Tapplock is a popular, Bluetooth-based, fingerprint activated padlock. The speciality of this padlock comes down to the fingerprint recognition technology which allows users to unlock the padlock with their fingerprint or use a mobile application remotely. As an added benefit, you can even allocate trusted individuals who can also use the mobile application to unlock the padlock.
Despite being advertised as ‘unbreakable’, PTP (Pen Test Partners) have recently discovered a vulnerability within Tapplock that allows attackers to very easily open the padlock without the need for bolt cutters.
Andrew Tierney from PTP reported that he identified the vulnerability and exploited it in under an hour. Once he had figured this out, he could unlock any Tapplock in under 2 seconds with a mobile phone.
The main security concern within Tapplock stemmed from the use of a digital key. This key provided the functionality for users to unlock the padlock from their mobile device using Bluetooth. However, any other device was able to retrieve this key by searching for nearby Bluetooth devices regardless of if it was listed as a trusted device. It was also discovered that all data used to verify the remote unlock was being sent via HTTP – an insecure, unencrypted protocol when compared to HTTPS and could be easily intercepted by an attacker on the same network. As if that wasn’t bad enough, all verification data remains the same each time you unlock the device. However, once an attacker intercepts this data, they have a permanent rite of passage because Tapplock does not have the functionality to change this data on demand!
Fortunately, Tapplock claims to release a patch for these security flaws within the next 7 days. If you do own one of these padlocks, be sure to update it as soon as this patch is released!