Easy-to-pick “smart” locks gush personal data, FTC finds, Ars Technica

you had one job –

Fancy anti-pry technology? Sure, maybe. Secure in any other way? Not so much.

The FTC’s complaint ( PDF

“We allege that Tapplock promised that its Internet-connected locks were secure, but in fact the company failed to even test if that claim was true,” Andrew Smith, director of the FTC’s Bureau of Consumer Protection, said in a written statement. “Tech companies should remember the basics — when you promise security, you need to deliver security.”

Tapplock’s advertisements say its flagship product, the Tapplock One, can store up to user fingerprints and can be connected to an “unlimited” number of devices through the app — a design optimized for something many people need to be able to access and for which handing off a physical key is impractical. To make the $99 lock work, Tapplock collects a great deal of personal information on its users, including usernames, email addresses, profile photos, location history, and the accurate location of a user’s lock.

According to the complaint, Tapplock’s privacy policy promised, “we take reasonable precautions and follow industry best practices to make sure [personal information] is not inappropriately lost, misused, accessed, disclosed, altered, or destroyed.” However, almost a year ago — in June 2018 — three separate security researchers identified “critical physical and electronic vulnerabilities” in the locks.

Screwed

The lock may be built with “7mm reinforced stainless steel shackles, strengthened by double-layered lock design with anti-shim and anti-pry technologies,” as Tapplock’s website promises, but according to the FTC, perhaps it should have considered anti-screwdriver technologies. As it turns out, a researcher was able to unlock the lock “within a matter of seconds” by unscrewing the back panel. Oops.

The complaint also pointed to several “reasonably foreseeable” software vulnerabilities that the FTC alleges Tapplock could have avoided if the company “had implemented simple, low-cost steps.”

One vulnerability security researchers identified allowed a user to bypass the account authentication process entirely in order to gain full access to the account of literally any Tapplock user, including their personal information. And how could this happen? “A researcher who logged in with a valid user credential could then access another user’s account without being re-directed back to the login page, thus allowing the researcher to circumvent Respondent’s authentication procedures altogether,” the complaint explains.
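The flaw the complaint describes is the classic gap between authentication and authorization: the server checked that the caller had a valid session, but not that the session belonged to the account being requested. The following is an added illustration (not Ars Technica’s or Tapplock’s code, and not Tapplock’s actual API); it shows a minimal account-lookup handler in the vulnerable shape beside the fixed one. The user records, the `Session` class, and the handler names are all constructed for the example.

```python
"""Added example: object-level authorization on an account lookup.

Not Tapplock's code. Names, records and the Session type are constructed
to illustrate the class of bug the FTC complaint describes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user_id: str  # the user this session was issued to at login


class Forbidden(Exception):
    """Raised when an authenticated caller asks for a record it does not own."""


# Constructed sample records: two users, each with the kind of data the
# article says the app collects (email and lock location). No real data.
ACCOUNTS = {
    "u-1001": {"email": "owner@example.invalid", "lock_location": "51.50,-0.12"},
    "u-1002": {"email": "other@example.invalid", "lock_location": "48.85,2.35"},
}


def get_account_vulnerable(session, requested_user_id):
    """Authenticated != authorized.

    Any caller holding *some* valid session can read *any* user's record,
    because the handler never compares the session owner to the target.
    """
    if session is None:
        raise PermissionError("login required")
    record = ACCOUNTS.get(requested_user_id)
    if record is None:
        raise KeyError(requested_user_id)
    return record


def get_account_fixed(session, requested_user_id):
    """Object-level authorization: the session must own the requested account.

    The ownership check runs on every request, so there is no state (such as
    a redirect to the login page) for a caller to skip.
    """
    if session is None:
        raise PermissionError("login required")
    if session.user_id != requested_user_id:
        raise Forbidden("session does not own account %s" % requested_user_id)
    record = ACCOUNTS.get(requested_user_id)
    if record is None:
        raise KeyError(requested_user_id)
    return record


if __name__ == "__main__":
    alice = Session("u-1001")
    # Vulnerable handler hands over another user's record.
    print(get_account_vulnerable(alice, "u-1002"))
    # Fixed handler refuses it.
    try:
        get_account_fixed(alice, "u-1002")
    except Forbidden as exc:
        print("refused:", exc)
```

The important design point is that the check is per request and keyed on the object being accessed, not on whether a login page was visited. Access-control tests in a test suite should include exactly this case: a valid session for user A requesting user B’s record must fail.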

A second vulnerability allowed researchers the ability to access and unlock any lock they could get close enough to with a working Bluetooth connection. That’s because Tapplock “failed to encrypt the Bluetooth communication between the lock and the app,” leaving the data wide open for the researchers to discover and replicate.

The third vulnerability outlined in the complaint also has to do with a failure to secure communication data. That app that allows “unlimited” connections? The primary owner can of course add and revoke authorized users from the lock. But someone whose access was revoked could still access the lock because the vulnerability allowed for sniffing out the relevant data packets.
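Both the second and third vulnerabilities come down to the same missing control: an unlock message that is identical every time, carried in the clear, can be recorded and sent again, and revoking a user in the app does nothing if the lock itself keeps honouring that message. The following added example (not Tapplock’s protocol, and not code from the article) shows the lock-side logic that closes both gaps: every unlock attempt is bound to a fresh single-use challenge, the message is authenticated with a per-user secret, and the lock checks its own authorized-key table so a revoked user is refused. The `Lock` class, the key table, and the message layout are assumptions made for the illustration.

```python
"""Added example: lock-side verification of unlock commands.

Not the Tapplock protocol. Shows (a) a fresh per-attempt challenge so a
previously captured message is rejected, and (b) a revocation check at the
lock so a removed user's key no longer opens it. Keys and IDs are constructed.
"""
import hashlib
import hmac
import secrets


def unlock_tag(key, lock_id, challenge):
    """What the app computes for one attempt.

    The MAC binds the shared secret to this lock and this challenge, so the
    tag is useless for any other lock or any later attempt.
    """
    msg = b"unlock|" + lock_id.encode("utf-8") + b"|" + challenge
    return hmac.new(key, msg, hashlib.sha256).digest()


class Lock:
    def __init__(self, lock_id, keys):
        self.lock_id = lock_id
        # user_id -> shared secret. The owner's app provisions and removes
        # entries; the lock, not the cloud, is what decides at unlock time.
        self.keys = dict(keys)
        self.challenge = None

    def new_challenge(self):
        """Issued to the app at the start of every attempt; single use."""
        self.challenge = secrets.token_bytes(16)
        return self.challenge

    def revoke(self, user_id):
        """Owner removes a user; the lock stops accepting that user's key."""
        self.keys.pop(user_id, None)

    def verify_unlock(self, user_id, challenge, tag):
        """Return True only for a fresh, correctly authenticated message."""
        key = self.keys.get(user_id)
        if key is None or self.challenge is None:
            return False  # unknown/revoked user, or no attempt in progress
        if not hmac.compare_digest(challenge, self.challenge):
            self.challenge = None
            return False  # stale or foreign challenge: a replayed message
        expected = unlock_tag(key, self.lock_id, challenge)
        ok = hmac.compare_digest(tag, expected)
        self.challenge = None  # consume the challenge whatever the outcome
        return ok


if __name__ == "__main__":
    key_a, key_b = secrets.token_bytes(32), secrets.token_bytes(32)
    lock = Lock("lock-01", {"alice": key_a, "bob": key_b})
    c = lock.new_challenge()
    print("fresh:", lock.verify_unlock("alice", c, unlock_tag(key_a, "lock-01", c)))
    lock.new_challenge()
    print("replay:", lock.verify_unlock("alice", c, unlock_tag(key_a, "lock-01", c)))
    c2 = lock.new_challenge()
    lock.revoke("bob")
    print("revoked:", lock.verify_unlock("bob", c2, unlock_tag(key_b, "lock-01", c2)))
```

Note that encryption alone would not have been enough here: a ciphertext that is the same every time can be replayed just as easily as plaintext. Freshness (the challenge) plus authentication (the MAC) is what makes a captured message worthless, and keeping the authorized-key table on the lock is what makes revocation take effect over Bluetooth rather than only in the app.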

And how did Tapplock fail to discover any of these weaknesses? Because the company did not have a security program prior to the third-party researchers’ discoveries, the FTC alleges.

The settlement, in which Tapplock does not admit to any wrongdoing, requires the company to create — and provide extensive documentation of — a security program for its products. That program is required to include training for employees; timely disclosure of “covered incidents,” including both loss of personal information and also unauthorized access to systems; actual penetration testing of the network; and several other elements, including annual review.
