was “unbreakable,” only to find it being opened in seconds by someone armed with nothing more than a mount and a screwdriver, has been slapped down by a US watchdog. Tapplock “did not take reasonable measures to secure its locks, or take …

  1. Giles C Bronze badge

    Well....

    The Mk1 could be opened with a screwdriver and a bit of work

    The Mk2 can be opened with a magnet

    Will the Mk3 need just a hard scare.

    Most locks would be more secure with each new version, this seems to be getting weaker?

    1. The Man Who Fell To Earth Silver badge
      Devil

      Re: Well....

      Given that kids are becoming less and less mechanically inclined due to thinking "tech savvy" means working a phone, the old locks with keys are getting more secure each day without doing anything.

      1. DiViDeD Silver badge

        Re: thinking "tech savvy" means working a phone

        Maybe our dependence on "hands off" technology leads us to so overcomplicate our solution that we forget how uncomplicated the problem can be, as illustrated in this fine vintage example of an obligatory xkcd

        1. John Miles

          Re: thinking "tech savvy" means working a phone

          Another one relevant to over complicating things - xkcd: I'm An Idiot

      2. Anonymous Coward
        Anonymous Coward

        Re: Well....

        This is not even a joke. Two brothers were unable to open doors to our houses. :(

    2. Smooth Newt Silver badge
      Meh

      Re: Well....

      The real problem is that security is actually very hard indeed. It is even harder than safety critical systems, since a secure system has to defend against an intelligent, resourceful attacker who can try time and time again, whilst a safety critical one only has to defend against bad luck or an idiot.

      Unless you put a lot of time, effort and experience into design and testing then the result will generally be disappointing. Having said that, the majority of padlocks on the market are only nominally secure, because they are mostly only used to deter opportunist thieves, and this one is no different. Youtube is full of videos of people easily defeating padlocks - either by force or by circumventing the locking mechanism. e.g. this, this and this

      If you need to spend $100 on a lock for it, then you don't want a padlock.

      1. Kevin Johnston Silver badge

        Re: Well....

        As a follow on from that, consider the value of the item(s) it is intended to protect. You could easily end up in the position where the lock system is worth more than what it is protecting

        1. John Brown (no body) Silver badge

          Re: Well....

          I remember a Jasper Carrott sketch where he commented on Woolworths having 5 grand's worth of CCTV protecting 20 quid's worth of Pick'n'Mix.

          (Maybe that was the start of their downfall?)

        2. Rol Silver badge

          Re: Well....

          So that's why 10 Downing Street has no lock.

          1. Anonymous Coward
            Anonymous Coward

            Re: Well....

            I remember being told about a branch of a bank in Scotland. They did not need to bother with security during the day.

            As the few mile long road into and out of the area meant you knew of anyone trying to raid you, and if they tried to escape, it would take a tad bit longer than the cops showing up at the only exit would!

      2. JimboSmith Silver badge

        Re: Well....

        The real problem is that security is actually very hard indeed. It is even harder than safety critical systems, since a secure system has to defend against an intelligent, resourceful attacker who can try time and time again, whilst a safety critical one only has to defend against bad luck or an idiot.

        One company who a previous employer used for one of their software progs had a very lax password rule. It could be just one character if you wanted but not blank. This was for access to company proprietary information that would have been invaluable to competitors. Another security hole was that your password was used to access the program. Then once in you could access any of the databases in the correct folder. So you could purloin a database from a rival company and access it from your copy of the program. I pointed this out and was told it would be hard to replicate in the real world. I was told about the security on the entry to the room and how difficult it was to enter.

        Then they pointed out that even if you got into the room the racks and the drives were secured by good locks. I said you didn't need to breach any of that and anyway it just prevented physical damage. To get hold of the seriously valuable data you just copied the databases from the server to your desktop. From there you just burned them onto a CD-R. Doing it that way as opposed to directly off the server helped avoid detection. Again I was told the risk was low which worried me.

        Conversely the code to authenticate and license the damn thing was about twenty characters. It required reading your multi character code down the phone to the lady at head office. She'd input that into her machine and give you another code to input (this was at the dawn of the internet). All this had to be done quite quickly as your machine would generate a new code every minute or two. If that happened you had to start again. Painful wasn't the word for it.

        1. Wellyboot Silver badge

          Re: Well....

          Relative importance !

          Making sure every running copy is paid for - #1

          Customer data security... meh

          1. JimboSmith Silver badge

            Re: Well....

            I think you're right and I mentioned this when phoning to keep our license valid. I was told I was very wrong but there wasn't conviction in her voice. I was much more concerned by my company's response. They had the clout and could have kicked up a fuss.

          2. Crypto Monad

            Re: Well....

            And another xkcd: relative importance.

    3. This post has been deleted by its author

    4. Fungus Bob Silver badge

      Re: Well....

      "Most locks would be more secure with each new version, this seems to be getting weaker?"

      Progress

  2. Stuart Halliday
    Facepalm

    Just playing at being grownups....

    1. jake Silver badge

      Objection.

      Assumes facts not in evidence.

  3. Scott 1

    Great Youtube Channel

    Nice that you embedded a video from the Lockpicking Lawyer. It's a great channel.

    1. eldakka Silver badge
      Happy

      Re: Great Youtube Channel

      Except for the fact it sent me down a 3 hour rabbit warren of LockPicking Lawyers lockpicking!

      1. Totally not a Cylon

        Re: Great Youtube Channel

        Have you got to where he opens electronic safes with a fork?

        1. Kane Silver badge
          Thumb Up

          Re: Great Youtube Channel

          More importantly, his April Fool's special for this year?

          1. Blofeld's Cat Silver badge
            Thumb Up

            Re: Great Youtube Channel

            Worth checking out the ones from previous years as well

      2. Anonymous Coward
        Anonymous Coward

        Re: Great Youtube Channel

        Only 3?!

  4. mevets

    quel surprise

    In most of that country they don't lock their doors; it's a bit like buying Alaskan air conditioners.

    1. redpawn Silver badge

      Re: quel surprise

      They need them now, didn't used to before global warming.

    2. jake Silver badge

      Re: quel surprise

      "a bit like buying Alaskan air conditioners"

      Almost mandatory, then?

      My brother made quite a decent living selling and maintaining refrigeration and HVAC systems in Fairbanks. When weather is as extreme as they get there, maintaining nicely conditioned indoor air isn't quite as easy as it is in a more Mediterranean climate.

  5. Anonymous Coward
    Anonymous Coward

    So..

    .. it's an open and shut case then, but the shutting didn't work so well :).

    Lock security is hard. First of all it's never an absolute, it's about delaying someone long enough for them to give up or be caught so you have to decide right there on a cost/benefit point, keeping in mind that you still have to keep the price low enough that someone will actually buy it (although this has "hipster" written all over it). Next, the world is full of people who will be at least as clever as you so you're fighting an uphill battle anyway.

    I feel sorry for them. I liked the idea, but yeah, you have to involve some people who break things for a living IMHO, and I'm not even sure that is enough.

  6. Andy Non Silver badge
    FAIL

    Don't think padlocks are very secure in general

    I put an expensive heavy duty padlock and clasp on my elderly father's garage for him. It looked very secure. However, when he died a few years later I found myself without a key to get into said garage. I found an old pick (the ground digging type) and within around 30 seconds and some brute force and leverage managed to break the lock gaining entry.

    Since then I regard all padlocks as more of a visible deterrent than a real one. They may deter a casual opportunist thief such as your average druggy, but certainly not someone "going equipped" as the police call it.

    1. Doctor Syntax Silver badge

      Re: Don't think padlocks are very secure in general

      "managed to break the lock gaining entry"

      Even if the lock didn't break you'd have eventually broken whatever it was attached to. Building a securely locked vault starts with a securely built vault.

      1. Anonymous Coward
        Anonymous Coward

        Re: Don't think padlocks are very secure in general

        Building a securely locked vault starts with a securely built vault.

        I remember the story of a physical intrusion testing team going into a company, with the target being their secure records room. They made it to the door of the room - steel door, keypad access. Very nice. Mounted in a plasterboard wall...

        The team member simply punched a hole in the wall, opened the door by turning the inside handle, and put generic safety-awareness stickers over the holes.

        1. Jellied Eel Silver badge

          Re: Don't think padlocks are very secure in general

          They made it to the door of the room - steel door, keypad access. Very nice. Mounted in a plasterboard wall...

          Depressingly common. See also building secure rooms on top of suspended floors. Lift floor tile(s) outside using a pair of screwdrivers, pop up inside room. This method was eventually defeated in one popular UK shared datacentre due to the amount of cable underfloor creating a barrier to entry. Rumors of net eng's playing tunnel rat whilst bored can neither be confirmed nor denied.

        2. Stuart Castle Silver badge

          Re: Don't think padlocks are very secure in general

          I know of a company that moved some of its operations into a very nice, state of the art, custom designed building (they were involved in all aspects of the design).

          My friend's department needed to store some valuable equipment, and they were given access to some cages on one of the corridors in the basement, near their office. My friend queried the lack of CCTV, and was told that it wasn't needed, as all doors to that corridor had swipe card access, and the cages were secure anyway.

          The problem was that hundreds of staff members had access to that corridor, most didn't need it, but had it anyway due to a misconfiguration of the door access system. Even without that, it was entirely possible for a staff member to give their swipe card to a friend as there was no ID checking beyond the swipe card.

          So, one day, my friend came in to find that someone had broken into a couple of the cages, stealing > 10 thousand pounds worth of equipment. It turns out they'd actually (stupidly) used their own ID card, and a decent pair of bolt cutters to get into the cages.

          In that case, the police did actually catch and charge the person, but criticised the company heavily for having no CCTV in the area. The new cameras are now stored in a very heavily secured room, with heavily restricted access, and CCTV everywhere.

  7. Anonymous Coward
    Anonymous Coward

    Another in a long line of companies that unwisely decided to use the 'unbreakable security' marketing line.

    Nothing like a red rag to a bull.

  8. TheProf Silver badge

    IRL

    I wonder how well the 'one simple magnet trick' works when the padlock is actually locking something.

    In the video the magnet is freely swept up over the locking loop. How's that going to happen when the hand holding the magnet keeps colliding with a locked hasp?

    1. John Brown (no body) Silver badge

      Re: IRL

      ...and he specified a STRONG magnet costing about $25, so it'll keep sticking too.

      I've no doubt the "hack" will still work, but it might take a bit longer.

      1. Version 1.0 Silver badge

        Re: IRL

        You can get the same strength magnet out of a decent hard drive.

  9. Terry 6 Silver badge

    Tech aside

    It sounds as if they went full out to design a product that worked in a certain way. But didn't bother much to see whether it could be circumvented and/or (ab)used in a different way.

  10. Jaspa
    Pint

    Someone had to ....

    Tapplock or "Tap tap tap unlock?"

    Sorry, I'm furloughed and really bored

    Icon as I could see a cold one off in a few gulps at the moment.

  11. James O'Shea

    hmmm..

    Q1: how tough is the metal loop on the lock? Related q: how tough is whatever the lock is used to lock? A good bolt-cutter or a heavy hammer would work wonders.

    Q2: how good is the fingerprint reader? Fingerprint readers on cell phones can be fooled, with a bit of effort. How does it deal with extreme heat or cold? Some of these locks would be outside, exposed to the elements. They're gonna get hot, they're gonna get cold, how do they react? What happens when your finger touches the fingerprint reader that's been outside when the temp hits 100F, which it has around here in summer? What happens when your finger touches the fingerprint reader that's been outside when the temp hits -30F, which doesn't happen here, thank Christ, but which does happen in the Wilds of Northern Minnesota, where my insane sister lives. (It gets hotter than Florida and temps of lower than -40F(or C, same thing) have been recorded. Why anyone lives there is beyond me. It could be worse. It could be Canukistan. I have an insane cousin in Alberta.)

    Q3: in these, Ye Years of Ye Plague, how resistant is it to cleaning agents, ranging from plain water to isopropyl alcohol to bleach? You are, after all, _supposed_ to touch it with your bare hand... A lot of electronics doesn't take kindly to liquids...

    Q4: it uses Bluetooth. Apparently at least one BT hack has already been found, and an incredibly stupid one: they used the BT MAC to generate the key. One wonders what other BT vulnerabilities lurk.

    1. jake Silver badge

      Re: hmmm..

      To be fair, why anyone would intentionally live anywhere East of the Rockies is beyond me. There are even parts of Canada that are worth living in on the left side of the Rockies ... The Okanagan comes to mind.

      1. Montreal Sean

        Re: hmmm..

        @Jake

        Because Montreal is an amazing place to live, and it's well east of the Rockies. :)

        1. jake Silver badge
          Pint

          Re: hmmm..

          Shirley you mean Montréal? Isn't that one of those benighted places that thinks the French should still be in charge? It's a nice place to visit[0], but there is no way I'd want to live there. For one, you only have two seasons, winter and mosquito ... I need at least four. (Here in Northern California we have four: summer, fire, mudslide and earthquake. Sometimes all on the same day.)

          Ah, well. Vive la différence? This round's on me.

          [0] Especially if the Sharks are playing the Canadiens and I have tickets ... In my experience the locals are very tolerant of out-of-town sports fans, even us left-coasties, once they discover some of us actually know something about hockey.

    2. Shooter

      Re: hmmm..

      "Q1: how tough is the metal loop on the lock? Related q: how tough is whatever the lock is used to lock? A good bolt-cutter or a heavy hammer would work wonders."

      The linked article discusses the shortcomings of the metal used for the lock.

      https://www.theregister.co.uk/2018/06/15/taplock_broken_screwdriver/

  12. Mike 137 Silver badge

    Tap[p]lock

    Well named. Just belt it with a mallet...

    The original could be broken that way anyway.

  13. Duffaboy
    Pirate

    Nothing is secure

    By design there is always a work around to defeat any type of security as this lets the manufacturers in for testing. What they hope for is that this is never leaked or discovered and it keeps the opportunist out, anyone determined to get in will.

    1. jake Silver badge

      Re: Nothing is secure

      Uh, no.

      That word "always" doesn't mean what you think it means.

      There is a large difference between consumer-grade tat and more important hardware.

      Most reputable manufacturers have figured out that security by obscurity is a bad idea.

  14. Starace
    Devil

    Buy a proper padlock

    *Looks at solid closed shackle Ingersoll 10-lever padlock*

    A proper lock isn't cheap, but you won't get it open easily. The really good ones are built to take serious attacks and have some expensive lock cores in them.

    1. Anonymous Coward
      Anonymous Coward

      Re: Buy a proper padlock

      I don't think there are many locks LPL cannot open in less than 60 seconds. The amount that "defeated" them are probably countable on 1 hand.

      That's an expert though. So just decide how valuable or desirable the item you are locking is.

  15. TeeCee Gold badge
    Facepalm

    "...naming a specific employee to be in charge of its new security program..."

    "Congratulations Ted, you're being promoted!"

    "Great news. What's my new job title?"

    "Shit Magnet".

  16. ElectricPics

    Locks only keep honest people out anyway. To the rest they're just a hindrance.

  17. Giovani Tapini Silver badge
    Boffin

    Unlike a normal lock

    Defeat of this lock gives you more than the things it locked... That's got to be 10/10 for reverse engineering psychology!

    Now I'm left wondering if you open it the intended way, do you get less than you start with?

  18. onebignerd

    The hubris of man will not die.


Biting the hand that feeds IT © 1998–2020