Remember last week’s ROTFL story about the $99 digital padlock that could be opened in just two seconds without an angle grinder or a bolt cutter?
Canadian internet of things (IoT) startup Tapplock learned the hard way why you should never knit your own cryptography – unless you’re a proper cryptographer, of course.
UK penetration testing company Pen Test Partners took a glance at Tapplock’s cool-sounding, fingerprint scanner-equipped, Bluetooth-speaking padlock and almost immediately noticed that the “secret” code for each lock could be calculated directly from the lock’s Bluetooth network address.
Because network MAC addresses aren’t meant to be secret – in fact, they’re specifically designed to be broadcast publicly, in order for the network to function – they aren’t, errrrrr, well, they aren’t secrets!
Using your padlock’s public MAC address as your secret padlock access code is like writing the PIN of your bank card on the front in LARGE DIGITS, using an indelible marker pen.
As a result, Pen Test Partners managed to create an “unlock any Tapplock” program that could open any lock in just two seconds, compared to the 0.8 seconds required for the official app to open a specific lock.
Sadly, it gets much worse.
Turns out you don’t need to spend two seconds, or even to use an unofficial unlocking app.
Tapplock’s cloud-based administration tools were as vulnerable as the lock, as Greek security researcher Vangelis Stykas found out very rapidly.
Amusingly, Stykas, an independent researcher who has to buy all his own kit for testing, went down the software-only route for simple practical reasons:
I did not have any locks (and I am out of IoT budget for this month as my wife has -kindly- informed me).
Turns out he saved himself $99, and ended up with a faster and even more generic Tapplock-cracking trick than PTP’s “figure out the key by sniffing the MAC address” hack.
Stykas found that once you’d logged into one Tapplock account, you were effectively authenticated to access anyone else’s Tapplock account, as long as you knew their account ID.
You could easily sniff out account IDs because Tapplock was too lazy to use HTTPS (secure web connections) for connections back to home base – but you didn’t really need to bother, because account IDs were apparently just incremental IDs anyway, like house numbers on most streets.
As a result, Stykas could not only add himself as an authorised user to anyone else’s lock, but also read out personal information from that person’s account, including the last location (if known) where the Tapplock was opened.
Incredibly, Tapplock’s back-end system would not only let him open other people’s locks using the official app, but also tell him where to find the locks he could now open!
Of course, this gave him an unlocking speed advantage over Pen Test Partners – by using the official app Stykas needed just 0.8 seconds to open a lock, instead of the sluggish two seconds needed by the lock-cracking app.
Note. Stykas didn’t prove his point by trying out likely account IDs until he got lucky. He specifically asked for, and received permission, to use one of the Pen Test Partner’s test accounts. This means he didn’t need to risk reading someone else’s personal information just to prove his point. Cybercrooks, of course, have no such scruples.
What to do?
- Tapplock user? Get and install any and all patches provided. Apparently, the company has now addressed the most obvious web portal holes (guessable account IDs and no HTTPS), but we assume an app update will be needed as well.
- Web programmer? Don’t make account IDs easy to guess. In an otherwise secure system, account numbers that go 1,2,3… shouldn’t be a problem, but why make it easy?
- Service delivery manager? Don’t allow plain HTTP any more. Make sure your servers insist upon HTTPS connections, and update your client software to use HTTPS exclusively.
By the way, if you’re an IoT entrepreneur, why not try something a bit different?
Don’t let your programmers invent their own cryptography, don’t take their word for it that your cool new product will stand up to public cybersecurity scrutiny, and don’t cut GDPR corners with your customers’ data – you’re more likely than ever to get found out.
Be an IoT trendsetter – cybersecurity as value, not cost!
s31064
Unbelievable. As Forrest Gump said, “dumber than a bag of hammers”.
s31064
Just remembered that wasn’t Forrest Gump, it was Ulysses Everett McGill in “Oh Brother, Where Art Thou”.
ratteau
Derek Sanderson, an ex-Boston Bruin turned play-by-play commentator used to use that description against certain members of the Montreal Canadians back in the 80s..
ejhonda
There should be criminal charges for this level of incompetence…
Arno Pijnappels
Sophos UTM’s quarantaine release link also still uses http on a custom tcp port. This often doesn’t work at all because of HSTS on other services on the same firewall….
Paul Ducklin
We hear you – we’ve passed this on to the development team responsible :-)
Thanks for the comment – we appreciate the feedback.
Paul Ducklin
They’ve agreed to change it! The next maintenance release should be HTTPS only. The release date isn’t locked down precisely yet but it should be early next month (UTM 9.5 MR 8).
ejhonda
Kudos for working this into a feature enhancement request!
Anonymous
No CVE?
Will
I don’t know if you went far enough in the “Tapplock User” recommendation, honestly. An appropriate analogy might be if you start to see problems from the home builder, just because they come back and fix any issues, shore up failing structure, etc., that doesn’t instill a high degree of confidence in the whole building and their business practices end to end.
Though it’s a waste of good money, the best answer might be to toss it in the bin and go buy a more secure lock from a more reliable manufacturer.
Paul Ducklin
Well, that’s an option. (Where you wrote “more secure” I suspect just “secure” would have been enough :-)
Will
Very true!
H Davis
Anyone that would buy a product from this bunch is dumber than they are.
Keith
I went over and read their web site, an interesting exercise in marketing. At no time do they claim the lock is secure. In fact, the one close claim where they say “Unbreakable design” the description goes on to say “The lock features unparalleled industrial design…” It doesn’t say anything about unparalleled security. Also, there’s a whole lot of unintentional truth “Share smartphone access remotely with unlimited users.” :)
Paul Ducklin
We covered that “unbreakable design” claim in the first article:
https://nakedsecurity.sophos.com/2018/06/14/the-99-digital-padlock-that-kept-crooks-out-for-2-whole-seconds/
At the bottom of the web page, in smaller writing, they say just “virtually unbreakable”.
0laf
I wonder if I could disable the fingerprint reader just using vaseline or maybe a bit of sandpaper to buy time to pop the lock with a heavier tool or download the right app.
Gregg
The crypto is one thing, but this lock is also not physically secure. They can update the software, but they also need a hardware redesign. [URL removed]
Paul Ducklin
In our first article here…
https://nakedsecurity.sophos.com/2018/06/14/the-99-digital-padlock-that-kept-crooks-out-for-2-whole-seconds/
…we touched on the physical insecurity (given how much of that you might expect for $99). The UK Pen Test Partners team who hacked at this lock found that they could cut the shackle at its weak point with just a 30cm bolt cutter. As for opening it with a GoPro mount glued on the back – turns out that was a QA problem, not a design problem. As our own Mark Stockley said on hearing that additional detail, “So many lessons!”
MrGutts
I don’t see the part about being able to take a suction cup to the back of the lock and un-screwing it, then unlocking it.
Paul Ducklin
Check the comments. I mentioned it there:
https://nakedsecurity.sophos.com/2018/06/14/the-99-digital-padlock-that-kept-crooks-out-for-2-whole-seconds/#comment-5107208